Orange County Security SIG

Notes and comments of a Special Interest Group on computer security.

October 07, 2007

 

Storm Worm

Overview

Something seems to be cooking but nobody really knows what is in the pot.

It's called the Storm Worm and it goes by a couple dozen different aliases. It was first noticed in January 2007 and has been slowly growing ever since. But all it does so far is spread spam and occasionally attack anti-spyware web sites. It has such a low profile that it is able to get around even the more sophisticated anti-spyware techniques used at Google.

It is slow and initially non-threatening, like syphilis. It's redundant with no central leadership and it's broken into small cells, just like al-Qaeda. It also attacks people who criticize it and keeps people from opposing it, like the Italian Mafia or the Bloods and Crips. Some compare its slow persistence to an ant colony and its current power to more than all the supercomputers in the world today.

A poster at Bruce Schneier's blog summed it up rather nicely: "why does evil have to be so awesome?"

Nobody is really sure just what it is for. Was it meant to spread spam or to run denial-of-service attacks? Maybe someone is building a huge army of zombies for later use. That theory has been floated for other infections before, but this time it might be right. Only time will tell.

Many can't even decide how to categorize it. Is it a virus, a worm, or a Trojan horse? It doesn't have any way to replicate itself or to infect an executable file the way a virus does. It is usually referred to as a worm, but it spreads by hitch-hiking on a seemingly harmless file, like a Trojan horse. So a Trojan horse it seems to be, but that is not what people know it by.

Then there is the uncertainty about who is behind it: not only who wrote it, but who controls it now and who will control it when it decides to turn malicious. Some experts think it was a group of Russian teens; others blame spam kings like Leo Kuvayev.

Sometimes you'll see it in PDF spam, YouTube videos, e-cards, pump-and-dump schemes, love-related spam, politically related spam, IMs, and blog posts.

methods of attack

possible defenses

removal (as per Symantec)
  1. run a system scan with System Restore turned off and updated signatures
  2. remove the following entry from the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32

Technical details:

subject lines:

Whoever controls it sure knows how to push people's buttons so they will click the right button.

Names

attachments

actions during infection
  1. drops a device driver
  2. installs the device driver as a service (via a registry entry)
  3. reboots the computer without prompting
  4. drops an encrypted list of initial peers
actions during execution
  1. the device service injects a module into the services.exe process
  2. hides the device service and its file
  3. communicates with the P2P network via encrypted UDP
  4. registers the compromised computer as a peer in the P2P network
  5. learns what files to download and execute
  6. learns about additional peers
  7. updates its own peer list file with the gathered information
  8. downloads and executes the following files: game0.exe, game1.exe, game2.exe, game3.exe
  9. occasionally attacks websites that analyze it
  10. attacks any site that visits its URL more than X times in Y minutes
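The artifacts listed above (the wincom32 service key, the game0.exe to game3.exe payloads, and a service that hides itself) lend themselves to a simple host triage check. The following Python routine is an added example, not code from the original post, from Symantec, or from the worm's analysts. It applies a cross-view check: a service name that is present under the registry's Services key but missing from what the service control manager reports is being hidden from the API view, which is exactly the behaviour described in item 2 of the execution list. The host snapshots are constructed for the example; on a real Windows host the two lists would come from HKLM\SYSTEM\CurrentControlSet\Services and from `sc query type= all`, and the image path shown for wincom32 is a placeholder, since the post does not give one.

```python
"""Host triage for the Storm Worm artifacts named in the post.

Added example (not from the original post or Symantec). The snapshots are
constructed; collecting them from a live host is out of scope here.
"""
from dataclasses import dataclass

STORM_SERVICE = "wincom32"                          # registry key named in the post
STORM_PAYLOADS = {f"game{i}.exe" for i in range(4)}  # game0.exe .. game3.exe


@dataclass
class Finding:
    kind: str    # "service", "hidden-service" or "payload"
    detail: str


def find_hidden_services(registry_services, scm_services):
    """Cross-view check: names under the Services registry key that the
    service control manager does not report. Windows service names are
    case-insensitive, so compare lower-cased."""
    reg = {name.lower() for name in registry_services}
    scm = {name.lower() for name in scm_services}
    return sorted(reg - scm)


def triage(registry_services, scm_services, files_on_disk):
    """Return the findings for one host snapshot.

    registry_services: {service_name: image_path} read from the registry
    scm_services:      service names reported by the SCM
    files_on_disk:     file names from a directory listing
    """
    findings = []
    reg_lower = {name.lower(): path for name, path in registry_services.items()}
    if STORM_SERVICE in reg_lower:
        findings.append(Finding("service", f"{STORM_SERVICE} -> {reg_lower[STORM_SERVICE]}"))
    for name in find_hidden_services(registry_services, scm_services):
        findings.append(Finding("hidden-service", name))
    for fname in files_on_disk:
        if fname.lower() in STORM_PAYLOADS:
            findings.append(Finding("payload", fname))
    return findings


# Constructed snapshot of an infected host (not real data). The image path
# for wincom32 is a placeholder; the post does not say where the file lives.
SAMPLE_REGISTRY_SERVICES = {
    "Dhcp": r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    "wincom32": r"C:\WINDOWS\system32\wincom32.sys",
    "Spooler": r"C:\WINDOWS\system32\spoolsv.exe",
}
SAMPLE_SCM_SERVICES = ["Dhcp", "Spooler"]       # wincom32 is not reported
SAMPLE_FILES = ["notepad.exe", "game0.exe", "GAME3.EXE"]

if __name__ == "__main__":
    for f in triage(SAMPLE_REGISTRY_SERVICES, SAMPLE_SCM_SERVICES, SAMPLE_FILES):
        print(f"{f.kind:15} {f.detail}")
```

The hidden-service check is the useful part: it does not depend on the wincom32 name and catches any driver that has been unlinked from the SCM's view, which is worth running before the removal steps above, since deleting the key of a service that is still loaded only works after the reboot that the scan procedure implies.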
files added during infection

files downloaded

registry entries created during infection

network activity
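The last item of the execution list is a rate rule: more than X hits on one URL inside Y minutes. The same sliding-window count is what a web server operator uses to spot an automated flood in an access log, so here it is as an added Python example (not code from the original post): it parses Common Log Format lines, keeps a per-client, per-URL window of timestamps, and reports the pairs that exceed the threshold. The log lines are constructed for the example, and the routine assumes lines arrive in chronological order, as an access log does.

```python
"""Sliding-window hit counter over web-server access log lines.

Added example (not from the original post). Flags (client, URL) pairs that
exceed max_hits requests inside any window_minutes-long window. The sample
log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return (host, url, timestamp) or None for an unparseable line."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), m.group("url"), ts


def find_floods(lines, max_hits, window_minutes):
    """Return {(host, url): peak_hits} for pairs that had more than max_hits
    requests inside some window_minutes-long sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # (host, url) -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        host, url, ts = parsed
        q = recent[(host, url)]
        q.append(ts)
        while q and ts - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) > max_hits:
            flagged[(host, url)] = max(flagged.get((host, url), 0), len(q))
    return flagged


# Constructed access log: one client hammers /analysis.html, another browses normally.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Oct/2007:10:00:01 -0700] "GET /analysis.html HTTP/1.1" 200 5120
10.0.0.5 - - [07/Oct/2007:10:00:31 -0700] "GET /analysis.html HTTP/1.1" 200 5120
192.0.2.7 - - [07/Oct/2007:10:01:00 -0700] "GET /index.html HTTP/1.1" 200 1024
10.0.0.5 - - [07/Oct/2007:10:01:02 -0700] "GET /analysis.html HTTP/1.1" 200 5120
10.0.0.5 - - [07/Oct/2007:10:01:40 -0700] "GET /analysis.html HTTP/1.1" 200 5120
10.0.0.5 - - [07/Oct/2007:10:02:05 -0700] "GET /analysis.html HTTP/1.1" 200 5120
192.0.2.7 - - [07/Oct/2007:10:02:15 -0700] "GET /about.html HTTP/1.1" 200 800
10.0.0.5 - - [07/Oct/2007:10:09:00 -0700] "GET /analysis.html HTTP/1.1" 200 5120
this line is not a log entry
""".splitlines()

if __name__ == "__main__":
    for (host, url), peak in find_floods(SAMPLE_LOG, max_hits=4, window_minutes=5).items():
        print(f"{host} hit {url} {peak} times within 5 minutes")
```

With a threshold of 4 hits in 5 minutes the client 10.0.0.5 is reported with a peak of 5; its later hit at 10:09 falls outside the window and does not extend the count, which is what distinguishes a sliding window from a plain total.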

Miscellaneous quotes and a timeline

January
  • it was discovered on the 19th
  • 8% of all infections on Windows computers (Institute for Ethics & Technologies)
  • McAfee raised its risk assessment to Low-Profile due to its prevalence.
  • Symantec Security Response raised this threat to category 3
  • Fortinet ranked it as the fourth worst threat in February ... - ITWEEK
February
  • 39% (1 in 256) of all emails were infected - Sophos
  • it accounted for almost 4% of all infections in February - vnunet.com
March
  • Storm Worm made up 50.3 per cent of all malware tracked by Sophos - ITWEEK March 2007
August
  • started using Blogs with the option to post via email (Sunbelt)
  • started getting around CAPTCHAs (Sunbelt)
September
  • [its power is now] four million times a standard ADSL connection. - Info Week
  • it is now strong enough to force entire countries off the Internet (ITweek)
  • on the 17th it infected the GOP web site (The Register & ComputerWorld)
  • on the 25th Microsoft's MSRT (Malicious Software Removal Tool) cut the botnet's size by 20%
  • started denial-of-service attacks on anti-spyware and anti-spam sites
    • spamhaus.org
    • 419eater
    • Joe Stewart's personal website

References



Experience the computer club and all its SIG groups that meet at Chapman University, California on the 1st Sunday of every month.

SECSIG meets in the Science building 203 at 11:15 am.

By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.

The RSS feed address is http://ocsecsig.blogspot.com/atom.xml

Dave Keays, SIG leader
