February 2008

Bad Behavior

This month’s malware pick, highlighted in order to help you understand how to keep it off your system, is the notorious web nasty commonly known as “Storm Worm.” At Lavasoft, we classify it as “Win32.Worm.Zhelatin.” Storm Worm’s reign shows no sign of coming to an end, as the already-massive Storm botnet (the infected machines controlled by Storm’s creators) is growing daily.

Understanding the Threat
What type of malware are we dealing with? While this threat is frequently referred to as “Storm Worm,” it is technically not a worm; according to Lavasoft researchers, Storm is actually a download Trojan.

The name “Storm” was coined in January 2007, when the threat was first spotted in e-mail messages claiming to have news of the deadly storms plaguing Europe at that time. Since then, it has changed tactics numerous times to mimic current events and news stories. One of its most recent spam attacks was targeted towards Valentine’s Day. While size estimates vary, some researchers believe that the Storm Worm botnet is made up of more than one million infected machines, making it one of the largest known botnets.

The Bad Behavior
Storm Worm’s method of operation is to use social engineering to infect users, compromise PCs, and ultimately form a botnet used to propagate cyber crime.

Here’s how it works: the computer user receives a spam message, disguised as an e-greeting card, news article, or notification of other current event in an attempt to con the person into installing the botnet-forming Trojan. The recipient becomes infected after opening an attachment or clicking on a link in the message. While it is a less common method, Storm has also been known to spread through website exploits. Either way, the compromised computer becomes part of a botnet – a network of zombie computers controlled remotely – which is then used to spread more malware.

This relatively simple method of attack has resulted in an astounding success rate. Part of Storm Worm’s proliferation is due to its tendency to change tactics by way of releasing new variants, changing e-mail subject lines, and altering the malicious file’s name.

To make matters worse, according to reports, the Storm botnet acts on the defensive; it has displayed behavior that indicates its controllers actively protect the botnet against efforts to track or interrupt it. According to researchers, investigation of the file has been known to be prevented by the Trojan calling home, resulting in the botnet launching a DDoS attack on the IP address of whoever is probing is.

Winning Strategies
To avoid getting infected and becoming part of the growing Storm botnet, it is critical that home users install up-to-date firewalls, anti-virus and anti-spyware software, patch operating systems and applications against known vulnerabilities, and be cautious when opening e-mail.

A few more tips:

  • Use extreme caution when opening attached files or clicking on links in e-mail messages. Even if you use a reliable anti-spam program, do not let your guard down. The Storm Worm is constantly updated by malware authors, changing tactics to manipulate innocent users and entice them to open attachments or to visit infection-hosting websites.
  • Play it safe by getting your news from legitimate sources. No matter how tempting the subject line is, do not click on links or download attachments in unsolicited e-mail messages promising to deliver news about current events and issues.
  • While you may love to get online greeting cards from friends and family, you need to be especially cautious of these types of messages. This month, lookout for messages taking advantage of the upcoming Valentine’s Day holiday. Many e-card service providers, such as Hallmark, have helpful information on their websites that you can you use to check the validity of electronic greetings. Take a look at these types of tips before opening e-mail attachments or clicking URLs within a message.
Paragon Drive Backup 8.5 Personal Edition More Info Buy Now

Research indicates that the Storm Worm botnet increased in size by over 200% due to seasonal spam blasts surrounding Christmas and New Year’s Eve. Following a pre-Valentine’s Day surge, Storm made up 8% of overall e-mail traffic.
Source: Honeyblog.org, Sophos

An exploit is a piece of software that takes advantage of a hole or vulnerability in a computer user’s system in order to gain unauthorized access to the system.
Source: Anti-Spyware Coalition Glossary

You hear time and time again about the importance of keeping your computer patched against known vulnerabilities. Find out how to stay up-to-date.

“I just wanted to tell you what an amazing line of products you have. Many times [Ad-Aware 2007] has saved my computer from a total crash, or me the hassle of wiping the hard disk clean. It finds so many things: malware, adware, spyware and malicious email attachments, Trojans, monitoring tools and back-door viruses, things that are so hard for me to find on my own. Thank you, really. You make my life so much easier.”
S. Black (Setsuna, Kansas, USA)

Lavasoft AB Lilla Bommen 1, 411 04 Gothenburg, Sweden | www.lavasoft.com | editor@lavasoft.com