July 4th, 2008

Storm Worm’s Independence Day campaign

Posted by Dancho Danchev @ 8:44 am

Categories: Spam and Phishing, Botnets, Exploit code, Arbitrary Code Execution, Anti Virus, Malware

Tags: Storm Worm, Social Engineering, P2P Malware, Dancho Danchev

A Storm Worm Independence Day campaign is circulating online using email as its propagation vector, attempting to trick users into visiting a Storm Worm infected host, where what looks like over five different exploits attempt to automatically infect visitors alongside the malware binary fireworks.exe. Historically, Storm Worm constantly changes its tactics, and the use of live exploit URLs has been back in its arsenal for the last couple of campaigns. Therefore, visiting a Storm Worm infected IP sent to your email would launch multiple exploits against your third-party software. Here’s a sample message used in the latest campaign:

“Colorful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it.”
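As an added illustration, not from the original post, here is a small mail-triage routine that flags the traits of this campaign as described above: links whose host is a bare IP address rather than a domain name, links ending in an executable such as fireworks.exe, and the "click on the video and run it" lure wording. The sample message bodies and the IP addresses in them are constructed (documentation ranges), and the scoring thresholds are my own assumption.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample bodies: only the lure sentence is quoted from the post,
# the URLs use documentation address ranges and example domains.
SAMPLE_MESSAGES = [
    "If you want to see the best Independence Day firework just click on the "
    "video and run it. http://192.0.2.45/fireworks.exe",
    "Quarterly report is at https://intranet.example.com/reports/q2.pdf",
    "Watch the show here: http://198.51.100.7/",
    "Newsletter: http://www.example.org/news/july",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif")
LURE_PHRASES = ("click on the video", "run it")


def host_is_bare_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_message(body):
    """Return (score, reasons): one point per suspicious trait found in the body."""
    reasons = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host_is_bare_ip(host):
            reasons.append(f"link to bare IP address: {host}")
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"link to executable: {parsed.path.rsplit('/', 1)[-1]}")
    lowered = body.lower()
    if any(phrase in lowered for phrase in LURE_PHRASES):
        reasons.append("lure wording asks the recipient to open and run content")
    return len(reasons), reasons


def triage(messages, threshold=2):
    """Indexes of messages whose score reaches the (assumed) alert threshold."""
    return [i for i, body in enumerate(messages) if score_message(body)[0] >= threshold]


if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_MESSAGES):
        print(i, score_message(body))
    print("flagged:", triage(SAMPLE_MESSAGES))
```

A bare-IP link alone (message 2) scores one point and stays below the threshold; the combination of bare IP, executable download and lure wording (message 0) is what this campaign looks like in the mailbox.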

Storm Worm is a case study in successful social engineering attacks, based on timing, the combination of tactics, and persistence. In this particular campaign, they rely on the fact that a lot of users would be clicking on the exploit-serving links from their homes, and that being away from the at least theoretically better hardened corporate network would result in more infections. Storm is one of many botnets currently active online; when it is partitioned and access to the partitions resold to different parties, keeping track of its size becomes harder, since the wannabe botnet masters introduce new malware onto the Storm Worm infected hosts and use them as the foundation for their own unique botnets.

Moreover, the stereotype of zero day vulnerabilities as the critical success factor for a malware campaign was originally broken by the time Storm Worm took the leading position as the largest botnet online for a certain period of time, without exploiting a single zero day vulnerability, relying instead on the fact that unpatched vulnerabilities are just as effective as zero day vulnerabilities when the exploit set is diversified well enough.

In times when client-side vulnerabilities are driving the success rates of malware campaigns, unpatched software, third-party software in particular, is just as vulnerable as software that is being exploited with a zero day vulnerability. So consider auditing yourself by ensuring you’re not running unpatched third-party software, and stay away from spam and phishing emails enticing you to visit a particular URL in general, since both are converging with malware.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and E-crime incident response. Dancho is also involved in business development, marketing research and competitive intelligence as an independent contractor. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis.