The Storm superworm
No this isn’t a security bulletin but if you’re thinking that your computer is safe from viruses and malware, think again.
What is Storm?
If you’ve been seeing floods of emails and IM messages that try to get you to click links that say, “Interesting Pics,” “Watch this video,” “Funny Pics here,” etc then you’ve seen how the Storm worm spreads. These hoax messages direct victims to a site and prompt them to install an “applet.” This applet is actually Storm Worm itself.
Although it’s most commonly called a worm, Storm is really more advanced than that; a worm, a Trojan horse and a bot all rolled into one. It’s also the most successful example of a new breed of worm, and there are estimates that between 1 million and 50 million computers have been infected worldwide.
Profit is the main driving force for the birth of powerful worms like Storm. Unlike normal malware, they spread more subtly, and you don’t realize the infection until it’s already too late.
Here’s a list of why Storm is so deadly:
- Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.
- Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties.
- Storm doesn’t cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won’t notice any abnormal behavior most of the time.
- Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn’t have a centralized control point, and thus can’t be shut down that way.This technique has other advantages, too. Companies that monitor net activity can detect traffic anomalies with a centralized C2 point, but distributed C2 doesn’t show up as a spike. Communications are much harder to detect.One standard method of tracking root C2 servers is to put an infected host through a memory debugger and figure out where its orders are coming from. This won’t work with Storm: An infected host may only know about a small fraction of infected hosts — 25-30 at a time — and those hosts are an unknown number of hops away from the primary C2 servers.
And even if a C2 node is taken down, the system doesn’t suffer. Like a hydra with many heads, Storm’s C2 structure is distributed.
- Not only are the C2 servers distributed, but they also hide behind a constantly changing DNS technique called “fast flux.” So even if a compromised host is isolated and debugged, and a C2 server identified through the cloud, by that time it may no longer be active.
- Storm’s payload — the code it uses to spread — morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective.
- Storm’s delivery mechanism also changes regularly. Storm started out as PDF spam, then its programmers started using e-cards and YouTube invites — anything to entice users to click on a phony link. Storm also started posting blog-comment spam, again trying to trick viewers into clicking infected links. While these sorts of things are pretty standard worm tactics, it does highlight how Storm is constantly shifting at all levels.
- The Storm e-mail also changes all the time, leveraging social engineering techniques. There are always new subject lines and new enticing text: “A killer at 11, he’s free at 21 and …,” “football tracking program” on NFL opening weekend, and major storm and hurricane warnings. Storm’s programmers are very good at preying on human nature.
- Last month, Storm began attacking anti-spam sites focused on identifying it — spamhaus.org, 419eater and so on — and the personal website of Joe Stewart, who published an analysis of Storm. I am reminded of a basic theory of war: Take out your enemy’s reconnaissance. Or a basic theory of urban gangs and some governments: Make sure others know not to mess with you.
What’s so bad about Storm is that people, even experts in the field, have no idea how to deal with it. It’s been lurking around the internet gobbling up computers and the antivirus companies have done little to stop it’s growth. More so we have no idea as to who is behind the controls of the Storm bot. Speculations floating around state that they’re Russian. One thing that’s certain however is that these programmers are highly skilled, and continues development on Storm upgrading it’s ability to evade antivirus programs and how quickly it spreads.
How can I verify if my computer is infected?
The best that current Antivirus programs can do is to identify parts of it. If your antivirus program finds anything from this following list on your computer, you have been infected by Storm Worm and you must address the problem immediately:
- Agent
- Crypt.XPACK
- Dorf
- Downloader-BAI
- Dropper.gen6
- Fathom
- Fuclip
- Groan
- Killer.Ecard
- Nuwar
- Packed.13
- Packed.142
- Packed.145
- Peacoan
- Peacomm
- Peed
- Rootkit.47744
- Rootkit.dam
- Sintun
- Small
- Sploder
- Stormworm
- Tibs
- Trojan.Spambot
- TR/Patched
- Win32.Spamtool
- Zhelatin
What can I do if my computer is infected?
As of the moment, I can recall only two options for you if you do get infected:
- Remove the virus. There are three ways to do this:
- Some (and I stress on SOME) variations will be detected and removed by the latest Microsoft Windows Update. Run Windows Update and install the latest patches, or specifically, download and install the September Microsoft Windows Software Removal Tool at the Microsoft Download Center. More information can be found on Microsoft’s Knowledgebase Article 890830.
- Some antivirus software with updated virus definition files may be able to detect and remove parts of the Storm Worm viruses.
- Reformat your computer. This involves wiping all your data off of the hard drive and reinstalling your operating system. It is strongly recommended that you see professional help if you’re not comfortable tinkering with your PC.
Comment ( 1 )
Have Something To Say ?