Brandon Enright told the Toorcon hacker conference in San Diego he had been following the Zhelatin Trojan's progress since July and believes its effects have been significantly reduced.
"The size of the network has been falling pretty rapidly and pretty consistently," Enright said.
The researcher pointed to a concerted email attack in July, when Storm is thought to have infected about 1.5 million PCs.
Enright said that out of these machines, around 200,000 were accessible by the Trojan writers at any time.
However, since July he said anti-virus vendors had worked hard to identify affected machines and clean them up, including an important addition to the Microsoft Malicious Software Removal tool.
Those efforts had reduced the Storm network to just 160,000 PCs, with 20,000 infected computers available for use by the Trojan, Enright said.
His research was backed up by September's figures from security company Kaspersky.
Despite a rapid increase in August, where Kaspersky said reports put the botnet created by the worm at two million infected computers, the following month was very quiet.
"September was remarkably calm from this point of view," a Kaspersky spokesman said.
"Either the numbers were erroneous, or the authors of Zhelatin have decided to take a break until law enforcement agencies around the world direct their attention elsewhere."
The Trojan was named Storm Worm as it originally used a spam email touting news about high winds in Europe to spread to users.
Storm Worm may have blown itself out
By Matt Chapman on Oct 23, 2007 6:53AM