Storm re-emerges in a new form

This time with added rootkit.

The Storm Trojan attack that began last week has re-emerged in a new guise according to security researchers. The malicious file's name has changed and is being hosted by new servers, with an added rootkit to cloak the bot code from anti-virus software.

Spam messages attempting to dupe users into installing the bot-making Trojan now include links to happycards2008.com or newyearcards2008.com, different URLs from those used in the second-wave attack that began on Christmas Day. According to analysts at the SANS Institute's Internet Storm Center (ISC) and U.K.-based Prevx, the name of the file users are asked to download has also changed from Tuesday's "happy2008.exe"; the file being pushed today is named "happynewyear.exe."

More important, researchers said, is the behind-the-scenes addition of a rootkit to the versions of Storm now being seeded onto infected machines. Both Marco Giuliani of Prevx and an independent security researcher named Russ McRee have posted analyses of Storm's cloaking attempt.

"[Storm now has] better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?)," said McRee on his own HolisticInfoSec site. "No more hanging out in the open, easily seen."

Fortunately, said Giuliani, the rootkit is relatively old, and thus detectable by at least some security software. Neither is the move by Storm's makers to hide its components and operations from anti-virus programs a new thing: the Trojan began using rootkits months ago.

Giuliani also wondered why the domains hosting the Trojan had not been taken down. "If the attack is currently known and security companies are updating their software, why are these fake domains still active?" he asked in a post to the Prevx company blog. "If servers behind [these] sites are constantly changing so that it would be impossible to shut them down, these servers are reached by four well-known domains. Why, after four days, hasn't anyone successfully taken these domains down?"

Since the newest Storm attack began on Monday with spam touting Christmas-themed strippers, the code has been repacked hundreds of times, a trick malware authors use to evade signature-based anti-virus software. Prevx, said Giuliani, has already detected more than 400 variants of the version now in circulation.

According to WHOIS look-ups, both the happycards2008.com and newyearcards2008.com domains were registered with a Russian domain registrar named RUcenter.

Techworld UK - Technology - Business