Worm Alert: Storm Worm Take 2? Massive attacks: is this the same worm from 2001?
We first saw the Storm Worm back in 2001, and here is Symantec's description of it:
W32.Storm.Worm
Risk Level 1: Very Low
Discovered: June 6, 2001
Updated: February 13, 2007 11:46:08 AM
Also Known As: DoS.Storm.Worm
Type: Worm
SUMMARY
W32.Storm.Worm is a worm that seeks out Microsoft Internet Information Services (IIS) systems that have not applied the proper security patches. Any such systems that it finds are then infected with the worm. The payload of this worm performs a denial-of-service attack on http:/ /www.microsoft.com
Threat Assessment
Wild
* Wild Level: Low
* Number of Infections: 0 – 49
* Number of Sites: 0 – 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Medium
Distribution
* Distribution Level: Medium
TECHNICAL DETAILS
When this worm is run, it sets up a server FTP thread and starts to scan 10,000,000 IP addresses in an attempt to find a vulnerable system at one of the targeted addresses. The vulnerable systems that it targets are Microsoft IIS installations (versions 4 and 5) that do not have the security patches installed to cover the “Web Server Folder Traversal” security vulnerability as described in http://www.microsoft.com/technet/security/bulletin/MS00-078.asp.
When the worm finds a vulnerable system, it copies itself to the targeted system and sets it up to automatically run the worm, effectively making that system a zombie that participates in the hacker’s e-war. To make sure that the worm is run during the next system startup, the worm adds the value
666 c:\winnt\system32\storm\start.bat
to the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
This worm has two payloads:
* A denial-of-service attack is initiated against http:/ /www.microsoft.com.
* An email bombing session is started that sends email messages containing an obscene message to gates@microsoft.com.
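The Symantec write-up above is useful to a defender mainly for the persistence detail: a value named "666" pointing at c:\winnt\system32\storm\start.bat under the Run and RunServices keys. The following is an added example (not code from the page or from Symantec) that parses the text of a Regedit / `reg export` of those two keys and flags startup values that look like a dropped script rather than an installed program. The heuristics, the sample export, and the benign entries in it are constructed for this example; only the key paths and the worm's own value come from the write-up.

```python
"""Flag suspicious autorun entries in an exported Windows registry (.reg) file.

Added example, not code from the page or from Symantec. It reads the text of a
Regedit / `reg export` of the Run and RunServices keys and reports values whose
command line looks like a dropped startup script rather than an installed
program. Heuristics and the sample export are constructed for the example; the
key paths and the "666" -> start.bat entry come from the Symantec write-up.
"""
import re

# The two keys the 2001 worm wrote its startup value into.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Heuristics (assumptions for this example, not an exhaustive rule set):
# a batch/script file as the startup target, and a target inside a
# subdirectory created under system32 rather than a file in system32 itself.
SCRIPT_TARGET = re.compile(r"\.(bat|cmd|vbs|js)\b", re.IGNORECASE)
NESTED_IN_SYSTEM32 = re.compile(r"\\system32\\[^\\]+\\", re.IGNORECASE)

# Constructed sample export: two ordinary entries plus the worm's persistence value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"Example Updater"="\"C:\\Program Files\\Example\\update.exe\" /quiet"
"666"="c:\\winnt\\system32\\storm\\start.bat"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"666"="c:\\winnt\\system32\\storm\\start.bat"
"""

# A REG_SZ line: "name"="data", with backslash escapes inside either string.
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s: str) -> str:
    """Undo .reg escaping (a backslash before a backslash or a quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: string_data}} for the REG_SZ values in a .reg export."""
    entries: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m:  # other value types (dword:, hex:) are ignored here
                name, data = (unescape(g) for g in m.groups())
                entries[current][name] = data
    return entries


def suspicious_autoruns(entries: dict) -> list:
    """Return (key_leaf, value_name, command, reasons) for entries that trip a heuristic."""
    by_lower = {k.lower(): v for k, v in entries.items()}
    findings = []
    for key in AUTORUN_KEYS:
        for name, cmd in by_lower.get(key.lower(), {}).items():
            reasons = []
            if SCRIPT_TARGET.search(cmd):
                reasons.append("script file as startup target")
            if NESTED_IN_SYSTEM32.search(cmd):
                reasons.append("target in a subdirectory created under system32")
            if name.isdigit():
                reasons.append("numeric value name")
            if reasons:
                findings.append((key.rsplit("\\", 1)[1], name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for leaf, name, cmd, reasons in suspicious_autoruns(parse_reg(SAMPLE_REG)):
        print(f"{leaf}\\{name} -> {cmd}: {', '.join(reasons)}")
```

Run against the constructed export, the two ordinary entries pass and the worm's value is reported under both keys with all three reasons. On a real host the same parser can be pointed at the output of `reg export` for each key; the heuristics are deliberately narrow and would need tuning for whatever legitimately starts under your own Run keys.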
But now according to security analysts:
“We are basically in the midst of an incredibly large attack,” said Adam Swidler, a senior manager with security company Postini. “It’s the most sustained attack that we’ve seen. There’s been nine to 10 straight days of attack at this level.”
And they are calling it the Storm Worm – is this the same worm?
Excerpts From Information Week:
The viruses are not embedded in the e-mails or in attachments. The e-mails, many of them otherwise empty, contain a link to a compromised Web site where machines are infected with a generic downloader. This helps pull the computers into the malware authors’ growing botnet, while also leaving them open for further infection at a later date.
“This is designed to add computers to the botnet,” said Swidler. “That’s first and foremost their goal.”
But the Storm worm authors aren’t contenting themselves with this one attack vector.
Just a few weeks ago, the Storm worm authors began trying to trick users with fraudulent e-mails warning unsuspecting users about virus or spyware infections. Users around the world were receiving spam messages claiming that viruses or spyware had been detected on the users’ systems. It was another attempt to lure users to malicious sites where their computers could be infected.
What do you guys think? Have you been seeing an increase in viruses flying around your mail servers? How about e-cards or links to downloadable files? Hit us up in the comments, or let us know if you need help!


July 25, 2007 - 8:28 pm
Yes, that is exactly what it is, Admin: they used an old method with a new payload.
Spammers have decided to kill two birds with one spam: The stock-touting email messages regularly sent out by spam-focused bot nets have started to include links to malicious code, according to a report published Wednesday by email security firm MessageLabs.
The criminal groups responsible for the spam appear to believe that recipients of the e-mail may click on a Web link, even if they don’t buy the stock touted by the e-mail message. In the past 10 days, MessageLabs has only detected about 3,500 of the messages, so the spammers may be testing the waters to see how often the scam works, said Mark Sunner, chief technology officer for the company.
Storm Worm marries malware and spam
July 25, 2007 - 8:29 pm
I forgot the link, sorry: http://www.securityfocus.com/brief/489?ref=rss
July 25, 2007 - 8:39 pm
WOW, that's some good info.
“These activities are now much more under the radar because they are sending the messages out in discrete chunks,” Sunner said. “If you spam out (the malicious link), you have a lot of control over the resultant bot net — you can control the size, (and) what time zone it is being sent to.”
The Storm Worm, which is actually a Trojan horse that does not spread on its own, embodies the latest tactics by spammers and bot masters to grow their networks. Rather than using worms and viruses to create bot nets that likely grow out of control, the Storm Worm — also known as Zhelatin and Peacomm — is sent out in spam to increase the size of a bot net at a controllable pace. The tactics also cause problems for traditional antivirus detection, since new signatures capable of detecting the latest variants of the Storm Worm may only be developed after the program has infected its victims and moved on to the next variant.
MessageLabs found that spam from previously unknown senders had increased 0.9 percent to 76.1 percent of all e-mail received by the company’s clients in April. If the company includes e-mail from senders known to send out spam, the fraction of worldwide e-mail that appears to be spam would rise to 83.6 percent.
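The Information Week excerpt in the post and the SecurityFocus excerpt in the comment above describe the same delivery pattern: a mostly empty message carrying a link, e-card and "infection detected" lures, and a download from the linked site rather than an attachment. The following is an added example (not code from the page, Information Week, MessageLabs or SecurityFocus) that scores a raw message on those traits so a mail admin can see how such a filter is put together. The three messages, the indicator list, the word-count cutoff and the "suspect" threshold are all constructed assumptions for the example; addresses use RFC 5737 test space and example.* domains.

```python
"""Heuristic triage of incoming mail for link-only lure messages.

Added example, not code from the page, Information Week, MessageLabs or
SecurityFocus. It scores a raw RFC 822 message on the traits described in the
excerpts: an almost empty body carrying a link, a link to a bare IP address, a
link ending in an executable, and e-card or "infection detected" wording in
the subject or body. The messages, regexes and thresholds are constructed for
the example.
"""
import email
import ipaddress
import re
from email import policy

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EXEC_RE = re.compile(r"\.(exe|scr|pif|bat)(\?|$)", re.IGNORECASE)
LURE_RE = re.compile(
    r"\b(greeting |e-?)card\b|\b(virus|spyware)\w* (has|have|was|were)( been)? detected\b",
    re.IGNORECASE,
)
MIN_WORDS_WITH_LINK = 8   # fewer words than this around a link counts as "otherwise empty"
SUSPECT_THRESHOLD = 2     # number of tripped indicators that earns a "suspect" verdict

# Constructed sample messages (test addresses and example.* domains).
ECARD = """\
From: cards@example.net
To: user@example.org
Subject: You have received a greeting card
Content-Type: text/plain

You have received a greeting card.
http://192.0.2.10/ecard.exe
"""

FAKE_AV = """\
From: support@example.net
To: user@example.org
Subject: Warning: spyware detected on your computer
Content-Type: text/plain

Our scanner found that spyware has been detected on your computer.
Download the removal tool here to clean your system now:
http://scan.example.net/remove.exe
"""

BENIGN = """\
From: dana@example.org
To: team@example.org
Subject: Minutes from today's meeting
Content-Type: text/plain

Hi all, the minutes and the updated schedule are on the wiki:
https://wiki.example.org/team/minutes
Thanks, Dana
"""


def host_is_ip(url: str) -> bool:
    """True when the URL's host part is a literal IPv4/IPv6 address."""
    host = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE).group(1)
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def score_message(raw: str) -> list:
    """Return the list of lure indicators tripped by a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    subject = str(msg["subject"] or "")
    urls = URL_RE.findall(text)
    words = URL_RE.sub(" ", text).split()  # body words with the links removed
    reasons = []
    if urls and len(words) < MIN_WORDS_WITH_LINK:
        reasons.append("link with almost no accompanying text")
    if any(host_is_ip(u) for u in urls):
        reasons.append("link to a bare IP address")
    if any(EXEC_RE.search(u) for u in urls):
        reasons.append("link points at an executable")
    if LURE_RE.search(subject) or LURE_RE.search(text):
        reasons.append("e-card or infection-warning lure wording")
    return reasons


def triage(raw: str) -> tuple:
    """Return ("suspect" | "ok", reasons) using the indicator threshold."""
    reasons = score_message(raw)
    return ("suspect" if len(reasons) >= SUSPECT_THRESHOLD else "ok", reasons)


if __name__ == "__main__":
    for label, raw in (("ecard", ECARD), ("fake-av", FAKE_AV), ("benign", BENIGN)):
        print(label, *triage(raw))
```

The e-card sample trips all four indicators, the fake scanner warning trips two (executable link plus the lure wording), and the meeting note trips none. Scoring several weak signals instead of matching one URL is what keeps the filter useful when the malware authors rotate the site and the variant, which is exactly the problem the MessageLabs quote raises for signature-based antivirus.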