Storm switches tactics third time, adds rootkit

Computerworld - The ongoing Storm Trojan attack that began Monday has morphed again, security researchers said today, changing the malicious file's name, shifting to new malware hosting servers, and adding a rootkit to cloak the bot code from anti-virus software.

Spam messages attempting to dupe users into installing the bot-making Trojan now include links happycards2008.com or newyearcards2008.com, different URLs than in the second-wave attack that began Christmas Day. According to analysts at the SANS Institute's Internet Storm Center (ISC) and U.K.-based Prevx Ltd., the name of the file users are asked to download has also changed from Tuesday's "happy2008.exe." The file being shilled today is tagged to "happynewyear.exe."

More important is the behind-the-scenes addition of a rootkit to the versions of Storm now being seeded to infected machines, said researchers. Both Marco Giuliani of Prevx and an independent security researcher named Russ McRee have posted analyses of Storm's cloaking attempt.

[Storm now has] better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?)," said McRee on his HolisticInfoSec Web site. "No more hanging out in the open, easily seen."

Fortunately, said Giuliani, the rootkit is relatively old, and thus detectable by at least some security software. Neither is the move by Storm's makers to hide its components and operations from anti-virus programs a new thing: the Trojan began using rootkits months ago.

Giuliani also wondered why the domains hosting the Trojan had not been taken down. "If the attack is currently known and security companies are updating their software, why are these fake domains still active?" he asked in a post to the Prevx company blog. "If servers behind [these] sites are constantly changing so that it would be impossible to shut them down, these servers are reached by four well-known domains. Why, after four days, hasn't anyone successfully taken these domains down?"

According to WHOIS look-ups, both the happycards2008.com and newyearcards2008.com domains were registered with a Russian domain registrar named RUcenter only yesterday; the listed contact for the two domain is a "Bill Gudzon" of Los Angeles, Calif., but the contact phone number gave only a constant busy signal.

Since the newest Storm attack began on Monday with spam touting Christmas-themed strippers, the code has repacked hundreds of times, a trick malware authors use to deceive signature-based antivirus software. Prevx, said Giuliani, has already detected more than 400 variants of the version now in circulation.

Read more about security in Computerworld's Security Knowledge Center.