Storm Worm Botnet Lobotomizing Anti-Virus Programs

By Lisa Vaas | Posted 2007-10-24

NEW YORK—The ever-mutating, ever-stealthy Storm worm botnet is adding yet another trick to its vast repertoire: Instead of killing anti-virus products on target systems, it's now doing a hot fix with a memory patch to render them brain-dead.

The finding was made by Sophos and was mentioned by Joshua Corman, a principal security strategist for IBM Internet Security Systems, Oct. 23 in his presentation here at Interop on the challenge of evolving cyber-threats.

According to an Oct. 22 posting by Sophos analyst Richard Cohen, the Storm botnet—Sophos calls it Dorf, and it's also known as Ecard malware—is dropping files that call a routine that gets Windows to tell it every time a new process is started. The malware checks the process file name against an internal list and kills the ones that match—sometimes. But Storm has taken a new twist: It now would rather leave processes running and just patch the entry points of loading processes that might pose a threat to it. Then, when processes such as anti-virus programs run, they simply return a value of 0.
"Programs, including not just AV exes, dlls and sys files, but also software such as the P2P applications BearShare and eDonkey, will appear to run successfully, even though they didn't actually do anything, which is far less suspicious than a process that gets terminated suddenly from the outside," Cohen wrote in the posting.
The strategy means that users won't be alarmed by their anti-virus software not running. Even more ominously, the technique is designed to fool NAC (network access control) systems, which bar insecure clients from registering on a network by checking to see whether a client is running anti-virus software and whether it's patched. "It's running but brain-dead. It's worse than shutting it off," as it opens the door for Storm bots to waltz past even networks considered to be hardened with NAC, Corman said during his Interop presentation.

It's the latest evidence of why Storm is "the scariest and most substantial threat" security researchers have ever seen, he said. Storm is patient, it's resilient, it's adaptive in that it can defeat anti-virus products in multiple ways (programmatically, it changes its signature every 30 minutes), it's invisible because it comes with a rootkit built in and hides at the kernel level, and it's clever enough to change every few weeks.

It has its own mythology: Composed of up to 50 million zombie PCs, it has as much power as a supercomputer, the stories go, with the brute strength to crack Department of Defense encryption schemes. In reality, security researchers in the know peg the size of the peer-to-peer botnet at 6 million to 15 million PCs, and not on par with a supercomputer. And it can't break encryption keys.

Still, it has security researchers terrified, Corman said. "[Storm is] the scariest and most substantial threat we've ever seen," he said. "There's a lot of exaggerations of how many systems are infected … [and how its power is like that of a supercomputer]. That's fiction. It's still a lot of power, though. … Some of my best and highest-profile clients are very concerned about Storm right now."
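The patch described above leaves a process that is present in the task list but does nothing, which is exactly what a presence-only NAC or endpoint health check cannot see. The check a defender wants instead is an integrity comparison: read the module's AddressOfEntryPoint from its PE headers and compare the bytes at that address in process memory with the bytes at the corresponding file offset on disk. The following Python is an added example, not code from Sophos, IBM ISS or the article; it builds a constructed minimal PE32 image, simulates the loader's mapping into a buffer, and flags an entry point whose in-memory bytes differ from disk and match an assumed list of "return 0" stubs. The stub list, the section layout and the prologue bytes are all constructed for this example.

```python
import struct

# Assumed (constructed for this example) x86 stubs that return 0 immediately.
RETURN_ZERO_STUBS = (
    b"\x33\xc0\xc3",              # xor eax, eax ; ret
    b"\x31\xc0\xc3",              # xor eax, eax ; ret (alternate encoding)
    b"\xb8\x00\x00\x00\x00\xc3",  # mov eax, 0 ; ret
)


def parse_pe(image):
    """Return (entry_rva, size_of_image, sections) from a PE32 image's headers.

    sections is a list of (virtual_address, virtual_size, raw_pointer, raw_size).
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        # Skip the 8-byte name; read VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData.
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, table + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return entry_rva, size_of_image, sections


def rva_to_file_offset(rva, sections):
    """Map an RVA to the file offset that holds the same bytes on disk."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    return rva  # headers are mapped 1:1


def map_image(disk):
    """Lay the file out as the loader would: headers first, each section at its RVA."""
    _, size_of_image, sections = parse_pe(disk)
    mem = bytearray(size_of_image)
    first_raw = min(s[2] for s in sections)
    mem[:first_raw] = disk[:first_raw]
    for va, _, raw_ptr, raw_size in sections:
        chunk = disk[raw_ptr:raw_ptr + raw_size]
        mem[va:va + len(chunk)] = chunk
    return mem


def check_entry_point(disk, mem, window=16):
    """Compare `window` bytes at the entry point in memory against the on-disk copy.

    Returns a dict with the entry RVA, whether the bytes differ, and whether the
    in-memory bytes begin with one of the assumed return-0 stubs.
    """
    entry_rva, _, sections = parse_pe(disk)
    off = rva_to_file_offset(entry_rva, sections)
    expected = bytes(disk[off:off + window])
    actual = bytes(mem[entry_rva:entry_rva + window])
    stub = any(actual.startswith(s) for s in RETURN_ZERO_STUBS)
    return {"entry_rva": entry_rva, "patched": expected != actual,
            "return_zero_stub": stub, "expected": expected, "actual": actual}


def build_sample_pe():
    """Constructed minimal PE32 with one .text section and entry point at RVA 0x1000."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                     # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)                    # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                     # SizeOfHeaders
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    # Constructed prologue (push ebp; mov ebp,esp; sub esp,0x10; xor eax,eax; pop ebp; ret).
    text = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3".ljust(0x200, b"\xcc")
    return headers + text


def demo():
    """Run the check on a clean mapping and on a copy whose entry point was overwritten."""
    disk = build_sample_pe()
    clean = map_image(disk)
    tampered = map_image(disk)
    # Simulate the in-memory hot fix the article describes, on our own buffer only.
    tampered[0x1000:0x1003] = b"\x33\xc0\xc3"
    return check_entry_point(disk, clean), check_entry_point(disk, tampered)


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, "patched=%s return_zero_stub=%s" % (result["patched"], result["return_zero_stub"]))
```

On a live system the `mem` buffer would come from reading the module at its load address in the target process, and two caveats apply: base relocations can legitimately change absolute operands in code, so a production check applies the relocation table before comparing, and a patch can land anywhere in the code section rather than at the entry point, so the comparison should cover whole executable sections rather than a 16-byte window. The design point for NAC is the same either way: a health check should verify that the agent does work (answers a challenge, scans a test file), not merely that its process name appears in the task list.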

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
