Storm switches tactics third time, adds rootkit
Domains spreading Trojan registered in Russia, remain online in plain sight
Computerworld - The ongoing Storm Trojan attack that began Monday has morphed again, security researchers said today, changing the malicious file's name, shifting to new malware hosting servers, and adding a rootkit to cloak the bot code from anti-virus software.
Spam messages attempting to dupe users into installing the bot-making Trojan now include links happycards2008.com or newyearcards2008.com, different URLs than in the second-wave attack that began Christmas Day. According to analysts at the SANS Institute's Internet Storm Center (ISC) and U.K.-based Prevx Ltd., the name of the file users are asked to download has also changed from Tuesday's "happy2008.exe." The file being shilled today is tagged to "happynewyear.exe."
More important is the behind-the-scenes addition of a rootkit to the versions of Storm now being seeded to infected machines, said researchers. Both Marco Giuliani of Prevx and an independent security researcher named Russ McRee have posted analyses of Storm's cloaking attempt.
[Storm now has] better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?)," said McRee on his HolisticInfoSec Web site. "No more hanging out in the open, easily seen."
Fortunately, said Giuliani, the rootkit is relatively old, and thus detectable by at least some security software. Neither is the move by Storm's makers to hide its components and operations from anti-virus programs a new thing: the Trojan began using rootkits months ago.
Giuliani also wondered why the domains hosting the Trojan had not been taken down. "If the attack is currently known and security companies are updating their software, why are these fake domains still active?" he asked in a post to the Prevx company blog. "If servers behind [these] sites are constantly changing so that it would be impossible to shut them down, these servers are reached by four well-known domains. Why, after four days, hasn't anyone successfully taken these domains down?"
According to WHOIS look-ups, both the happycards2008.com and newyearcards2008.com domains were registered with a Russian domain registrar named RUcenter only yesterday; the listed contact for the two domain is a "Bill Gudzon" of Los Angeles, Calif., but the contact phone number gave only a constant busy signal.
Since the newest Storm attack began on Monday with spam touting Christmas-themed strippers, the code has repacked hundreds of times, a trick malware authors use to deceive signature-based antivirus software. Prevx, said Giuliani, has already detected more than 400 variants of the version now in circulation.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts