Forecast - Massive Storms clouded by Rootkits
Friday, April 13th, 2007Update: July 9th 2007 - see Abnormal activity from your IP…yeah sure
Over the last 2 days there has been what seems to be a massive Virus outbreak caused by the Storm Worm. The Storm worm was first introduced to us January when large storms were battering Europe a worm was spammed out disguised as important news on the storm with subject lines like “230 dead as storm batters europe”.
The next time the Storm Worm was unleashed was around Valentines Day when emails pretending to be from a lover were spammed out to millions of people across the Internet. Then last weekend a new Storm surge was spammed out as news of World War 3 starting against Iran and love related subjects like “A kiss so gentle” or “I dream of you”.
The latest Storm run was seen on the radar about 6 PM GMT on Thursday and within 24 hours over 55 million emails were sent out by the Worm according to Postini, an email security company. This is over 60 times the normal rate for a “normal” 24 hour period.
The subject lines currently being used are:
Worm Detected!
Virus Detected!ected!
Virus Activity Detected!
ATTN!
Spyware Alert!
Spyware Detected!
Warning!
Trojan Alert!
Trojan Detected!
Worm Activity Detected!
Virus Alert!
The Body of the email may look similar to the following:
From: Customer Support
Dear Customer,
Our robot has detected an abnormal activity from your IP address on sending e-mails.
Probably it is connected with the last epidemic of a worm which does not have official patches at the moment. We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked. We had archived the patch because the worm can modify unpacked exe files. You should open the archive file, enter the password and run the patch immediately.
Password: {Random}
Customer Support Center Robot.
Attachment: Patch-{Random}.zip
Attachments:
It arrives with 2 attachments. One attachment is normally a gif, more about this later and the other attachment is a zip file with a password.
The format the zip files take is one of the following:
patch-[RANDOM 4 DIGITS].zip
removal-[5 RANDOM DIGITS].zip
hotfix-[5 RANDOM DIGITS].zip
bugfix-[5 RANDOM DIGITS].zip
The use of a password protected zip file is a new tactic used by the Storm Worm. Random numbers and letters are used for each attachment in the email that is sent out. The password for the attachment is given with the email. The file within the zip, when run, will install the Storm Worm on your PC and hide itself from Virus Scanners by using a Rootkit. The Rootkit component is wincom32.sys and from using anti rootkit software it can be seen to ensure its visibility by hooking the following:
Rootkit Elements:
SSDT
ZwEnumerateKey
C:\WINDOWS\system32\wincom32.sys
SSDT
ZwEnumerateValueKey
C:\WINDOWS\system32\wincom32.sys
SSDT
ZwQueryDirectoryFile
C:\WINDOWS\system32\wincom32.sys
IRP
\Driver\Tcpip->IRP_MJ_DEVICE_CONTROL
\\??\C:\WINDOWS\system32\wincom32.sys
and it also hides registry entries pointing to the wincom32.sys.
Although Anti Virus Scanners will not “see” these files you can get a dedicated Anti-Rootkit program from our Anti-Rootkit Software Page.
Anubis have an extremely in-depth analysis of a sample submitted to them.
http://analysis.seclab.tuwien.ac.at/result.php?taskid=0ce16256cab3e414c180082fafc8d4b4&refresh=1&embedded=1
Tactics:
The reason this particular Storm Worm run has become so massive is that the authors have employed some new tactics and some old trustworthy tactics.The new tactics include using an image file which has the text of the message. This means that anti virus scanners can not scan an email for suspicious text. This tactic has been recently employed by spammers to bypass anti spam mechanisms.
The tactic of the password zip file is not new and has been used in the past by many worms including the infamous Bagle. What is new to the Storm Worm is the polymorphic features of the code. Each worm is going to be slightly different so as to better avoid detection by anti virus email scanners.
The tactic of informing people that they have malware on their PC is not new either but it is effective. This is especially effective because of the limited run a few days before. This run got the Storm Worm in the media and then the Thursday run with all its new mechanisms may have piggy backed on the fear people may have that they are infected.
Behind the Scenes:
So what and who is behind the Storm Worm. It is thought that the worm is originating from Eastern Europe and is spammed out so as to get as many victims to start the ball rolling initially. The worm the spreads from PC to PC via its own email program using addresses from the users email address book. Once on a users PC the worm joins the PC up to a massive Botnet comprised of thousands of unsuspecting users PC’s. The Botnet is then used to send out massive amount of what is called Pump and Dump Spam. This is where Stock is advertised at low prices and it expectant value is very high. When unsuspecting users buy this stock they will help the price of the stock to go up. When the price of the stock goes up the Stock is sold off by the originator of the Pump and Dump spam at emmense profits.
The Storm Worm runs on Windows 98, ME, NT, 2000, XP, and Windows Server 2003.
The fact that this Storm run is so massive just goes to show that PC users all over the world are opening up encrypted zipped attachments from strangers and running the code. 
Keep Safe
regards
Steo
www.antirootkit.com
References:
The Eye of the Storm
Storm Worm blows up, breaks records
Consumer alert: Massive virus outbreak
Massive spam shot of ‘Storm Trojan’ reaches record proportions
rootkit