New Storm-Worm Rootkit creating Botnets

Some of you may have received an email today saying that “U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel” or that “230 dead as storm batters Europe”. If you did and clicked on the attachment then you have been infected by the Storm-Worm and your PC is now more than likely part of a Botnet.

Large volumes of the worm were spammed out early this morning, first to Europe and then to North America.

Some of the subjects of the spammed emails were crafted to coincide with current events in the news. The subjects included:

U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
230 dead as storm batters Europe.
British Muslims Genocide
Naked teens attack home director.
A killer at 11, he’s free at 21 and kill again!

The emails arrived with no text, only an attachment which appears to be a video of the event described in the subject.

The attachments may have any of the following filenames:
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe

When the attachment is run it drops a file called wincom32.sys which is a kernel mode rootkit.

It installs itself as a service with the name “wincom32” by creating the following registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32]

This kernel mode driver acts as an advanced payload injector, using sophisticated methods like those seen in Rustock.

The worm then tries to contact various IP addresses to report to the Botnet operators that the machine is infected. It is then placed on a list of infected machines so that spyware and other malware can be installed later, whenever the Botnet owner chooses. Machines that are unsuitable for the Botnet are placed on a separate list so that they are not visited again.

The type of Botnet being set up here is called a “Peer to Peer” Botnet. It is different from the usual “Command and Control” Botnet, and it shows that malware authors are taking a new direction with their Botnets: a Peer to Peer Botnet is harder to shut down than a Command and Control one.

References:
Trojan.Peacomm: Building a Peer-to-Peer Botnet
http://www.f-secure.com/v-descs/small_dam.shtml
YouTube Video showing the speed and extent of the spread of the Storm-Worm

Keep Safe
regards
Steo
www.antirootkit.com


2 Responses to “New Storm-Worm Rootkit creating Botnets”

  1. Anti Rootkit Blog » Blog Archive » Latest wincom32 peacomm rootkit has bugs Says:

    […] Anti Rootkit Blog Antirootkit Software, News, Articles and Forums « New Storm-Worm Rootkit creating Botnets […]

  2. cacanov web(r)log » Anti-rootkit, antirootkit tools, scanners Says:

    […] Over at the Anti Rootkit blog: New Storm-Worm Rootkit creating Botnets Steo does some more research on just how this rootkit does its deed. Interesting. […]
