If you haven’t heard already there’s an old worm in town with several new variants. This is not w32.storm.wrom, so don’t get all confused by the name. As per some recent articles, here is just how naughty this little worm is (my comments in RED):
The “Official” Definition:
1st The Wiki: The Storm Worm (dubbed so by Finnish company F-Secure, alias: Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13; other names, given by antivirus vendors: Downloader-BAI (McAfee), Troj/Dorf-Fam (Sophos), Trojan.Peacomm (Symantec), TROJ_SMALL.EDW or CME-711 (Trend Micro), Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)) is a backdoor Trojan horse, identified as Small.dam, discovered on January 17, 2007. The Storm Worm infected thousands of computers (mostly private) in Europe and the United States on Friday, January 19, 2007 using a topical e-mail message with the subject “230 dead as storm batters Europe”. During the weekend there were six subsequent waves of the attack. As of Monday, January 22, the Storm Worm accounted for 8% of all infections globally.
When an attachment is opened(!not anymore! see the Information Week article below), the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm.
Discovered: January 19, 2007
Updated: January 19, 2007 6:52:29 PM
Also Known As: Small.DAM [F-Secure], CME-711 [Common Malware Enumeration], Troj/Dorf-Fam [Sophos], Downloader-BAI!M711 [McAfee], TROJ_SMALL.EDW [Trend], W32/Tibs [Norman], Troj/Dorf-J [Sophos]
Infection Length: 29,347 bytes; 30,720 bytes; 32,387 bytes; 34,816 bytes (varies)
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Trojan.Peacomm is a Trojan horse that
drops a driver program file to download another program(AGAIN !not anymore! see IW article below). It is reportedly attached to spammed email. It may also be dropped by W32.Mixor.Q@mm.
The Kinda Old News:
For 24 hours in mid-January, stock-fraud investigation site StockPatrol disappeared from the Internet, overwhelmed by a massive flood of Web requests coming from thousands of sources.
[…] Highlighting another trend, bot nets created with the program use peer-to-peer communication to make shutting down the illicit networks much more difficult. Typically, bot nets last no more than a day after their command-and-control server is identified. The peer-to-peer component of the Storm Worm enables its bot nets to reconstitute themselves after the central server is taken down. (SecurityFocus 2007-02-16)
The New..ish News:
Storm worm authors are blasting the Internet with two types of attacks ( mainly spam: e-Cards and Phoney Virus Alerts), and both are aimed at building up their botnet.
[…] The viruses are not embedded in the e-mails or in attachments. The e-mails, many of them otherwise empty, contain a link to a compromised Web site where machines are infected with a generic downloader. (TOLD YA. NOTE THE BIG CHANGE IN TACTICS. No malware in the e-mail, means no virus filtering problem.) This helps pull the computers into the malware authors’ growing botnet, while also leaving them open for further infection at a later date. (InformationWeek 2007-07-24)
The Latest: In all honesty, who knows? However…
An interesting happening this week, some ISP’s have been jacking the DNS entries for certain IRC networks to crack down on zombie/bot infections. (Darknet: TimeWarner DNS Hijacking IRC Servers to Stop DDoS Attacks)
Read that whole article from Darknet and you’ll get my drift. I see a connection between ISP’s trying to block “zombie/bot infections” and the last I heard on storm.worm varients.
Anyway, its obvious that whoever is running this game must be hell bent on something, but what?
I will keep everyone updated and post the source code for all the related malware to the “Storm Worm” as soon as I can find it. If you happen to find it before me, please post a link in the comments.