
Storm worm botnet


Furby
10-28-2007, 02:01 PM
For those not in the know, the storm worm is a back door Trojan horse (whose origins are traced to around January 2007) that has been generating a lot of media attention lately.

What is it?

a Trojan that arrives on the system as attachment file to spam emails. Small.DAM loads a malicious service named "wincom32" in the affected machine.

Taken from here (http://www.f-secure.com/v-descs/small_dam.shtml).

How does it spread?

As mentioned above, mostly through emails as an attachment. It requires users to actively execute the file. The first emails had the subject line "230 dead as storm batters Europe", hence the name. Subsequent variants include "Radical Muslim drinking enemies's blood." and "Saddam Hussein safe and sound!".

The authors have found some very innovative ways to lure and entice users, for example, advertising the attachment as a "football tracking program" during NFL opening week.

What does it do?

An infected computer is turned into a zombie (no, it's not going to start hungering for brains). Most of the time the worm is inactive; it may wake up periodically and spam your friends with more copies of itself, or it may just stand by and wait for commands from its controllers. Because it is so silent, most users will not detect its presence, thus ensuring that it has a higher chance of spreading.

How many computers have been infected?

The infected computers form a sort of botnet, linked to each other by the worm. Some estimates think the botnet could be as large as 50 million computers; more conservative ones place it at around 1 million.

The botnet is reportedly more powerful than top supercomputers (http://www.informationweek.com/news/201804528). (This is probably not a good comparison, as supercomputers function differently from grid computing depending on how well the computation task can be parallelized.) It is said that the botnet is powerful enough to take entire countries off the net.

What has the botnet done so far?

Nothing much as of yet. The controllers seem to be waiting for it to gather strength and then launch phase II (whatever that is).

A researcher has reported the possibility that the owners are trying to slice the botnet into portions and sell the compromised computers to spammers and denial-of-service attackers. This is his conclusion after findings that encryption was added to secure the command-and-control traffic between the bot herder and some bots.

What is so scary about the Storm worm?

The Storm worm spreads like the typical worm; what is unique about it is that it actively defends itself against anti-spam companies trying to research infected networks. It does this by coordinating portions of the botnet and then launching a massive Distributed Denial-of-Service attack on said companies.

Recently, the storm worm has also added another weapon to its arsenal. From Storm Worm Botnet Lobotomizing Anti-Virus Programs (http://www.propeller.com/viewstory/2007/10/24/storm-worm-botnet-lobotomizing-anti-virus-programs/?url=http%3A%2F%2Fwww.eweek.com%2Farticle2%2F0%2C1759%2C2205606%2C00.asp&frame=true):

Instead of killing anti-virus products on target systems, it's now doing a hot fix with a memory patch to render resident AV products brain-dead.

Basically, you have a worm that not only hides itself from installed AV programs but also retaliates against researchers trying to contain it. Unlike other viruses/worms which disable the resident AV software - thus giving some indication to the user that something is not right - the worm lets the program continue running but renders it useless.

What is the good news?

At least one researcher thinks that the botnet has been steadily shrinking after antivirus vendors began stepping up their tracking of Storm variants and got a lot better at identifying and cleaning up infected computers.

He estimates that after Microsoft added Storm detection into its Malicious Software Removal Tool, the botnet shrank by another 20% overnight.

The current size of Storm is about 20,000 infected PCs available at any one time, out of a total network of about 160,000 computers.

What happens when the Storm botnet reaches a size of 150 million computers?

Researchers think that this is the point of critical mass where the Storm botnet (aka StormNet) will become self-aware. Scientists differ in opinion on whether its first actions would be to

1. Hack into and take over the nuclear launch facilities of the US and Russia and then launch a pre-emptive strike against human civilization,
or
2. Create an army of killer robots to subjugate the human race and turn them into brain-in-vats for the purpose of supplying biofuel to itself.

Okay, I admit it, I made that last bit up. :P

But
10-28-2007, 04:19 PM
Bloody bastards!

That was MY idea! :madrant:

Loren Pechtel
10-28-2007, 07:54 PM
I think we need to do something like have a penalty for infecting a machine of an hour in jail.

Before you say it's just a slap on the wrist, consider how many machines a good virus infects.