- For information on the botnet composed of machines infected with this worm, see Storm botnetStorm botnetThe Storm botnet or Storm worm botnet is a remotely controlled network of "zombie" computers that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam...
The Storm Worm (dubbed so by the Finnish
Finland , officially the Republic of Finland, is a Nordic country situated in the Fennoscandian region of Northern Europe. It is bordered by Sweden in the west, Norway in the north and Russia in the east, while Estonia lies to its south across the Gulf of Finland.Around 5.4 million people reside...
F-Secure Corporation is an anti-virus and computer security software company based in Helsinki, Finland. The company has 18 country offices and a presence in more than 100 countries, with Security Lab operations in Helsinki, Finland and in Kuala Lumpur, Malaysia...
) is a backdoor Trojan horse
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
that affects computers using Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
operating systems, discovered on January 17, 2007. The worm is also known as:
- Small.dam or Trojan-Downloader.Win32.Small.dam (F-SecureF-SecureF-Secure Corporation is an anti-virus and computer security software company based in Helsinki, Finland. The company has 18 country offices and a presence in more than 100 countries, with Security Lab operations in Helsinki, Finland and in Kuala Lumpur, Malaysia...
- CME-711 (MITREMITREThe Mitre Corporation is a not-for-profit organization based in Bedford, Massachusetts and McLean, Virginia...
- W32/Nuwar@MM and Downloader-BAI (specific variant) (McAfeeMcAfeeMcAfee, Inc. is a computer security company headquartered in Santa Clara, California, USA. It markets software and services to home users, businesses and the public sector. On August 19, 2010, electronics company Intel agreed to purchase McAfee for $7.68 billion...
- Troj/Dorf and Mal/Dorf (SophosSophosSophos is a developer and vendor of security software and hardware, including anti-virus, anti-spyware, anti-spam, network access control, encryption software and data loss prevention for desktops, servers, email systems and other network gateways....
- Trojan.Peacomm (SymantecSymantecSymantec Corporation is the largest maker of security software for computers. The company is headquartered in Mountain View, California, and is a Fortune 500 company and a member of the S&P 500 stock market index.-History:...
- TROJ_SMALL.EDW (Trend MicroTrend MicroTrend Micro Inc. is a computer security company. It is headquartered in Tokyo, Japan and markets Trend Micro Internet Security, Trend Micro Worry-Free Business Security, OfficeScan, and other related security products and services...
- Win32/Nuwar (ESETEsetESET is an IT security company head-quartered in Bratislava, Slovakia that was founded in 1992 by the merger of two private companies. The company was awarded as the most successful Slovak company in 2008, 2009 and 2010...
- Win32/Nuwar.N@MM!CME-711 (Windows Live OneCareWindows Live OneCareWindows Live OneCare was a computer security and performance enhancement service developed by Microsoft for Microsoft Windows. A core technology of OneCare was the multi-platform RAV , which Microsoft purchased from GeCAD Software Srl in 2003, but subsequently discontinued...
- W32/Zhelatin (F-SecureF-SecureF-Secure Corporation is an anti-virus and computer security software company based in Helsinki, Finland. The company has 18 country offices and a presence in more than 100 countries, with Security Lab operations in Helsinki, Finland and in Kuala Lumpur, Malaysia...
- Trojan.Peed, Trojan.Tibs (BitDefenderBitDefenderBitDefender is an antivirus software suite developed by Romania-based software company Softwin. It was launched in November 2001, and is currently in its 15 build version...
The Storm Worm began infecting thousands of (mostly private) computers in Europe
Europe is, by convention, one of the world's seven continents. Comprising the westernmost peninsula of Eurasia, Europe is generally 'divided' from Asia to its east by the watershed divides of the Ural and Caucasus Mountains, the Ural River, the Caspian and Black Seas, and the waterways connecting...
and the United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...
on Friday, January 19, 2007, using an e-mail message with a subject line about a recent weather disaster, "230 dead as storm batters Europe". During the weekend there were six subsequent waves of the attack. As of January 22, 2007, the Storm Worm accounted for 8% of all malware infections globally.
There is evidence, according to PCWorld
PC World (magazine)
PC World is a global computer magazine published monthly by IDG. It offers advice on various aspects of PCs and related items, the Internet, and other personal-technology products and services...
