A month ago I would have said the chances of a major e-mail worm outbreak were slim, but now the Storm worm is active again. Within the last week, the Storm worm has reinvented itself not once but twice, making life difficult for e-mail administrators and antivirus vendors alike. The latest variant, released on Thursday, April 12, 2007, uses an image file both to evade spam filters and to display the password that unlocks the encrypted ZIP file attachment, which in turn installs a rootkit. Indeed, within this single Storm worm you'll find a crafty intersection of the classic e-mail worm, spam outbreaks, and denial-of-service attacks combined with new-fangled botnets, identity theft, and online gang warfare. You would think that in 2007 we'd be beyond e-mail worms, that by now most people would know better than to open a password-protected ZIP file attachment from someone they may not know. Perhaps most people are simply out of practice, and the criminals behind the Storm worm know that.
Old worm, new life
There are very few new worms being written these days; most are just variations on something else that worked. The Storm worm derives its media name from a harsh European winter storm in early 2007; the worm e-mail, circulating in northern Europe at that time, offered information about the resulting crises. But researchers at security vendor Websense did some digging and found that the Storm worm (known by various names to antivirus vendors) had its origins earlier than that, perhaps as early as December 2006. The researchers found that the code being called "Peacomm" by Symantec, which Kaspersky and Trend Micro called "Small," was actually related to code given the name "Nuwar" back in 2006.
Recently, Mitre.org created the Common Malware Enumeration, which seeks to classify worms and Trojan horses under a common designation. CME-711 refers to the Storm worm, and by visiting the Mitre site you can see how various antivirus vendors have labeled the previous variations of this worm: CA calls it "Peacoan," Eset calls it "Fudip," Norman calls it "Tibs," and F-Secure calls it "Zhelatin."
How the Storm worm works
By whatever name, CME-711 is making history. The classic part of the worm is an e-mail with varying subject lines and attachment names; what matters is that the message carries an image file displaying a password together with a password-protected ZIP attachment. Because the archive is encrypted, a mail gateway or antivirus scanner cannot look inside it, which is the point. Should you open the attachment and type in the displayed password, you'll become infected. The latest Storm worm installs a rootkit to hide itself from most antivirus and security applications, and it even shuts down your desktop security defenses. Then the Storm worm calls out to its peer-to-peer network to download the latest instructions, such as uploading any personal information it finds on your infected computer. Finally, the Storm worm behaves in a very worm-like way, sending out copies of itself to any e-mail address it is able to find on your infected hard drive. That means any e-mail address at all: it doesn't have to reside in your Outlook contacts folder, it could be sitting in your browser's cache as an HTML page.
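The lure described above has a shape a mail gateway can recognize even though it cannot scan inside the encrypted archive: a ZIP whose members carry the encryption flag, arriving alongside an image. The following is an added example, not code from the article or from any vendor named in it. The ZIP header layout and the general-purpose flag bit 0 are the real format; the sample message, the member name "Full Story.exe", the stub image bytes and the allow/hold/quarantine policy are constructed for illustration.

```python
"""Added example: flag Storm-style lures (password in an image, payload in an
encrypted ZIP) at a mail gateway without needing the password.  The sample
message and policy below are constructed for illustration."""
import io
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: this member is encrypted
ZIP_CONTENT_TYPES = ("application/zip", "application/x-zip-compressed")


def encrypted_members(zip_bytes: bytes) -> list:
    """Names of ZIP members whose encryption flag is set.

    Only the central directory is read, so this works with no password.
    Raises zipfile.BadZipFile if the bytes are not a valid archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ZIP_FLAG_ENCRYPTED]


def classify_message(raw: bytes) -> dict:
    """Walk the MIME tree and decide allow / hold / quarantine.

    An encrypted ZIP on its own is held for a human; an encrypted ZIP
    travelling with an image (the password picture) is quarantined."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {"encrypted_zip_members": [], "image_parts": 0, "verdict": "allow"}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype.startswith("image/"):
            report["image_parts"] += 1
        elif ctype in ZIP_CONTENT_TYPES or fname.endswith(".zip"):
            try:
                report["encrypted_zip_members"] += encrypted_members(part.get_payload(decode=True))
            except zipfile.BadZipFile:
                report["verdict"] = "quarantine"  # claims to be a ZIP but is not: treat as hostile
    if report["encrypted_zip_members"] and report["image_parts"]:
        report["verdict"] = "quarantine"
    elif report["encrypted_zip_members"]:
        report["verdict"] = "hold"
    return report


def build_flagged_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Hand-assemble a one-member, stored ZIP so the encryption flag can be set
    without a real password.  Constructed test data, not real malware."""
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    # local file header (30 bytes) + name + data
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(payload), len(payload), len(name), 0) + name + payload
    # central directory entry (46 bytes) + name; local header offset is 0
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, len(payload), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    # end of central directory (22 bytes)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_sample_message(zip_bytes: bytes, with_image: bool = True) -> bytes:
    """Constructed lure in the shape the article describes (stub image, not a real picture)."""
    msg = EmailMessage()
    msg["Subject"] = "Important update"
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.org"
    msg.set_content("See the attached archive. The password is in the picture.")
    if with_image:
        msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
                           maintype="image", subtype="png", filename="password.png")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="Full Story.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_message(build_flagged_zip(b"Full Story.exe", b"constructed bytes", True))
    print(classify_message(lure))
```

The check reads only ZIP metadata, so it is cheap and cannot be defeated by the password; the trade-off is that legitimate encrypted archives land in the hold queue, which is why the policy separates "encrypted ZIP alone" from "encrypted ZIP plus image".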
It's the peer-to-peer connection that is interesting. Botnets are groups of infected computers remotely controlled by an operator somewhere. Previously, worms such as SoBig dialed out to IRC servers to get updated instructions, but IRC traffic is easy to spot on the network, so botherders, the people who control botnets, have since switched to peer-to-peer connections, which are far harder to track and have no single server to take down. Botnets have been used to launch distributed denial-of-service attacks on targeted Web sites, to relay spam broadcasts, and to steal personal information. The Storm worm has been linked to all of these activities.
The Spam connection
The Storm worm has been linked with several denial-of-service attacks against antispam sites, such as spamhaus.org and spamnation.info. Websense also found, in its research, that the Storm worm conducted a denial-of-service attack against those believed responsible for hosting variations of the Warezov (or Stration) worm. Warezov is thought to have spread the most spam during the latter half of 2006.
Why is spam so hot? There's money in it, big money in being able to deliver thousands of e-mails. Better still if the promised volume of spam is spread across thousands of compromised computers worldwide. That way, if some compromised PCs are blocked or shut down, others will still get through, and the campaign will still succeed.
Old rivalries die hard
We've seen virus-writing rivalries like this before. Back in 2004, the Netsky, MyDoom, and Bagle worms all chased each other around the Internet, sometimes uninstalling rival code just to lay claim to an infected machine. But that was three years ago. What's changed since? There's more money, of course.
Netsky, MyDoom, and Bagle existed mostly to spread spam. Warezov and Storm exist to spread spam, but they also steal identities, conduct denial-of-service attacks, and can be used for click fraud.
As with any virus or worm outbreak, it's important to have an Internet security suite, or at least an updated antivirus app and a personal firewall, installed and active. Above all, be suspicious of e-mail attachments, and act on that suspicion: scan every attachment before you open it, and treat a password-protected archive whose password arrives in the same message as a red flag, since no scanner can look inside it for you. Otherwise, you may regret your actions. Why in this day and age are we still talking about e-mail viruses? TalkBack to me.