This is a follow-up to an article I wrote about the Storm Worm in my blog a couple of days ago. That entry was meant to warn you about the new variations in the subjects and body text designed to trick you into getting your computer infected. This article presents a brief history and analysis of the methods used to infect computers, as well as a description of the actual payload, of the so-called "Storm Worm" Trojan downloader.
History of the Storm Worm Trojan
Distributed through massive blasts of spam emails, the threat now known as the "Storm Worm" Trojan-Downloader was first noticed in the wild in November 2006 and has gone through many external alterations since then, although the payload has remained basically the same. Various antivirus companies have labeled the variants with such names as: Win32/Nuwar, Trojan.Peacomm, Trojan-Downloader.Win32.Small.DAM, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13, Win32.Zhelatin, and of course: "Storm Worm."
The Trojan now called the "Storm Worm" got its name after a huge spam run on Friday, January 19, 2007, which used the subject line "230 dead as storm batters Europe" to trick people into clicking on links to supposedly read news articles and emergency bulletins about the terrible storms that ravaged Europe during that week. By the following Monday the Storm Worm accounted for 8% of all spam, on a global basis. It received even more notoriety when it was used by infected zombie computers, all members of a BotNet using the eDonkey/Overnet P2P protocol, to launch DDoS attacks against several well known anti-spam websites, from January through June, 2007. In fact, some of those attacks are still ongoing against Spamhaus and CastleCops.
How the Storm Worm is able to carry out such large scale attacks is directly related to its success in getting a huge installed base of zombie computers, with different security sources giving varying numbers of infected machines ranging from 2 to 20 million. Either number is too many. There are enough members of the Storm Worm Botnets to bring down an entire country! This has been done entirely by using social engineering tricks to deceive people into clicking on links in spam emails, which lead the victim to other infected computers, where they become infected and join the largest peer-to-peer Botnet ever assembled in the history of Botnets. Each new member of this network receives copies of the Storm Worm Trojan Downloader, a copy of the Nginx web server, an email address collection program, a spam sending program (SMTP server), a DDoS tool, and connection scripts related to the P2P node in which it has been enlisted. All of these machines are remote controlled by criminal masterminds, known as "BotMasters." The owners of this Botnet are suspected of residing in various parts of the former Soviet Union and are the most prolific spammers in the world.
Method of Infection
As I said in the previous paragraph, the Storm Worm spreads by tricking people into clicking on links to a web page hosted on an already infected computer, where they are then infected and zombified into the Botnet. There, they await remote control orders to do the bidding of the BotMaster. So how are these computers infected with the Worm/Trojan itself?
When a person using any version of Windows arrives at the fraudulent web page being hosted on a Storm Worm infected computer, there are two things that can occur, depending on whether or not the visitor's browser has JavaScript enabled (most do, by default).
- If JavaScript is disabled they will see a plain text message claiming that the website they want is undergoing some tests, or that an additional plug-in or applet is needed to view the content they were enticed with, followed by a text link to click to manually get or see the needed file or applet. Now, what should I do? It says to click here, but I don't know if I should or not... Oh well, I'll just try it real fast to see what it does and back out if it doesn't look right -> "Click" ... They just infected themselves with the Storm Worm! Idiots!
- If JavaScript is enabled a script will instantly redirect them to a foreign server which is acting as a Worm host for their Botnet node. Once there, their browser will be subjected to at least three attempts to exploit different known vulnerabilities in unpatched Windows computers. Chances are very good that one of these attempts will be successful, unless the computer is very well protected and completely up to date with all available Windows patches and Internet Explorer 7 with all patches installed. Older versions of Firefox may also be at risk (prior to 2.0.0.6), if JavaScript is enabled, because the script initiates a file download. If the victim arrives using an older, unsupported version of Windows (9x, ME, 2000 before SP4, or XP with SP1), or is running an invalid pirated copy of Windows XP, they will NOT be up to date with critical patches and WILL probably be infected immediately (except for Limited User or Power User accounts).
Now that we know how Windows computers get infected, what are some of the current social tricks being used to fool people into (A) opening the message, (B) reading it and (C) clicking on the obviously strange numeric link?
Subjects recently used in the Storm Worm e-mail messages include:
Postcard scams:
You've received a (postcard, ecard, greeting card) from a (Friend, Worshipper, Mate, Class-Mate, Family Member, etc).
Newest scam subjects as of mid-August, 2007:
Cat Lovers, Dated Confirmation, Internal Support, Internal Verification, Login Info, Login Information, Login Verification, Member Confirm, Member Details, Member Registration, Membership Details, Membership Support, New Member Confirmation, New User Confirmation, New User Details, New User Letter, New User Support, Poker World, Registration Confirmation, Registration Details, Secure Registration, Tech Department, Thank You For Joining, User Info, User Verification, Your Member Info, Welcome New Member
And the sender aliases have been:
Bartenders guide, Bartenders Guide, Coolpics, Dog lovers, Entertaining pics, Entertaining pros, Fun World, Free ringtones, Free web tools, Game Connect, Internet Dating, Job search pros, Joke-a-day, Mobile Fun, MP3 world, Net gambler, Net-jokes, Online hook-up, Poker world, Resume Hunters, Ringtone heaven, Web, Web cooking, Web connects, Webtunes, Wine Lovers
To learn more about the payload delivered when a PC is infected with the Storm Worm, read my extended comments...
The Payload
Once infected with the Storm Worm, a rootkit will be installed that uses a hidden driver file named "Wincom32.sys" that will be injected into the Windows system file "Services.exe" and set to run at startup as a Windows "Service." The Trojan may then hide the presence of the "device" service and its associated file. A file named "peers.ini" will be deposited into the Windows or Winnt (Win2000) directory, while another named "Wincom32.ini" will appear in the %System% directory (C:\Windows\System or C:\Windows\System32 or C:\Winnt\System32). In order to ensure two-way communications with the Bot Network peers, several UDP ports will be opened, including creating Windows XP Firewall exceptions, if required. However, they will require user approval where a third-party firewall like ZoneAlarm is used.
It may also reboot the computer without prompting when the threat is first executed, to start the "service" running and get your computer registered and operating on the P2P BotNet to which it is assigned. After joining its assigned Botnet node the newly enlisted PC will receive several payload files to use in various types of illegal activity. These include:
- game0.exe: Backdoor/downloader
- game1.exe: SMTP relay
- game2.exe: Email address stealer
- game3.exe: Email virus spreader
- game4.exe: DDoS attack tool
- game5.exe: Updated copy of Storm Worm dropper
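As an added example (not from the original post), here is a Python sweep that classifies a file listing of the Windows directory against the file names described above: peers.ini in the Windows directory, Wincom32.sys / Wincom32.ini in System or System32, and the game0.exe..game5.exe payloads. Because the rootkit hides its driver and service on the running system, the listing is assumed to come from an offline copy of the system volume; the sample listing is constructed, not captured from a real host.

```python
import os
import re

# Indicators named in the article, as paths relative to the Windows directory (%SystemRoot%):
# peers.ini directly in it, Wincom32.sys / Wincom32.ini in the System or System32 folder,
# and the game0.exe..game5.exe payload modules wherever they were dropped.
INDICATORS = (
    ("peers.ini in the Windows directory", re.compile(r"^peers\.ini$", re.I)),
    ("Wincom32 rootkit driver/config", re.compile(r"^system(32)?[\\/]wincom32\.(sys|ini)$", re.I)),
    ("Storm payload module", re.compile(r"^(.*[\\/])?game[0-5]\.exe$", re.I)),
)

def storm_indicators(rel_paths):
    """Match paths (relative to %SystemRoot%, either separator) against INDICATORS and
    return sorted (label, path) pairs. A hit is a reason to investigate the machine,
    not proof of infection by itself."""
    hits = set()
    for path in rel_paths:
        for label, pattern in INDICATORS:
            if pattern.match(path.strip()):
                hits.add((label, path))
    return sorted(hits)

def list_tree(windir):
    """Yield every file under windir as a path relative to it. Point this at an offline
    copy of the system volume (e.g. mounted from clean boot media): the article notes
    the rootkit hides its driver and service from the running system."""
    for root, _dirs, files in os.walk(windir):
        for name in files:
            yield os.path.relpath(os.path.join(root, name), windir)

# Constructed (hypothetical) listing used for the demonstration; not from a real host.
SAMPLE_LISTING = [
    "peers.ini",
    "System32\\Wincom32.sys",
    "System32\\wincom32.ini",
    "System32\\notepad.exe",
    "Temp\\game4.exe",
    "Temp\\game9.exe",
    "explorer.exe",
]
```

To run it against a mounted image, call `storm_indicators(list_tree(r"E:\Windows"))` with the path of the offline Windows directory.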
From that point onward, unless you are able to remove the rootkit and its component files, or have the threat removed professionally, your computer is not yours anymore. It now belongs to Comrades Boris Badenough and Natasha Darlinck, who are chuckling to themselves in Russian, singing "All your compooter are belong to us!"
Every now and then you may notice the hard drive whirring away and your modem activity lights going mad, but don't worry, it is just busy sending out about 1500 spam messages in 5 minute bursts. Nobody will notice. That is until somebody like me receives one of these scams and reports it to SpamCop, who in turn will trace the sending IP address and the time it was sent, and send a spam report to your ISP, who in turn will look up to whom that IP was assigned at that moment, and they will probably suspend your Internet connection until you get your computer disinfected and protected against future repeat performances.
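As an added example (not part of the original post), the two signals this article gives a mail administrator, the lure subject lines listed earlier and the bursts of roughly 1500 messages in 5 minutes, turned into a check over outbound mail-gateway log lines in Python. The log line layout and the IP addresses are constructed for the example and are not a real product's format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lure subjects quoted in the article (mid-August 2007 run), matched case-insensitively.
STORM_SUBJECTS = {s.lower() for s in (
    "Cat Lovers", "Dated Confirmation", "Internal Support", "Internal Verification", "Login Info",
    "Login Information", "Login Verification", "Member Confirm", "Member Details",
    "Member Registration", "Membership Details", "Membership Support", "New Member Confirmation",
    "New User Confirmation", "New User Details", "New User Letter", "New User Support", "Poker World",
    "Registration Confirmation", "Registration Details", "Secure Registration", "Tech Department",
    "Thank You For Joining", "User Info", "User Verification", "Your Member Info", "Welcome New Member")}
# The earlier postcard / e-card lure family from the same article.
POSTCARD_RE = re.compile(r"you've received an? (postcard|ecard|e-card|greeting card)", re.I)
# Constructed (hypothetical) log layout: ISO timestamp, src=<ip>, subject="<text>".
LINE_RE = re.compile(r'^(\S+) src=(\S+) subject="([^"]*)"')

def is_storm_lure(subject):
    """True when a subject matches one of the lures listed in the article."""
    return subject.strip().lower() in STORM_SUBJECTS or bool(POSTCARD_RE.search(subject))

def burst_sources(lines, window_seconds=300, threshold=1500):
    """Return {src_ip: (peak, lures)} for sources whose peak message count inside any
    sliding window of window_seconds reaches threshold (article: ~1500 per 5-minute
    burst); lures is how many of that source's subjects are known Storm lures."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    flagged = {}
    for src, ev in events.items():
        ev.sort()
        peak = start = 0
        for end in range(len(ev)):  # slide start forward until the window fits
            while (ev[end][0] - ev[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = (peak, sum(1 for _, subj in ev if is_storm_lure(subj)))
    return flagged

# Constructed sample: one host sends five lures inside five minutes plus a later ordinary
# message; a second host sends a single ordinary message.
SAMPLE_LOG = [
    '2007-08-15T10:00:00 src=192.0.2.10 subject="Thank You For Joining"',
    '2007-08-15T10:00:30 src=192.0.2.10 subject="Poker World"',
    '2007-08-15T10:01:00 src=192.0.2.10 subject="Login Verification"',
    '2007-08-15T10:02:00 src=192.0.2.10 subject="You\'ve received a postcard from a Worshipper"',
    '2007-08-15T10:04:30 src=192.0.2.10 subject="Member Details"',
    '2007-08-15T10:20:00 src=192.0.2.10 subject="Weekly report"',
    '2007-08-15T10:05:00 src=198.51.100.7 subject="Lunch on Friday?"',
]
```

With the article's default threshold of 1500 the tiny sample flags nothing; lowering the threshold (as the tests do) shows how a single host's burst and lure count surface together.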