back to article Storm Worm of a thousand faces

Authors of a particularly nasty piece of malware known as Storm Worm have yet again shifted their tactics. They are creating a flood of email hoaxes that try to install a bogus "applet" so victims can redeem membership benefits to clubs related to music, online dating and other interests. The new emails bear subject headings …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Fire vs. Fire

    Time for someone clever to capture the Storm applet, disassemble it, and modify it a bit - so that it commits a DDoS on the botnet heerder.

    Then re-release it into the wild.

    Yes, that's illegal. So let the NSA do it, they don't seem to have any problem with breaking laws.

  2. John Watts

    I'm no expert but

    Perhaps it will implode itself.

    Since there's no point in infecting an already infected machine I'd imagine it checks for itself. I'd guess it might do that by scanning potential hosts for itself to make sure it's not already there, which might eventual result in it DoS itself to death.

    With any luck it will disappear up its own arse.

    This wisdom comes with the aid of a bottle of cheap wine so I excuse myself for any implicit stupidity.

    Like I say, I'm no expert; but the most virulent of real (biological) viruses tend to wipe themselves out, so we can but hope.

  3. Misha Gale

    Re: I'm no expert but

    Sorry John, the vino has let you down. Storm doesn't spread directly host-to-host but by old fashioned email. So all it is likely to DoS are mailservers. Granted, if it drags down all the mailservers on the net it will stop spreading, but this won't be much comfort.

    Seriously though, researchers have been saying for years that AV companies need to move away from signatures. I can recall reading in this very organ an article advocating a whitelist approach rather than blacklisting known virii some years ago. Now we have polymorphic malware in the wild, and if the technique becomes widespread and sophisticated then conventional AV will be basically useless.

  4. Ian McNee

    Doh!

    Same old story - have all the fancy security software you like but if you fail to engage your brain before you click...oops...pWn3d!

  5. Alan Donaly

    This needs to stop

    I get sick of law enforcement doing nothing about this sort

    of thing and spending all it's resources busting chip moders

    and other "violent criminals" I call bullshit on them if they say

    they can't find out who is responsible and burn them alive

    like they deserve.

  6. Anonymous Coward
    Anonymous Coward

    Easy to stop it

    Go into your spamassassin config, find the rule called "NORMAL_HTTP_TO_IP", change it's score from 0.7 (default) to 5000.

    restart spamassassin.

    done. I have done this on all the mail servers I take care of and none of my clients have any idea what all the fuss in the press is about.

    easy

  7. amanfromMars Silver badge

    Binary AstraMetaPhysics

    And when malware slips into something more comfortable and morphs into palware will it be embraced as Viable Open Source Servering to Community rather than Ego? Will its ID grow into AI Super Ego? Power with ever more Self Control.... to Plan a Stellar Path of Immaculate Choice?

  8. Andrew Steer

    Easy indeed

    Just block all shortish emails bearing all-numeric http references.

    In procmail:

    # Catch-all for spam with numeric URLs - 18 Aug 2007

    :0B:

    * <8000

    * http://[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?

    spamnumerichttp

  9. Stephen Meredith

    Shooting Fish

    Looking for ways of blocking or removing the worm is like shooting fish.. better to ensure that the network is protected from DDoS using something like www.webscreen-technology.com to filter out the attack traffic and pulling the rug from under the spammers!

  10. Anonymous Coward
    Anonymous Coward

    Good call

    Obviously not for everybody, but that is a cracking idea Andrew, thanks.

  11. Anonymous Coward
    Anonymous Coward

    @ amanfromMars

    Anyone know who this complete twat is?

  12. Sabahattin Gucukoglu

    More Roadblocking Ideas

    You can stop these mails just as you would stop any other mails originating from nonconformant mailers. OTOH, greylisting seems to be losing its effectiveness (well, duh, of course it is). I use an absence of MX record to stop them coming to my primary account, but they still get through forwarders.

    Here are a couple of other ideas ...

    1. Fuzzy checksum the emails. Sure the binaries are morphing all the time, but surely all these emails have similar form? Haven't checked yet, but I'd be willing to bet Vipul's Razor can detect all major variants of these by now. Perhaps the AV industry should focus more on the vector and less on the actual payload. ClamAV has a good general-purpose scanning engine too, perhaps it could be adapted to scan vanilla plaintext emails for these telltail signs? Would be great for the milter interface - could reject the DATA outright (554 5.7.0 Go away, you f**king moronic end-luser.)

    2. Internet mail is abused again. So how long is it before port 25 blocking becomes mandatory? I don't mind at all, provided that I can immediately and easily unblock myself without question. It goes without saying, of course, that the process requires authentication and can't easily be automated by a computer program, although I suspect that wouldn't be too long in the works before the VXers break that, too.

    Cheers,

    Sabahattin

  13. Dr. Vesselin Bontchev

    Well, I *am* an expert

    (Google me, if you don't believe it.)

    This thing is a Trojan. It doesn't spread by itself at all - not by e-mail, not by any other way. It gets *sent* to the victim by the attacker. However, the "attacker" is just a compromised luser machine - part of a botnet used to send other kinds of e-mail (like spam), too. Attacking it is of no use.

    The e-mails themselves contain an URL to a site where the malware resides. However, this is usually just a compromised site, too, so attacking it isn't of much use, either. At best, it's worthwhile contacting the webmaster, although sometimes the webmaster doesn't care. Sometimes the hosting sides use fast-flux DNS to disguise themselves, so getting hold of the particular host can be tricky.

    As for those who think that "signature-based" (a *very* inaccurate term) scanning is helpless against this thing - see this ("Nuwar" is an alternate name for this very same family of Trojan horses):

    http://www.avertlabs.com/research/blog/index.php/2007/08/15/keeping-up-with-nuwar/

    Regards,

    Vesselin

  14. Matt W

    @ I *am* an expert

    Well, I'm reassured that experts, ostensibly with a doctorate, use terms like 'luser'. Go forth and multiply, troll.

  15. Sceptical Bastard

    Same old story

    "... the success of Storm relies on the ability to dupe recipients into clicking on links and installing programs..."

    Says it all, really <sigh>

  16. amanfromMars Silver badge

    Virtual Application .

    Hi, Doc [Dr. Vesselin Bontchev],

    Does the response here tell you how easy it is to hide the Truth in the Open? Are you into Virtualised TelePortation within Quantum Communications Channels PGP2 Programming for Transparent Security? ....The Movement of IDers to Realisation Centres?

  17. Anonymous Coward
    Anonymous Coward

    Re: Same old story

    Isn't it?

    Dozens of postcards, the last two sent by my parents from beyond the grave, were followed by emails from four strangers who claimed to know me well enough to want to provide links to pornographic pictures.

    Then I got membership details for four sites that somehow I can't remember signing up for.

    All variantions on the same theme.

  18. Dr. Vesselin Bontchev

    IP-based URLs

    Oh, BTW, those who proposed to block e-mails with IP-only URLs in them - the authors of these Trojan horses seem to have heard about this approach, too, and have changed their creation so that the approach no longer works:

    http://feeds.feedburner.com/~r/McafeeAvertLabsBlog/~3/147411266/

This topic is closed for new posts.