Storm variant strikes again
On Sunday, April 8th, 2007, a storm was brewing. That evening, hundreds of thousands of users would receive frightening emails warning them of an impending nuclear war with the Middle East. Attached to this email was the latest variant of the "storm" worm, which we first saw earlier in the year. It's named "storm" or "stormy" because the original subject lines it used were aimed at exploiting people's interest in the violent storms that were ravaging Europe at the time. As when the original worm was launched, i-Trap was fully equipped to detect infected machines on monitored networks before anti-virus companies had even identified the worm, and without any modification to our existing software or hardware. With i-Trap you can count on notification in the event of a network-enabled worm, trojan, or virus.

The current variant of the worm is exploiting the fear of a nuclear war. Subject lines it used include:

  • Iran Just Have Started World War III

  • Israel Just Have Started World War III

  • Missle Strike: The USA kills more then 1000 Iranian citizens

  • Missle Strike: The USA kills more then 10000 Iranian citizens

  • Missle Strike: The USA kills more then 20000 Iranian citizens

  • USA Declares War on Iran

  • USA Just Have Started World War III

  • USA Missle Strike: Iran War just have started

The email is sent from a Yahoo email address, with a user name picked out of a list of female names that is hard-coded into the worm.

When the user opens the file it immediately installs a rootkit onto the machine, disables the Windows firewall, and attempts to terminate any running processes it believes may be anti-virus or anti-malware related.

With no intentions of stopping there, it then tries to establish UDP connections to a list of encoded IP addresses which is also dropped onto the system when the file is executed. With no Windows firewall to stop these outbound connections, eventually the infected machine becomes part of a peer-to-peer style botnet, which is significantly harder to disrupt or take down than your more traditional centralized botnet. It also allows the operators of the botnet a greater chance of maintaining anonymity.
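As an added illustration of the network behaviour just described (this is not i-Trap's own detection code), the following script runs a simple heuristic over constructed flow records: a local host that opens UDP flows to many distinct external peers in a short window, once DNS and NTP are excluded, is flagged as a possible peer-to-peer bot. The local address range, threshold and window are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records, not real traffic: timestamp proto src dst dport
FLOW_LOG = """\
1176076800 udp 192.168.1.20 203.0.113.10 7871
1176076801 udp 192.168.1.20 198.51.100.77 4532
1176076802 udp 192.168.1.20 203.0.113.88 21017
1176076803 udp 192.168.1.20 198.51.100.9 8191
1176076804 udp 192.168.1.20 203.0.113.150 9801
1176076805 udp 192.168.1.20 198.51.100.200 3322
1176076806 udp 192.168.1.30 192.168.1.1 53
1176076807 udp 192.168.1.30 192.168.1.1 53
1176076808 tcp 192.168.1.30 203.0.113.5 80
1176076809 udp 192.168.1.40 203.0.113.5 123
"""

LOCAL_NET = ip_network("192.168.0.0/16")  # assumed monitored range
PEER_THRESHOLD = 5   # distinct external UDP peers per host (assumed tuning)
WINDOW_SECONDS = 60  # sliding window length (assumed tuning)
BENIGN_UDP_PORTS = {53, 123}  # DNS and NTP fan out legitimately over UDP

def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, proto, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        ts, proto, src, dst, dport = line.split()
        flows.append((int(ts), proto, src, dst, int(dport)))
    return flows

def p2p_fanout_hosts(flows, threshold=PEER_THRESHOLD, window=WINDOW_SECONDS):
    """Return {local_host: max_peer_count} for hosts that contacted at least
    `threshold` distinct external IPs over UDP within any `window`-second span."""
    per_host = defaultdict(list)  # local host -> [(ts, external_ip)]
    for ts, proto, src, dst, dport in flows:
        if proto != "udp" or dport in BENIGN_UDP_PORTS:
            continue
        if ip_address(src) in LOCAL_NET and ip_address(dst) not in LOCAL_NET:
            per_host[src].append((ts, dst))
    flagged = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:
                flagged[host] = max(len(peers), flagged.get(host, 0))
    return flagged

if __name__ == "__main__":
    for host, n in p2p_fanout_hosts(parse_flows(FLOW_LOG)).items():
        print(f"{host}: {n} external UDP peers within {WINDOW_SECONDS}s, possible P2P bot")
```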

While all that is going on, the storm worm still manages to scan every file that it can find on the hard drive of the infected machine for email addresses so that it can continue to spam itself out. Interestingly, it will avoid sending any email to addresses that end in .gov, .mil, or Microsoft.

After all of this has been accomplished, the worm will mostly stay dormant and await commands that will be sent to it through the botnet. In the past, the worm has been used to instruct the infected computers to launch DDoS (Distributed Denial of Service) attacks against several websites and IP addresses, including those being used by a rival spamming/botnet group, as well as to send out spam emails for penny stock "pump and dump" schemes.

The best way to avoid infection is simple. Never open emails with attachments from people you do not know, and be very cautious with attachments received from people you do know.
