Orange County Security SIG

Something seems to be cooking but nobody really knows what is in the pot.

It's called the Storm Worm and it goes by a couple dozen different aliases. It first was noticed in January 2007 and has been slowly growing every since. But all it does so far is spread spam and occasionally attacks anti-spyware web sites. It has such a low profile that it is able to get around even the more sophisticated anti-spyware techniques used at Google.

It is slow and initially non-threatening like the syphilis virus. It's redundant with no central leadership and it's broken into small cells just like al-Queda. It also attacks people who criticize it and it keeps people from opposing it like the Italian Mafia or the Blood-N-Crips. Some compare its slow persistence to an ant colony and its current power to more than all the super computers in the world today.

A poster at Bruce Schneiders blog summed it up rather nicely: "why does evil have to be so awesome?"

Nobody is really sure just what it does. Was it meant to spread spam or to do Denial of Service attacks? Maybe someone is building a huge army of zombies for later use. That theory has been used for other infections before but this time it might be right. Only time will tell.

Many can't even decide what to categorize it as. Is it a virus, a worm, or a trojan horse. Well it doesn't have any method to re-create itself or to infect an executable file like a virus does. It is usually refered to as a worm but spreads itself by hitch-hiking on a probably harmless file like a Trojan Horse. So Trojan Horse it seems to be, but that is not what people know it by.

Then there is the uncertainty of who is behind it. Not only who wrote it, but who controls it now and who will control it when it decides to be malicious. Some experts think it was a group of Russian teens and others think it can be blamed on the spam kings like Leo Kuvayev.

Sometimes you'll see it in PDF spam, uTube videos, ecards, pump-n-dump schemes, love related spam, politically related spam, IMs, and blog posts.

• social engineering via email/blogs/IM
• drops backdoor
• hooks files for infection during boot
• uses backdoor for DoS
• fast-flux (multiple addrs to same site, changes IP addr every 30 minutes)
• DoS attack on sites that look for worm infections (scan noticed)
• no CC center, it uses P2P

• latest AV signatures
• PersonalFireWall
• run with a LUA (limited user account)

1. run a system scan with system restore turned off & updated sigs
2. remove the following entry from the registry
   hkey_local_machine\system\currentcontrolset\services\wincom32

• 230 dead as storm batters Europe
• U.S. Southwest braces for another winter blast. More then 1000 people are dead.
• Chinese missile shot down USA aircraft
• U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
• Naked teens attack home director
• A killer at 11, he''s free at 21 and kill again!
• British Muslims Genocide
• U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
• Naked teens attack home director
• A killer at 11, he''s free at 21 and kill again!
• British Muslims Genocide
• Radical Muslim drinking enemies' blood.
• Sadam Hussein alive!
• Russian missle shot down USA satellite
• Russian missle shot down USA aircraft
• Russian missle shot down Chinese aircraft
• Chinese missile shot down Russian satellite
• Chinese missile shot down Russian aircraft
• Chinese missile shot down USA aircraft
• Chinese missile shot down USA satellite
• Sadam Hussein safe and sound!
• The commander of a U.S. nuclear submarine launch the rocket by mistake.
• Hugo Chavez dead.
• Fidel Castro dead.
• The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
• Venezuelan leader: "Let''s the War Begin".
• [blank]
• We Are Different
• I Love You Soo Much
• I Still Love You
• You + Me
• Passionate Kiss
• Kisses, Hugs & Roses
• Love for Granted
• Most Beautiful Girl
• Puppy Love
• Search for One
• Magic of Flowers
• Dinner Coupon
• Re: Your text

Who ever controls it sure knows how to push peoples buttons so they will click the proper a button.

• snow worm
• Download.bai (McAfee)
• Peacomm (Symantec)
• Nuwar (Windows Live OneCare)
• Trojan-Downloader.Win32.Agent.bet
• Tibs worm
• Mal/HckPk-A,
• Worm.Win32.Zhelatin
• Small.DAM [F-Secure]
• CME-711 [Common Malware Enumeration]
• Troj/Dorf-Fam [Sophos]
• Downloader-BAI!M711 [McAfee]
• TROJ_SMALL.EDW [Trend]
• W32/Tibs [Norman]
• Troj/Dorf-J [Sophos]
• W32/Zhelatin.gen!eml [McAfee]
• Email-Worm.Win32.Zhelatin [Kaspersky]
• w32/Duel.dam

• Read More.exe
• Full Clip.exe
• Full Story.exe
• Video.exe
• Full Video.exe
• Flash Postcard.exe
• Greeting Card.exe
• Greeting Postcard.exe
• Postcard.exe
• full news.exe
• read news.exe
• MoreHere.exe
• ClickHere.exe
• ReadMore.exe
• FlashPostcard.exe
• FullNews.exe

1. drops device driver
2. install the device driver as a service (via registry entry)
3. reboots the computer without prompt
4. drops an encrypted list of initial peers

1. the device service injects a module into the services.exe process.
2. hides the device service and its file
3. communicates with P2P via encrypted UDP
4. registers compromised computer as a peer in the P2P network
5. learns what files to download and execute.
6. learns about additional peers
7. updates its own peer list file with the gathered information.
8. downloads and executes the following file
9. game0.exe, game1.exe, game2.exe, game3.exe
10. occationally attacks websites that analyze it
11. attack a site that visits the URL more than x times in Y minutes