, that the Storm Worm was of Russia
Russia or , officially known as both Russia and the Russian Federation , is a country in northern Eurasia. It is a federal semi-presidential republic, comprising 83 federal subjects...
n origin, possibly traceable to the Russian Business Network
Russian Business Network
The Russian Business Network is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale...
Ways of actionOriginally propagated in messages about European windstorm
A European windstorm is a severe cyclonic windstorm associated with areas of low atmospheric pressure that track across the North Atlantic towards northwestern Europe. They are most common in the winter months...
Kyrill, the Storm Worm has been seen also in emails with the following subjects:
- A killer at 11, he's free at 21 and kill again!
- U.S. Secretary of State Condoleezza RiceCondoleezza RiceCondoleezza Rice is an American political scientist and diplomat. She served as the 66th United States Secretary of State, and was the second person to hold that office in the administration of President George W. Bush...
has kicked German Chancellor Angela MerkelAngela MerkelAngela Dorothea Merkel is the current Chancellor of Germany . Merkel, elected to the Bundestag from Mecklenburg-Vorpommern, has been the chairwoman of the Christian Democratic Union since 2000, and chairwoman of the CDU-CSU parliamentary coalition from 2002 to 2005.From 2005 to 2009 she led a...
- British Muslims Genocide
- Naked teens attack home director.
- 230 dead as storm batters Europe.
- Re: Your text
- Radical Muslim drinking enemies's blood.
- Chinese/Russian missile shot down Russian/Chinese satellite/aircraft
- Saddam HusseinSaddam HusseinSaddam Hussein Abd al-Majid al-Tikriti was the fifth President of Iraq, serving in this capacity from 16 July 1979 until 9 April 2003...
safe and sound!
- Saddam Hussein alive!
- Venezuelan leader: "Let's the War beginning".
- Fidel CastroFidel CastroFidel Alejandro Castro Ruz is a Cuban revolutionary and politician, having held the position of Prime Minister of Cuba from 1959 to 1976, and then President from 1976 to 2008. He also served as the First Secretary of the Communist Party of Cuba from the party's foundation in 1961 until 2011...
- If I Knew
- FBI vs. Facebook
When an attachment is opened, the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
. The Trojan piggybacks on the spam
Email spam, also known as junk email or unsolicited bulk email , is a subset of spam that involves nearly identical messages sent to numerous recipients by email. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. One subset of UBE is UCE...
with names such as "postcard.exe" and "Flash Postcard.exe," with more changes from the original wave as the attack mutates. Some of the known names for the attachments include:
- Full Story.exe
- Read More.exe
Later, as F-Secure confirmed, the malware began spreading the subjects such as "Love birds" and "Touched by Love". These emails contain links to websites hosting some of the following files, which are confirmed to contain the virus:
According to Joe Stewart, director of malware research for SecureWorks
SecureWorks, Inc Headquartered in Atlanta, Georgia, SecureWorks, Inc. is a U.S.-based managed security services provider that provides information security services and protection of computer, network and information assets from malicious activity or cybercrime for its customers...
, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy...
to change the IP addresses for its command and control servers.
BotnettingThe compromised machine becomes merged into a botnet
A botnet is a collection of compromised computers connected to the Internet. Termed "bots," they are generally used for malicious purposes. When a computer becomes compromised, it becomes a part of a botnet...
. While most botnets are controlled through a central server
In the context of client-server architecture, a server is a computer program running to serve the requests of other programs, the "clients". Thus, the "server" performs some computational task on behalf of "clients"...
, which if found can be taken down to destroy the botnet, the Storm Worm seeds a botnet that acts in a similar way to a peer-to-peer network, with no centralized control. Each compromised machine connects to a list of a subset of the entire botnet - around 30 to 35 other compromised machines, which act as hosts
A network host is a computer connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network. A network host is a network node that is assigned a network layer host address....
. While each of the infected hosts share lists of other infected hosts, no one machine has a full list of the entire botnet - each only has a subset, making it difficult to gauge the true extent of the zombie network. On 7 September 2007, estimates of the size of the Storm botnet ranged from 1 to 10 million computers. Researchers from the University of Mannheim and the Institut Eurecom have estimated concurrent online storm nodes to be between 5,000 and 40,000.
RootkitAnother action the Storm Worm takes is to install the rootkit
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications...
