NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master

NRT-0330 Storm Worm Tactic Lobotomizes AV Programs:
Instead of killing anti-virus (AV) products on targeted systems, Storm Worm now applies a hot fix, a patch to the AV code in memory, that leaves the products running but ineffective, according to industry experts cited in a press report. The finding was made by Sophos and was discussed by Joshua Corman, a principal security strategist for IBM Internet Security Systems, in his 23 October presentation at the Interop New York 2007 IT conference. According to Sophos analyst Richard Cohen, the Storm botnet is dropping files that register a routine with Windows so that the malware is notified every time a new process is started. The malware checks the new process's name against an internal list and, in previous variants, killed matching processes, including those of AV programs. The new variant leaves the AV processes running and instead patches entry points within the specific processes that might pose a threat to it, so the code is still called but no longer does its job.

Storm applies this method to certain AV .exe, .dll, and .sys files. It also applies it to the P2P applications BearShare and eDonkey, making them appear to be running correctly while they actually do nothing. The rationale, according to Cohen, is that this is far less suspicious than a process that is suddenly terminated from the outside.

The technique is probably also designed to fool network access control (NAC) systems that block insecure clients from registering on a network based on a check of whether the client is running up-to-date AV software: the patched AV process is still present and still reports itself as running, so a check that only asks "is the AV running?" passes.
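The memory patch Sophos describes, as an added example that is not code from the original report, from Sophos, or from the Storm binary: a single-process, user-mode C demonstration (Linux, x86-64 or AArch64) in which a stand-in detection routine has its entry point overwritten with the machine code for "return 0", so the routine is still present and still called but always reports a clean result. Storm does this across process boundaries from a kernel-mode component against real AV images; here the scanner, the process names, and the mprotect-based write are assumptions for illustration only. The integrity check at the end is the kind of test a defender or NAC agent would want in place of a bare "is the process running?" check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in for an AV engine's detection routine (constructed for this
 * example; the names are invented). Returns 1 on detection, 0 if clean. */
__attribute__((noinline))
int scan_process(const char *image_name)
{
    static const char *const bad[] = { "storm_dropper.exe", "ecard_lure.exe" };
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        if (strcmp(image_name, bad[i]) == 0)
            return 1;
    return 0;
}

/* Calls go through a volatile pointer so the compiler cannot inline or
 * constant-fold the scanner; the patch must take effect at run time. */
static int (*volatile scanner)(const char *) = scan_process;

/* Machine code for "return 0", written over the routine's first bytes. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_zero_stub[] = { 0x31, 0xC0, 0xC3 };      /* xor eax,eax ; ret */
#elif defined(__aarch64__)
static const unsigned char ret_zero_stub[] = { 0x00, 0x00, 0x80, 0x52,   /* mov w0, #0 */
                                               0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
#error "return-0 stub is only provided for x86 and AArch64"
#endif
#define ENTRY_BYTES (sizeof ret_zero_stub)

/* Snapshot of the scanner's original entry bytes, taken at a trusted moment
 * (a real integrity check would compare against the on-disk image instead). */
static unsigned char original_entry[ENTRY_BYTES];

void snapshot_entry(void)
{
    memcpy(original_entry, (const void *)scan_process, ENTRY_BYTES);
}

/* Defender-side check: 1 if the entry bytes no longer match the snapshot. */
int entry_modified(void)
{
    return memcmp((const void *)scan_process, original_entry, ENTRY_BYTES) != 0;
}

/* Make the page(s) holding [fn, fn+len) writable, copy in the stub, and
 * restore read/execute. Returns 0 on success, -1 on failure. */
int patch_entry_point(void *fn, const unsigned char *stub, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)fn & ~((uintptr_t)page - 1);
    size_t span = ((uintptr_t)fn + len) - start;   /* the stub may straddle a page */

    /* RWX for the duration of the write rather than RW then RX: this patching
     * code may share the page with its target and must stay executable. */
    if (mprotect((void *)start, span, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(fn, stub, len);
    __builtin___clear_cache((char *)fn, (char *)fn + len);
    return mprotect((void *)start, span, PROT_READ | PROT_EXEC) == 0 ? 0 : -1;
}

/* What the "AV" reports for a process name: still runs, still returns. */
int av_reports_detection(const char *image_name)
{
    return scanner(image_name);
}

int main(void)
{
    snapshot_entry();
    printf("before patch: detected=%d, entry modified=%d\n",
           av_reports_detection("storm_dropper.exe"), entry_modified());

    if (patch_entry_point((void *)scan_process, ret_zero_stub, ENTRY_BYTES) != 0) {
        perror("mprotect");
        return 1;
    }

    /* The scanner is still loaded and still called; it just says "clean". */
    printf("after patch:  detected=%d, entry modified=%d\n",
           av_reports_detection("storm_dropper.exe"), entry_modified());
    return 0;
}
```

Two points worth noting in the code: the scanner is never unloaded or killed, so a process list (or a NAC agent that only consults one) sees nothing wrong; and the only thing that does change is the first few bytes of the routine, which is exactly what a code-integrity comparison against the on-disk image, or against a snapshot taken at a trusted time, catches.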

Corman cites this development as the latest evidence of why Storm is "the scariest and most substantial threat" security researchers have ever seen. Storm is patient; resilient; adaptive, in that it can defeat AV products in multiple ways (programmatically, it changes its signature every 30 minutes); invisible, because it comes with a built-in rootkit and hides at the kernel level; and clever enough to change its tactics every few weeks.

Storm developers have implemented still more self-defense mechanisms, according to Corman. "If you try to attach a debugger, or query sites it's reporting into, it knows and punishes you instantaneously," he said. "Every time I hear of an investigator trying to investigate, they're automatically punished. It knows it's being investigated, and it ... fights back."

Besides retribution, Storm's ability to morph means that those who know how to watch it are zealously guarding their techniques, according to Corman. "They're afraid of retaliation. They fear that if we disclose their unique means of finding information on Storm, the botnet operators will change tactics yet again and the window into Storm will slam shut."

(www.eweek.com 24OCT07)


Last Modified: Saturday, 03-Nov-2007 09:45:48 EST