STORM WORM: LARGEST ATTACK IN TWO YEARS, BUT WHY?

26 07 2007

If you haven’t heard already, there’s an old worm in town with several new variants.  This is not w32.storm.worm, so don’t get confused by the name.  As per some recent articles, here is just how naughty this little worm is (my comments in parentheses):

The “Official” Definition:

1st The Wiki:  The Storm Worm (dubbed so by Finnish company F-Secure, alias: Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13[1]; other names, given by antivirus vendors: Downloader-BAI (McAfee), Troj/Dorf-Fam (Sophos), Trojan.Peacomm (Symantec), TROJ_SMALL.EDW or CME-711 (Trend Micro), Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)) is a backdoor[2][3] Trojan horse, identified as Small.dam,[1][4][5] discovered on January 17, 2007.[1] The Storm Worm infected thousands of computers (mostly private) in Europe and the United States on Friday, January 19, 2007 using a topical e-mail message with the subject “230 dead as storm batters Europe”.[6][7] During the weekend there were six subsequent waves of the attack.[8] As of Monday, January 22, the Storm Worm accounted for 8% of all infections globally.[9]

[…] When an attachment is opened (!not anymore! see the InformationWeek article below), the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm.[11]

2nd Symantec

Discovered: January 19, 2007

Updated: January 19, 2007 6:52:29 PM

Also Known As: Small.DAM [F-Secure], CME-711 [Common Malware Enumeration], Troj/Dorf-Fam [Sophos], Downloader-BAI!M711 [McAfee], TROJ_SMALL.EDW [Trend], W32/Tibs [Norman], Troj/Dorf-J [Sophos]

Type: Trojan

Infection Length: 29,347 bytes; 30,720 bytes; 32,387 bytes; 34,816 bytes (varies)

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Trojan.Peacomm is a Trojan horse that drops a driver program file to download another program (AGAIN, !not anymore! see the InformationWeek article below). It is reportedly attached to spammed email. It may also be dropped by W32.Mixor.Q@mm.

The Kinda Old News:

For 24 hours in mid-January, stock-fraud investigation site StockPatrol disappeared from the Internet, overwhelmed by a massive flood of Web requests coming from thousands of sources.

[…] Highlighting another trend, bot nets created with the program use peer-to-peer communication to make shutting down the illicit networks much more difficult. Typically, bot nets last no more than a day after their command-and-control server is identified. The peer-to-peer component of the Storm Worm enables its bot nets to reconstitute themselves after the central server is taken down.   (SecurityFocus 2007-02-16)
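To make the takedown point concrete, here is an added example that is not code from the original post, from Storm itself, or from any vendor: a toy model of a centralised botnet beside a peer-to-peer overlay, with a seed-peer walk standing in for the "destinations encoded within the malware itself" quoted from the Wiki above. Node numbering, the chord pattern used for peer lists and the seed lists are constructed assumptions; Storm's real protocol is not modelled.

```python
# Added example (not code from the original post or from the Storm Worm):
# a centralised IRC-style botnet versus a peer-to-peer overlay, and what a
# single takedown does to each.
from collections import deque


def star_botnet(n: int) -> dict[int, set[int]]:
    """Centralised C&C: node 0 is the server, every other node is a bot
    that talks only to the server."""
    adj = {i: set() for i in range(n)}
    for bot in range(1, n):
        adj[0].add(bot)
        adj[bot].add(0)
    return adj


def p2p_botnet(n: int, chords=(1, 2, 7)) -> dict[int, set[int]]:
    """Peer overlay: each bot keeps a small peer list made of its ring
    neighbours plus longer chords. The chord set is a constructed stand-in
    for a real peer list, chosen so the overlay survives losing single
    nodes, adjacent runs of nodes, or every other node."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for c in chords:
            j = (i + c) % n
            adj[i].add(j)
            adj[j].add(i)
    return adj


def takedown(adj, offline):
    """Return the overlay after the given nodes are taken offline."""
    alive = {v for v in adj if v not in offline}
    return {v: {u for u in adj[v] if u in alive} for v in alive}


def _bfs(adj, starts):
    """Breadth-first walk; returns every node reachable from `starts`."""
    seen = {s for s in starts if s in adj}
    queue = deque(seen)
    while queue:
        v = queue.popleft()
        for u in adj[v]:
            if u not in seen:
                seen.add(u)
                queue.append(u)
    return seen


def reachable_from(adj, seeds) -> float:
    """Fraction of surviving bots a fresh bot can reach when it boots from
    the seed peers hardcoded into it (the 'encoded destinations')."""
    if not adj:
        return 0.0
    return len(_bfs(adj, seeds)) / len(adj)


def largest_component_fraction(adj) -> float:
    """Fraction of surviving bots in the largest mutually reachable group,
    i.e. how much of the network an operator who reaches any one of them
    can still drive."""
    if not adj:
        return 0.0
    seen = set()
    best = 0
    for start in adj:
        if start not in seen:
            comp = _bfs(adj, [start])
            seen |= comp
            best = max(best, len(comp))
    return best / len(adj)


if __name__ == "__main__":
    star = star_botnet(50)
    p2p = p2p_botnet(60)
    print("star, hub removed:", largest_component_fraction(takedown(star, {0})))
    print("p2p, node 0 removed:", largest_component_fraction(takedown(p2p, {0})))
    print("p2p, nodes 0-2 removed:", largest_component_fraction(takedown(p2p, {0, 1, 2})))
    print("p2p, every even node removed:",
          largest_component_fraction(takedown(p2p, set(range(0, 60, 2)))))
    print("fresh bot, seeds 0-3, after 0-2 removed:",
          reachable_from(takedown(p2p, {0, 1, 2}), [0, 1, 2, 3]))
```

Taking the hub out of the star leaves 49 bots that nothing can reach, which is the "no more than a day after the command-and-control server is identified" case. Removing the same node, an adjacent run of nodes, or every other node from the overlay leaves the survivors fully connected, and a fresh bot that boots from its encoded seed list needs only one surviving seed to find the rest. A defender therefore has to poison or exhaust the peer lists, or clean the bots themselves, rather than pull one address.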

The New..ish News:

Storm worm authors are blasting the Internet with two types of attacks (mainly spam: e-cards and phoney virus alerts), and both are aimed at building up their botnet.

[…] The viruses are not embedded in the e-mails or in attachments. The e-mails, many of them otherwise empty, contain a link to a compromised Web site where machines are infected with a generic downloader. (TOLD YA. NOTE THE BIG CHANGE IN TACTICS: with no malware in the e-mail, an attachment-scanning mail filter has nothing to catch; the infection happens only when the link is followed.)  This helps pull the computers into the malware authors’ growing botnet, while also leaving them open for further infection at a later date.  (InformationWeek 2007-07-24)
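The filtering consequence of that change, as an added example that is not code from the original post or from any vendor: a classic attachment scanner run over a January-style lure (topical subject, executable attached) and a July-style lure (no attachment, just a link), next to a link-aware check. The three sample messages, the sender addresses, the example.invalid hosts and the lure keyword list are constructed for this example; the subject line "230 dead as storm batters Europe" is the one quoted above.

```python
# Added example (not from the original post): why an attachment-scanning
# mail filter misses the link-only Storm lures, and what a link-aware
# triage step adds. All messages below are constructed, not real captures.
import email
import re
from email import policy
from email.message import EmailMessage

# Subject reported for the January 2007 wave.
STORM_SUBJECTS = {"230 dead as storm batters Europe"}
# Lure themes reported for the July 2007 wave (e-cards, phoney virus alerts);
# the keyword list itself is an assumption.
LURE_KEYWORDS = ("e-card", "ecard", "greeting card", "virus alert", "worm alert")
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def build_attachment_lure() -> bytes:
    """January-style lure: topical subject, executable attached."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "230 dead as storm batters Europe"
    msg.set_content("Full story in the attached file.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream",
                       filename="Full Story.exe")
    return msg.as_bytes()


def build_link_lure() -> bytes:
    """July-style lure: nothing attached, only a link to a compromised site."""
    msg = EmailMessage()
    msg["From"] = "cards@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "You have received a greeting e-card"
    msg.set_content(
        "A friend has sent you an e-card.\n"
        "Pick it up here: http://ecard.example.invalid/ecard.php?id=1234\n"
    )
    return msg.as_bytes()


def build_ordinary_mail() -> bytes:
    """Benign message with a link, to show the link check is theme-gated."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Meeting minutes"
    msg.set_content("Minutes are at http://wiki.example.invalid/minutes\n")
    return msg.as_bytes()


def has_executable_attachment(raw: bytes) -> bool:
    """What a classic attachment scanner checks: executable name or MZ header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_SUFFIXES) or data.startswith(b"MZ"):
            return True
    return False


def lure_links(raw: bytes) -> list[str]:
    """URLs in a message whose subject or body matches a known lure theme."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (subject + "\n" + body).lower()
    is_lure = subject in STORM_SUBJECTS or any(k in text for k in LURE_KEYWORDS)
    return URL_RE.findall(body) if is_lure else []


def triage(raw: bytes) -> str:
    """Verdict: the attachment check alone passes the link lure untouched."""
    if has_executable_attachment(raw):
        return "block: executable attachment"
    links = lure_links(raw)
    if links:
        return "hold: lure with %d link(s) for URL reputation check or detonation" % len(links)
    return "pass"
```

The attachment scanner blocks the January message and passes the July one, because there is nothing in it to scan; the July message is only caught once the link is extracted and handed to a URL reputation or detonation step. The gate on lure themes keeps ordinary mail with links out of the hold queue.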

The Latest: In all honesty, who knows?  However…

An interesting happening this week: some ISPs have been hijacking the DNS entries for certain IRC networks to crack down on zombie/bot infections. (Darknet: TimeWarner DNS Hijacking IRC Servers to Stop DDoS Attacks)

Read that whole article from Darknet and you’ll get my drift.  I see a connection between ISPs trying to block “zombie/bot infections” and the last I heard on Storm Worm variants.
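The mechanism behind that kind of ISP move, as an added example that is not code from the original post, from the Darknet article, or from any ISP's resolver: a minimal DNS sinkhole that answers queries for listed C&C hostnames with an address the operator controls and forwards everything else upstream untouched. The hijacked hostnames, the sinkhole address and the upstream resolver address are constructed placeholders.

```python
# Added example (not from the original post or from any ISP's system): a
# minimal DNS sinkhole responder of the kind used to hijack C&C hostnames.
# Hostnames and addresses below are constructed placeholders.
import socket
import struct

SINKHOLE_IP = "127.0.0.1"                            # where hijacked names point
HIJACKED = {"irc.example.net", "irc.example.org"}    # constructed block list


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode a standard recursive A/IN query for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)            # A, IN


def parse_name(pkt: bytes, off: int):
    """Decode an uncompressed DNS name; returns (name, offset after it)."""
    labels = []
    while True:
        length = pkt[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def parse_query(pkt: bytes):
    """Returns (id, qname, qtype, offset just past the question)."""
    qid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = parse_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return qid, name, qtype, off + 4


def handle(pkt: bytes):
    """Answer hijacked A queries with the sinkhole address; return None for
    everything else so the caller forwards it upstream unchanged."""
    qid, name, qtype, qend = parse_query(pkt)
    if qtype != 1 or name.lower() not in HIJACKED:
        return None
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)    # QR, RD, RA
    question = pkt[12:qend]
    # Answer RR: name pointer to offset 12, type A, class IN, TTL 60, rdlength 4.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + answer


def first_a_record(resp: bytes):
    """Pull the first A record out of a response built by handle()."""
    _qid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    _name, off = parse_name(resp, 12)
    off += 4                                       # skip qtype, qclass
    if ancount < 1:
        return None
    _ptr, _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", resp[off:off + 12])
    off += 12
    return socket.inet_ntoa(resp[off:off + rdlen])


def serve(listen=("127.0.0.1", 5353), upstream=("198.51.100.53", 53)):
    """Run the sinkhole on UDP; `upstream` is a placeholder resolver address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        pkt, client = sock.recvfrom(512)
        try:
            resp = handle(pkt)
        except (ValueError, IndexError, struct.error):
            continue                               # malformed query, drop it
        if resp is None:
            fwd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            fwd.settimeout(2)
            try:
                fwd.sendto(pkt, upstream)
                resp = fwd.recv(512)
            except OSError:
                continue
            finally:
                fwd.close()
        sock.sendto(resp, client)
```

Two caveats a practitioner would want before copying what the ISPs did: hijacking a whole IRC network's names also cuts off its legitimate users, and a bot that carries peer addresses in the binary and never resolves a hostname (the peer-to-peer behaviour described under "The Kinda Old News") is not affected by a DNS sinkhole at all.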

Anyway, it’s obvious that whoever is running this game must be hell-bent on something, but what?

I will keep everyone updated and post the source code for all the malware related to the “Storm Worm” as soon as I can find it.  If you happen to find it before me, please post a link in the comments.

Peace


69 responses

8 10 2007
Storm Worm Update: I Hate To Say I Told You So… « TheMostBoringBlogInTheWorld

[…] To Say I Told You So… 8 10 2007 Anyone remember this article I wrote back in July:  STORM WORM: LARGEST ATTACK IN TWO YEARS, BUT WHY? Well, it looks like I was correct in being concerned that the Storm Worm and its resulting botnets […]

22 10 2007
The Observer On: Storm Worm « TheMostBoringBlogInTheWorld

[…] STORM WORM: LARGEST ATTACK IN TWO YEARS, BUT WHY? […]

19 12 2007
tboy1337

lol Azag, do you realise that there is a good chance that the authors learnt some virus making off your site

1 01 2008
Azag

tboy1337 – Sadly, yes, I’m sure at least a few authors gathered intel off my site and at the very least might have learned some new tricks if they did their homework or whatever. ;-P It seems pretty feasible in theory so I’m going to guess chances are good it did happen on at least a few occasions. Then again, some have also thanked me for finding info to help them learn a programming language for college/university classes, so many positive things also happen as well. Funnier fact is it went full circle: now some of these Storm Worm infected machines are trying to probe my site, although very unsuccessfully. I am not responsible for the actions [whether bad or good] of my visitors.
I have no way of telling what viruses or authors may have been spawned by visitors but I really don’t want to know. 😉 I haven’t seen any authors mention it but I think that is for the best. I don’t want no troubles lol. I tell people never to spread such creations, whether their own or the inventions of others. Don’t mess up the internet for others, kids. Remember it’s made up of a delicate series of tubes. 😉 heheh

I also wish people would stop thinking I’m a backdoored server trying to run C99shell(s) off my site. They are there to download; I’m not running a PHP based server, you silly bastards. Some people got to be a little slow if they think I would put up code, apps or exploits that I’m vulnerable to on my site. Come on people, think a bit before you leap, for f*ck’s sake. Take note of the section title if you read English (or can translate it) and most would assume it is fairly obvious I am not some hijacked server or one left with a backdoor hanging wide open as it were. 😛

– Azag
