[ISN] Storm Worm the 'syphilis' of computers

From: InfoSec News (alerts@private)
Date: Tue Oct 16 2007 - 00:34:57 PDT


http://www.thestar.com/Business/article/266834

By Chris Sorensen
Business Reporter
Oct 15, 2007

This year's NFL season arrived with a twist for millions of computer 
users, who discovered emails in their inboxes advertising free "online 
game trackers" and links to an official-looking website adorned with the 
National Football League's logo.

Fans who tried to download the program from the compromised website 
unwittingly infected their computers with a version of the Storm Worm, a 
malicious piece of software that, despite being flagged more than half a 
year earlier, has proven to be remarkably resilient.

Once installed, the "malware" drafts the unwitting user's computer into 
a vast army of infected machines that can be remotely instructed to 
spread Storm Worm, shut down Internet sites or pump out millions of spam 
emails promoting everything from stock market scams to sketchy 
pharmaceuticals – usually without the user's knowledge.

But experts fear the Storm Worm, or something similar, could one day be 
used for more sinister purposes.

"It's not so much this particular threat itself," says Dean Turner, the 
director of Symantec Corp.'s Global Intelligence Network, which sells 
computer security services, "but the possibilities that it presents for 
attackers."

He speculates the Storm Worm could be used to deliver sophisticated 
programs to computers that are designed to monitor keystrokes and steal 
confidential information such as online bank user names and passwords, 
personal tax information and just about anything else stored on people's 
hard drives. The confidential data could then be transferred to a 
central computer server and sold to criminals, leaving little or no 
trail, he said.

The Storm Worm is unique among malware since its purpose isn't to create 
havoc and headlines, thereby showcasing the prowess of its creators, but 
to make them rich by quietly taking control of other people's machines.

"The threat environment now is dominated by profit," says Turner. "It's 
not that the hackers have all of a sudden turned into a bunch of 
criminals, it's that the criminals are finally starting to leverage the 
technology available to them."

Estimated to have infected at least a million machines, the Storm Worm 
is believed to have been created in Russia and so far appears to be 
focused on building a large botnet, a network of hijacked "zombie" 
computers. A botnet is centrally controlled and can be used to send spam 
to millions of inboxes – either by the worm's creators, or by 
less-than-reputable individuals or firms willing to pay money to access 
the hijacked network.

While that may not sound like a terribly lucrative criminal activity, 
the unique economics of spam means there's big money to be made even if 
only a tiny percentage of the millions of emailed advertisements 
actually result in a sale. That's because emails cost next to nothing to 
produce and distribute – particularly if they are sent using a network 
of hijacked machines.

Graham Cluley, a senior technology consultant for anti-virus firm Sophos 
PLC, says his company estimates that more than 90 per cent of all spam, 
and more than 80 per cent of all infected Web pages, come from computers 
that have been "borrowed" by cyber criminals.

The Storm Worm first made headlines in January when emails with the 
subject line "230 dead as storm batters Europe" landed in inboxes around 
the globe, hence the name "Storm Worm." When users clicked on a link 
that promised a video clip, they were instead taken to a compromised 
website that downloaded a copy of the Storm Worm onto their computer. 
Because the original email contained no attachments or other suspicious 
attributes, it tended to be ignored by security software.

The attack was noted for its timeliness since it came on the heels of a 
killer European storm. Subsequent variants have also tried to cash in on 
current events, offering titillating headlines with the following 
subject lines: "A killer at 11, he's free at 21," "British Muslims 
Genocide," and "Naked teens attack home director."

Later versions came with subject lines that preyed on people's 
loneliness – "Want to Meet?" – while still others spuriously claimed 
that a user's computer had already been infected with a worm. The 
recommended fix? A downloadable patch that was actually a version of the 
Storm Worm.

The most recent bait involved emails that purported to contain links to 
YouTube videos in a bid to take advantage of the video sharing site's 
soaring popularity.

But while those behind the Storm Worm have demonstrated considerable 
skill in social engineering, observers are equally impressed with the 
worm's design and method of propagating itself.

Unlike other botnets, the network of computers created by the Storm Worm 
communicates through a peer-to-peer network like one often used to swap 
digital music files. That makes it difficult to trace and disable since 
there is no centralized command-and-control point. "It's about being 
able to operate from a widely distributed and ever moving target," says 
Cluley.

As well, the code used by the Storm Worm to spread itself morphs 
constantly, making typical anti-virus techniques less effective.

Finally, the Storm Worm's use of compromised Web pages to spread its 
malicious code is part of a larger trend away from emailed attachments, 
which are now difficult to get through security barriers.

"Increasingly, we're seeing trusted websites being compromised," says 
Symantec's Turner, who predicts that one day we'll be talking about 
"white-listed," or safe sites instead of black-listed ones.

In a recent column in Wired Magazine, Bruce Schneier, a security 
specialist and author, dubbed the worm the "future of malware" and 
compared it to a difficult-to-detect but potentially deadly illness. 
"Symptoms don't appear immediately, and an infected computer can sit 
dormant for a long time," he wrote. "If it were a disease, it would be 
more like syphilis, whose symptoms may be mild or disappear altogether, 
but which will eventually come back years later and eat your brain."

Others aren't convinced that the Storm Worm is really all that special – 
at least on a technical level.

"As far as malware goes, it's not particularly new and doesn't have any 
cutting-edge functionality," says Dave Marcus, a security research and 
communications manager for McAfee Avert Labs.

Marcus acknowledges that the Storm Worm has proven to be a favourite of 
hackers.

"I think Storm has just been popular simply because it's been so 
successful."
