Dec 27th

Storm Worm: third round

Posted by: Marco Giuliani


Hello there,

We're at our third episode of "Stormy: the Christmas lover".

The outbreak is still going on, even if it looks like the impact of the attack is slowly decreasing.

So far we have logged in our database more than 400 variants of the third Stormy version seen in these four days, and for some hours now we have been seeing a fourth version, using yet another custom-made runtime packer.

Two more domains have been registered and brought online to drop Stormy, and the file names are now happy-2008.exe and happynewyear.exe.

The latest versions of the Stormy worm use a rootkit component to hide the infection's components.

Once launched, the dropper creates a new service and a driver in the Windows System directory, named clean[4 random chars]-[4 random chars].sys or bldy[4 random chars]-[4 random chars].sys.

The driver hooks three Windows native APIs: ZwEnumerateKey, ZwEnumerateValueKey and ZwQueryDirectoryFile. The goal is to hide its registry keys and files.

As a side effect, it hides every file whose name contains the string "clean" or "bldy".
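The hiding described above is exactly what a cross-view check catches: list the directory through the (possibly hooked) enumeration API, list it again through a path the hook does not control, and diff the two. The following Python is an added example written for this post, not Prevx code or the worm's code. It models the hooked ZwQueryDirectoryFile as a filter that drops names containing "clean" or "bldy" (the substrings named in the post), uses the driver name pattern and the clean.config file name from the post, and treats everything else as assumptions: the sample directory listing is constructed, the matching is assumed case-insensitive (Windows file names are), and the "4 random chars" are assumed alphanumeric.

```python
"""Cross-view detection of a directory-listing hook (added example).

The raw listing stands for a view that bypasses the hook (for example a
scan of the file-system structures on disk); the hooked listing is what a
user-mode program sees. Anything present in the first but missing from the
second has been hidden. The sample listing, the case-insensitive matching
and the 4-character set are assumptions, not facts from the post.
"""
import re

MARKERS = ("clean", "bldy")  # substrings the post says the driver hides
# clean[4 random chars]-[4 random chars].sys / bldy[...]-[...].sys; charset assumed alphanumeric
DRIVER_NAME_RE = re.compile(r"^(clean|bldy)[0-9a-z]{4}-[0-9a-z]{4}\.sys$", re.IGNORECASE)
CONFIG_NAME = "clean.config"  # file holding the botnet UDP port, per the post


def hooked_listing(raw_entries, markers=MARKERS):
    """What a program sees through the hooked enumeration: marked names vanish."""
    return [n for n in raw_entries if not any(m in n.lower() for m in markers)]


def cross_view_diff(raw_entries, api_entries):
    """Names present in the raw (trusted) view but missing from the API view."""
    visible = set(api_entries)
    return sorted(n for n in raw_entries if n not in visible)


def classify_hidden(hidden):
    """Split hidden names into the worm's own files and collateral damage."""
    worm, collateral = [], []
    for name in hidden:
        if DRIVER_NAME_RE.match(name) or name.lower() == CONFIG_NAME:
            worm.append(name)
        else:
            collateral.append(name)  # legitimate file hidden only because of its name
    return worm, collateral


# Constructed System directory listing: worm files plus innocent bystanders.
SAMPLE_LISTING = [
    "kernel32.dll", "ntoskrnl.exe", "cleanab12-cd34.sys", "clean.config",
    "bldyzz99-qq00.sys", "cleanup.log", "BldyPatchNotes.txt", "drivers",
]


def run_detection(raw_entries=SAMPLE_LISTING):
    """Run the cross-view check and return (hidden, worm_files, collateral)."""
    hidden = cross_view_diff(raw_entries, hooked_listing(raw_entries))
    worm, collateral = classify_hidden(hidden)
    return hidden, worm, collateral


if __name__ == "__main__":
    hidden, worm, collateral = run_detection()
    print("hidden by hook:", hidden)
    print("worm files:", worm)
    print("collateral (legitimate files also hidden):", collateral)
```

The collateral list is the practical tell for an analyst: a hook that makes innocent files such as cleanup.log disappear from Explorer is visible to anyone who compares views, which is why a substring-based hiding scheme is considered an old and easily detected technique.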

Stormy rootkit
Then about 135KB of code is injected by the driver into the services.exe process. The worm harvests e-mail addresses from files with these extensions:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dat
  • .dbx
  • .dhtm
  • .eml
  • .htm
  • .jsp
  • .lst
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .pl
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .wab
  • .wsh
  • .xls
  • .xml

The spam routine avoids sending e-mail to addresses containing one of these strings:

  • @avp.
  • @foo
  • @iana
  • @messagelab
  • @microsoft
  • abuse
  • admin
  • anyone@
  • bsd
  • bugs@
  • cafee
  • certific
  • contract@
  • feste
  • free-av
  • f-secur
  • gold-certs@
  • google
  • help@
  • icrosoft
  • info@
  • kasp
  • linux
  • listserv
  • local
  • news
  • nobody@
  • noone@
  • noreply
  • ntivi
  • panda
  • pgp
  • postmaster@
  • rating@
  • root@
  • samples
  • sopho
  • spam
  • support
  • unix
  • update
  • winrar
  • winzip
Injected code
The e-mail sent can carry in its subject or body one of the strings listed below:

  • Happy New Year To You!
  • Wishes for the new year
  • Opportunities for the new year
  • New Year Postcard
  • New Year Ecard
  • New Year wishes for you
  • Happy New Year To You!
  • Message for new year
  • Blasting new year
  • As you embrace another new year
  • It's the new Year
  • As the new year...
  • Happy 2008 To You!
  • Joyous new year
  • Lots of greetings on new year
  • A fresh new year

possibly combined with one another or with the recipient's address in the body. The body contains a link to one of the last two registered domains: happycards2008.com or newyearcards2008.com.
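The lure phrases and link domains above are enough to build a mail-gateway check. The following Python is an added example written for this post, not code from Prevx or from the worm: it parses an RFC 822 message with the standard library, looks for the lure phrases in subject and body, and matches http(s) links against the two domains. The two-indicator threshold and the sample messages are constructed for illustration; the phrase list and domains are the ones the post gives.

```python
"""Flag Storm/"Stormy" New Year lure mail (added example, not from the post).

Indicators: a lure phrase in the subject, a lure phrase in the body, and a
link whose host is (or is under) happycards2008.com / newyearcards2008.com.
The cut-off of two co-occurring indicators is an assumed tuning choice.
"""
import email
import re
from email import policy

LURE_PHRASES = [
    "Happy New Year To You!", "Wishes for the new year",
    "Opportunities for the new year", "New Year Postcard", "New Year Ecard",
    "New Year wishes for you", "Message for new year", "Blasting new year",
    "As you embrace another new year", "It's the new Year", "As the new year...",
    "Happy 2008 To You!", "Joyous new year", "Lots of greetings on new year",
    "A fresh new year",
]
LURE_DOMAINS = ("happycards2008.com", "newyearcards2008.com")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def lure_hits(text):
    """Lure phrases found in text, matched case-insensitively."""
    low = text.lower()
    return [p for p in LURE_PHRASES if p.lower() in low]


def lure_domain_links(text):
    """Hostnames in http(s) URLs that are, or are under, a lure domain."""
    hosts = (h.lower().rstrip(".") for h in URL_HOST_RE.findall(text))
    return sorted({h for h in hosts
                   if any(h == d or h.endswith("." + d) for d in LURE_DOMAINS)})


def storm_indicators(raw_message):
    """Return the list of indicators found in one RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    found = []
    if lure_hits(msg.get("Subject", "")):
        found.append("lure phrase in subject")
    if lure_hits(body):
        found.append("lure phrase in body")
    for host in lure_domain_links(body):
        found.append("link to lure domain " + host)
    return found


def is_storm_lure(raw_message, threshold=2):
    """Flag a message when at least `threshold` indicators co-occur (assumed cut-off)."""
    return len(storm_indicators(raw_message)) >= threshold


# Constructed sample messages (not real captured mail).
STORM_SAMPLE = (
    "From: greetings@example.net\r\n"
    "To: bob@example.org\r\n"
    "Subject: Happy New Year To You!\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Wishes for the new year, bob@example.org\r\n"
    "Your card: http://happycards2008.com/\r\n"
)
BENIGN_SAMPLE = (
    "From: alice@example.org\r\n"
    "To: bob@example.org\r\n"
    "Subject: Happy new year and Q1 planning\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Agenda is at http://intranet.example.org/plan\r\n"
)

if __name__ == "__main__":
    for name, raw in (("storm", STORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, is_storm_lure(raw), storm_indicators(raw))
```

Requiring two indicators keeps an ordinary "Happy new year" greeting from being quarantined on the subject alone, while a message that pairs a lure phrase with a link to one of the registered domains is flagged.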

A random UDP port is then opened so that the infected PC can join a huge botnet. The port is recorded in the file clean.config, created by the malware in the Windows System directory and hidden by the rootkit.

The technique used by the Stormy rootkit to hide its components is quite old and is easily detected by Prevx CSI.

If the attack is now known - technically speaking - and security companies are updating their software, a question arises: why are these fake domains still active? Even if the servers behind the website are constantly changing, so that shutting them down would be impossible, they are reached through four well-known domains. Why, after four days, has nobody successfully taken these domains down?

Only cooperation between security companies, ISPs and law enforcement agencies can become the deadly weapon against these teams who write malware and who could potentially shut down several crucial international servers with their botnet.

Hoping that the smell of money won't persuade anyone not to collaborate.

1 comment so far

Mark on 28/12/2007 22:55:26

Taking down the domain names used as the fast-flux hosts seems on the surface to be a means for shutting down this operation. However, it is like the arcade game whack-a-mole. Whether you elect to suspend the domain name, or you elect to notify every ISP of every infected machine, the result is the same. No sooner do you remove one part of the problem than other parts pop up to continue the infection.

Storm requires a more concerted effort at containment. The best effort to date has been Microsoft's addition to its automated update distribution system, last September, that detected and removed the Storm infection (MSRT) on a massive number of machines automatically.

All AV vendors need to ensure that their software is able to both remove existing infections and prevent infestations from occurring.

The last and most important step is for individual users to make use of the AV and Microsoft update initiatives to clean up their machines.

PS: Of course, the ultimate solution is the long-term incarceration of the criminals behind this scourge on the Internet.
