The Storm Worm would love to infect you

Summary: The Storm Worm malware is back in the game, with its most recent campaign currently active and trying to entice users into executing iloveyou.exe by spamming them with links to already infected hosts acting as web servers, next to SQL injecting malicious domains into legitimate sites for the campaign to scale faster.

The Storm Worm Malware

What has changed compared to previous campaigns? Storm Worm is back in the SQL injection attack phase, with a tellicolakerealty .cn/ind.php iframe injected into a small number of sites for the time being. Moreover, assessing the Storm Worm infected hosts can only be done if you spoof your user agent to Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921); otherwise you will get no indication of any kind of malicious activity going on. Furthermore, although no exploits are used at the infected hosts themselves, a heavily obfuscated HTML/Rce.Gen was detected in their injected domain, and it loads automatically when someone visits an already injected site.
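The artefact this campaign leaves on a compromised site is an off-site iframe injected into stored content. The scanner below is an added example (not the article's code): it parses stored HTML rows and flags any iframe or script whose src points outside the site's own hosts, marking the zero-size frames typical of drive-by injection. The trusted hosts, the sample rows and the injected domain are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames the scanned site legitimately serves content from (assumed value).
TRUSTED_HOSTS = {"example-realty.test", "www.example-realty.test"}


class InjectedTagFinder(HTMLParser):
    """Collect <iframe>/<script> tags whose src points to a host outside the site."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Prefix scheme-less values so urlparse yields a hostname; relative paths give None.
        host = urlparse(src if "//" in src else "//" + src).hostname
        if host is None or host.lower() in self.trusted:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        # Zero/one-pixel or hidden frames are the typical drive-by injection shape.
        hidden = (a.get("width", "") in ("0", "1") or a.get("height", "") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "src": src, "host": host, "hidden": hidden})


def find_injected_tags(html, trusted_hosts=TRUSTED_HOSTS):
    parser = InjectedTagFinder(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_rows(rows, trusted_hosts=TRUSTED_HOSTS):
    """Map row id -> findings for every stored HTML fragment carrying off-site tags."""
    return {rid: hits for rid, html in rows.items()
            if (hits := find_injected_tags(html, trusted_hosts))}


# Constructed CMS rows: row 2 carries an iframe appended by a SQL injection,
# pointing at a placeholder domain (not the one named in the article).
SAMPLE_ROWS = {
    1: "<p>Lakefront lot for sale.</p><script src=\"/js/site.js\"></script>",
    2: "<p>Open house Sunday.</p>"
       '<iframe src="http://injected-domain.example/ind.php" width=0 height=0></iframe>',
}
```

Running `scan_rows` over a dump of a site's content table gives a row-by-row list of off-site inclusions to review; a same-host `<script src="/js/site.js">` is ignored as legitimate.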

These are the most recent detection rates for both the binary and the JavaScript obfuscation:

JavaScript obfuscation scanners result: 6/32 (18.75%) HTML/Rce.Gen; Packed.JS.Agent.a

iloveyou.exe scanners result: 10/32 (31.25%) Email-Worm.Win32.Zhelatin.yu; Trojan.Peed.PJ

Compared to the previous event-based social engineering campaigns on behalf of Storm Worm, the latest wave of malware isn't thematic at all. It remains to be seen whether they will start emphasizing SQL injections to acquire new infected hosts, given the success of the copycats and the Asprox botnet, or continue using email as the primary distribution vector.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

23 comments
  • Um... Is this page a stormworm vector??

    It certainly looks suspicious
    Dreamer.fithp
    • Re: Um... Is this page a stormworm vector??

      Yes it is, some of the storm worm binaries are phoning back home to some of these domains.
      ddanchev
  • RE: The Storm Worm would love to infect you

    But this is just scratching the surface :) Which part confused you the most? Storm Worm is active again, so if you receive love-related emails prompting you to visit a web site in the form of an IP address, don't visit it. The scanners result means that a copy of the malware was obtained and scanned with 32 anti-malware scanners, out of which only 10 were detecting it when last checked; this is signature-based scanning only.
    ddanchev
    • I could have mentioned Tufte as well

      Sir, I think you do have a deep understanding of the subject.
      Some of the problem arises in the blog's graphical layout; it is
      cluttered and arhythmic and does not help the reader grab and
      understand the main points. There is also some awkwardness
      in your sentence and paragraph construction.

      For instance, in the above, "Which part confused you the most,"
      suggests you know that there are three or more confusing
      parts in the article. Weren't you intending to ask what parts of
      the article were confusing?

      The final sentence. The final sentence would vex the most
      practiced of sentence diagrammers. Maybe what you mean is:
      as you can see from these results, only 10 of the 32 scanners
      detected the malware, showing how poorly signature-based
      scanning works. The last clause could be deleted because the
      intelligent reader will get the significance of the 10 in 32
      number. Shorter alternative: only 10 of the 32 signature-based
      scanners, in a recent test, detected the malware.

      I see the others are yelling it's time to go. Let me suggest that
      ZDNet needs to pair you with someone to help you shape your
      blogs so they effectively communicate your expertise. Here's
      another suggestion, get a copy, as soon as you can, of the K&R
      of English writing: Strunk & White's The Elements of Style. It will
      not transform your writing into the golden prose of an F. Scott
      Fitzgerald, I'm proof enough of that, but your writing will be
      better.
      DannyO_0x98
  • confused!

    ok, this is clear as mud

    1) what are the search engine hits supposed to show?

    2) what does "Moreover, assessing the storm worm infected hosts can only be done if you spoof your user agent to Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921), otherwise you will get no indication for any kind of malicious activity going on" mean?

    3) what's the point of the blue screen of ASCII code?
    CaptOska
    • Re: confused!

      1) what are the search engine hits supposed to show?

      That next to using email as propagation, a domain has also been injected at a number of sites part of storm worm's latest campaign.

      2) what does "Moreover, assessing the storm worm infected hosts can only be done if you spoof your user agent to Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921), otherwise you will get no indication for any kind of malicious activity going on" mean?

      It means that if you visit an infected site with a different browser, you will get no indication that it's malicious. This is done in order to make it more tricky for a researcher to obtain a sample and analyze it, as well as for automated tools that obtain the malware.

      3) what's the point of the blue screen of ASCII code?

      This is the JavaScript obfuscation used to serve the exploit; the screenshot is mostly for historical preservation, and an indication of the use of commercial obfuscating tools. In the past the obfuscation used offensive language against one antivirus vendor:

      http://ddanchev.blogspot.com/2007/08/offensive-storm-worm-obfuscation.html
      ddanchev
  • RE: The Storm Worm would love to infect you

    I guess if you know what this means, then this is a really good post.
    cwallen19803@...
    • RE: The Storm Worm would love to infect you

      Exactly.
      ddanchev
    • It may a "learned" post, but it fails in basic communications

      But unless it contained the explanations offered in the comments, it's techno-babble, and seems to indicate the lack of interest in broad communication ZDNet should be providing.

      Any article, pseudo-news or not, that attempts to communicate to a broad audience should strive for clarity.

      davemc
      dave.mc
  • Which scanners detect?

    You state "the malware was obtained and scanned with 32 anti-malware scanners, out of which only 10 were detecting"

    Can you list which scanners *are* currently detecting?
    connell@...
    • Re: Which scanners detect?

      As I've pointed out, this is signature-based scanning only, and with Storm Worm introducing new binaries on newly infected hosts the signature-based detection rate is different. For instance, the sample that was detected by 10 scanners yesterday is now detected by 19. On the other hand, a new sample obtained is detected by 12 vendors only:

      AntiVir 7.8.0.19 2008.05.20 Worm/Zhelatin.yw
      AVG 7.5.0.516 2008.05.20 I-Worm/Nuwar.R
      BitDefender 7.2 2008.05.20 Trojan.Peed.PJ
      DrWeb 4.44.0.09170 2008.05.20 Trojan.Packed.468
      eSafe 7.0.15.0 2008.05.20 Suspicious File
      eTrust-Vet 31.4.5806 2008.05.20 Win32/Sintun.EY
      F-Secure 6.70.13260.0 2008.05.20 Trojan-Downloader.Win32.Cntr.bs
      Kaspersky 7.0.0.125 2008.05.20 Trojan-Downloader.Win32.Cntr.bs
      Microsoft 1.3520 2008.05.20 Backdoor:Win32/Nuwar.A
      Sophos 4.29.0 2008.05.20 Mal/TibsPak
      VirusBuster 4.3.26:9 2008.05.20 Worm.DR.Zhelatin.Gen!Pac.9
      Webwasher-Gateway 6.6.2 2008.05.20 Worm.Zhelatin.yw
      ddanchev
      • Symantec not getting new samples?

        NT
        kolvas
  • RE: The Storm Worm would love to infect you

    Just like getting VD.
    phatkat
  • RE: The Storm Worm would love to infect you

    I understood about 1/3 of this article. Even those parts really said nothing. I don't want to knock the author because (IMO) he isn't primarily English speaking. I'd rather knock the guy that gave him this assignment and then shot the person that was in charge of letting this be posted without any review. If someone DID review it, they should be added to the firing squad queue.
    DCMann
    • Ditto - Non-English native speaker Tech Writing is Difficult

      I came to the same conclusion.
      This appears to be written by a non-native English speaker who probably speaks my native language 100X better than I speak his.

      Tech writing can be a challenge even in one's native language.

      I found the article at least timely, with some important details that helped me understand a bit of suspicious activity flagged by my IDS and SIEM that I might otherwise have written off as innocuous.

      Now as for the editor (if there was one), tsk, tsk.
      david.swift@...
    • Made sense to me

      The story is made up of three bullet points that make sense if you are familiar with those topics. It all made sense to me and was informative.

      Where the article falls short is in assuming everyone reading the blog here is familiar with the topics. Some background and explanation of what it means would have been helpful.
      notlob
  • RE: The Storm Worm would love to infect you

    To the author:
    Use short sentences.
    We are all smart, but our expertise is often in another field, so don't be rude and speak in a language decipherable only to a narrow expert.
    If you want to be admired and praised, explain the details, the implications and, for crying out loud, tell us what has to be done to avoid getting this infection. Otherwise, your whole blog is garbage and of no practical value.

    Don't be pissed at the criticism, correct your glaring shortcomings, emerge a better friend to the whole community.
    pessimist
  • RE: The Storm Worm would love to infect you

    This started as one of the worst blogs/threads I've seen on
    ZDNET, but became one of the best. Why? Because people
    didn't flame, rant or insult; instead they made cogent
    comments and suggestions. The author listened and
    responded. We all learned more. This is what we all need.
    Thanks to all contributors. Editors, please take note!
    TechTeach_z
  • The story isn't badly written, just technical

    I had no problem understanding it. I'm sure there are plenty of other sufficiently dumbed-down articles available on this topic on the web.

    -It says that Storm is back.
    -Storm is once again using SQL injection attacks, but unless you spoof a specific class of browser & OS, you won't really notice that a particular website has been tainted.
    -This current tack the Storm authors are taking on trying to infect users (by compromising SQL servers and attacking exploitable browsers that visit websites served by infected databases) isn't as targeted as previous approaches to spreading their malware where they sent malware-laden emails that were targeted to trick particular demographics.
    -The previous distribution method for Storm had been malware-laden emails; this current approach is to host the malware in compromised databases on webservers, and to trick the gullible users into following a link to the malware.
    The grammar in this article is good, but a bit on the complex side. Not so complex that it should be difficult for a native English speaker. Those who have trouble with it for other reasons than failure to understand the terminology shouldn't be complaining about other people's writing, they should work on their comprehension skills.

    On a related note, I find it amusing how nearly all of the xenophobic kooks who spout off about English being the USA's official language seem to exhibit a profound lack of proficiency in English themselves.
    pyrr
    • English being the USA's official language

      Actually, English is not the USA's official language, rather, the language of the USA is "General American". The difference, perhaps, escapes many people, except if one happens to be English.
      http://en.wikipedia.org/wiki/Received_Pronunciation
      The most familiar and obvious is the emphasis on "r" at the end of words like "weather". The "r" IN ENGLISH is not pronounced, but it is in NA RP
      RP is a non-rhotic accent, meaning /r/ does not occur unless followed immediately by a vowel.

      http://en.wikipedia.org/wiki/General_American
      Mahegan