NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0279 Storm Worm Shifts Tactics Again to Phony "Applet" emails:
Authors of the Storm Worm malware have shifted their tactics to a flood of hoax emails that try to get the recipient to install a bogus "applet," which in turn installs a backdoor on the user's machine. The new emails carry subject lines such as "User info," "Membership support" and "Login Information," and purport to let victims redeem membership benefits from clubs related to music, online dating and other interests. The applet binary reportedly morphs about every 30 minutes, making it particularly hard for antivirus programs to identify as malware. On 21AUG, only 14 of 32 antivirus programs detected a version of the applet that was downloaded by Johannes Ullrich of the SANS Internet Storm Center. "A lot of commonly used antivirus tools don't detect" Storm, Ullrich said. "The traditional signature approach that some of the antivirus vendors use really isn't all that useful anymore."
Like other Storm-related malware, "applet.exe" excels at cloaking itself from security researchers. The program actively monitors its host machine for VMware and refuses to execute correctly if the virtualization software is detected. It also wraps itself in a packing container that makes it difficult for outsiders to peer into the inner workings of the binary. "You have to run it on a full physical system and that, of course, isn't as easy as running it in VMware," Ullrich said. Those who scan the ports of machines infected by Storm, or who repeatedly download the Trojan, have reportedly been subjected to DDoS attacks that have lasted for days.
(www.theregister.co.uk, 21AUG07)
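The advisory makes two points a mail administrator can act on: the lure subjects are fixed, and the binary repacks itself often enough that a hash signature is stale within the hour. The script below is an added example, not part of the advisory or of any vendor's product. It builds a few constructed sample messages (not real Storm samples), triages each by combining the advertised subject lines with an executable-attachment check (file extension or the "MZ" header that every Windows executable begins with), and counts how many of the samples a single fixed SHA-256 signature would have caught versus the behavioural rule. The sender and recipient addresses, attachment names other than "applet.exe", and payload bytes are all assumptions made for the demonstration.

```python
"""Mail-gateway triage for the Storm "applet" lure (added example, constructed data)."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subject lines quoted in the advisory; matched case-insensitively as substrings.
LURE_SUBJECTS = ("user info", "membership support", "login information")
# Extensions that a "membership benefits" mail has no business delivering.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|com|bat)$", re.IGNORECASE)
MZ_MAGIC = b"MZ"  # DOS/PE header marker at the start of every Windows executable


def build_message(subject: str, attachment_name: Optional[str], payload: bytes) -> bytes:
    """Construct a sample multipart message (constructed test data, not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"   # assumed sender, not from the advisory
    msg["To"] = "member@example.invalid"      # assumed recipient
    msg["Subject"] = subject
    msg.set_content("Please run the attached applet to redeem your membership benefits.")
    if attachment_name is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Return the indicators found in one raw RFC 822 message and a quarantine verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    findings = {
        "lure_subject": any(lure in subject for lure in LURE_SUBJECTS),
        "exe_by_name": False,
        "exe_by_magic": False,
        "sha256": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if EXECUTABLE_EXT.search(name):
            findings["exe_by_name"] = True
        if data.startswith(MZ_MAGIC):      # catches an .exe renamed to hide its extension
            findings["exe_by_magic"] = True
        findings["sha256"].append(hashlib.sha256(data).hexdigest())
    # Quarantine only when the lure subject and an executable attachment coincide,
    # so ordinary mail that happens to use one of these subjects is not blocked.
    findings["quarantine"] = findings["lure_subject"] and (
        findings["exe_by_name"] or findings["exe_by_magic"])
    return findings


# Two "morphed" variants: same executable header, different packed body, different hash.
VARIANT_A = MZ_MAGIC + b"\x90" * 16 + b"packed-variant-a"
VARIANT_B = MZ_MAGIC + b"\x90" * 16 + b"packed-variant-b"
VARIANT_A_SHA256 = hashlib.sha256(VARIANT_A).hexdigest()  # the "signature" an AV might ship

SAMPLES = {
    "lure_a": build_message("User info", "applet.exe", VARIANT_A),
    "lure_b": build_message("Membership support", "applet.exe", VARIANT_B),
    # Extension hidden but the MZ header is still present (constructed, assumed name).
    "renamed": build_message("Login Information", "applet.dat", VARIANT_B),
    # Same subject as a lure, harmless text attachment: must not be quarantined.
    "benign": build_message("Membership support", "newsletter.txt", b"plain text"),
}


def signature_hits(known_hash: str) -> int:
    """How many samples a single fixed-hash signature catches."""
    return sum(known_hash in triage(raw)["sha256"] for raw in SAMPLES.values())


def behavioural_hits() -> int:
    """How many samples the lure-subject + executable rule catches."""
    return sum(bool(triage(raw)["quarantine"]) for raw in SAMPLES.values())


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw)["quarantine"])
    print("hash signature caught", signature_hits(VARIANT_A_SHA256), "of", len(SAMPLES))
    print("behavioural rule caught", behavioural_hits(), "of", len(SAMPLES))
```

The hash signature for the first variant matches only that one message; the next repack, and the renamed copy, slip past it. The subject-plus-executable rule catches all three lures and leaves the benign message alone, which is the practical reading of Ullrich's remark that signatures alone are no longer enough: pair them with structural checks on what the message is actually asking the user to run.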
Last Modified: Saturday, 01-Sep-2007 10:13:38 EDT