US-CERT Sounds 'Storm Worm' Alarm, But is it Really a Storm?

Yesterday, the US-CERT bureau of the Dept. of Homeland Security renewed its warning about the outbreak of "Storm Worm" variants, this time acknowledging what it calls public reports of its renewed spread. Anti-virus companies familiar with these "outbreaks" know there have been a multitude of e-mail worms, each of which is delivered using a different hype-inducing or fun-filled headline.

But these worms typically deposit the same clandestine P2P service in the background of Windows, a kernel driver called wincom32.sys. It is surprisingly easy to detect, and can be found manually through a check of the services entries in the Windows System Registry, such as HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wincom32 (or the same key under CurrentControlSet, which points at whichever control set the machine booted from).
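One way to automate that manual registry check, as an added example that is not from the article or from any anti-virus vendor: it takes the service name wincom32 from the article, walks every control set under HKLM\SYSTEM rather than just ControlSet001, and then confirms the driver file the key points to. The ImagePath normalisation, the Authenticode signature check and the SHA-256 hash are this example's own assumptions about how a responder would confirm a hit; it assumes an elevated PowerShell prompt on the suspect host.

```powershell
# Added example, not from the BetaNews article: automate the manual registry
# check for the "wincom32" service key across every control set under
# HKLM\SYSTEM, then confirm the driver file it points to. Run from an
# elevated PowerShell prompt on the suspect host (PowerShell 4 or later for
# Get-FileHash). The service name comes from the article; the path
# normalisation and signature check are this example's own assumptions.

$serviceName = 'wincom32'

# ControlSet001, ControlSet002, ... plus CurrentControlSet, which is a link to
# whichever one the machine booted from.
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' }

$hits = foreach ($cs in $controlSets) {
    $key = "$($cs.PSPath)\Services\$serviceName"
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        [PSCustomObject]@{
            ControlSet = $cs.PSChildName
            ImagePath  = $props.ImagePath
            Start      = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Type       = $props.Type    # 1 = kernel driver, 16/32 = Win32 service
        }
    }
}

if (-not $hits) {
    Write-Output "No '$serviceName' service key in any control set."
    Write-Output "That is not proof of a clean host: other variants register under other names."
    return
}

$hits | Format-Table -AutoSize

# Resolve the ImagePath value to a file on disk. Driver entries are commonly
# written as \??\C:\..., \SystemRoot\System32\drivers\x.sys, or just
# System32\drivers\x.sys, so normalise those forms before testing the path.
foreach ($h in $hits) {
    $path = $h.ImagePath
    if (-not $path) { continue }
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path -Path $env:SystemRoot -ChildPath $path
    }

    if (-not (Test-Path -Path $path)) {
        Write-Output "$($h.ControlSet): $path is referenced by the registry but is not on disk"
        continue
    }

    # A driver that genuinely shipped with Windows carries a valid Microsoft
    # Authenticode signature; a NotSigned or HashMismatch status on a file
    # with a system-sounding name is exactly the kind of hit worth escalating.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    Write-Output ("{0}: {1} signature={2} signer='{3}' sha256={4}" -f
        $h.ControlSet, $path, $sig.Status, $sig.SignerCertificate.Subject, $hash)
}
```

Two caveats a responder would keep in mind. A negative result only means this particular service name is absent, not that the host is clean, since each variant can register under a different name. And because the component is a kernel driver, code already running in kernel mode can hide its own registry key and file from a live query, so the same check run against the SYSTEM hive of an offline or alternate-booted disk carries more weight than one run on the suspect machine itself.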

Though that name sounds like something Microsoft might have installed, it isn't. Under the guise of a system service, it maintains an internal, weakly encrypted list of "peers." Since the worm's payload is delivered through e-mail and not through this P2P channel, it has never been determined what the stealth network's purpose actually is, or might become.

The reports US-CERT may be referring to come from security software company F-Secure, though this time its latest report is surprisingly tame and conservative.

Rather than blast the storm sirens, the company released a simple notice that a new variant dubbed W32/Zhelatin.CQ now offers its downloadable payload through e-mails disguised as breaking news messages, with headlines like "USA Declares War on Iran" and "USA Missile Strike: Iran War just have started" [sic].

A check of Sophos' threat database this morning shows none of its Nuwar or Dref variants on the radar right now, and its most prevalent e-mail malware at present, Troj/Mailbot.CG (which works very similarly to the "Storm" variants but deposits a different stealth service), is still rated "Low."

So with vigilance perhaps higher than at any time in history, are the warnings from US-CERT still warranted? Isn't the number of users who could possibly be impacted by such obvious Trojan packages lessening?

Probably, though security blogger Dancho Danchev has advanced a theory that many engineers have not considered before: perhaps the worms' authors are relying on growing public awareness of Trojans to narrow their target audience for them, if you will, to the dwindling number of e-mail users who still haven't heard the news.

In comparing this August outbreak to the one last January, Danchev asked, "What has changed? Direct .exe email attachments matured into a direct link to an infected IP address. Mass mailings are now sent with campaign ID to measure efficiency. Outdated social engineering tactics became a direct exploitation of old and already patched vulnerabilities to ensure a higher probability of infecting the visitor whose lack of understanding on how client side vulnerabilities should get a higher priority compared to visual .exe vigilance, often results in an infection."


© 1998-2024 BetaNews, Inc. All Rights Reserved.