Worm Alert: Storm Worm Take 2? Massive attacks: is this the same worm from 2001? ~ Ask The Admin

Wednesday, July 25, 2007

We first saw the Storm Worm back in 2001, and here is Symantec's description of it:


W32.Storm.Worm
Risk Level 1: Very Low
Discovered: June 6, 2001
Updated: February 13, 2007 11:46:08 AM
Also Known As: DoS.Storm.Worm
Type: Worm
SUMMARY

W32.Storm.Worm is a worm that seeks out Microsoft Internet Information Services (IIS) systems that have not applied the proper security patches. Any such systems that it finds are then infected with the worm. The payload of this worm performs a denial-of-service attack on http:/ /www.microsoft.com


Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Medium

Distribution

* Distribution Level: Medium

TECHNICAL DETAILS

When this worm is run, it sets up a server FTP thread and starts to scan 10,000,000 IP addresses in an attempt to find a vulnerable system at one of the targeted addresses. The vulnerable systems that it targets are Microsoft IIS installations (versions 4 and 5) that do not have the security patches installed to cover the "Web Server Folder Traversal" security vulnerability as described in http://www.microsoft.com/technet/security/bulletin/MS00-078.asp.

When the worm finds a vulnerable system, it copies itself to the targeted system and sets it up to automatically run the worm, effectively making that system a zombie that participates in the hacker's e-war. To make sure that the worm is run during the next system startup, the worm adds the value

666 c:\winnt\system32\storm\start.bat

to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

This worm has two payloads:

* A denial-of-service attack is initiated against http:/ /www.microsoft.com.
* An email bombing session is started that sends email messages containing an obscene message to gates@microsoft.com.
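
A defender's check for the persistence entry described above, as an added example that is not part of the original post or of Symantec's write-up: it scans the text of a `reg export` dump for the two autostart keys and flags the worm's entry. It assumes `666` is the value name and the batch-file path is its data; the function names and the sample export are constructed for illustration.

```python
import re

# Autostart keys named in the write-up quoted above (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Assumption: "666" is the value name and the batch path is the value data.
IOC_NAME = "666"
IOC_PATH = r"c:\winnt\system32\storm\start.bat"

# A string value line in a .reg export: "name"="data", with \ and " backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def find_storm_autostart(reg_text):
    """Return (key, value_name, data, reason) for suspicious Run/RunServices entries."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header: current registry key
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() not in RUN_KEYS:
            continue                  # not a string value, or not an autostart key
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if IOC_PATH in data.lower():
            hits.append((key, name, data, "path"))       # strong match: worm's batch file
        elif name == IOC_NAME:
            hits.append((key, name, data, "name-only"))  # weak match: review manually
    return hits

# Constructed sample export: one benign entry, two matches, one non-autostart key.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTPEnh.exe"
"666"="c:\\winnt\\system32\\storm\\start.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"666"="C:\\WINNT\\System32\\storm\\start.bat"

[HKEY_LOCAL_MACHINE\Software\Example\Notes]
"ref"="c:\\winnt\\system32\\storm\\start.bat"
'''

if __name__ == "__main__":
    for hit in find_storm_autostart(SAMPLE_EXPORT):
        print(hit)
```
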


But now according to security analysts:

"We are basically in the midst of an incredibly large attack," said Adam Swidler, a senior manager with security company Postini. "It's the most sustained attack that we've seen. There's been nine to 10 straight days of attack at this level."

And they are calling it the Storm Worm - is this the same worm?

Excerpts From Information Week:

The viruses are not embedded in the e-mails or in attachments. The e-mails, many of them otherwise empty, contain a link to a compromised Web site where machines are infected with a generic downloader. This helps pull the computers into the malware authors' growing botnet, while also leaving them open for further infection at a later date.

"This is designed to add computers to the botnet," said Swidler. "That's first and foremost their goal."

But the Storm worm authors aren't contenting themselves with this one attack vector.

Just a few weeks ago, the Storm worm authors began trying to trick users with fraudulent e-mails warning unsuspecting users about virus or spyware infections. Users around the world were receiving spam messages claiming that viruses or spyware had been detected on the users' systems. It was another attempt to lure users to malicious sites where their computers could be infected.

What do you guys think? Have you been seeing an increase in viruses flying around your mail servers? How about e-cards or links to downloadable files? Hit us up in the comments. Or let us know if you need help!