Storm Worm Botnet Lobotomizing Anti-Virus Programs

Discussion in 'Computer Security' started by Virus Guy, Oct 27, 2007.

  1. Virus Guy

    Virus Guy Guest

    How many AV programs generate random names for their processes to
    avoid this process-detection and process-neutralization activity?


    Storm Worm Botnet Lobotomizing Anti-Virus Programs
    By Lisa Vaas
    October 24, 2007

    A new technique leaves anti-virus products running but brain-dead; an
    expert says we haven't come close to witnessing Storm's true power.

    NEW YORK—The ever-mutating, ever-stealthy Storm worm botnet is adding
    yet another trick to its vast repertoire: Instead of killing
    anti-virus products on target systems, it's now doing a hot fix with a
    memory patch to render them brain-dead.

    The finding was made by Sophos and was mentioned by Joshua Corman, a
    principal security strategist for IBM Internet Security Systems, Oct.
    23 in his presentation here at Interop on the challenge of evolving

    According to an Oct. 22 posting by Sophos analyst Richard Cohen
    ( the Storm
    botnet—Sophos calls it Dorf, and it's also known as Ecard malware—is
    dropping files that call a routine that gets Windows to tell it every
    time a new process is started. The malware checks the process file
    name against an internal list and kills the ones that match—sometimes.
    But Storm has taken a new twist: It now would rather leave processes
    running and just patch entry points of loading processes that might
    pose a threat to it. Then, when processes such as anti-virus programs
    run, they simply return a value of 0.

    "Programs, including not just AV exes, dlls and sys files, but also
    software such as the P2P applications BearShare and eDonkey, will
    appear to run successfully, even though they didn't actually do
    anything, which is far less suspicious than a process that gets
    terminated suddenly from the outside," Cohen wrote in the posting.

    The strategy means that users won't be alarmed by their anti-virus
    software not running. Even more ominously, the technique is designed
    to fool NAC (network access control) systems, which bar insecure
    clients from registering on a network by checking to see whether a
    client is running anti-virus software and whether it's patched.

    "It's running but brain-dead. It's worse than shutting it off," as it
    opens the door for Storm bots to waltz past even networks considered
    to be hardened with NAC, Corman said during his Interop presentation.

    It's the latest evidence of why Storm is "the scariest and most
    substantial threat" security researchers have ever seen, he said.
    Storm is patient, it's resilient, it's adaptive in that it can defeat
    anti-virus products in multiple ways (programmatically, it changes its
    signature every 30 minutes), it's invisible because it comes with a
    rootkit built in and hides at the kernel level, and it's clever enough
    to change every few weeks.

    It has its own mythology: Composed of up to 50 million zombie PCs, it
    has as much power as a supercomputer, the stories go, with the brute
    strength to crack Department of Defense encryption schemes.

    Click here to read more about how the Storm worm botnet is being
    segmented into networks of zombie PCs:,1895,2199034,00.asp

    In reality, security researchers in the know peg the size of the
    peer-to-peer botnet at 6 million to 15 million PCs, and not on par
    with a supercomputer. And it can't break encryption keys. Still, it
    has security researchers terrified, Corman said.

    "[Storm is] the scariest and most substantial threat we've ever seen,"
    he said. "There's a lot of exaggerations of how many systems are
    infected … [and how its power is like that of a supercomputer]. That's
    fiction. It's still a lot of power, though. … Some of my best and
    highest-profile clients are very concerned about Storm right now."

    Storm's mystique comes in part from one of the most challenging
    aspects to dealing with the botnet: its rabid self-defense mechanisms.

    "If you try to attach a debugger, or query sites it's reporting into,
    it knows and punishes you instantaneously," he said. "[Over at]
    SecureWorks, a chunk of it DDoS-ed [directed a
    distributed-denial-of-service attack] a researcher off the network.
    Every time I hear of an investigator trying to investigate, they're
    automatically punished. It knows it's being investigated, and it
    punishes them. It fights back."

    Those researchers who have devised ways to accurately research the
    scope, techniques and technologies of the botnet are hushed up by
    their superiors who are well-aware of the retribution that botnet
    herders have already wrought on those who tried to defeat them, Corman

    Hence the hush-hush nature of research around Storm. Corman said he
    can tell us that it's now accurately pegged at 6 million, but he can't
    tell us who came up with the figure, or how. Besides retribution,
    Storm's ability to morph means that those who know how to watch it are
    jealously guarding their techniques. "None of the researchers wanted
    me to say anything about it," Corman said. "They're afraid of
    retaliation. They fear that if we disclose their unique means of
    finding information on Storm," the botnet herder will change tactics
    yet again and the window into Storm will slam shut.

    What really has his clients worried, though, is what Storm hasn't yet
    done, Corman said, with the exception of small hits such as that
    against SecureWorks or other researchers—ransom sites with DDoS.

    There's precedent for such a scenario, and the results haven't been
    cheering. When it comes to the war of good guys (security researchers)
    versus bad guys (botnet herders), botnets have won, hands down.

    Corman referenced the case of Blue Security, an Israeli-based startup
    whose aggressive anti-spam measures in May 2006 drew a counterattack
    from spammers that was so vicious, it forced the company out of

    "Somebody wrote a [botnet], and Blue Security did a really good job of
    fighting," Corman said. "So [the attackers] did a DDoS and took it off
    the Net for awhile. Blue Security went to the best anti-DDoS
    technology on earth. The next onslaught came and [Blue Security's
    defenses] worked. So the botnet herder stole two other people's
    botnets. With three
    botnets, [the attack] worked, to the point where the ISP said, 'I'm
    not going to let you take down my entire ISP to protect you, you're on
    own.' And Blue Security is now out of business."

    A particularly disturbing point to keep in mind, Corman said: Botnets
    in May 2006 were very, very small, compared with Storm.
    Virus Guy, Oct 27, 2007
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Au79

    Botnet Herders Attack MS06-040 Worm Hole

    Au79, Aug 14, 2006, in forum: Computer Support
  2. Gregory

    The BotBrigade Proposal, Botnet Versus Botnet

    Gregory, Nov 10, 2007, in forum: Computer Security
    Nov 12, 2007
  3. Jonathan Walker

    Storm worm botnet more powerful than top supercomputers

    Jonathan Walker, Sep 8, 2007, in forum: NZ Computing
    Ralph Fox
    Sep 8, 2007
  4. Beauregard T. Shagnasty

    Re: Attn: Mike Easter. Worm breeds botnet from home routers, modems

    Beauregard T. Shagnasty, Nov 4, 2010, in forum: Computer Support
    Beauregard T. Shagnasty
    Nov 5, 2010
  5. Bucky Breeder
    Bucky Breeder
    Nov 4, 2010