News

Storm worm returns to internet

28 April 2010

Security researchers have identified a new version of the Storm worm that plagued the internet three years ago. The new version uses HTTP for command-and-control purposes instead of the original peer-to-peer approach, say reports.

The new version of Storm is more streamlined than the original, because it uses HTTP as its command-and-control mechanism, with the address of the command-and-control server embedded in encrypted form. According to an analysis of the code by members of the Honeynet Project, the configuration file, although it keeps the same file name as in the original version of the malware, no longer contains a list of peers. The installation technique used by this version of Storm is identical to that of the original.

"We compared the last version of Storm to the new samples. Around two thirds of the functions in the new sample are simply copied and pasted from the last Storm code base," said Felix Leder, a member of the computer science department at the University of Bonn involved with the Honeynet Project. "Since the source code of Storm has never been made public, the same team of developers has finally created a new variant or sold its code."

The original version had more than 800 functions, many of which are missing from the new version because of the shift to HTTP. Leder mused that the Stormfucker program, which he developed with other German researchers, may have been responsible for the change in command-and-control approach. That tool took advantage of flaws in the P2P command network to take down a Storm bot. However, using it would generally have involved installing it on an infected machine without the victim's consent, limiting its legitimate use.

The command protocol used by the new version is identical to the original, and enables different commands to be sent to clients, instructing them to deliver spam, or participate in a DDoS attack.

The new code was originally discovered by Stephen Adair of the Shadowserver Foundation.

This article is featured in:
IT Forensics • Malware and Hardware Security

 
