The Storm Worm
News Alert: 230 Dead As Storm Batters Europe
Or at least, that's what one of the latest subject lines claims. It belongs to a new worm that, according to F-Secure, is battering the shores of the Internet. I have received mixed reports on how much damage it is actually causing, but it is a threat nonetheless and it's my job to keep you all informed.
The Storm Worm (the same malware is detected under the vendor names Small.DAM and W32/Nuwar) uses current news topics as the "hook" in e-mail subject lines to lure unsuspecting users into opening the .exe attachment that carries the payload. Subject lines such as the following have all been used:
- “A Killer at 11”
- “He’s free at 21”
- “British Muslims Genocide”
- “Naked Teens Attack Home Director”
- “U.S. Secretary of State Condoleezza Rice Has Kicked German Chancellor Angela Merkel”
- “Castro is Dead”
Attached to these enticing e-mails are executable files whose names keep up the facade by promising a “Live Video,” “Full Clip” or “Full Story.” You get the point, and hopefully you know that these attachments are the malware itself. Once run, the program opens a back door that gives the attacker remote access to your system for whatever purpose they choose.
The worm also installs a rootkit, which, if you’re not familiar with the term, is a component that hooks into the operating system kernel and hides the infection’s files, processes and registry keys so the rest of the malware can keep working undisturbed and unnoticed. The infected machine also becomes a zombie in a botnet, a network of infected PCs that work together for a common purpose. In most botnets the PCs all report to one central command-and-control server, and if that server is located and dismantled, the botnet is rendered useless.
In the case of the Storm Worm, the bot network is peer to peer, with no central server (it is built on an Overnet-style distributed hash table, the same design used by eDonkey file sharing). This creates new problems for anyone trying to stop the network, because if some of the machines are disabled, the rest simply cut their losses and carry on with the mission. Another unique characteristic of the Storm Worm’s networking is the peer list each bot keeps. To cover its trail, an infected PC does not store the IP addresses of every machine in the botnet, only a limited number, on the order of 30 to 35 peers. So a captured bot reveals very little about the other machines or the network as a whole, and the rest of the undiscovered network stays safe.
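To make the difference concrete, here is a small simulation I wrote for this post; it is an added example, not code from the worm or from any vendor. It models a 500-bot network two ways: a star where every bot knows only the command-and-control server, and a Storm-style mesh where each bot holds a random list of 30 peers (the list size, node count and random seed are my assumptions). It then measures how much of the botnet still hangs together after a takedown, and how many other bots a forensic analyst learns about from one captured machine.

```python
import random
from collections import deque

# Constructed model (added example, not Storm Worm code): every bot holds a
# small peer list. A takedown removes nodes; we measure how much of the
# surviving botnet can still reach each other, and how much one captured
# bot reveals about the rest.

def centralized_botnet(n):
    """Star topology: every bot knows only the C&C (node 0); the C&C knows all."""
    peers = {i: {0} for i in range(1, n)}
    peers[0] = set(range(1, n))
    return peers

def p2p_botnet(n, list_size=30, seed=7):
    """Storm-style mesh: each bot stores a random list of about 30 peers."""
    rng = random.Random(seed)
    return {i: set(rng.sample([j for j in range(n) if j != i], list_size))
            for i in range(n)}

def largest_component_fraction(peers, removed):
    """Fraction of surviving bots in the biggest connected group.
    Links are treated as two-way: once a bot has contacted a peer, either
    side can relay commands to the other."""
    alive = [v for v in peers if v not in removed]
    if not alive:
        return 0.0
    adj = {v: set() for v in alive}
    for v in alive:
        for w in peers[v]:
            if w in adj:           # drop links to bots that were cleaned up
                adj[v].add(w)
                adj[w].add(v)
    seen, best = set(), 0
    for start in alive:            # breadth-first search per component
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best / len(alive)

def exposure(peers, captured):
    """Fraction of the *other* bots whose addresses an analyst learns from
    the peer lists found on the captured machines."""
    captured = set(captured)
    revealed = set()
    for v in captured:
        revealed |= peers[v]
    revealed -= captured
    others = len(peers) - len(captured)
    return len(revealed) / others if others else 0.0

def compare(n=500, seed=7):
    """Run both topologies through the same takedown and capture scenarios."""
    rng = random.Random(seed)
    star, mesh = centralized_botnet(n), p2p_botnet(n, seed=seed)
    cleaned = set(rng.sample(range(1, n), 50))      # 10% of bots disinfected
    return {
        "star_after_cnc_takedown": largest_component_fraction(star, {0}),
        "mesh_after_50_bots_cleaned": largest_component_fraction(mesh, cleaned),
        "star_one_bot_captured": exposure(star, {1}),
        "star_cnc_captured": exposure(star, {0}),
        "mesh_one_bot_captured": exposure(mesh, {1}),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:28s} {value:.3f}")
```

Pulling the star’s single server leaves every surviving bot isolated, while cleaning ten percent of the mesh leaves the remaining ninety percent fully connected. On the exposure side, the captured C&C gives up the whole star, but one captured mesh bot gives up only its 30 peers, which is exactly the property the paragraph above describes.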
On top of this, the botnet is a very motivated updater: a new version of the executable is pushed out again and again, in some cases more than once an hour. Geesh! That is a real problem for antivirus companies, because a signature written for one sample may already be out of date by the time it ships.
So far this sounds like a serious threat, almost an uber virus. It seems to have an answer for every conventional practice we use to stop such threats. I don’t think that’s entirely true, though. There is one huge oversight that the creators of the Storm Worm, in my opinion, have failed to notice, and it is the reason some security experts are saying that home users, not the corporate world, will see more damage from this attack. The reason is simple. It is an executable file attached to an unsolicited e-mail from an unknown source, which means what?
It means that under no circumstances should it ever be opened. This is the oldest trick in the virus book, and you all should know better. On top of that, most corporate mail gateways, ISPs and Webmail providers scrutinize, and often block outright, executable attachments sent by e-mail.
So it always comes back to fundamentals. Don’t open attachments you weren’t expecting and you should be safe. If you do download one for some reason, scan it with your installed antivirus program before opening it, but remember that with new versions of this thing going out hourly, a clean scan is not a guarantee; when in doubt, don’t run it.
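For those of you running a mail gateway, here is the check I would put in front of the inbox. It is an added example written for this post, not a vendor product or anything taken from the worm, and it uses only Python’s standard library. It flags any attachment with an executable extension, and, more importantly, any attachment whose bytes begin with the `MZ` header every Windows executable carries, so a renamed “Full Clip.avi” that is really a program is caught too. The subject lure list is built from the subject lines quoted above; the sample message, addresses and file contents are constructed for the demonstration (the “executable” is a few header bytes, not real malware).

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on a double-click. .exe is what the post describes;
# the rest are the usual companions on a mail-gateway blocklist.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Subject lines quoted in the post, lower-cased, used here as a constructed lure list.
LURE_SUBJECTS = {
    "230 dead as storm batters europe",
    "a killer at 11",
    "he's free at 21",
    "castro is dead",
}

def classify_attachment(part):
    """Return (filename, reasons); an empty reasons list means the part looked harmless."""
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    reasons = []
    ext = os.path.splitext(name)[1]
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    # Every Windows executable starts with the 'MZ' DOS header no matter what
    # it is called, so a renamed .exe is caught even if the extension check is fooled.
    if data[:2] == b"MZ":
        reasons.append("PE (MZ) header despite the file name")
    return name, reasons

def scan_message(raw):
    """Parse one raw RFC 822 message and return a verdict plus the evidence."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    subject_lure = subject in LURE_SUBJECTS
    flagged = []
    for part in msg.iter_attachments():
        name, reasons = classify_attachment(part)
        if reasons:
            flagged.append((name, reasons))
    if flagged:
        verdict = "block"
    elif subject_lure:
        verdict = "quarantine"    # known lure subject but no payload: hold for a human
    else:
        verdict = "allow"
    return {"verdict": verdict, "subject_lure": subject_lure, "attachments": flagged}

def build_storm_sample():
    """Constructed message imitating the lure described in the post."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "230 Dead As Storm Batters Europe"
    msg.set_content("Full story in the attachment.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60          # stand-in header bytes, not real malware
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="Full Story.exe")
    msg.add_attachment(fake_pe, maintype="video", subtype="x-msvideo",
                       filename="Full Clip.avi")    # same executable, renamed
    msg.add_attachment(b"RIFF\x00\x00\x00\x00AVI ", maintype="video",
                       subtype="x-msvideo", filename="weather.avi")  # harmless AVI header
    return msg.as_bytes()

def build_benign_sample():
    """Constructed plain message with no attachment and an ordinary subject."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Minutes from Tuesday"
    msg.set_content("See you Thursday.")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_storm_sample()))
    print(scan_message(build_benign_sample()))
```

The subject match is deliberately a weak signal on its own, since the worm changes its headlines with the news; the attachment checks are what actually stop the message. A production gateway would also have to open archives, since wrapping the executable in a .zip defeats both checks as written.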
If something in the subject line intrigues you to the point of insanity, open up a Web browser, search for the topic and read about it outside of your e-mail.
If you find that you have been infected, the best thing to do at this point is to go to your antivirus vendor’s Web site and look up the threat by name. You may be able to run an online scanner or follow a removal procedure to clean the virus from your system. Keep in mind that the rootkit is designed to hide from tools running on the infected machine, so a clean result from a scan run inside Windows is not proof that it is gone.
That’s all I have for you today. Until next week, stay away from those attachments!
~ Chad Stelnicki