Storm Worm
From Wikipedia, the free encyclopedia
The Storm Worm (dubbed so by Finnish company F-Secure, alias: Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13[1]; other names, given by antivirus vendors: Downloader-BAI (McAfee), Troj/Dorf-Fam (Sophos), Trojan.Peacomm (Symantec), TROJ_SMALL.EDW or CME-711 (Trend Micro), Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)) is a backdoor[2][3] Trojan horse, identified as Small.dam,[1][4][5] discovered on January 17, 2007.[1] The Storm Worm infected thousands of computers (mostly private) in Europe and the United States on Friday, January 19, 2007 using a topical e-mail message with the subject "230 dead as storm batters Europe".[6][7] During the weekend there were six subsequent waves of the attack.[8] As of Monday, January 22, the Storm Worm accounted for 8% of all infections globally.[9]
Contents |
[edit] Ways of action
“ | During our tests we saw an infected machine sending a burst of almost 1,800 emails in a five-minute period and then it just stopped. Amado Hidalgo, a researcher with Symantec's security response group. [10] | ” |
Originally propagated on the heels of a European windstorm Kyrill, the Storm Worm has been seen in the wild also with the following subjects[11]:
- A killer at 11, he's free at 21 and kill again!
- U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
- British Muslims Genocide
- Naked teens attack home director.
- 230 dead as storm batters Europe.
- Re: Your text
- Radical Muslim drinking enemies's blood.
- Chinese missile shot down Russian satellite
- Chinese missile shot down Russian aircraft
- Chinese missile shot down USA aircraft
- Chinese missile shot down USA satellite
- Russian missile shot down USA aircraft
- Russian missile shot down USA satellite
- Russian missile shot down Chinese aircraft
- Russian missile shot down Chinese satellite
- Saddam Hussein safe and sound!
- Saddam Hussein alive!
- Venezuelan leader: "Let's the War beginning".
- Fidel Castro dead.
- If I Knew
When an attachment is opened, the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm.[11] The Trojan piggybacks on the spam with names ranging from "postcard.exe" to "Flash Postcard.exe," more changes from the original wave as the attack mutates.[10] Some of the known names for the attachments include:[11]:
- Postcard.exe
- FullVideo.exe
- Full Story.exe
- Video.exe
- Read More.exe
- FullClip.exe
- GreetingPostcard.exe
- MoreHere.exe
- FlashPostcard.exe
- GreetingCard.exe
- ClickHere.exe
- ReadMore.exe
- FlashPostcard.exe
- FullNews.exe
Later, as F-Secure confirmed, the malware began spreading the subjects such as "Love birds" and "Touched by Love".
[edit] Botnetting
The compromised machine becomes merged into botnet. While most botnets are controlled through a central server, which if found can be taken down to destroy the botnet, the Storm Worm seeds a botnet that acts in a similar way to a peer-to-peer network, with no centralised control.[8] Each compromised machine connects to a list of a subset of the entire botnet — around 30 to 35 other compromised machines, which act as hosts. While each of the infected hosts share lists of other infected hosts, no one machine has a full list of the entire botnet — each only has a subset, making it difficult to gauge the true extent of the zombie network.[8]
[edit] Rootkit
Another action the Storm Worm takes is to install the rootkit Win32.agent.dh.[12][8] Symantec pointed out that flawed rootkit code voids some of the Storm Worm author's plans.
[edit] Feedback
“ | The rootkit service can be stopped by running a simple command: net stop wincom32. All files, registry keys, and ports will appear again. Amado Hidalgo.[10] | ” |
As of Friday morning, the list of antivirus companies that had detected the Storm Worm included Authentium, BitDefender, clamAV, eSafe, FProt, F-Secure, Kaspersky, Norman, Sophos and Virusbuster.[13] A personal firewall offers some protection from the rootkit, as it will warn that the Windows process "services.exe" is trying to access the Internet using ports 4000 or 7871.[10] Another feedback is to configure e-mail gateways to strip out all executable attachments. However Windows 2000, Windows XP and presumably Windows Vista are vulnerable to all the Storm Worm variations, but Windows Server 2003 is not as the malware's author specifically excluded that edition of Windows from the code.[10]
[edit] See also
- Computer worm
- Rustock
- Sober.o
[edit] Notes
- ^ a b c F-Secure Trojan Information Pages: Small.DAM. Retrieved on 2007-01-25.
- ^ (Russian) Шуб, Александр. ""Штормовой червь" атакует Интернет". Retrieved on 2007-01-20.
- ^ Prince, Brian. "'Storm Worm' Continues to Spread Around Globe", FOXNews.com, Friday, January 26, 2007. Retrieved on 2007-01-27.
- ^ According to Symantec, which detected it as Trojan.Packed.8. LiveUpdate definitions also identified it as Trojan.Peacomm
- ^ ""Storm worm" sloshes through the internet", 19.01.2007 19:46. Retrieved on 2007-01-20.
- ^ "Storm Worm virus hits computers", Fri Jan 19, 2007 2:31 PM GMT. Retrieved on 2007-01-19.
- ^ "Storm chaos prompts virus surge", Friday, 19 January 2007, 11:31 GMT. Retrieved on 2007-01-19.
- ^ a b c d Espiner, Tom. "'Storm Worm' slithers on", ZDNet, 22 Jan 2007 14:06 GMT. Retrieved on 2007-01-22.
- ^ Keizer, Gregg. "'Storm' Spam Surges, Infections Climb", InformationWeek, January 22, 2007 02:58 PM. Retrieved on 2007-01-22.
- ^ a b c d e Keizer, Gregg. "'Storm' Trojan Hits 1.6 Million PCs; Vista May Be Vulnerable", InformationWeek, January 23, 2007 03:43 PM. Retrieved on 2007-01-24.
- ^ a b c Suenaga, Masaki (January 22, 2007 04:04:42 PM GMT). Trojan.Peacomm. Retrieved on 2007-01-22.
- ^ G DATA
- ^ Blog entry by Johannes Ulrich, chief technical officer of the SANS Institute's Internet Storm Center