Storm Botnet
Original issue date: January 23, 2007
Updated: July 05, 2007
It has been observed that a trojan horse named Storm Worm is spreading widely through spam. The trojan arrives as an attachment to an e-mail with an empty body and varying subject lines that refer to specific events, as listed below.
The e-mail tricks users into opening the attachment by using sensational real or fake news as the subject. The first variant of the trojan was detected after the European storm event, using “230 dead as storm batters Europe” as the subject line of the spammed e-mails.
It tries to establish peer-to-peer communication on UDP port 4000 or 7871 with other infected machines in order to download and execute additional malware on the infected system and form a botnet. Note that the ports and IP addresses of the corresponding malicious systems may change with new variants.
Storm Worm continues to prevail as new variants emerge. The recent variants of Storm Worm are reported to spread by injecting themselves into blogs, web-based message forums and web-based mail services such as Hotmail, Gmail and Yahoo Mail. When a user posts a message to a blog or forum from an infected system, the trojan variant tries to inject itself by adding the text 'Have you seen this link?' together with a malicious link to the message; when an unaware user clicks the link, the machine is turned into a zombie and becomes part of the botnet. The infected machines can further be used for malicious activities such as DDoS attacks and spamming.
Aliases: TROJ_SMALL.EDW [Trend Micro], Trojan.Peacomm [Symantec], Troj/DwnLdr-FYD, Troj/Small-DOR, W32/Stormy.AB, Trojan-Downloader.Win32.Agent.bet, Downloader-BAI!M711, Downloader-BAI, Trojan-Downloader.Win32.Small.dam, Small.DAM [F-Secure]
The spammed e-mail has the following details:
Subject: (any of the following)
- 230 dead as storm batters Europe .
- A killer at 11, he's free at 21 and kill again!
- British Muslims Genocide
- Chinese missile shot down Russian satellite
- President of Russia Putin dead.
- Radical Muslim drinking enemies' blood.
- Russian missle shot down Chinese aircraft
- Russian missle shot down USA satellite
- Sadam Hussein safe and sound
- Fidel Castro dead
- Hugo Chavez dead.
- U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
Attachment: (any of the following)
- Full Story.exe
- Full Video.exe
- Read More.exe
- Video.exe
- Full Clip.exe
When the trojan is executed, it:
- drops the files peers.ini, wincom32.sys and wincom32.ini in the Windows system folder. The file wincom32.sys has rootkit capabilities that hide the trojan from detection; peers.ini is an encrypted P2P configuration file.
- registers itself as a service by adding the following registry entry, which ensures its execution at every startup:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32
- tries to open UDP port 4000 to communicate with other peers and exchange information such as an updated list of infected IP addresses, so as to build up a P2P network with the capability to download additional malware.
- tries to connect to various malicious URLs to download malicious files.
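The host and network indicators listed above (the dropped files, the wincom32 service entry and the peer-to-peer traffic on UDP 4000/7871) can be matched mechanically. The following Python script is an added example, not code from CERT-In or from any vendor write-up: it takes a system-folder listing, a service list and a set of flow records, all constructed for the example, and reports which indicators are present. The surge threshold of five distinct peers is an assumption made here; tune it to the size of the monitored network.

```python
# Added example (not CERT-In's code): matches the host and network indicators
# listed in this advisory against constructed sample data. The surge threshold
# and the sample records are assumptions made for the example.
from collections import defaultdict
from typing import Dict, List, Tuple

# Indicators taken from the advisory text.
DROPPED_FILES = {"peers.ini", "wincom32.sys", "wincom32.ini"}
SERVICE_NAME = "wincom32"          # HKLM\SYSTEM\CurrentControlSet\Services\wincom32
P2P_UDP_PORTS = {4000, 7871}

# Assumed threshold: a host talking to at least this many distinct peers on the
# P2P ports inside the observed window is reported as a surge.
PEER_THRESHOLD = 5

Flow = Tuple[str, str, str, int]   # (src_ip, proto, dst_ip, dst_port)


def check_system_folder(file_names: List[str]) -> List[str]:
    """Return the advisory-listed file names found in a system-folder listing."""
    present = {name.lower() for name in file_names}
    return sorted(DROPPED_FILES & present)


def check_services(service_names: List[str]) -> bool:
    """True if a service named wincom32 is registered on the host."""
    return any(name.lower() == SERVICE_NAME for name in service_names)


def find_p2p_surges(flows: List[Flow]) -> Dict[str, int]:
    """Count distinct destination peers per source on UDP 4000/7871 and
    return the sources that reach the threshold."""
    peers = defaultdict(set)
    for src, proto, dst, dport in flows:
        if proto.upper() == "UDP" and dport in P2P_UDP_PORTS:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()
            if len(dsts) >= PEER_THRESHOLD}


def assess_host(file_names: List[str], service_names: List[str],
                flows: List[Flow]) -> Dict[str, object]:
    """Combine the three checks into one report dictionary."""
    return {
        "dropped_files": check_system_folder(file_names),
        "service_registered": check_services(service_names),
        "p2p_surges": find_p2p_surges(flows),
    }


# Constructed sample data (not real observations). 192.0.2.0/24 is the
# documentation range; 10.0.0.0/8 stands in for the internal network.
SAMPLE_SYSTEM_FOLDER = ["kernel32.dll", "WINCOM32.SYS", "peers.ini", "ntdll.dll"]
SAMPLE_SERVICES = ["Dnscache", "wincom32", "Spooler"]
SAMPLE_FLOWS: List[Flow] = (
    [("10.0.0.5", "UDP", f"192.0.2.{i}", 4000) for i in range(1, 8)]  # 7 peers on 4000
    + [("10.0.0.9", "UDP", "192.0.2.50", 7871),                       # a single peer
       ("10.0.0.9", "TCP", "192.0.2.51", 80)]                         # ordinary web traffic
)

if __name__ == "__main__":
    print(assess_host(SAMPLE_SYSTEM_FOLDER, SAMPLE_SERVICES, SAMPLE_FLOWS))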
Updated: 05 July 2007
It has further been observed that a new wave of Storm variants is circulating in the wild. The recent variants of Storm Worm spread via e-mail with malicious links in the message body. The new variants use the subject lines mentioned below for propagation.
The subject lines used by the worm are the following:
You've received a postcard from a family member!
You've received a greeting postcard from a neighbor!
You've received a greeting postcard from a school mate!
You've received a greeting card from a worshipper!
Celebrate Your Independence
Independence Day At The Park
Fourth of July Party
American Pride, On The 4th
God Bless America
Happy B-Day USA
July 4th Family Day
Your Nations Birthday
July 4th B-B-Q Party
Happy 4th July
4th Of July Celebration
Fireworks on the 4th
Happy Birthday America
Independence Day Celebration
Celebrate Your Nation
Americas B-Day
America's 231 Birthday
July 4th Fireworks Show
America the Beautiful
Independence Day Party
America the beautiful
4th Of July Celebration
God Bless America
The e-mail body contains malicious links; when the user clicks one, the malware (a Storm Worm variant) is downloaded onto the system. The infected system is then used to send spam messages and to download further malware.
In view of the rapid propagation of the trojan variants, users are advised to implement the following countermeasures:
- Install and maintain updated anti-virus software at the gateway and desktop level.
- Filter e-mails with the above-mentioned subject lines and attachments at the gateway.
- Keep up-to-date on patches and fixes for the operating system and application software.
- Monitor traffic for surges on unusual ports.
- Exercise caution while opening e-mail attachments.
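The gateway filtering countermeasure above can be expressed as a small classifier over raw messages. The following Python script is an added example, not code from CERT-In or from any mail gateway product: it parses a message with the standard library, matches the subject line against the subject lines listed in this advisory, flags the listed attachment names (and any other .exe attachment), and looks for the injected 'Have you seen this link?' text. The sample messages, the tag names and the helper that builds them are constructed for the example; a real gateway would apply the same `classify` check to each message in transit.

```python
# Added example (not CERT-In's code): a gateway-style classifier that applies the
# filtering countermeasure above to raw RFC 822 messages, matching the subject
# lines and attachment names from this advisory and the injected
# 'Have you seen this link?' text. The sample messages are constructed.
from email import message_from_string
from email.message import EmailMessage
from typing import List, Optional


def _normalize(text: str) -> str:
    """Lower-case, collapse whitespace and drop trailing punctuation so that
    '230 dead as storm batters Europe .' matches its advisory listing."""
    return " ".join(text.lower().split()).rstrip(" .!")


# Subject lines taken from the advisory (January and July 2007 waves).
STORM_SUBJECTS = {_normalize(s) for s in [
    "230 dead as storm batters Europe .",
    "A killer at 11, he's free at 21 and kill again!",
    "British Muslims Genocide",
    "Chinese missile shot down Russian satellite",
    "President of Russia Putin dead.",
    "Russian missle shot down Chinese aircraft",
    "Russian missle shot down USA satellite",
    "Sadam Hussein safe and sound",
    "Fidel Castro dead",
    "Hugo Chavez dead.",
    "You've received a postcard from a family member!",
    "You've received a greeting postcard from a neighbor!",
    "Celebrate Your Independence",
    "Happy Birthday America",
    "God Bless America",
]}
# Attachment names taken from the advisory.
STORM_ATTACHMENTS = {"full story.exe", "full video.exe", "read more.exe",
                     "video.exe", "full clip.exe"}
INJECTED_TEXT = "have you seen this link?"


def classify(raw_message: str) -> List[str]:
    """Return the reasons a message matches the advisory's indicators
    (an empty list means no match)."""
    msg = message_from_string(raw_message)
    reasons: List[str] = []
    if _normalize(msg.get("Subject") or "") in STORM_SUBJECTS:
        reasons.append("known_subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if filename.lower() in STORM_ATTACHMENTS:
                reasons.append("known_attachment")
            elif filename.lower().endswith(".exe"):
                reasons.append("exe_attachment")
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            if INJECTED_TEXT in payload.decode("utf-8", errors="replace").lower():
                reasons.append("injected_link_text")
    return reasons


def should_quarantine(raw_message: str) -> bool:
    """Gateway decision: hold the message if any indicator matched."""
    return bool(classify(raw_message))


def build_sample(subject: str, body: str, attachment_name: Optional[str] = None) -> str:
    """Build a constructed test message; the attachment is a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder bytes, not an executable",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_string()


# Constructed samples: one January-wave style spam with an empty body and an
# executable attachment, one message carrying the injected text, one clean message.
SAMPLE_STORM = build_sample("230 dead as storm batters Europe .", "", "Full Story.exe")
SAMPLE_INJECTED = build_sample("Re: weekend plans",
                               "Have you seen this link? http://192.0.2.10/")
SAMPLE_CLEAN = build_sample("Quarterly report", "See attached.", "report.pdf")

if __name__ == "__main__":
    for name, raw in [("storm", SAMPLE_STORM), ("injected", SAMPLE_INJECTED),
                      ("clean", SAMPLE_CLEAN)]:
        print(name, classify(raw), should_quarantine(raw))
```

Subject matching is deliberately exact after normalization rather than a substring search, so that ordinary mail mentioning "God Bless America" inside a longer subject is not held; the attachment-name and injected-text checks carry the rest of the detection.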
Common Malware Enumeration CME ID: CME-711
References
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSMALL%2EEDW&VSect=T
http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-011917-1403-99&tabid=1
http://www.f-secure.com/v-descs/small_dam.shtml
http://www.f-secure.com/weblog/archives/archive-012007.html#00001088
http://www.f-secure.com/weblog/archives/archive-012007.html#00001089
http://www.f-secure.com/weblog/archives/archive-012007.html#00001087
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61992913-39000005c
http://www.networkworld.com/news/2007/022707-storm-virus-blogs.html?nltxsec=0226securityalert3&code=nlsecuritynewsal64135
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011903&source=NLT_PM&nlid=8
http://www.isc.sans.org/diary.html?storyid=3063
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003