• encrypted list of peers
• %SystemDir%\peers.ini
• %System%\wincom32.ini
• device driver
• %SystemDir%\wincom32.sys (41,728 bytes)
• %SystemDir%\windev-5004-7504.sys (139,008 bytes) detected as Downloader-BAI.sys.gen.a
• config file
• %SystemDir%\windev-peers.ini (12,542 bytes, size may vary)

• %SystemDir%\Game0.exe (backdoor)
• [random name]t.exe or [random name]t.exe.exe (91,920 bytes)
• pdp.exe.exe (40,720 bytes, name may vary)

• install services for "Wincom32.sys"
• Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\Imagepath="\??\%SYSTEMDIR%\wincom32.sys"
• Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\ displayname="wincom32"
• Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\ start="2"
• install services for "Windev-5004-7504.sys"
• Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
• Imagepath="\??\%SYSTEMDIR%\windev-5004-7504.sys"
• Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
• displayname="windev-5004-7504"
• Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
• start="2"

• UDP communication to connect with filesharing peers,
• IP addresses and ports changed every 30 minutes
• ports used: UDP port 4000, 7871, or 11271 (various)
• Overnet protocol used on its private P2P network

• "it is noted that it is ... unusual because most attacks these days tend to be smaller and targeted, as criminals seek to pilfer personal information for financial gain, rather than fame." - Hypponen
• Although it's less dangerous than a traditional worm, it ranks in the top five most prolific threats" Joe Stewart, senior security researcher for SecureWorks
• "Why does evil have to be so awesome?" - poster at Schneiders blog

January

• it was discovered on the 19th
• 8% of all infections on Window computers- (Institute for Ethics & Technologies)
• McAfee raise its risk assessment to Low-Profile due to its prevalence.
• Symantec Security Response raised this threat to category 3
• Fortinet ranked it as the fourth worst threat in February ... - ITWEEK

February

• 39% (1 in 256) of all emails were infected - Sophos
• it accounted for almost 4% of all infections in February - vnunet.com

March

• Storm Worm made up 50.3 per cent of all malware tracked by Sophos - ITWEEK March 2007

August

• started using Blogs with the option to post via email (Sunbelt)
• started getting around CAPTCHAs (Sunbelt)

September

• [its power is now] four million times a standard ADSL connection. - Info Week
• it is now strong enough to force entire countries off Inet (ITweek)
• on the 17th it infected the GOP web-site (The Register & ComputerWorld)
• on the 25th Microsoft's MSRT (mal. sw. removal tool) cut bot-net size by 20%
• started Denial of Service attacks on anti-spyware and anti-spam sites
• spamhaus.org
• 419eater
• Joe Stewarts personal website

• a b c Kevin Spiess, Neo Seeker, "Worm 'Storm' gathers strength", September 7th, 2007.
• British Computer Society, "Storm Worm's virulence may change tactics", August 2nd, 2007.
• George Dvorsky, Institure for Ethics and Emerging Technologies, "Storm Botnet storms the Net", September 24, 2007.
• Sharon Gaudin, Information Week, "Storm Worm Botnet Attacks Anti-Spam Firms", September 18, 2007.
• Liam Tung, ZDNet Australia, "Storm worm: More powerful than Blue Gene?", September 12, 2007.
• Jon Brodkin, Network World, "Financially motivated malware thrives", September 7, 2007.
• David Utter, Security Pro News, "Storm Botnet Driving PDF Spam", July 13, 2007.
• Sharon Gaudin, InformationWeek, "Storm Worm Botnet More Powerful Than Top Supercomputers", September 6, 2007.
• Sharon Gaudin, InformationWeek, "After Short Break, Storm Worm Fires Back Up With New Tricks", September 4, 2007.
• John Leydon, The Register, "Storm Worm linked to spam surge", September 14, 2007.
• Bruce Schneir, Wired News, "Gathering 'Storm' Superworm Poses Grave Threat to PC Nets", October 4, 2007.
• Sharon Gaudin, Information Week, "Hackers Breaking Up Botnets To Elude Detection", October 3, 2007.
• Virus Bulletin.com, "Storm DDoS hits anti-scam sites", September 10, 2007.
• Sharon Gaudin, Information Week, "NFL Kickoff Weekend Brings Another Storm Worm Attack", September 10, 2007.
• Ryan Paul, Ars Technica News, "Spammers launch denial of service attacks against antispam sites", September 12, 2007.
• Nick Farrell, The Inquirer, "Republicans infect voters with Storm Trojan", September 17th, 2007.
• Gregg Keizer, Computerworld, "Hacked GOP Site Infects Visitors with Malware", September 14th, 2007.
• Carl Weinschenk, IT Business Edge, "The Gathering Storm", September 20, 2007.
• Sûnnet Beskerming, The Register, "Guessing at compromised host numbers", September 25, 2007.
• Ryan Naraine, ZDNet, "Storm Worm botnet numbers, via Microsoft", September 24, 2007.
• Brian Krebs, Washington Post, "Just How Bad Is the Storm Worm?", October 1, 2007

# posted by SIG leader @ 10/07/2007