Detecting CME711 (Storm)
For those of you just joining us...
The trojan known as CME711 by Mitre, or Peacomm, Peed, Storm, and Nuwar, infects machines using social engineering. A user will receive an email with a half dozen or fewer lines of text. The email suggests the user will receive a greeting card, free game, or music sharing software. Other social engineering spams attributed to Storm have been placed on blogs and webpages.
More often than not, unsuspecting users will click the link provided in these emails or blogs. For those who are unlucky enough to have not applied patches to their operating system or third party software, the authors of this trojan have left a special treat - a JavaScript ripped from the Mpack suite.
When an unpatched user visits an Mpack infected site, they are infected with a host of malware. No user interaction is required for infection.
For those who have applied all patches, the authors have created a professional looking webpage that may spark your interest and have you clicking links. Either way, the end result is an infection, and your PC is turned into a zombie for the Storm botnet.
The botnet communicates using the same peer to peer technology as many file sharing applications like Gnutella and eDonkey. Since it uses this technology, it is hard to determine where botnet commands originate or how many zombies are a part of this botnet. Due to the peer to peer structure, locating the person controlling this network is very difficult. Worse still, the commands issued by the botnet controller are encrypted. The network uses DNS double fast-flux to keep researchers from shutting down the malware distribution points. Over 40,000 unique IP addresses have been seen by DISOG in the last 6 months serving malicious code for Storm. The Storm botnet is truly a global pest.
Many people have written in and asked for quick ways to detect if they are infected with Storm. This is difficult because Storm uses rootkit technology; to add to the misery, the code morphs every 30 to 60 seconds. This means you are unlikely to infect yourself with the same piece of code twice.
I've tested a few of the freely available rootkit detectors, and have come up with this pattern for tests:
Install rootkit detector -> run test -> reboot -> run test again.
Sophos rootkit detector and gmer both detected the hidden files after reboot, but neither detected on the first test.
Many people are reluctant to install another piece of software and I can understand why, so I decided to test the current version of Storm's file hiding technology. What I found is that you're able to determine if you've been infected by creating one file, and then trying to list that file using the DOS directory (dir) command. You are also able to do this from the GUI, however the results are a little less obvious.
For this test, click start->run and type "cmd" (without quotes). A Command Prompt window will appear. Next you will want to create a file called spooldr.test. Do so by typing 'copy con spooldr.test'. Nothing will appear to happen, you will just be pushed to a blank line below your copy con command. Type something random and press enter. Then press the F6 key. You will see ^Z and '1 file(s) copied.' then you will be returned to your command prompt (C:\Documents and Settings\whatever\>) again. What you've just done is created a file with whatever text you typed on the blank line, just like if you created a new file in notepad and saved it.
Type 'dir spooldr.test'. If you're able to see the file with the current date and time, you're not infected with this version of Storm. If you can't list this file, you're probably infected, and need to seek professional help for removal.
It is trivial for the Storm authors to change their tactics and use another pattern for hiding their files. (SEE UPDATE BELOW!) I will try to keep on top of any changes and post them here - for now this should work on most systems. I could have written a program to do this for you and I am sure someone else will. However I believe in education, and you just can't learn anything if someone does all the work for you.
My first test was to run the most recent version of Storm as a normal, unprivileged user. The bot did make contact with the Storm network, however the rootkit function did not work, and I was able to see the spooldr.cfg file, which contains the current list of peers assigned to my computer. Upon reboot the software did not restart, so my machine did not participate with the botnet any longer. Running the code as administrator was when it became dangerous. Security experts have long recommended using a non-privileged account for normal operations and only logging in as administrator when absolutely necessary. As if you needed another reason, right?
UPDATE:
McAfee is reporting the filenames have changed from spooldr.* to noskrnl.*. They also reminded us that wincom.* was used towards the beginning of the year. It's doubtful they changed the name based on this blogpost. More likely it was just good timing. I just grabbed a new binary and it's still using spooldr.* - to be safe, try all three files.
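The manual copy con / dir test above, repeated for all three filename prefixes mentioned in this post, as an added batch script that is not part of the original post. It assumes the same behaviour the post describes: the rootkit hides files matching the prefix from directory listings, so a file we just created comes back as "File Not Found".

```batch
@echo off
rem Added example (not from the original post): probe for Storm's file hiding
rem by creating one test file per known filename prefix and asking dir to list
rem it back. Run from a normal Command Prompt in a directory you can write to.
setlocal
set "HIDDEN=0"

for %%P in (spooldr noskrnl wincom) do (
    rem Create the probe file; this is the scripted form of 'copy con %%P.test'.
    echo storm probe > "%%P.test"
    if not exist "%%P.test" (
        echo [??] could not create %%P.test - check write permissions
    ) else (
        rem dir returns errorlevel 1 when the file cannot be enumerated.
        dir /b "%%P.test" >nul 2>&1
        if errorlevel 1 (
            echo [!!] %%P.test exists but dir cannot list it - possible Storm rootkit
            set "HIDDEN=1"
        ) else (
            echo [ok] %%P.test is visible
            del "%%P.test"
        )
    )
)

if "%HIDDEN%"=="1" (
    echo One or more probe files are hidden from directory listings.
    echo Rerun after a reboot with a rootkit detector before trusting this box.
    exit /b 1
)
echo All probe files listed normally for this version of Storm's hiding pattern.
exit /b 0
```

A probe file that the script cannot list is left in place on purpose, since del is just as likely to be intercepted; remove it after cleanup.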
Labels: CME711, MPACK, nuwar, peacomm, peed, rootkits, Storm, targeted malware

1 Comments:
Super Laugh again ??????
I check ptowl.com and I see psycho kitty cat again....
Storm worm returning back with old page ?????????
Edgar