Storm Worm Update: I Hate To Say I Told You So…

8 10 2007

Anyone remember this article I wrote back in July:  STORM WORM: LARGEST ATTACK IN TWO YEARS, BUT WHY?
Well, it looks like I was correct in being concerned that the Storm Worm and its resulting botnets could become even more of a problem even though the code was so old.  Now this nasty little trojan has a brand new bag:

Storm Worm Descends on Blogspot
It seems like spammers, scammers, phishers and now malware authors are starting to leverage blogs more and more, especially Blogger/Blogspot, as Google tends to be quite slow in responding and sometimes doesn’t respond at all.

This makes it an ideal platform for dodgy behaviour as the crooks have adequate lead time to con/infect people before they get shut down.

In this case Blogspot was used as the platform to propagate malicious messages by the Storm worm; people clicking these messages were liable to infection.

Source – Darknet – The Darkside

Notice what I underlined there.  Darknet sees a growing threat from Splogs.  I see that threat mixed with Storm Worm, and I say, “I knew Storm Worm would only become a larger problem”.  I still don’t know why though, beyond the basic malicious crap people do.

There are probably millions of undetectable variants of the Storm Worm trojan.  I am sure that the growing power of the extremely slippery botnets, that Storm Worm is used to create, will eventually do something very big and very naughty.  I don’t know how or why or what will happen, but if unchecked, something really BIG is going to come crashing down on some rather large target, maybe even a government.

I know it seems like I keep saying “THE SKY IS FALLING”, but I’m not.  I am only saying that there is the potential for “the sky to fall” if security companies and professionals don’t create a foolproof definition to stop all the Storm Worm variants and the botnets it creates.

Just in case you were wondering: no, I do not have the knowledge to create this “foolproof definition”, nor do I know how much work or how possible it could be.

Keep your eyes open, and don’t click on random crap.

Luciano Pavarotti Dies At Age 71

6 09 2007

The world mourns for a great voice that has been eternally silenced.

Hundreds of people gathered Thursday night in Modena’s main piazza to pay final respects to Luciano Pavarotti, whose vibrant high Cs and ebullient showmanship made him the most beloved and celebrated tenor since Caruso. Pavarotti had been diagnosed with pancreatic cancer last year and underwent further treatment in August 2007.

Source – Yahoo News

If you don’t happen to understand the pain of such a loss to supporters of the Arts, then I suggest you find a copy of Pavarotti’s rendition of Nessun Dorma.

Rest in peace Luciano.  You will be remembered, and you will be remembered well.

KOS “We Are Going To Hit Iran. Bigtime.” GONE!?!?

3 09 2007

We Are Going To Hit Iran. Bigtime.  An article on Daily KOS that has caused quite a buzz on the intarweb is gone?

Anyone know what happened????

Oh well, you can still track the story HERE:

Anyhew, I was just poking around and I can’t find out where or why the article is just gone…

W32.Deletemusic – Erases Your MP3s No Matter Where You Store Them

3 08 2007

Another great article from Ars Technica entitled, “Average PC is a smorgasbord for a new MP3-eating trojan” points out that all your MP3s may be in danger.

Source – ARSTechnica

[…] an avid MP3 collector in the butt if a new worm makes its way into their computers. A newly-uncovered worm called W32.Deletemusic does exactly what its name implies—it goes through a PC and deletes all MP3 files in sight. And that’s it. Simultaneously low-threat and highly annoying, the worm makes its way from computer to computer by spreading itself onto all attached drives of a given PC, including flash drives and removable media.

Obviously the W32 prefix leaves us Linux and Mac users in the clear, but the Windows folks out there should keep their guard up.  Make sure you have your anti-virus apps up to date with the latest definitions and, as always, watch what you download and which emails you open.

Keep it secret.  Keep it safe!

Storm Worm: Largest Attack In Two Years, But Why?

26 07 2007

If you haven’t heard already, there’s an old worm in town with several new variants.  This is not w32.storm.worm, so don’t get all confused by the name.  As per some recent articles, here is just how naughty this little worm is (my comments in RED):

The “Official” Definition:

1st The Wiki:  The Storm Worm (dubbed so by Finnish company F-Secure, alias: Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13[1]; other names, given by antivirus vendors: Downloader-BAI (McAfee), Troj/Dorf-Fam (Sophos), Trojan.Peacomm (Symantec), TROJ_SMALL.EDW or CME-711 (Trend Micro), Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)) is a backdoor[2][3] Trojan horse, identified as Small.dam,[1][4][5] discovered on January 17, 2007.[1] The Storm Worm infected thousands of computers (mostly private) in Europe and the United States on Friday, January 19, 2007 using a topical e-mail message with the subject “230 dead as storm batters Europe”.[6][7] During the weekend there were six subsequent waves of the attack.[8] As of Monday, January 22, the Storm Worm accounted for 8% of all infections globally.[9]

[…]When an attachment is opened (!not anymore! see the Information Week article below), the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm.[11]

2nd Symantec

Discovered: January 19, 2007

Updated: January 19, 2007 6:52:29 PM

Also Known As: Small.DAM [F-Secure], CME-711 [Common Malware Enumeration], Troj/Dorf-Fam [Sophos], Downloader-BAI!M711 [McAfee], TROJ_SMALL.EDW [Trend], W32/Tibs [Norman], Troj/Dorf-J [Sophos]

Type: Trojan

Infection Length: 29,347 bytes; 30,720 bytes; 32,387 bytes; 34,816 bytes (varies)

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Trojan.Peacomm is a Trojan horse that drops a driver program file to download another program (AGAIN !not anymore! see IW article below). It is reportedly attached to spammed email. It may also be dropped by W32.Mixor.Q@mm.

The Kinda Old News:

For 24 hours in mid-January, stock-fraud investigation site StockPatrol disappeared from the Internet, overwhelmed by a massive flood of Web requests coming from thousands of sources.

[…] Highlighting another trend, bot nets created with the program use peer-to-peer communication to make shutting down the illicit networks much more difficult. Typically, bot nets last no more than a day after their command-and-control server is identified. The peer-to-peer component of the Storm Worm enables its bot nets to reconstitute themselves after the central server is taken down.   (SecurityFocus 2007-02-16)

The New..ish News:

Storm worm authors are blasting the Internet with two types of attacks (mainly spam: e-Cards and Phoney Virus Alerts), and both are aimed at building up their botnet.

[…] The viruses are not embedded in the e-mails or in attachments. The e-mails, many of them otherwise empty, contain a link to a compromised Web site where machines are infected with a generic downloader. (TOLD YA. NOTE THE BIG CHANGE IN TACTICS. No malware in the e-mail means no virus filtering problem.)  This helps pull the computers into the malware authors’ growing botnet, while also leaving them open for further infection at a later date.  (InformationWeek 2007-07-24)
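The tactic the InformationWeek quote describes (no attachment, an otherwise empty message, and a link to a compromised site) is exactly the shape a mail gateway can score on even when there is nothing for a virus scanner to match. The following is an added example written for this page, not code from the post or from any of the quoted sources: a small heuristic triage that scores messages on that shape over a constructed sample mailbox. The subject keywords (the e-Card and virus-alert lure themes named above), the word-count and flag thresholds, and the bare-IP-address check are assumptions chosen for illustration.

```python
"""Heuristic triage for link-only lure e-mails (added example, not from the post).

Scores a message on the shape the quoted article describes: no attachment,
little or no body text, and a link the reader is meant to follow.  Subject
keywords, thresholds and the bare-IP check are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Lure themes named in the post: e-Cards and phoney virus alerts.
LURE_SUBJECT_RE = re.compile(
    r"\b(e-?card|greeting card|virus alert|worm alert|security (alert|update))\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Assumed thresholds for the example.
SHORT_BODY_WORDS = 15
FLAG_THRESHOLD = 4


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def score_link_lure(msg: Message):
    """Return (score, reasons) for one message. Higher means more lure-like."""
    score, reasons = 0, []
    urls = URL_RE.findall(msg.body)

    if LURE_SUBJECT_RE.search(msg.subject):
        score += 2
        reasons.append("subject matches e-card/virus-alert lure theme")

    # The defining shape: nothing attached, but a link to follow.
    if urls and not msg.attachments:
        score += 2
        reasons.append("link present with no attachment")

    # "many of them otherwise empty": little text once the URLs are removed.
    words = URL_RE.sub(" ", msg.body).split()
    if urls and len(words) < SHORT_BODY_WORDS:
        score += 1
        reasons.append(f"body is near-empty apart from the link ({len(words)} words)")

    # Assumed extra signal: the link points at a raw IP address, not a hostname.
    for url in urls:
        host = urlparse(url).hostname or ""
        if DOTTED_QUAD_RE.match(host):
            score += 1
            reasons.append(f"link host is a bare IP address ({host})")
            break

    return score, reasons


def triage(messages):
    """Return the subjects of messages scoring at or above FLAG_THRESHOLD."""
    return [m.subject for m in messages if score_link_lure(m)[0] >= FLAG_THRESHOLD]


# Constructed sample mailbox (not real captured messages; documentation IPs).
SAMPLE_MAILBOX = [
    Message("You've received an E-Card!",
            "Hi. Your friend sent you a card. Pick it up here: http://192.0.2.10/ecard.exe"),
    Message("Virus Alert!", "http://203.0.113.5/"),
    Message("Q3 budget meeting",
            "Hi all, please find the agenda attached. Let's review the figures before "
            "Thursday and bring your questions.",
            attachments=["agenda.pdf"]),
    Message("Monthly newsletter",
            "This month we cover the new release, a look back at the conference, "
            "and a roundup of community contributions. Read the full issue at "
            "http://newsletter.example.com/issue-7 and let us know what you think."),
]

if __name__ == "__main__":
    for m in SAMPLE_MAILBOX:
        s, why = score_link_lure(m)
        verdict = "FLAG" if s >= FLAG_THRESHOLD else "ok"
        print(f"{s:>2}  {verdict:<4} {m.subject!r}  {why}")
```

Run as-is, the two lure-shaped messages score 6 and are flagged, the newsletter scores 2 for carrying a link without an attachment but has enough real text to stay below the threshold, and the meeting invite with its PDF scores 0. A real gateway would feed these reasons into its existing quarantine or tagging policy rather than blocking on them alone.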

The Latest: In all honesty, who knows?  However…

An interesting happening this week: some ISPs have been jacking the DNS entries for certain IRC networks to crack down on zombie/bot infections. (Darknet: TimeWarner DNS Hijacking IRC Servers to Stop DDoS Attacks)

Read that whole article from Darknet and you’ll get my drift.  I see a connection between ISPs trying to block “zombie/bot infections” and the last I heard on storm.worm variants.

Anyway, it’s obvious that whoever is running this game must be hell bent on something, but what?

I will keep everyone updated and post the source code for all the related malware to the “Storm Worm” as soon as I can find it.  If you happen to find it before me, please post a link in the comments.