
Storm worm returns


Storm worm returns A new variant of the “Storm worm” that reeked havoc across the Internet in January has shown up again. Johannes Ullrich of the SANS Institute said "This is potentially a huge problem, It's basically impossible to shut this thing down.... And once a user is infected, it's very hard to get rid of it. They would probably have to reinstall their system."

The Storm virus is in essence a very simple worm that delivers a malicious payload. The worm spreads via email with two attachments: an encrypted zip file and an image. The image carries the password required to unzip the payload, which claims to be a patch for a new vulnerability. Because the payload is hidden inside an encrypted archive, it is very difficult for anti-virus software to detect it and block the email. I would, however, expect most anti-virus packages to block access to the files on the fly using their on-access scanner. Once a user is infected, the computer joins a p2p network that allows files to be transferred easily to other hosts. As would be expected, the machine also becomes a botnet zombie, allowing full remote control. The worm then emails itself to every address in the victim's address book.
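The delivery pattern just described (a password-protected zip plus an image that carries the password) is something a mail gateway can flag without ever decrypting the archive, because every zip entry header carries an "encrypted" bit. The following is an added example, not code from the original post; it builds constructed sample messages in-line, and the quarantine/review/pass policy, the `example.invalid` addresses and the helper names are this example's own assumptions:

```python
"""Defender-side triage for the Storm-style delivery pattern: an e-mail
carrying a password-protected zip plus an image. Added example with
constructed samples (not real Storm artefacts); the verdict policy is the
example's own, not a vendor's."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

IMAGE_TYPES = {"image/gif", "image/png", "image/jpeg"}
ZIP_ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose flag in zip entry headers


def encrypted_entries(data: bytes) -> list:
    """Names of zip entries flagged as encrypted. A content scanner cannot look
    inside such entries, so the flag itself is the signal. Non-zip data -> []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist()
                    if i.flag_bits & ZIP_ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        return []


def assess_message(raw: bytes) -> dict:
    """Classify one RFC 822 message by its attachments.
    quarantine: encrypted zip + image together (the Storm pattern)
    review:     encrypted zip on its own (may be a legitimate protected archive)
    pass:       anything else"""
    msg = email.message_from_bytes(raw, policy=policy.default)
    zips, images = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() in IMAGE_TYPES:
            images.append(name)
        elif encrypted_entries(payload):
            zips.append(name)
    if zips and images:
        verdict = "quarantine"
    elif zips:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "encrypted_zips": zips, "images": images}


# ---- constructed samples (assumed names and addresses, not real data) -----

def _zip_bytes(name: str, content: bytes, encrypted: bool) -> bytes:
    """Build a one-entry zip. zipfile cannot write encrypted archives, so the
    encryption bit is set by patching the flag field of the local file header
    (offset 6) and of the central directory header (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.index(b"PK\x03\x04") + 6] |= ZIP_ENCRYPTED_FLAG
        data[data.index(b"PK\x01\x02") + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)


def build_message(attachments) -> bytes:
    """attachments: iterable of (filename, MIME type, bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Important patch"
    msg.set_content("Please install the attached patch.")
    for filename, ctype, data in attachments:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype,
                           filename=filename)
    return bytes(msg)


STORM_STYLE = build_message([
    ("patch.zip", "application/zip", _zip_bytes("patch.exe", b"MZ fake", True)),
    ("password.gif", "image/gif", b"GIF89a constructed placeholder"),
])
BENIGN = build_message([
    ("report.zip", "application/zip", _zip_bytes("report.txt", b"hello", False)),
])

if __name__ == "__main__":
    for label, raw in (("storm-style", STORM_STYLE), ("benign", BENIGN)):
        print(label, assess_message(raw))
```

The check deliberately never tries to open the archive: it reads only the entry headers, so it costs nothing and cannot be defeated by the password. An encrypted zip on its own is only marked for review, since people do send protected archives legitimately; the combination with an image attachment is what matches the delivery pattern described above.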

The worrying thing about the success of this most recent outbreak is that it depends wholly on user stupidity: running an executable file unexpectedly received via email. Postini handles around 2 billion emails per day, of which one million are usually viruses. On the 12th, when this outbreak took place, Postini reported seeing 7.7 million viruses, 7 million of which were the Storm worm. When will people learn!

2 comments
BALTHOR

I think that virus scanners look at the header file for the virus name. The virus scanning program needs to have the name of the virus to delete the virus. Somebody has to 'discover' the virus, decrypt it, render it harmless, then it becomes a virus definition. "Variant" means that they got a different monkey to pound on the keyboard.

syst3m.admin1strator

It's a hard one when it comes to viruses spread via email. There are many precautions that you could take, such as filtering by domain, dropping any emails which have compressed attachments, etc., but you can't always do this, depending on your business. I believe three-phase scanning should be done: on a perimeter/frontend firewall, on the actual email server, and a third time by the user's workstation. One of the most important things I think should be done is to inform users of the potential impact a virus can have on a business, so rather than opening every email addressed to them they might actually take note and report spam or suspect emails. But like I said before, you can't always do everything; you need to tailor to the business's needs.
