- For information on the botnet made up of machines infected with this worm, see the Storm botnet.
The Storm Worm (so named by the Finnish company F-Secure) is a backdoor Trojan horse affecting computers running Microsoft operating systems, first found on January 17, 2007. The worm is also known as:
- Small.dam or Trojan-Downloader.Win32.Small.dam (F-Secure)
- CME-711 (MITRE)
- W32/Nuwar@MM and Downloader-BAI (specific variants) (McAfee)
- Troj/Dorf and Mal/Dorf (Sophos)
- Trojan.DL.Tibs.Gen!Pac13
- Trojan.Downloader-647
- Trojan.Peacomm (Symantec)
- TROJ_SMALL.EDW (Trend Micro)
- Win32/Nuwar (ESET)
- Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)
- W32/Zhelatin (F-Secure and Kaspersky)
- Trojan.Peed, Trojan.Tibs (BitDefender)
The Storm Worm began attacking thousands of (mostly private) computers in Europe and the United States on Friday, January 19, 2007, using e-mail messages with a subject line about a recent weather disaster, "230 dead as a storm hit Europe". Over the weekend there were six subsequent waves of attacks. On January 22, 2007, the Storm Worm accounted for 8% of all malware infections worldwide.
There is evidence, according to PCWorld, that the Storm Worm is from Russia, possibly traceable to the Russian Business Network.
How it operates
Originally deployed in a message about the European windstorm Kyrill, the Storm Worm has also been seen in e-mails with the following subject lines:
- How to Get HARD
- Killer at age 11, he is free at 21 and kill again!
- U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
- British Muslim Genocide
- Naked teens attack house director.
- 230 died as a storm hit Europe. (where the worm gets its name)
- Re: Your text
- Muslim radicals drink enemy blood.
- Chinese/Russian missiles shot down Russian/Chinese/satellite/aircraft
- Saddam Hussein is safe and sound!
- Saddam Hussein lives!
- Venezuelan leader: "Let the beginning of war".
- Fidel Castro is dead.
- If I Know
- FBI vs. Facebook
When the attachment is opened, the malware installs the wincom32 service and injects a payload, which passes packets on to destinations encoded within the malware itself. According to Symantec, it can also download and run the Trojan.Abwiz.F trojan and the W32.Mixor.Q@mm worm. The Trojan also piggybacks on spam with attachment names like "postcard.exe" and "Flash Postcard.exe", with further changes from the original wave as the attack mutated. Some of the known attachment names include:
- Postcard.exe
- ecard.exe
- FullVideo.exe
- Full Story.exe
- Video.exe
- Read More.exe
- FullClip.exe
- GreetingPostcard.exe
- MoreHere.exe
- FlashPostcard.exe
- GreetingCard.exe
- ClickHere.exe
- ReadMore.exe
- FullNews.exe
- NflStatTracker.exe
- ArcadeWorld.exe
- ArcadeWorldGame.exe
Later, as confirmed by F-Secure, the malware began to spread under subject lines like "Love birds" and "Touched by Love". These e-mails contain links to websites hosting the following files, which are confirmed to contain the virus:
- with_love.exe
- withlove.exe
- love.exe
- frommetoyou.exe
- iheartyou.exe
- fck2008.exe
- fck2009.exe
According to Joe Stewart, director of malware research for SecureWorks, Storm remains remarkably resilient, in part because the Trojan horse used to infect systems changes its packing code every 10 minutes and, once installed, the bots use fast flux to change the IP addresses of their command-and-control servers.
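A simple fast-flux heuristic of the kind a resolver log could be checked with, added here as an example (not from the article or any vendor): a domain whose records cycle through many addresses in several unrelated /24 networks with short TTLs is flagged. The log format, the domain names and the thresholds are constructed assumptions; the addresses are RFC 5737 documentation ranges.

```python
"""Flag fast-flux style domains in constructed DNS resolver log lines (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<epoch> <domain> <resolved_ip> <ttl>" per line.
# example-storm.invalid rotates through six addresses in three /24s with a 300 s TTL;
# www.example.com keeps one address with a one-day TTL.
SAMPLE_DNS_LOG = """\
1189152000 example-storm.invalid 198.51.100.7 300
1189152300 example-storm.invalid 203.0.113.44 300
1189152600 example-storm.invalid 192.0.2.19 300
1189152900 example-storm.invalid 198.51.100.88 300
1189153200 example-storm.invalid 203.0.113.5 300
1189153500 example-storm.invalid 192.0.2.200 300
1189152000 www.example.com 192.0.2.1 86400
1189155600 www.example.com 192.0.2.1 86400
"""


@dataclass
class DomainStats:
    ips: set = field(default_factory=set)     # distinct resolved addresses
    nets: set = field(default_factory=set)    # distinct /24 prefixes of those addresses
    min_ttl: int = 1 << 31                    # smallest TTL seen for the domain


def parse_dns_log(text):
    """Aggregate per-domain address diversity and minimum TTL from the log text."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, domain, ip, ttl = line.split()
        s = stats[domain]
        s.ips.add(ip)
        s.nets.add(ip.rsplit(".", 1)[0])
        s.min_ttl = min(s.min_ttl, int(ttl))
    return stats


def is_fast_flux(s, min_ips=5, min_nets=3, max_ttl=600):
    """Heuristic (thresholds are assumptions): many addresses, spread over networks, short TTL."""
    return len(s.ips) >= min_ips and len(s.nets) >= min_nets and s.min_ttl <= max_ttl


def flag_fast_flux(text, **thresholds):
    """Return the sorted list of domains in the log that match the heuristic."""
    return sorted(d for d, s in parse_dns_log(text).items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    print(flag_fast_flux(SAMPLE_DNS_LOG))   # ['example-storm.invalid']
```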
Botnetting
The compromised machine becomes part of a botnet. While most botnets are controlled through a central server, which can be taken down to destroy the botnet once it is found, the Storm Worm seeds a botnet that acts much like a peer-to-peer network, with no centralized control. Each compromised machine connects to a subset of the entire botnet - about 30 to 35 other compromised machines, which act as hosts. While each infected host shares a list of other infected hosts, no machine has a complete list of the whole botnet - each has only a subset, which makes it difficult to gauge the true extent of the zombie network. As of September 7, 2007, estimates of the size of the Storm botnet ranged from 1 to 10 million computers. Researchers from the University of Mannheim and the Eurecom Institute estimated the number of simultaneously online Storm nodes at between 5,000 and 40,000.
Rootkit
Another action the Storm Worm takes is to install the Win32.agent.dh rootkit. Symantec points out that flawed rootkit code defeats some of the Storm Worm authors' plans. Later variants, starting around July 2007, load the rootkit component by patching existing Windows drivers such as tcpip.sys and cdrom.sys with a code stub that loads the rootkit driver module, so it does not need an entry in the Windows driver list.
April Fools
On April 1, 2008, a new Storm Worm variant was released onto the Internet, with April Fools' themed subject lines.
Reception
Antivirus companies that can detect the Storm Worm include Authentium, BitDefender, ClamAV, eSafe, Eset, F-Prot, F-Secure, Kaspersky, McAfee, Sophos, Symantec, Trend Micro, avast! and Windows Live OneCare. The Storm Worm is constantly updated by its makers to evade antivirus detection, so this does not mean that every vendor listed above can detect every Storm Worm variant. An intrusion detection system offers some protection from the rootkit, as it can warn that the Windows "services.exe" process is trying to access the Internet using port 4000 or 7871. Windows 2000, Windows XP and possibly Windows Vista can be infected by all Storm Worm variants, but Windows Server 2003 cannot, because the malware authors specifically excluded that edition of Windows in the code. Additionally, the decryption layer of some variants requires Windows API functions that are only available in Windows XP Service Pack 2 and later, which effectively prevents infection on older versions of Windows.
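The services.exe symptom above, written as a detection rule over host network-connection events, added here as an example (not from the article or any IDS product). The key=value event format, the sample lines and the local-network exclusion are constructed assumptions; the documentation-range addresses stand in for Internet destinations.

```python
"""Flag services.exe opening outbound Internet connections on ports 4000 or 7871 (added example)."""
import ipaddress

# Constructed, simplified network-connection events (not real Sysmon or firewall output).
SAMPLE_EVENTS = """\
time=2007-09-07T10:00:01Z image=C:\\Windows\\system32\\services.exe proto=udp dst=203.0.113.9 dport=4000 initiated=true
time=2007-09-07T10:00:02Z image=C:\\Windows\\system32\\svchost.exe proto=tcp dst=203.0.113.10 dport=443 initiated=true
time=2007-09-07T10:00:03Z image=C:\\Windows\\system32\\services.exe proto=tcp dst=192.168.1.1 dport=7871 initiated=true
time=2007-09-07T10:00:04Z image=C:\\Windows\\system32\\services.exe proto=tcp dst=198.51.100.23 dport=7871 initiated=true
time=2007-09-07T10:00:05Z image=C:\\Windows\\system32\\services.exe proto=tcp dst=198.51.100.23 dport=7871 initiated=false
"""

STORM_PORTS = {4000, 7871}   # the ports named in the article

# RFC 1918 and loopback ranges: traffic to these is not "accessing the Internet".
# (Documentation ranges are deliberately not excluded so they can stand in for Internet hosts.)
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_event(line):
    """Turn one 'key=value key=value ...' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_internet_address(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def matches_storm_rule(ev):
    """services.exe, outbound, to a non-local address, on a Storm command port."""
    if not ev.get("image", "").lower().endswith("\\services.exe"):
        return False
    if ev.get("initiated") != "true":          # only connections the process itself opened
        return False
    if int(ev.get("dport", 0)) not in STORM_PORTS:
        return False
    return is_internet_address(ev["dst"])


def detect(text):
    """Return the matching events from a block of log text, in order."""
    events = (parse_event(line) for line in text.splitlines() if line.strip())
    return [ev for ev in events if matches_storm_rule(ev)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["time"], hit["image"], hit["dst"], hit["dport"])
```

A legitimate services.exe does not normally initiate Internet connections, which is why the process name alone carries most of the signal; the port list just narrows it to the behaviour described here.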
Peter Gutmann sent an e-mail stating that the Storm botnet consists of 1 to 10 million PCs, depending on which estimates you believe. Although Dr. Gutmann compared the hardware resources of the Storm botnet with those of the shared-memory and distributed-memory high-performance computers in the TOP500, an exact performance match was not his intention, but rather a more general appreciation of the botnet's size relative to other large computing resources. Consider, for example, the size of the Storm botnet compared with a grid computing project such as the World Community Grid.
An article in PCWorld dated October 21, 2007 reported that a network security analyst presented findings at the Toorcon hacker conference in San Diego on October 20, 2007, saying that Storm had dropped to about 20,000 active hosts, about one-tenth of its previous size. However, this is disputed by security researcher Bruce Schneier, who notes that the network is being partitioned so that its parts can be sold off independently.
External links
- Spamtracker SpamWiki: Storm
- NetworkWorld: Virus Storm Worm can change tactics
- Wired.com: Analysis by Bruce Schneier
- "There's a Storm Coming", from the IBM ISS X-Force Blog
- Trojan.Peacomm (Storm) on Symantec
- Stormy Weather: A Quantitative Assessment of the Storm Web Threat in 2007 (Trend Micro)
- In millions of Windows, the perfect Storm is gathering, from The Observer.
- April Fool's Day, Storm Worm Attack Hits, from PC World.
- Storm and the future of social engineering from Help Net Security (HNS).
- Bodmer, Kilger, Carpenter & Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. New York: McGraw-Hill Osborne Media. ISBN 0071772499, ISBN 978-0071772495
Source of the article : Wikipedia