October 10, 2007

Inside a Storm Worm Infection
I just read a fascinating study of the internal workings of a recent variant of the Storm worm. The paper was written by SRI International. The report is definitely for the geeky (I'm talking assembly language code), but everyday users can learn a thing or three from the findings.
You should know by now that the Storm worm tends to be hosted on hijacked web sites around the world. You have likely received an email message that has used a variety of social engineering tricks to get you to visit the site (recent ones described here, here, and here). The sites use further social engineering to get you to download and install a software program that promises something alluring...but, in truth, is deadly.
If nothing else, the descriptions of the inner workings demonstrate how much of your PC and its data you hand over to a foreign program running mostly silently in the background. Among the most immediately devastating actions that the worm takes is looking for and disabling programs you may have previously installed to save you. In fact, an inspection of the Labor Day variant of the Storm infection reveals a list of—get this—489 different programs targeted by the worm, including the Zone Alarm firewall and McAfee antivirus software (the ones I found running as tasks on the one Windows PC I have here). If your anti-whatever software hasn't been updated to detect the latest (and rapidly evolving) Storm executable, then your protection is essentially disabled before it ever has a chance to save you.
When you install an application program, especially one that requires administration-level permission, you open up your entire machine, its data, and network resources (including other computers on a local network) to that program. Therefore, it's not surprising that when you install the Storm executable, it can look through all your files for whatever it wants. A primary target is any text with strings of characters that look like email addresses. If you think it looks only in obvious places, like Outlook address books, think again. The Labor Day Storm variant examines files with the following extensions: .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp, .dat, and .lst.
What does the worm do with those addresses? Why, it addresses more spam to them to lure others to download the malware. The spam is meted out in small batches—on average 100 messages every five minutes. That's so your ISP (on the outside chance that it even cares to notice) doesn't get wise to the fact that you have a spam-spewing machine running full time.
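That throttled, steady rate is itself something a network administrator can look for. As an added example (not code from this post or from the SRI report), here is a small Python detector that counts outbound SMTP connections per source host in five-minute windows and flags hosts that keep up a high rate over many consecutive windows, which separates a low-and-slow spam bot from a mail client or a one-off bulk mailing. The log line format, the thresholds, and the sample hosts are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
RATE_THRESHOLD = 50   # connections per window that count as "high" (assumed tuning value)
MIN_WINDOWS = 6       # must stay high for 6 consecutive windows, i.e. 30 minutes
EPOCH = datetime(1970, 1, 1)

def parse_line(line):
    """Parse an assumed edge-log format '<ISO time> <src ip> -> <dst ip>:<port>'.
    Returns (timestamp, src_ip) for port-25 traffic, None for anything else."""
    ts, src, _, dst = line.split()
    if not dst.endswith(":25"):
        return None
    return datetime.fromisoformat(ts), src

def window_counts(lines):
    """Count SMTP connections per source host per five-minute bucket."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src = parsed
        counts[src][(ts - EPOCH) // WINDOW] += 1   # integer bucket index
    return counts

def sustained_senders(lines, rate=RATE_THRESHOLD, min_windows=MIN_WINDOWS):
    """Return {src_ip: longest run of consecutive windows at or above `rate`}
    for hosts whose run reaches `min_windows`; bursts and quiet hosts are ignored."""
    flagged = {}
    for src, buckets in window_counts(lines).items():
        run = best = 0
        for b in range(min(buckets), max(buckets) + 1):
            run = run + 1 if buckets.get(b, 0) >= rate else 0
            best = max(best, run)
        if best >= min_windows:
            flagged[src] = best
    return flagged

def constructed_log():
    """Constructed sample traffic: a Storm-like steady sender (100 connections every
    five minutes for an hour), a normal mail client, and a single large burst."""
    start, lines = datetime(2007, 9, 3, 12, 0, 0), []
    for i in range(12 * 100):   # 10.0.0.5: one connection every 3 s, twelve full windows
        lines.append(f"{(start + timedelta(seconds=i * 3)).isoformat()} 10.0.0.5 -> 203.0.113.9:25")
    for i in range(3):          # 10.0.0.7: three messages from a desktop client
        lines.append(f"{(start + timedelta(minutes=7, seconds=i * 40)).isoformat()} 10.0.0.7 -> 198.51.100.2:25")
    for i in range(400):        # 10.0.0.9: 400 connections inside one window, then silence
        lines.append(f"{(start + timedelta(minutes=20, seconds=i // 2)).isoformat()} 10.0.0.9 -> 198.51.100.2:25")
    return lines

if __name__ == "__main__":
    print(sustained_senders(constructed_log()))   # {'10.0.0.5': 12}
```

Only the host that sustains the rate window after window is reported; the burst host exceeds the per-window threshold once but never builds a run, which is the distinction an ISP's abuse desk would want.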
All the while, the program is communicating like mad with other infected machines in a massive peer-to-peer network (i.e., they don't report to a single command-and-control center, which could possibly be shut down). Each bot is exchanging IP addresses of other successfully-infected machines so that each can perform the latest dirty work of whoever is behind the whole scheme.
The types of activities that Storm performs (e.g., snarfing email addresses and disabling antivirus software) aren't new. Other infections have been doing this stuff for years. But this new report reveals the depths of sophistication involved in the programming of the executable—as well as the lengths to which it goes to prevent detection.
This isn't kiddie stuff. And if you believe that your anti-anti software will protect you 100% from clickety-clicking your way through unsolicited email and instant messages, you're sorely mistaken.

Posted on October 10, 2007 at 05:30 PM