

'Storm Worm' slithers on

Tom Espiner ZDNet.co.uk

Published: 22 Jan 2007 14:06 GMT


Security vendors believe that many home users have been infected by a large-scale, sustained Trojan attack that ran over the weekend.

The Trojan, named "Storm Worm" by antivirus vendor F-Secure, first began to spread on Friday as extreme storms engulfed Europe. The emails claimed to carry breaking news about the weather, in an attempt to get recipients to download and run an executable file.

Over the weekend there were six further waves of the attack, each email attempting to lure users into downloading an executable by promising a topical news story. Some emails purported to carry news of an as-yet-unconfirmed Chinese missile test against one of China's own weather satellites; others reported that Fidel Castro had died.

Each new wave of emails carried a different version of the Trojan, according to F-Secure. Each version could also update itself, in an attempt to stay ahead of antivirus signatures.

"When they first came out, these files were pretty much undetectable by most antivirus programs," said Mikko Hypponen, director of antivirus research at F-Secure. "The bad guys are putting a lot of effort into it — they were putting out updates hour after hour."

Because most businesses strip executable attachments from incoming email, Hypponen said he expected that companies would not be badly affected by the attacks.

However, F-Secure said that hundreds of thousands of home-user computers could have been affected across the globe.

Once a user runs the downloaded executable, it opens a backdoor that allows the machine to be controlled remotely and installs a rootkit that hides the malicious program. The compromised machine becomes a zombie in a network called a botnet. Most botnets are currently controlled through a central server, which, if located, can be taken down to disable the whole botnet. This particular Trojan, however, seeds a botnet that behaves like a peer-to-peer network, with no centralised control.

Each compromised machine holds a list of only a small subset of the botnet, around 30 to 35 other infected machines, and connects to those. Infected hosts exchange their peer lists with one another, but no single machine ever holds a full list of the botnet; each has only a subset, which makes it difficult to gauge the true extent of the zombie network.
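To see why the design F-Secure describes is harder both to dismantle and to measure, here is a small simulation written for this article; it is not code from F-Secure, Sophos or the Trojan itself, and the page does not describe Storm Worm's actual protocol. It models the two designs the article contrasts, a central server that every bot reports to versus a network in which each bot knows only 30 to 35 random peers, takes down the central server in one and 40% of the bots in the other, and then enumerates the peer-to-peer network by crawling peer lists outward from a single infected host. Uniform random peer selection and a uniform takedown pattern are assumptions of the model.

```python
import random
from collections import deque
from typing import Dict, Set

PEER_LIST_MIN, PEER_LIST_MAX = 30, 35  # per-bot peer-list size reported in the article

Botnet = Dict[int, Set[int]]  # bot id -> ids of the hosts that bot knows how to reach


def build_central_botnet(n: int) -> Botnet:
    """Classic design: every bot knows exactly one address, the C&C server (id n)."""
    c2 = n
    return {bot: {c2} for bot in range(n)}


def build_p2p_botnet(n: int, rng: random.Random) -> Botnet:
    """Storm-style design (as modelled here): each bot knows a random 30-35 peers."""
    botnet: Botnet = {}
    for bot in range(n):
        want = rng.randint(PEER_LIST_MIN, PEER_LIST_MAX)
        peers: Set[int] = set()
        while len(peers) < want:
            candidate = rng.randrange(n)
            if candidate != bot:
                peers.add(candidate)
        botnet[bot] = peers
    return botnet


def fraction_still_reachable(botnet: Botnet, taken_down: Set[int]) -> float:
    """Share of surviving bots that still have at least one live contact
    after every host in `taken_down` has been removed."""
    survivors = [b for b in botnet if b not in taken_down]
    if not survivors:
        return 0.0
    connected = sum(1 for b in survivors if botnet[b] - taken_down)
    return connected / len(survivors)


def crawl(botnet: Botnet, seed: int) -> Set[int]:
    """Enumerate the botnet the way a researcher would: start from one infected
    host's peer list and keep asking each newly found peer for its own list."""
    seen = {seed}
    queue = deque([seed])
    while queue:
        bot = queue.popleft()
        for peer in botnet.get(bot, ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def run_demo(n: int = 2000, seed: int = 7) -> dict:
    """Compare both designs on a constructed botnet of n bots; seeded for repeatability."""
    rng = random.Random(seed)
    central = build_central_botnet(n)
    p2p = build_p2p_botnet(n, rng)
    knocked_out = set(rng.sample(range(n), n * 2 // 5))  # 40% of the P2P bots
    return {
        "central_after_c2_takedown": fraction_still_reachable(central, {n}),
        "p2p_after_40pct_takedown": fraction_still_reachable(p2p, knocked_out),
        "single_bot_view": len(p2p[0]),
        "crawled_from_one_bot": len(crawl(p2p, 0)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Taking out the central server leaves every surviving bot with nobody to talk to, while removing 40% of the peer-to-peer bots leaves virtually every survivor with live peers, because a bot would have to lose all 30-odd of its contacts at once. The crawl shows the flip side of the article's point: a single bot sees only its own peer list, so one sample says nothing about the botnet's size, but a researcher who keeps asking every discovered peer for its list recovers nearly the whole network in this model.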

This is not the first botnet to use these techniques, but Hypponen called this type of botnet "a worrying development".

Antivirus vendor Sophos called Storm Worm the "first big attack of 2007", with code being spammed out from hundreds of countries. Graham Cluley, senior technology consultant for Sophos, said the company expected more attacks over the coming days, and that the botnet would most likely be hired out for spamming, adware propagation, or be sold to extortionists to launch distributed denial-of-service attacks.

The recent trend has been towards highly targeted attacks on individual institutions, which makes a mass campaign on this scale unusual. Mail security vendor MessageLabs described the campaign as "very aggressive" and said the gang responsible was probably a new entrant to the scene, hoping to make its mark.

None of the anti-malware companies interviewed said they knew who was responsible for the attacks, or where they had been launched from.
