I spent a good portion of my day watching the Storm worm mutate from EXEs being spammed through to ZIP files in password protected bodies. This is a change in tactics for the Storm Worm team and has proven to be effective at evading AV. The Storm Worm is malware designed to install spammer toolkits.
Throughout the past day, the Storm Team has been flooding the world with their spams. The attachment is the bootstrap code for the malware, and downloads and installs a few components. The emails that were going out starting in the late morning, early afternoon on the east coast look similar to the one below. Note that the text in the message is actually a GIF attachment.
There was some confusion throughout the day because these new payloads and tactics were being used, AV wasn’t catching it, and vendors have a dozen names for this threat. That said, once we started to analyze it, sure enough it was the Storm Worm, our old friend. Note that we saw Storm this past weekend in “Iran-US War” messages as its hook. This is a new change for the team, moving beyond news events and into the typical tactics used by Bagle and Mydoom. This rootkit analysis report from a third party tool shows us how it hides itself on the machine with a kernel driver (the .sys file) and registry entries.
AV detection has been improving all day, as we shared samples throughout the community (and info, as well). If you need to block patterns of messages for this, try blocking messages containing the following:
- a GIF attachment as attachment 1
- A password protected ZIP as attachment 2
That combination has been seeded heavily in the past 12-18 hours. A friend from an email security company says that they’re seeing more hits for this variant than previous variants.
Updated April 13
Links around the net:
- sandbox analysis in the Anubis system
- Storm Worm blows up, breaks records, at InfoWorld.
- Consumer alert: Massive virus outbreak, from PCWorld
- Malicious worm detected! No, really!, from the Trend Micro blog.
- Nurech.Z from the PandaLabs blog