You know that old saying, the more things change the more things stay the same. The Storm botnet trojan is a good representation of that. The spam botnet first appeared in mid-2006, characterized by bogus ecards and equally bogus breaking news alerts. The links contained in these deceptive spam email point to malicious binaries that install the first stage of the Storm botnet infection.

In January 2007, one of the Storm email messages read, "230 dead as storm batters Europe". That email coincided with a very real storm in Europe in which some deaths had occurred, thus earning the trojan the nickname "Storm".

Every holiday, every major news story, and certainly ever weather disaster since has resulted in a flood (no pun intended) of Storm email. The latest, predictably, are scam email masquerading as news stories about or speeches from the inaugaration of President Barak Obama.

The good news is that while Storm stays the same, user behavior does appear to be changing. In August 2008, 7% of Web-malware blocked by ScanSafe resulted from social engineered scams received in webmail. In December 2008, the volume was 1.5% and thus far in January it's just under 0.5%. So while the volume of Storm email may increase at every opportunity, the open rate of those bogus email (i.e. the number of persons fooled) appears to be decreasing. Now that's one trend we would definitely like to see continue!