Storm Worm

Last updated
Examples of e-mails with "Storm Worm" in the attachment Cybercrime wikifoto.jpg
Examples of e-mails with "Storm Worm" in the attachment

The Storm Worm (dubbed so by the Finnish company F-Secure) is a phishing backdoor [1] [2] Trojan horse that affects computers using Microsoft operating systems, [3] [4] [5] discovered on January 17, 2007. [3] The worm is also known as:

Contents

The Storm Worm began attacking thousands of (mostly private) computers in Europe and the United States on Friday, January 19, 2007, using an e-mail message with a subject line about a recent weather disaster, "230 dead as storm batters Europe". [6] During the weekend there were six subsequent waves of the attack. [7] As of January 22, 2007, the Storm Worm accounted for 8% of all malware infections globally. [8]

There is evidence, according to PCWorld, that the Storm Worm was of Russian origin, possibly traceable to the Russian Business Network. [9]

History

Originally propagated in messages about Cyclone Kyrill, the Storm Worm has also been seen in emails with the following subjects: [10]

"During our tests we saw an infected machine sending a burst of almost 1,800 emails in a five-minute period and then it just stopped."

–Amado Hidalgo, a researcher with Symantec's security response group. [11]

When an attachment is opened, the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm. [10] The Trojan piggybacks on the spam with names such as "postcard.exe" and "Flash Postcard.exe," with more changes from the original wave as the attack mutates. [11] Some of the known names for the attachments include: [10]

Later, as F-Secure confirmed, the malware began spreading the subjects such as "Love birds" and "Touched by Love". These emails contain links to websites hosting some of the following files, which are confirmed to contain the virus:

According to Joe Stewart, director of malware research for SecureWorks, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers. [12]

Botnetting

The compromised machine becomes merged into a botnet. While most botnets are controlled through a central server, which if found can be taken down to destroy the botnet, the Storm Worm seeds a botnet that acts in a similar way to a peer-to-peer network, with no centralized control. [7] Each compromised machine connects to a list of a subset of the entire botnet - around 30 to 35 other compromised machines, which act as hosts. While each of the infected hosts share lists of other infected hosts, no one machine has a full list of the entire botnet - each only has a subset, making it difficult to gauge the true extent of the zombie network. [7] On 7 September 2007, estimates of the size of the Storm botnet ranged from 1 to 10 million computers. [13] Researchers from the University of Mannheim and the Institut Eurecom have estimated concurrent online storm nodes to be between 5,000 and 40,000. [14]

Rootkit

Another action the Storm Worm takes is to install the rootkit Win32.agent.dh. [7] Symantec pointed out that flawed rootkit code voids some of the Storm Worm author's plans. Later variants, starting around July 2007, loaded the rootkit component by patching existing Windows drivers such as tcpip.sys and cdrom.sys with a stub of code that loads the rootkit driver module without requiring it to have an entry in the Windows driver list. [15]

April Fools' Day

On April 1, 2008, a new Storm Worm was released onto the net, with April Fools' -themed subject titles.[ citation needed ]

Feedback

The list of antivirus companies that can detect the Storm Worm include Authentium, BitDefender, ClamAV, eSafe, Eset, F-Prot, F-Secure, Kaspersky, McAfee, Sophos, Symantec, Trend Micro, avast! and Windows Live OneCare. [16] The Storm Worm is constantly being updated by its authors to evade antivirus detection, so this does not imply that all the vendors listed above are able to detect all the Storm Worm variants. An intrusion detection system offers some protection from the rootkit, as it may warn that the Windows process "services.exe" is trying to access the Internet using ports 4000 or 7871. [11] Windows 2000, Windows XP and presumably Windows Vista can be infected by all the Storm Worm variants, but Windows Server 2003 cannot, as the malware's author specifically excluded that edition of Windows from the code. [11] Additionally, the decryption layer for some variants requires Windows API functions that are only available in Windows XP Service Pack 2 and later, effectively preventing infection on older versions of Windows.

Peter Gutmann sent an email [17] noting that the Storm botnet comprises between 1 and 10 million PCs depending on whose estimates you believe. Although Dr. Gutmann makes a hardware resource comparison between the Storm botnet and distributed memory and distributed shared memory high performance computers at TOP500, exact performance matches were not his intention—rather a more general appreciation of the botnet's size compared to other massive computing resources. Consider for example the size of the Storm botnet compared to grid computing projects such as the World Community Grid.

An article in PCWorld [18] dated October 21, 2007 says that a network security analyst presented findings at the Toorcon hacker conference in San Diego on October 20, 2007, saying that Storm is down to about 20,000 active hosts or about one-tenth of its former size. However, this is being disputed by security researcher Bruce Schneier, [19] who notes that the network is being partitioned in order to sell the parts off independently.

