The Storm Worm
This is a white paper I did for uni last semester that I'm actually quite proud of. A lot of research and work went into it, and amazingly I had fun doing it too. It's quite an eye opener.
Abstract— This paper discusses how the Storm Worm operates and the most current forms of mitigation and removal. Because its success can be largely attributed to the number of ways in which it distributes itself, its awareness of the environment it runs in, and some intriguing techniques for avoiding termination, this worm in particular calls for caution.
You can download the PDF version HERE or continue on to read the rest.
The Storm Worm
Scott T Richmond
Network Security, Box Hill Institute
465 Elgar Road, Melbourne, Victoria
[ANON]@gmail.com
I. Disclaimer
This paper assumes that the reader has a reasonable knowledge of worms and other malware and of Microsoft Windows, and a fairly deep knowledge of how the internet works.
It is worth noting that malware of this calibre updates and changes very quickly, and is also edited slightly by other parties and sent back out into the wild. It is simply impossible to dissect every iteration of the Storm Worm, so the scope of this paper is limited to the techniques used by the version of the worm it was written about, plus any findings posted by other people (who are duly referenced) that were significant enough to include.
II. Introduction
“This doesn’t seem to have received much attention, but the world’s most powerful supercomputer entered operation recently. Comprising between 1 and 50 million CPUs (depending on whose estimates you believe), the Storm botnet easily outperforms the currently top-ranked system.” Peter Gutmann, 31st August 2007.[1]
Discovered on January 17th, 2007,[2] the Storm Worm went on to become one of the most pervasive and successful pieces of malware the world has ever seen. Estimates of its peak size vary enormously; the highest put it at an incredible 50 million infected Windows PCs worldwide, while the low end of the same range (see the quote above) is around one million.
To this day (April 2008) the Storm Worm is still in the wild and infecting computers around the world. Its success is largely due to the criminals behind it. Storm represents one of the larger schemes designed to make money, and it has become clear that a lot of money is involved, because the rapid release of updates and new modules requires an impressive amount of resources. Storm is the poster boy for a new era of internet malware and crime, and quite possibly terrorism.
This paper will discuss and disseminate how the Storm Worm works and the latest ways in which to mitigate it.
III. Naming Conventions
Just like any other malware, the Storm Worm has many names associated with it, because each security and AV company defines its own signature name for the software.
The Storm Worm is not to be confused with the 2001 outbreak of W32/Storm.Worm, which was a largely ineffective worm.
Below is a list of known names associated with the Storm Worm and the companies that use them:
· Small.dam or Trojan-Downloader.Win32.Small.dam (F-Secure)
· CME-711 (MITRE)
· W32/Nuwar@MM and Downloader-BAI (McAfee)
· Troj/Dorf and Mal/Dorf (Sophos)
· Trojan.Downloader-647
· Trojan.Peacomm (Symantec)
· TROJ_SMALL.EDW (Trend Micro)
· Win32/Nuwar (ESET)
· Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)
· W32/Zhelatin (F-Secure and Kaspersky)
· Trojan.Peed, Trojan.Tibs (BitDefender)
To confuse matters further, the Storm Worm also uses pseudo-polymorphic techniques to alter its binary so that it appears to be an entirely new piece of malware, and AV companies then detect and tag the new variant under yet another name.
IV. Infection
Probably the most prevalent of all the Storm Worm's features is the way it distributes itself across the internet. First and foremost the Storm Worm is a spambot, capable of sending out email in bursts that exceed 1,800 messages in a 5 minute period.[3]
It sends specially crafted emails (a social engineering attack) to entice the victim either to visit a fake website or to download an infected file attached to the email. The variant of Storm researched in this paper arrived as a URL in a spam email inviting you to download a 'Happy New Year!' ecard; hidden alongside the card was an infected file called applet.exe.
But for this technique to be truly effective, the fake websites and the locations of the infected files need high availability and resistance to being shut down; otherwise the link in the email could be dead by the time a user reads it and clicks it. It can't be an IP-address-based URL, because a single address is a single point of failure: the computer hosting the malware could be overwhelmed or shut down by the authorities. So the attacker must find a way to create a completely distributed and ever-changing network. Enter Fast-Flux.
A. Fast-Flux
Fast-Flux is a growing, sophisticated technique that is increasingly used in the wild. A fast-flux service network is a network of compromised PCs whose DNS records are constantly changing, in some cases every few minutes. These constantly changing records make it much more difficult to track down the criminal and shut down the operation.
The goal of fast-flux is for a fully qualified domain name (such as www.example.com) to have hundreds or even thousands of IP addresses assigned to it. These IP addresses rotate in and out with extreme frequency using a combination of round-robin DNS and a very short Time-To-Live (TTL) on each record. A hostname may be associated with a new set of IP addresses as often as every few minutes, so a browser connecting to the same website every few minutes would actually be connecting to a different infected computer each time.
The building blocks of fast-flux (round-robin records with a short TTL) are perfectly normal DNS features that any DNS provider can offer; what makes it fast-flux is that the addresses belong to compromised machines. Criminals tend to use certain Russian DNS providers for this because they are very slow to respond to reports of illegal use of their services.
*WARNING* The domain name www.supersameas.com is still live as of April 13th 2008. Browsing to this site may get you infected with Storm!
Not only does Storm use this technique, but it takes it a step further –

Figure 1 - Double-Flux in use in the Storm network.
Known as Double-Flux, Storm's scheme amounts to a completely decentralised DNS service. The diagram above shows how Double-Flux works with a live Storm domain name:
Step 1 – When the http address is entered into the browser, your PC first issues a DNS query to find out where the domain is hosted. To do this it asks your ISP's DNS server (omitted from the diagram), which in turn queries the name server (NS) of that domain. This is where Double-Flux comes in: not only is the A record fast-fluxed, but so is the NS record:
ns3.supersameas.com 84267 209.136.140.189
ns4.supersameas.com 84267 66.190.211.71
ns1.supersameas.com 84267 75.62.247.33
ns2.supersameas.com 84267 75.82.24.44
The above output shows these NS records with a TTL of 84267 seconds (about 23.4 hours). That is a cached value counting down, most likely from an original TTL of 86400 seconds, i.e. 24 hours. So roughly every 24 hours the IP of each NS record changes to another infected computer, giving the worm yet another layer of redundancy and resilience.
Also, if you do a reverse DNS lookup on those NS IPs you'll see that they are consumer broadband hosts, i.e. infected computers sitting on ADSL and cable connections at consumer ISPs:
Name: texas-adsl-1205.camtel.net
Address: 209.136.140.189
Name: 66-190-211-71.dhcp.slid.la.charter.com
Address: 66.190.211.71
can’t find 75.62.247.33: Non-existent domain
Name: cpe-75-82-24-44.socal.res.rr.com
Address: 75.82.24.44
Notice that one of the four addresses has no reverse record. On its own that does not mean the compromised PC is down; many consumer addresses simply have no PTR record, so the reverse lookup just tells us nothing about that node. In 24 hours' time a new set of compromised PCs will enter rotation for the NS records, and any node that has gone offline in the meantime will be replaced.
Step 2 – Once one of the name servers receives the query, it responds with an A record: the IP address of the web server you are attempting to browse to. The A record is the second part of the Double-Flux DNS service, and on the Storm DNS network it changes every second. Every time you browse to that domain you will be sent to a different IP address. There could quite possibly be hundreds of thousands of compromised PCs serving that one website, an incredibly formidable redundant service.
Step 3 – The PC now has the address of the web server and can issue an HTTP GET to fetch the page and download the content, which is served by any one of thousands of slave PCs.
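The two behaviours described above, the fast-fluxed A records of section IV.A and the day-scale NS rotation of the Double-Flux steps, can be told apart from an ordinary short-TTL setup (a CDN, say) only by comparing several lookups over time rather than one. The script below is an added example, not code from the paper or from any tool it cites. It scores a series of DNS lookups by A-record TTL, number of distinct addresses, how many /16 networks they span, how often the answer set changes, and whether each name server's address changes between lookups. The four ns1 to ns4 addresses on "day 0" are the ones listed above; the thresholds, the "day 1" name-server addresses, the 10.x bot addresses and the CDN-like comparison case are constructed for the demo.

```python
"""Score a series of DNS lookups for fast-flux and double-flux behaviour.

Added example, not code from the paper. Thresholds and sample observations
are assumptions; the day-0 NS addresses are the four the paper lists.
"""
import ipaddress
from collections import defaultdict, namedtuple

# One lookup: t = seconds since the first lookup, a = [(ip, ttl)], ns = [(name, ip, ttl)]
Lookup = namedtuple("Lookup", "t a ns")


def _prefix(ip, bits=16):
    """Collapse an address to its /16 so spread across networks can be counted."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def flux_score(lookups, short_ttl=300, min_ips=10, min_prefixes=5):
    """Summarise the lookups and return (verdict, metrics).

    verdict is "double-flux", "fast-flux" or "normal". Single flux needs a
    short TTL, many distinct addresses spread over many networks, and answer
    sets that keep changing; double flux additionally needs a name server
    whose own address changed during the observation window.
    """
    a_ips, a_ttls = set(), []
    ns_ips_by_name = defaultdict(set)
    changes, prev = 0, None
    for lk in lookups:
        cur = {ip for ip, _ in lk.a}
        a_ips |= cur
        a_ttls += [ttl for _, ttl in lk.a]
        for name, ip, _ in lk.ns:
            ns_ips_by_name[name].add(ip)
        if prev is not None and cur != prev:
            changes += 1
        prev = cur
    ns_ips = set().union(*ns_ips_by_name.values())
    m = {
        "a_min_ttl": min(a_ttls),
        "a_distinct_ips": len(a_ips),
        "a_prefixes": len({_prefix(ip) for ip in a_ips}),
        # fraction of successive lookups whose answer set differed from the last
        "a_churn": changes / max(1, len(lookups) - 1),
        "ns_rotating_names": sum(1 for s in ns_ips_by_name.values() if len(s) > 1),
        "ns_prefixes": len({_prefix(ip) for ip in ns_ips}),
    }
    single = (m["a_min_ttl"] <= short_ttl and m["a_distinct_ips"] >= min_ips
              and m["a_prefixes"] >= min_prefixes and m["a_churn"] >= 0.5)
    # NS TTLs are long (about a day in the paper), so NS rotation only shows up
    # when the lookups span more than one day.
    double = single and m["ns_rotating_names"] >= 1 and m["ns_prefixes"] >= 2
    verdict = "double-flux" if double else "fast-flux" if single else "normal"
    return verdict, m


# --- constructed observations (not real captures) ---------------------------
PAPER_NS_DAY0 = [("ns1.supersameas.com", "75.62.247.33", 84267),
                 ("ns2.supersameas.com", "75.82.24.44", 84267),
                 ("ns3.supersameas.com", "209.136.140.189", 84267),
                 ("ns4.supersameas.com", "66.190.211.71", 84267)]
# Invented day-1 NS addresses, to show the rotation the paper describes.
NS_DAY1 = [(n, f"10.9{i}.{i}.1", 86400) for i, (n, _, _) in enumerate(PAPER_NS_DAY0, 1)]
POOL = [f"10.{i}.{i}.{i}" for i in range(1, 31)]   # 30 fake bots in 30 different /16s


def storm_like(ns_rotates=True):
    """Five fresh bots on every lookup; NS set changes after a day if ns_rotates."""
    times = [0, 120, 240, 86400, 86520, 86640]
    out = []
    for k, t in enumerate(times):
        ns = NS_DAY1 if (ns_rotates and t >= 86400) else PAPER_NS_DAY0
        out.append(Lookup(t, [(ip, 0) for ip in POOL[k * 5:(k + 1) * 5]], ns))
    return out


def cdn_like():
    """Short TTL too, but three stable addresses in one /24 and a fixed name server."""
    ips = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    ns = [("a.ns.example.net", "198.51.100.53", 86400)]
    return [Lookup(t, [(ip, 60) for ip in ips[k:] + ips[:k]], ns)
            for k, t in enumerate([0, 60, 120, 180])]


if __name__ == "__main__":
    for label, obs in [("storm-like", storm_like()), ("stable NS", storm_like(False)),
                       ("cdn-like", cdn_like())]:
        verdict, metrics = flux_score(obs)
        print(f"{label:10s} -> {verdict:11s} {metrics}")
```

A short TTL alone is not evidence of anything, which is why the CDN-like case scores "normal": the decisive signals are address count, network spread and churn, and, for double flux, an NS name whose address moves between days.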
B. Rootkit hook
Once the infected file has been downloaded and run, Storm begins a whole series of steps designed to compromise even a security-hardened computer.
One of the first things Storm does after decrypting and unpacking itself is to crash any active AV emulation engine by calling the function FreeIconList, a legacy Windows function that AV emulators often do not implement.
With the AV engine out of the way, Storm runs a routine that disables Windows File Protection for the kbdclass.sys driver (and its cached copy) and patches the driver so that it loads the rootkit driver spooldr.sys.
After that Storm creates two files: a copy of applet.exe placed in %systemroot%, and a copy of spooldr.sys renamed to spooldr.exe, also placed in %systemroot%.
Storm then runs a system command to allow spooldr.exe through the Windows Firewall:
netsh firewall set allowedprogram "%systemroot%\spooldr.exe" enable
C. Hooking the P2P client
Probably the most important module Storm loads is the P2P module, wincom32.sys. This driver injects a hidden executable into the user-space memory of the SERVICES.EXE process. The injected code is responsible for connecting to the Storm network cloud and for all P2P communication.[4]
D. Hiding thy self
The last step in Storm's infection process is to hide itself from view. The Storm rootkit module uses System Service Descriptor Table (SSDT) hooking to hide files and registry keys, and hijacks IRP_MJ_DEVICE_CONTROL on '\Device\Tcp' to hide the active connections of SERVICES.EXE.[4]
This means that Storm has become virtually invisible on the host: there are no traces of it in the registry, no new processes in Task Manager, and all network connections it makes on behalf of SERVICES.EXE are hidden too. Invisible to tools running on the infected machine, that is; the rootkit cannot hide that traffic from a device elsewhere on the network.
E. Terminating the Anti-Virus
One of the alarming things Storm can do is completely disable almost any AV solution on the host PC. As discussed earlier, Storm first crashes the AV application in order to patch a critical Windows driver. The next time Windows boots it loads the infected kbdclass.sys driver, which immediately spawns the Storm rootkit, spooldr.exe. Every driver and program loaded after kbdclass.sys is under the control of the Storm rootkit: Storm simply checks every driver and program as it loads, and if it is on the blacklist, it is terminated.
A complete list of the programs blacklisted by the variant of Storm this paper dissects:
· Zonealarm Firewall
· Jetico Personal Firewall
· Outpost Firewall
· McAfee Personal Firewall
· McAfee AntiSpyware
· McAfee Antivirus
· F-Secure Blacklight
· F-Secure Anti-Virus
· AVZ Antivirus
· Kaspersky Antivirus
· Symantec Norton Antivirus
· Symantec Norton Internet Security
· Bitdefender Antivirus
· Norman Antivirus
· Microsoft AntiSpyware
· Sophos Antivirus
· Antivir
· NOD32 Antivirus
· Panda Antivirus
On October 22nd 2007 Richard Cohen, a SophosLabs researcher, found a new technique in a newer version of Storm that simply "fools" the local system: certain programs appear to run successfully but in fact do nothing –
"Programs, including not just AV exes, dlls and sys files, but also software such as the P2P applications BearShare and eDonkey, will appear to run successfully, even though they didn't actually do anything, which is far less suspicious than a process that gets terminated suddenly from the outside."[5] Users and any related security systems will assume that the security software is running when in fact it is not. This allows the Storm worm to sneak into networks considered safe, even ones hardened with applications like Network Access Control (NAC) that check whether the AV process is running.
F. Lockdown
The last thing Storm does is lock two specific files: ntoskrnl.exe and the infected kbdclass.sys driver. This is most likely another way of hiding itself, by denying user-mode applications such as HijackThis (a popular application that scans for suspicious changes to critical files) access to those files.
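The steps in IV.B through IV.F leave a handful of artefacts on disk: applet.exe, spooldr.exe and spooldr.sys in %systemroot%, the wincom32.sys driver, a patched kbdclass.sys, and a Windows Firewall exception for spooldr.exe. The script below is an added example (not the paper's or any vendor's tool) that checks a Windows volume for those artefacts. Because the SSDT hooks in IV.D hide the files from anything running on the infected host and the locks in IV.F block reads of the patched driver, it is meant to run from a clean system against the suspect disk mounted read-only (WinPE, a second OS, or the drive attached to a clean machine). The file names are the ones the paper gives; the reference hash for kbdclass.sys, the firewall export format and the files that demo() writes are constructed for illustration, and a real run would supply hashes taken from a clean install of the same Windows build and service pack.

```python
"""Offline triage of a mounted Windows volume for the indicators in IV.B-IV.F.

Added example, not the paper's own tooling. Run from a clean system against
the suspect disk mounted at `root`; on the live host the rootkit hides these
files, so the same checks there would find nothing. File names come from the
paper; reference hashes, the firewall export lines and demo() are constructed.
"""
import hashlib
import os
import re
import tempfile

# Files the paper says Storm drops, relative to the mounted %systemroot%.
IOC_FILES = ["applet.exe", "spooldr.exe", "spooldr.sys",
             os.path.join("system32", "drivers", "wincom32.sys")]
# Files the paper says are patched or locked: compare against a clean reference.
REFERENCE_FILES = [os.path.join("system32", "drivers", "kbdclass.sys"),
                   os.path.join("system32", "ntoskrnl.exe")]
# The netsh command in IV.B registers this program as a firewall exception.
FIREWALL_RE = re.compile(r"spooldr\.exe", re.IGNORECASE)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, firewall_export="", reference_hashes=None):
    """Return findings for the Windows install mounted at `root`.

    reference_hashes maps a relative path to the SHA-256 of that file on a
    known-clean install of the same Windows build and service pack. Comparing
    the driver with its own dllcache copy is not enough: IV.B says Storm
    disables file protection on the cached copy too, so both may be patched.
    """
    found = [rel for rel in IOC_FILES if os.path.exists(os.path.join(root, rel))]
    altered = []
    for rel in REFERENCE_FILES:
        path = os.path.join(root, rel)
        expected = (reference_hashes or {}).get(rel)
        if expected and os.path.exists(path) and sha256_of(path) != expected:
            altered.append(rel)
    fw = [ln.strip() for ln in firewall_export.splitlines() if FIREWALL_RE.search(ln)]
    return {"dropped_files": found, "altered_system_files": altered,
            "firewall_exceptions": fw,
            "suspicious": bool(found or altered or fw)}


def demo():
    """Build a throwaway fake system root with three of the indicators present."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "system32", "drivers"))
    clean_driver = b"constructed clean kbdclass.sys"          # stands in for the real driver
    reference = {REFERENCE_FILES[0]: hashlib.sha256(clean_driver).hexdigest()}
    with open(os.path.join(root, REFERENCE_FILES[0]), "wb") as f:
        f.write(clean_driver + b" + injected loader stub")  # the "patched" copy on the suspect disk
    with open(os.path.join(root, "spooldr.exe"), "wb") as f:
        f.write(b"MZ constructed")
    # Constructed lines in the shape of a `netsh firewall show allowedprogram` export.
    export = ("Allowed programs configuration for Domain profile:\n"
              "Mode     Traffic direction    Name / Program\n"
              "Enable   Inbound              spooldr / C:\\WINDOWS\\spooldr.exe\n")
    return triage(root, export, reference)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The file-name checks are the weakest part of this, since the paper itself notes that names change between variants; the hash comparison against a clean reference is the durable check, and it is also the one that survives the AV-blinding trick in IV.E, because it does not depend on any software on the suspect machine having run honestly.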
V. Distribution
Contrary to popular belief, the spam-sending process is not automated. The creator of the worm controls the botnet through an encrypted P2P (peer-to-peer) network cloud that every infected PC listens to (more on this later). Through this P2P botnet the creator issues commands to his army, and they carry them out.
A. Spam
On January 19th 2007 [6] a mass spam email began hitting inboxes around the world in what is believed to be Storm's first attack. It was also this event that gave Storm its name: the massive European windstorm Kyrill was the topic Storm used to entice people to open the email, with the subject line:
230 dead as storm batters Europe!
“The spamming started when the storms were still raging.” – Mikko Hypponen, chief research officer at security firm F-Secure.[6]
While this first wave of infection isn't extraordinary in itself, the fact that it was spread using front-page news only hours after the event shows just how organised the criminals behind this malware are.
February 14th 2007 marked the second wave of Storm spam emails, preying on romantics by offering a flash-based Valentine eCard: postcard.exe.

Figure 2 – Screenshot of Valentine's Day spam wave (January 31st 2007)
Since then there have been approximately 30 waves of spam covering a whole range of subjects, from the NFL, 'hot videos', Christmas cards, New Year's and 'internal memos' to the latest, an April Fools' (April 1st 2008) email with the following image:

Figure 3 - Screenshot of Storm email spam (April 1st 2008)
This distribution method can be considered one of the worst, as it preys on unsuspecting and uninformed internet users. This kind of exploit is unlikely ever to be patched.
Adam Swidler, a senior manager with security company Postini, said that since mid-July 2007, he has recorded 1.2 billion e-mails that have been sent out by the botnet. A record was set on August 22nd 2007 when 57 million virus-infected messages, 99% of them from the Storm worm, were tracked crossing the Internet. [7]
VI. Peer-To-Peer Network
Traditional botnets were usually built on an IRC (Internet Relay Chat) client/server system: all the infected PCs would connect to a (usually public) IRC server and join a channel. There they would sit and wait. The creator of the botnet would come in, submit a password to gain controller privileges and then command the bot army as he liked. While this is a very popular way of controlling a large number of bots, it has some major drawbacks:
· It is a centralised system. All operations can be shut down simply by turning off the IRC server.
· Because the location and password of the server and channel are hard-coded into each bot, it is not overly difficult to take over and dismantle the botnet.
These are the very same drawbacks the file-sharing scene faced quite a few years ago, and its solution was P2P networking: remove the central server and make all the clients equals. Certain members of the P2P cloud are promoted to super-nodes, chosen for their high-bandwidth connections and used to distribute and maintain an index of the files available from the other nodes. If a super-node fails, another takes its place. But redundancy isn't the only benefit of P2P networking; it also provides a layer of security, because no single node knows about every other node.
This is the kind of network the criminal organisation behind Storm employs to control the operations of the worm.
VII. Honeypot Death
A honeypot is a PC set up specifically to sit on the internet and get infected. It is used as an early-warning device, capturing malware within minutes of its release into the wild, which lets AV vendors analyse it and create signatures and mitigation techniques before it reaches end users.
Most honeypots these days are simply virtual PCs running under VMware or Microsoft Virtual PC (the most popular virtualisation software at the moment), which lets analysts observe malware in a safe and controllable environment. Anti-malware analysts can run unknown code on these virtual machines and watch how it behaves. They can 'freeze' the virtual PC and dissect it, and they can destroy the machine afterwards with little risk of harming the real environment around it. Unfortunately both Virtual PC and VMware leave small detectable footprints, and the Storm worm has a mechanism to detect them.
If you try to infect a virtual PC with Storm you'll find that nothing happens. That is because Storm recognises the environment it is in and puts itself to sleep, to mislead analysts and avoid detection.
Storm uses two fairly common routines for this: the 'ComChannel VMXh magic' trick to detect VMware and the 'illegal opcode exception' trick to detect Microsoft Virtual PC.[8] How the tricks work is outside the scope of this paper, but both routines are discussed in depth, with examples, in Peter Ferrie's paper 'Attacks on Virtual Machines v2'.[9]
VIII. Self Defence
Taking one step closer to a virus straight out of the movies, the Storm worm now has automatic self-defence capabilities.[10]
Researchers around the world have found themselves DDoSed for up to a day in retaliation for scanning Storm-infected PCs with vulnerability scanners.
“During the past month we’ve observed and notified involved parties regarding numerous such Storm-related DDoS attacks. The attacks have been ICMP, can last more than a day, involve a large number of sources scattered globally, and can yield very significant attack traffic. “– Douglas D Pearson, Aug 2007.[10]
At the moment it is not known exactly how much probing triggers the DDoS attack.
Zhelatin, the spammer gang believed to be behind the Storm worm, has been accused of causing most of the DDoS attacks on popular anti-spam websites such as www.spamnation.info and www.419eater.com.[11]
The owners of those websites, though, believe it is not Zhelatin themselves who order the attacks, but other spammer gangs that pay the group to carry out the DDoS on their behalf.
IX. Mitigation and Removal
Since the Storm worm doesn't rely on any software exploit to compromise systems, it is very difficult to avoid being affected. It instead preys on a lesser-known weakness, human curiosity (and possibly stupidity), by masquerading as completely innocent-looking files and using hot topics or news to appeal to people, infecting the PC the moment the file is run.
So how could you possibly mitigate it? You can't, not fully. In September 2007 Microsoft released an MSRT (Malicious Software Removal Tool) update, delivered through Windows Update every second Tuesday of the month, to detect and remove the Storm worm. While Microsoft was able to clean a large number of PCs, shortly afterwards the Storm authors updated the worm to evade detection, and the MSRT update became redundant. It is the same with every flavour of AV solution: they update their detection signatures and Storm changes its code. And unfortunately, even if the worm is cleaned from a user's PC it will most likely be back, because people who are in the habit of doing something are likely to do it again.
Therein lies the problem: there will always be someone on the internet who can't tell a legitimate email from a bad one, or a fake website from a real one, or just doesn't care. And while AV solutions can protect you from the majority of the malware in the wild, they can never keep up with constantly changing, polymorphic zero-day malware like Storm. An inexperienced user will inevitably be infected; it's only a matter of time before they download something their flavour of AV has yet to come across (and therefore cannot protect against).
So since infection may well be inevitable for most, it is prudent to discuss how the Storm worm can be removed. But it's actually less about removing it and more about detecting it in the first place and, once detected, knowing which version you have in order to remove it. The only footprint the Storm worm leaves on the host is a sluggish internet connection while it is sending out copious amounts of spam or attacking someone with a DDoS. But there are a thousand reasons why a connection might be slow on a given day, so that is not definitive evidence. The only reliable way to identify a Storm-infected PC is to watch its outbound connections from a separate device (remember that Storm hides its own connections on the local computer) for suspicious activity, such as bursts of outgoing SMTP connections to many different mail servers, or a sustained ICMP flood towards a single target.
Once you know for sure that a PC is infected, you may try to remove the worm manually, but the steps involved are complex and change as often as Storm does, so manual removal is not recommended. The only fool-proof way to remove Storm is to wipe the PC and reinstall, destroying all the data on it. It may sound harsh, but once the Storm worm gets into a Windows machine, it gets in deep. Luckily Storm does not (yet) infect many files on the system, so it is safe to back up personal data (documents and the like, not programs) before erasing the PC.
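The paper's point that the network, not the host, is where Storm can be seen can be turned into a concrete check. The script below is an added example, not from the paper: it reads outbound flow records, as a router, firewall or tap in front of the LAN would produce them, and raises an alert when one host opens SMTP connections to many different mail servers within one five-minute window (the period in which the paper measures spam bursts), or sends a large volume of ICMP to one target (the traffic type the paper reports for Storm's retaliatory floods). The record format, both thresholds and the sample records are constructed for the demo and would need tuning to a real network.

```python
"""Flag Storm-like behaviour in outbound flow records seen from the network.

Added example, not from the paper. Record format, thresholds and the sample
records are constructed; the five-minute window and the spam/ICMP indicators
are the ones the paper describes. Records are assumed to come from a device
in front of the LAN, where the rootkit's hiding of local connections does not
apply.
"""
from collections import defaultdict, deque

WINDOW = 300          # seconds: the five-minute period the paper measures spam bursts in
SMTP_DISTINCT = 50    # distinct mail servers per window (assumed; a desktop talks to one or two)
ICMP_PACKETS = 2000   # echo packets to one target per window (assumed)


def parse(line):
    """'epoch src dst proto dport packets' -> tuple, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    t, src, dst, proto, dport, pkts = line.split()
    return int(t), src, dst, proto.lower(), int(dport), int(pkts)


def _trim(q, now):
    """Drop entries older than WINDOW seconds from the left of the deque."""
    while q and q[0][0] < now - WINDOW:
        q.popleft()


def detect(lines):
    """Return alerts as (epoch, src, kind, value), in the order they trigger.

    Each (host, kind) keeps a sliding window of the last WINDOW seconds and
    fires once when it crosses the threshold; it re-arms only after the value
    has fallen below half the threshold, so one burst yields one alert.
    """
    smtp = defaultdict(deque)   # src -> deque of (t, dst)
    icmp = defaultdict(deque)   # (src, dst) -> deque of (t, packets)
    armed = defaultdict(lambda: True)
    alerts = []
    for t, src, dst, proto, dport, pkts in filter(None, map(parse, lines)):
        if proto == "tcp" and dport == 25:
            q = smtp[src]
            q.append((t, dst))
            _trim(q, t)
            value, limit, key = len({d for _, d in q}), SMTP_DISTINCT, (src, "smtp-burst")
        elif proto == "icmp":
            q = icmp[(src, dst)]
            q.append((t, pkts))
            _trim(q, t)
            value, limit, key = sum(p for _, p in q), ICMP_PACKETS, (src, dst, "icmp-flood")
        else:
            continue
        if value >= limit and armed[key]:
            alerts.append((t, src, key[-1], value))
            armed[key] = False
        elif value < limit // 2:
            armed[key] = True
    return alerts


def sample_records():
    """Constructed flows: one quiet desktop and one bot that spams, then floods."""
    rows = ["# epoch src dst proto dport packets   (constructed, not a real capture)"]
    # Normal desktop: six messages in three minutes, all via its own ISP's mail server.
    rows += [f"{1000 + i * 30} 10.0.0.5 192.0.2.25 tcp 25 12" for i in range(6)]
    # Bot: direct-to-MX delivery to 200 different mail servers in 200 seconds.
    rows += [f"{2000 + i} 10.0.0.9 203.0.113.{i % 250 + 1} tcp 25 8" for i in range(200)]
    # The same bot retaliating: 4,000 echo packets at one host in 40 seconds.
    rows += [f"{3000 + i} 10.0.0.9 198.51.100.7 icmp 0 100" for i in range(40)]
    # A user pinging that host three times stays far below the threshold.
    rows += [f"{3100 + i} 10.0.0.5 198.51.100.7 icmp 0 1" for i in range(3)]
    return rows


if __name__ == "__main__":
    for t, src, kind, value in detect(sample_records()):
        print(f"t={t} {src} {kind} ({value} in {WINDOW}s)")
```

Counting distinct destination mail servers rather than raw connections is deliberate: a desktop that sends a lot of legitimate mail still sends it through one or two relays, whereas a spambot delivering direct-to-MX contacts a different server for almost every recipient domain.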
X. Conclusions
It should be made clear that while Storm uses some very advanced techniques, it all really comes down to the end user not taking the correct precautions before opening an unknown email or browsing to an unknown website. The spammer groups know this; they know that users will go as far as turning off their anti-virus just to view a restricted and dangerous resource. They use this knowledge to exploit those users' curiosity, and they gain control of the PC.
It has recently become easier to ignore the warnings, because malware authors put more effort into making sure their code does not disrupt the end user. Once Storm has compromised a PC it does not destroy it. In fact it goes to some lengths to hide itself from prying eyes and make sure the user cannot notice any difference. This is a double-edged sword: it of course reduces the chance of removal if the infection goes undetected, but by not disrupting the user experience there is also a good chance the user won't bother trying to remove it even if it is detected. It is because of this that Storm is so successful, and it's not going to stop there. Storm has become the poster boy for a new era of malware. Users need to realise that in the wrong hands their own home PCs can be part of a large-scale attack against any number of companies, such as banks, or even countries.
The latest rumour is that the Storm botnet is being segmented into smaller clusters to be auctioned off. We're lucky the group behind Storm is only in it for the money, but it's only a matter of time before someone with more dangerous motives uses a network like this for something truly destructive.
Maybe it’s time to instigate an Internet Driving License?
Acknowledgment
I’d like to acknowledge the community at www.spamtrackers.eu for their truly extensive timeline and documentation of the Storm Worm. Without them it’d be a lot more painful to find any information on the malware afflicting the internet at large.
References
[1] Gutmann, P. Full-Disclosure mailing list post, 31 August 2007 (archived at seclists.org). [Online] http://seclists.org/fulldisclosure/2007/Aug/0520.html
[2] F-Secure. "Small.dam", F-Secure Malware Information. [Online] [Cited 27 March 2008.] http://www.f-secure.com/v-descs/small_dam.shtml
[3] InformationWeek. [Online] [Cited 2 April 2008.] http://www.informationweek.com/news/showArticle.jhtml?articleID=196902579
[4] Florio, E. and Ciubotariu, M. "Peerbot: Catch Me If You Can." Symantec. [Online] [Cited 8 April 2008.] http://www.symantec.com/avcenter/reference/peerbot.catch.me.if.you.can.pdf
[5] Vaas, L. "Storm Worm Botnet Lobotomizing Anti-Virus Programs." eWeek. [Online] [Cited 14 April 2008.] http://www.eweek.com/c/a/Security/Storm-Worm-Botnet-Lobotomizing-AntiVirus-Programs/1/
[6] BBC News. "Storm chaos prompts virus surge." BBC News Technology. [Online] [Cited 10 April 2008.] http://news.bbc.co.uk/1/hi/technology/6278079.stm
[7] Gaudin, S. "Storm Worm Botnet More Powerful Than Top Supercomputers." InformationWeek. [Online] [Cited 14 April 2008.] http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=201804528
[8] Boldewin, F. "Peacomm.C: Cracking the nutshell." Reconstructer.org. [Online] [Cited 15 April 2008.] www.reconstructer.org
[9] Ferrie, P. "Attacks on Virtual Machines v2." [Online] [Cited 15 April 2008.] http://pferrie.tripod.com/papers/attacks2.pdf
[10] Pearson, D. D. "[unisog] [REN-ISAC] Storm Worm DDoS Threat to the EDU Sector." SANS unisog mailing list. [Online] [Cited 13 April 2008.] http://lists.sans.org/pipermail/unisog/2007-August/027405.html
[11] Spam Nation. "419Eater DDoS'd?" [Online] [Cited 13 April 2008.] http://www.spamnation.info/blog/archives/2007/09/419eater_ddosd.html
Hi Scott,
Excellent paper. Only noticed today (13th June 2009) that the address 69.64.155.120 is on my server (Win2k). I noticed it when I pinged a host name on my LAN and ping reported back this address. So I started to look into the problem.
Now I fear that I will go over to a Linux server or BSD (though this is very low level and may take too much time to learn).
Thank you for taking the time and effort in putting this paper together.
Tommy
Hi Tommy,
Thanks for taking the time to have a read and reply.
I’m not sure what relevance the address 69.64.155.120 has. I don’t believe I have mentioned it in my paper. Am I missing something there?
As for your thoughts about making the move to a more traditionally hardened OS: if you don't know your way around Linux/BSD then it is probably wise to take it slow, as you won't gain any more security if you configure it wrong and leave open holes lying around. My advice would be to just make 100% sure you have the latest OS security updates applied to your 2k box at all times. My research into the latest worm going around, Conficker, found that it uses exploits that were patched literally YEARS ago! Storm was and is a similar beast.