Storm Worm
{{short description|Backdoor Trojan horse found in Windows}}
{{distinguish|W32/Storm.worm}}
The Storm Worm (dubbed so by the Finnish company F-Secure) is a phishing backdoor{{cite news |script-title=ru:"Штормовой червь" атакует Интернет|url= http://techlabs.by/news/software/14286.html|first=Александр |last=Шуб |accessdate= 2007-01-20|language=ru}}{{cite news |title= 'Storm Worm' Continues to Spread Around Globe|url= https://www.foxnews.com/story/storm-worm-continues-to-spread-around-globe|publisher=FOXNews.com |first=Brian |last=Prince |date= January 26, 2007|access-date= 2007-01-27}} Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. (Symantec detected it as Trojan.Packed.8; LiveUpdate definitions also identified it as Trojan.Peacomm.{{cite news |title= "Storm worm" sloshes through the internet|url= http://www.heise-online.co.uk/security/Storm-worm-sloshes-through-the-internet--/news/83990|date= 2007-01-19 |accessdate= 2007-01-20}}) The worm is also known as:
- Small.dam or Trojan-Downloader.Win32.Small.dam (F-Secure)
- CME-711 (MITRE)
- W32/Nuwar@MM and Downloader-BAI (specific variant) (McAfee)
- Troj/Dorf and Mal/Dorf (Sophos)
- Trojan.DL.Tibs.Gen!Pac13{{cite web |title= F-Secure Trojan Information Pages: Small.DAM |url= http://www.f-secure.com/v-descs/small_dam.shtml |accessdate= 2007-01-25}}
- Trojan.Downloader-647
- Trojan.Peacomm (Symantec)
- TROJ_SMALL.EDW (Trend Micro)
- Win32/Nuwar (ESET)
- Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)
- W32/Zhelatin (F-Secure and Kaspersky)
- Trojan.Peed, Trojan.Tibs (BitDefender)
The Storm Worm began attacking thousands of (mostly private) computers in Europe and the United States on Friday, January 19, 2007, using an e-mail message with a subject line about a recent weather disaster, "230 dead as storm batters Europe".{{cite news |title= Storm chaos prompts virus surge |url= http://news.bbc.co.uk/1/hi/technology/6278079.stm|date= 19 January 2007|accessdate= 2007-01-19 | work=BBC News}} During the weekend there were six subsequent waves of the attack.{{cite news |title= 'Storm Worm' slithers on|url= http://news.zdnet.co.uk/security/0,1000000189,39285565,00.htm|publisher=ZDNet |first=Tom |last=Espiner |date= 22 January 2007|accessdate= 2007-01-22}} As of January 22, 2007, the Storm Worm accounted for 8% of all malware infections globally.{{cite news |title= 'Storm' Spam Surges, Infections Climb |url= http://www.informationweek.com/news/showArticle.jhtml?articleID=196902579|publisher=InformationWeek |first=Gregg |last=Keizer |date= January 22, 2007|accessdate= 2007-01-22}}
There is evidence, according to PCWorld, that the Storm Worm was of Russian origin, possibly traceable to the Russian Business Network.{{cite web |title=The Internet's Public Enemy Number One |url=http://www.pcworld.com/article/138694/the_internets_public_enemy_number_one.html|work=PCWorld|archiveurl=https://web.archive.org/web/20090316190244/https://www.pcworld.com/article/138694/the_internets_public_enemy_number_one.html|archivedate=2009-03-16}}
History
Originally propagated in messages about Cyclone Kyrill, the Storm Worm has also been seen in emails with the following subjects:{{cite web |title=Trojan.Peacomm |url= http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99|first=Masaki |last=Suenaga |date=January 22, 2007|accessdate= 2007-01-22|url-status=dead|archive-url=https://web.archive.org/web/20190629011042/https://www.symantec.com/security-center/writeup/2007-011917-1403-99|archive-date=29 June 2019}}
{{quote box
| quote = "During our tests we saw an infected machine sending a burst of almost 1,800 emails in a five-minute period and then it just stopped."
| source = –Amado Hidalgo, a researcher with Symantec's security response group.{{cite news |title= 'Storm' Trojan Hits 1.6 Million PCs; Vista May Be Vulnerable |url= https://www.informationweek.com/software/-storm-trojan-hits-1-6-million-pcs-vista-may-be-vulnerable|publisher=InformationWeek |first=Gregg |last=Keizer |date= January 23, 2007|accessdate= 2021-10-06}}
| width = 40%
}}
- 230 dead as storm batters Europe. [The worm was dubbed "Storm" because of this message subject.]
- A killer at 11, he's free at 21 and kill again!
- U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
- British Muslims Genocide
- Naked teens attack home director.
- Re: Your text
- Radical Muslim drinking enemies' blood.
- Chinese/Russian missile shot down Russian/Chinese satellite/aircraft
- Saddam Hussein safe and sound!
- Saddam Hussein alive!
- Venezuelan leader: "Let's the War beginning".
- Fidel Castro dead.
- If I Knew
- FBI vs. Facebook
- USA occupies Iran
When an attachment is opened, the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm. The Trojan piggybacks on the spam with names such as "postcard.exe" and "Flash Postcard.exe," with more changes from the original wave as the attack mutates. Some of the known names for the attachments include:
- Postcard.exe
- ecard.exe
- FullVideo.exe
- Full Story.exe
- Video.exe
- Read More.exe
- FullClip.exe
- GreetingPostcard.exe
- MoreHere.exe
- FlashPostcard.exe
- GreetingCard.exe
- ClickHere.exe
- ReadMore.exe
- FlashPostcard.exe
- FullNews.exe
- NflStatTracker.exe
- ArcadeWorld.exe
- ArcadeWorldGame.exe
Later, as F-Secure confirmed, the malware began spreading with subjects such as "Love birds" and "Touched by Love". These emails contain links to websites hosting some of the following files, which are confirmed to contain the virus:
- with_love.exe
- withlove.exe
- love.exe
- frommetoyou.exe
- iheartyou.exe
- fck2008.exe
- fck2009.exe
According to Joe Stewart, director of malware research for SecureWorks, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers.{{cite web |title=Storm Worm |url= http://news.cnet.com/8301-1009_3-10009953-83.html |author=Robert Vamosi |publisher=CNET.com |date=August 7, 2008|author-link= Robert Vamosi }}
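The fast-flux behaviour described above (command-and-control names that resolve to a constantly changing set of IP addresses with short TTLs) is something a defender can spot from passive DNS data. The following is an added example, not code from the article or from any of the vendors it cites: it scores a series of constructed DNS answers for a hostname by TTL, number of distinct IPs and spread across /16 prefixes. The observations, thresholds and the use of /16 as a stand-in for network diversity are all assumptions made for illustration; RFC 1918 addresses are used so that no real host is named.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DnsObservation:
    """One observed A-record answer for a hostname (constructed sample data)."""
    ts: int        # seconds since the start of the observation window
    ttl: int       # TTL the resolver returned
    ips: tuple     # IPv4 addresses in the answer


def flux_metrics(observations):
    """Summarise how volatile a name's answers were over the window."""
    all_ips = set()
    prefixes = set()
    for obs in observations:
        for ip in obs.ips:
            all_ips.add(ip)
            # /16 is an assumed, crude proxy for "different network"; real tooling
            # would map each IP to its ASN instead.
            prefixes.add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
    return {
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(o.ttl for o in observations),
    }


def looks_fast_flux(observations, max_ttl=300, min_ips=10, min_prefixes=5):
    """Heuristic: short TTL AND many IPs AND those IPs scattered across networks.

    The third condition is what separates fast flux from an ordinary CDN,
    which also rotates many IPs on short TTLs but within a few networks.
    Thresholds are illustrative assumptions, not a vendor's published rule.
    """
    m = flux_metrics(observations)
    return (m["min_ttl"] <= max_ttl
            and m["distinct_ips"] >= min_ips
            and m["distinct_prefixes"] >= min_prefixes)


def classify(names):
    """Apply the heuristic to a mapping of hostname -> list of observations."""
    return {name: looks_fast_flux(obs) for name, obs in names.items()}


# Constructed observations: a flux-like name rotating through 24 addresses in
# 24 different /16s, a CDN-like name rotating within one /16, and a static name.
FLUX_LIKE = [
    DnsObservation(ts=i * 300, ttl=90,
                   ips=tuple(f"10.{i * 4 + j + 1}.0.1" for j in range(4)))
    for i in range(6)
]
CDN_LIKE = [
    DnsObservation(ts=i * 300, ttl=60,
                   ips=tuple(f"10.200.{i}.{j + 1}" for j in range(2)))
    for i in range(6)
]
STATIC = [DnsObservation(ts=0, ttl=86400, ips=("10.250.0.1",))]

SAMPLE = {
    "flux.example": FLUX_LIKE,
    "cdn.example": CDN_LIKE,
    "static.example": STATIC,
}

if __name__ == "__main__":
    for name, flagged in classify(SAMPLE).items():
        print(f"{name:16} {flux_metrics(SAMPLE[name])}  fast-flux={flagged}")
```

The value of the prefix check is worth noting: TTL alone flags every CDN, and IP count alone flags every large load-balanced service; it is the combination of churn and network diversity that characterises the flux networks this article describes.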
=Botnetting=
{{main article|Storm botnet}}
The compromised machine becomes merged into a botnet. While most botnets are controlled through a central server, which if found can be taken down to destroy the botnet, the Storm Worm seeds a botnet that acts in a similar way to a peer-to-peer network, with no centralized control. Each compromised machine connects to a list of a subset of the entire botnet - around 30 to 35 other compromised machines, which act as hosts. While each of the infected hosts shares lists of other infected hosts, no one machine has a full list of the entire botnet - each only has a subset, making it difficult to gauge the true extent of the zombie network. On 7 September 2007, estimates of the size of the Storm botnet ranged from 1 to 10 million computers.{{cite web |title=World's most powerful supercomputer goes online |url=http://seclists.org/fulldisclosure/2007/Aug/0520.html |date=31 August 2007 |accessdate=2007-08-31 |publisher=Full Disclosure |author=Peter Gutmann }} Researchers from the University of Mannheim and the Institut Eurecom have estimated concurrent online storm nodes to be between 5,000 and 40,000.{{cite web |title=Researchers Infiltrate and 'Pollute' Storm Botnet |url=http://www.darkreading.com/document.asp?doc_id=151862&f_src=drdaily |date=23 April 2008 |accessdate=2008-04-24 |publisher=Darkreading.com |author=Kelly Jackson Higgins }}
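Why "each machine only has a subset" makes the network hard to size is easier to see with a small simulation. The following is an added example, not code from the article or from the Mannheim/Eurecom researchers: it builds a synthetic peer-to-peer overlay in which every node knows only 30 to 35 others, then performs the kind of crawl a researcher would run, asking each reachable online node for its peer list. The network size, the fraction of nodes online and the random seed are constructed assumptions. The result shows three different numbers a measurement can produce: what a single node sees, how many nodes the crawl learns addresses for, and how many actually answered (the "concurrent online" figure), which is why the article's total-size and online-node estimates differ so widely.

```python
import random
from collections import deque


def build_peer_lists(n_nodes, min_peers=30, max_peers=35, seed=7):
    """Give every node a partial view: a random subset of 30-35 other nodes.

    Synthetic overlay for illustration; no real protocol is modelled.
    """
    rng = random.Random(seed)
    peer_lists = {}
    for node in range(n_nodes):
        want = rng.randint(min_peers, max_peers)
        peers = set()
        while len(peers) < want:
            candidate = rng.randrange(n_nodes)
            if candidate != node:
                peers.add(candidate)
        peer_lists[node] = sorted(peers)
    return peer_lists


def crawl(peer_lists, online, start):
    """Breadth-first crawl from one node, querying only nodes that are online.

    Returns (addresses learned, nodes that actually answered). An offline
    node's address can be learned from someone else's list, but it cannot
    be asked for its own list, so its peers stay hidden behind it.
    """
    learned = {start}
    answered = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node not in online:
            continue
        answered.add(node)
        for peer in peer_lists[node]:
            if peer not in learned:
                learned.add(peer)
                queue.append(peer)
    return learned, answered


def estimate(n_nodes=2000, online_fraction=0.5, seed=7):
    """Run one measurement and report the different size figures it yields."""
    rng = random.Random(seed)
    peer_lists = build_peer_lists(n_nodes, seed=seed)
    # Constructed assumption: each node is independently online with this probability.
    online = {n for n in range(n_nodes) if rng.random() < online_fraction}
    start = min(online)  # crawl from some online node we already know about
    learned, answered = crawl(peer_lists, online, start)
    return {
        "true_size": n_nodes,
        "truly_online": len(online),
        "single_view": len(peer_lists[start]),  # what one infected host knows
        "learned": len(learned),                # addresses the crawl collected
        "answered": len(answered),              # concurrent online nodes reached
    }


if __name__ == "__main__":
    for fraction in (1.0, 0.5, 0.1):
        print(fraction, estimate(online_fraction=fraction))
```

Running it with different online fractions shows the "answered" count tracking the number of nodes online at crawl time rather than the population, while a single node's view never exceeds its 30-35 peers; a crawl conducted at a different hour, or starting from a different node when the overlay is sparse, yields a different figure again.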
=Rootkit=
Another action the Storm Worm takes is to install the rootkit Win32.agent.dh. Symantec pointed out that flawed rootkit code voids some of the Storm Worm author's plans. Later variants, starting around July 2007, loaded the rootkit component by patching existing Windows drivers such as tcpip.sys and cdrom.sys with a stub of code that loads the rootkit driver module without requiring it to have an entry in the Windows driver list.{{cite web |title=Patching system files: Part II |url=http://nakedsecurity.sophos.com/2007/07/28/patching-system-files-part-ii/ |date=28 July 2007 |accessdate=2010-12-05 |publisher=Sophos |author=SophosLabs }}
=April Fools' Day=
On April 1, 2008, a new Storm Worm was released onto the net, with April Fools' -themed subject titles.{{citation needed|date=March 2013}}
Feedback
The list of antivirus companies that can detect the Storm Worm includes Authentium, BitDefender, ClamAV, eSafe, Eset, F-Prot, F-Secure, Kaspersky, McAfee, Sophos, Symantec, Trend Micro, avast! and Windows Live OneCare (per a blog entry by Johannes Ullrich, chief technical officer of the SANS Institute's Internet Storm Center). The Storm Worm is constantly being updated by its authors to evade antivirus detection, so this does not imply that all the vendors listed above are able to detect all the Storm Worm variants. An intrusion detection system offers some protection from the rootkit, as it may warn that the Windows process "services.exe" is trying to access the Internet using ports 4000 or 7871. Windows 2000, Windows XP and presumably Windows Vista can be infected by all the Storm Worm variants, but Windows Server 2003 cannot, as the malware's author specifically excluded that edition of Windows from the code. Additionally, the decryption layer for some variants requires Windows API functions that are only available in Windows XP Service Pack 2 and later, effectively preventing infection on older versions of Windows.
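The intrusion-detection observation above (services.exe reaching out to the Internet on ports 4000 or 7871) can be expressed as a simple rule over host-firewall or endpoint connection logs. The following is an added example, not code from the article or from any IDS vendor: it parses constructed log lines in a simplified "timestamp process direction ip:port" format, ignores services.exe traffic to local networks (RPC and SMB on the LAN are normal for that process), and raises an alert for the two ports the article names, plus a lower-priority alert for any other Internet-bound connection from services.exe. The log format and the sample lines are assumptions made for illustration; the addresses are from the RFC 5737 documentation ranges and identify no real host.

```python
import ipaddress
import re

# Constructed sample log, not captured from any real system.
SAMPLE_LOG = """\
2007-01-20T10:01:02 svchost.exe OUT 10.0.0.5:445
2007-01-20T10:01:07 services.exe OUT 198.51.100.23:4000
2007-01-20T10:01:09 services.exe OUT 10.0.0.1:135
2007-01-20T10:02:11 firefox.exe OUT 203.0.113.10:80
2007-01-20T10:02:40 services.exe OUT 203.0.113.77:7871
2007-01-20T10:03:01 services.exe OUT 192.0.2.9:53
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<dir>IN|OUT)\s+(?P<ip>[\d.]+):(?P<port>\d+)$"
)

# Ports the article reports Storm's services.exe using to reach the Internet.
STORM_PORTS = {4000, 7871}

# Networks treated as "local": RFC 1918, loopback and link-local. Defined
# explicitly rather than via ipaddress.is_private, which also counts the
# documentation ranges used in the sample as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_local(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in LOCAL_NETS)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    return entry


def classify(entry):
    """Return a reason string if the connection is suspicious, else None."""
    if entry["proc"].lower() != "services.exe" or entry["dir"] != "OUT":
        return None
    if is_local(entry["ip"]):
        return None  # services.exe talking to the LAN is expected
    target = f"{entry['ip']}:{entry['port']}"
    if entry["port"] in STORM_PORTS:
        return f"HIGH services.exe -> {target} (port associated with Storm)"
    return f"LOW services.exe -> {target} (unexpected Internet access)"


def scan(log_text):
    """Scan a whole log and return (timestamp, reason) pairs for each alert."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            alerts.append((entry["ts"], reason))
    return alerts


if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LOG):
        print(ts, reason)
```

The "LOW" alert is deliberate: the article notes that Storm's authors changed the malware constantly, so a rule keyed only to two port numbers ages quickly, whereas "services.exe should not be initiating Internet connections at all" is a behavioural expectation that survives repacking.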
Peter Gutmann sent an email{{cite news |title=Peter Gutmann Email |url= http://seclists.org/fulldisclosure/2007/Aug/0520.html}} noting that the Storm botnet comprises between 1 and 10 million PCs depending on whose estimates you believe. Although Dr. Gutmann makes a hardware resource comparison between the Storm botnet and distributed memory and distributed shared memory high performance computers at TOP500, exact performance matches were not his intention—rather a more general appreciation of the botnet's size compared to other massive computing resources. Consider for example the size of the Storm botnet compared to grid computing projects such as the World Community Grid.
An article in PCWorld{{ cite news | title=Storm Worm Now Just a Squall | url= http://www.pcworld.com/article/id,138721-c,virusesworms/article.html }} dated October 21, 2007 says that a network security analyst presented findings at the Toorcon hacker conference in San Diego on October 20, 2007, saying that Storm is down to about 20,000 active hosts or about one-tenth of its former size. However, this is being disputed by security researcher Bruce Schneier,{{ cite news | title=Schneier on Security: The Storm Worm | url=http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html}} who notes that the network is being partitioned in order to sell the parts off independently.
Notes
{{reflist|30em}}
External links
- [http://spamtrackers.eu/wiki/index.php?title=Storm Spamtrackers SpamWiki: Storm]
- [https://web.archive.org/web/20071012115210/http://www.networkworld.com/news/2007/080207-black-hat-storm-worms-virulence.html NetworkWorld: Storm Worm's virulence may change tactics]
- [https://www.wired.com/politics/security/commentary/securitymatters/2007/10/securitymatters_1004 Wired.com: Analysis by] Bruce Schneier
- [http://blogs.iss.net/archive/StormWorm.html "There's a Storm Coming"], from the IBM ISS X-Force Blog
- [https://web.archive.org/web/20070202044135/http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99&tabid=1 Trojan.Peacomm (Storm) at Symantec]
- [http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/arrott-etal-vb2008.pdf Stormy Weather: A Quantitative Assessment of the Storm Web Threat in 2007 (Trend Micro)]
- [http://observer.guardian.co.uk/business/story/0,,2195730,00.html In millions of Windows, the perfect Storm is gathering], from The Observer.
- [http://www.pcworld.com/article/id,144012-c,worms/article.html April Fool's Day Storm Worm Attack Hits], from PC World.
- [http://www.net-security.org/aboutus.php Storm and the future of social engineering] from Help Net Security (HNS).
- Bodmer, Kilger, Carpenter, & Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. New York: McGraw-Hill Osborne Media. {{ISBN|0071772499}}, {{ISBN|978-0071772495}}