Notes

  1. Шуб, Александр. "Штормовой червь" атакует Интернет (in Russian). Retrieved 2007-01-20.
  2. Prince, Brian (January 26, 2007). "'Storm Worm' Continues to Spread Around Globe". FOXNews.com. Retrieved 2007-01-27.
  3. 1 2 3 "F-Secure Trojan Information Pages: Small.DAM" . Retrieved 2007-01-25.
  4. According to Symantec, which detected it as Trojan.Packed.8. LiveUpdate definitions also identified it as Trojan.Peacomm
  5. ""Storm worm" sloshes through the internet". 2007-01-19. Retrieved 2007-01-20.
  6. "Storm chaos prompts virus surge". BBC News. 19 January 2007. Retrieved 2007-01-19.
  7. 1 2 3 4 Espiner, Tom (22 January 2007). "'Storm Worm' slithers on". ZDNet. Retrieved 2007-01-22.
  8. Keizer, Gregg (January 22, 2007). "'Storm' Spam Surges, Infections Climb". InformationWeek. Retrieved 2007-01-22.
  9. "The Internet's Public Enemy Number One". PCWorld. Archived from the original on 2009-03-16.
  10. 1 2 3 Suenaga, Masaki (January 22, 2007). "Trojan.Peacomm". Archived from the original on 29 June 2019. Retrieved 2007-01-22.
  11. 1 2 3 4 Keizer, Gregg (January 23, 2007). "'Storm' Trojan Hits 1.6 Million PCs; Vista May Be Vulnerable". InformationWeek. Retrieved 2021-10-06.
  12. Robert Vamosi (August 7, 2008). "Storm Worm". CNET.com.
  13. Peter Gutmann (31 August 2007). "World's most powerful supercomputer goes online". Full Disclosure . Retrieved 2007-08-31.
  14. Kelly Jackson Higgins (23 April 2008). "Researchers Infiltrate and 'Pollute' Storm Botnet". Darkreading.com. Retrieved 2008-04-24.
  15. SophosLabs (28 July 2007). "Patching system files: Part II". Sophos . Retrieved 2010-12-05.
  16. Blog entry by Johannes Ulrich, chief technical officer of the SANS Institute's Internet Storm Center
  17. "Peter Gutmann Email".
  18. "Storm Worm Now Just a Squall".
  19. "Schneier on Security: The Storm Worm".

Related Research Articles

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Bagle was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

Agobot, also frequently known as Gaobot, is a family of computer worms. Axel "Ago" Gembe, a German programmer also known for leaking Half-Life 2 a year before release, was responsible for writing the first version. The Agobot source code describes it as: “a modular IRC bot for Win32 / Linux”. Agobot was released under version 2 of the GNU General Public License. Agobot is a multi-threaded and mostly object oriented program written in C++ as well as a small amount of assembly. Agobot is an example of a Botnet that requires little or no programming knowledge to use.

W32.Navidad is a mass-mailing worm program or virus, discovered in December 2000 that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. It was designed to spread through email clients such as Microsoft Outlook while masquerading as an executable electronic Christmas card. Infected computers can be identified by blue eye icons which appear in the Windows system tray.

RavMonE, also known as RJump, is a Trojan that opens a backdoor on computers running Microsoft Windows. Once a computer is infected, the virus allows unauthorized users to gain access to the computer's contents. This poses a security risk for the infected machine's user, as the attacker can steal personal information, and use the computer as an access point into an internal network.

Backdoor.Win32.IRCBot is a backdoor computer worm that is spread through MSN Messenger and Windows Live Messenger. Once installed on a PC, the worm copies itself into a Windows system folder, creates a new file displayed as "Windows Genuine Advantage Validation Notification" and becomes part of the computer's automatic startup. In addition, it attempts to send itself to all MSN contacts by offering an attachment named 'photos.zip'. Executing this file will install the worm onto the local PC. The Win32.IRCBot worm provides a backdoor server and allows a remote intruder to gain access and control over the computer via an Internet Relay Chat channel. This allows for confidential information to be transmitted to a hacker.

<span class="mw-page-title-main">Storm botnet</span> Computer botnet

The Storm botnet or Storm Worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

Srizbi BotNet is considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

Mebroot is a master boot record based rootkit used by botnets including Torpig. It is a sophisticated Trojan horse that uses stealth techniques to hide itself from the user. The Trojan opens a back door on the victim's computer which allows the attacker complete control over the computer.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites such as Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

<span class="mw-page-title-main">Conficker</span> Computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.

Daprosy worm was a malicious computer program that spreads via local area network (LAN) connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file where several dozen clones are created at once bearing the names of compromised folders. The most obvious symptom of Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files from infected folders.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

The Rustock botnet was a botnet that operated from around 2006 until March 2011.

Sality is the classification for a family of malicious software (malware), which infects Microsoft Windows systems files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks to process intensive tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

<span class="mw-page-title-main">Gruel (computer worm)</span> 2003 computer worm

Gruel, also referred to by F-Secure as Fakerr, was a worm first surfacing in 2003 targeting Microsoft Windows platforms such as Windows 9x, Windows ME, Windows 2000 and Windows XP. It spread via email and file sharing networks.

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.

Brambul is an SMB protocol computer worm that decrypts and automatically moves from one computer to its second computer.