Win32.agent.dh. Symantec pointed out that flawed rootkit code voids some of the Storm Worm author's plans. Later variants, starting around July 2007, loaded the rootkit component by patching existing Windows drivers such as tcpip.sys and cdrom.sys with a stub of code that loads the rootkit driver module without requiring it to have an entry in the Windows driver list.
April Fool's DayOn April 1, 2008, a new storm worm was released onto the net, with April Fools-themed subject titles.
FeedbackThe list of antivirus companies that can detect the Storm Worm include Authentium, BitDefender
BitDefender is an antivirus software suite developed by Romania-based software company Softwin. It was launched in November 2001, and is currently in its 15 build version...
, ClamAV, eSafe, Eset
ESET is an IT security company head-quartered in Bratislava, Slovakia that was founded in 1992 by the merger of two private companies. The company was awarded as the most successful Slovak company in 2008, 2009 and 2010...
, F-Prot, F-Secure
, Kaspersky, McAfee
McAfee, Inc. is a computer security company headquartered in Santa Clara, California, USA. It markets software and services to home users, businesses and the public sector. On August 19, 2010, electronics company Intel agreed to purchase McAfee for $7.68 billion...
Sophos is a developer and vendor of security software and hardware, including anti-virus, anti-spyware, anti-spam, network access control, encryption software and data loss prevention for desktops, servers, email systems and other network gateways....
Symantec Corporation is the largest maker of security software for computers. The company is headquartered in Mountain View, California, and is a Fortune 500 company and a member of the S&P 500 stock market index.-History:...
, Trend Micro
Trend Micro Inc. is a computer security company. It is headquartered in Tokyo, Japan and markets Trend Micro Internet Security, Trend Micro Worry-Free Business Security, OfficeScan, and other related security products and services...
, avast and Windows Live OneCare
Windows Live OneCare
Windows Live OneCare was a computer security and performance enhancement service developed by Microsoft for Microsoft Windows. A core technology of OneCare was the multi-platform RAV , which Microsoft purchased from GeCAD Software Srl in 2003, but subsequently discontinued...
. The Storm Worm is constantly being updated by its authors to evade antivirus detection, so this does not imply that all the vendors listed above are able to detect all the Storm Worm variants. An intrusion detection system offers some protection from the rootkit, as it may warn that the Windows process "services.exe" is trying to access the Internet using ports 4000 or 7871. Windows 2000
Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
, Windows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
and presumably Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
can be infected by all the Storm Worm variants, but Windows Server 2003
Windows Server 2003
Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...
cannot, as the malware's author specifically excluded that edition of Windows from the code. Additionally, the decryption layer for some variants requires Windows API functions that are only available in Windows XP Service Pack 2 and later, effectively preventing infection on older versions of Windows.
Peter Gutmann (computer scientist)
Peter Gutmann is a computer scientist in the Department of Computer Science at the University of Auckland, Auckland, New Zealand. He has a Ph.D. in computer science from the University of Auckland. His Ph.D. thesis and a book based on the thesis were about a cryptographic security architecture...
sent an email noting that the Storm botnet comprises between 1 and 10 million PCs depending on whose estimates you believe. Although Dr. Gutmann makes a hardware resource comparison between the Storm botnet and distributed memory
In computer science, distributed memory refers to a multiple-processor computer system in which each processor has its own private memory. Computational tasks can only operate on local data, and if remote data is required, the computational task must communicate with one or more remote processors...
and distributed shared memory
Distributed shared memory
Distributed Shared Memory , in Computer Architecture is a form of memory architecture where the memories can be addressed as one address space...
high performance computers at TOP500
The TOP500 project ranks and details the 500 most powerful known computer systems in the world. The project was started in 1993 and publishes an updated list of the supercomputers twice a year...
, exact performance matches were not his intention—rather a more general appreciation of the botnet's size compared to other massive computing resources. Consider for example the size of the Storm botnet compared to grid computing projects such as the World Community Grid
World Community Grid
World Community Grid is an effort to create the world's largest public computing grid to tackle scientific research projects that benefit humanity...
An article in PCWorld dated October 21, 2007 says that a network security analyst presented findings at the Toorcon hacker conference in San Diego on October 20, 2007, saying that Storm is down to about 20,000 active hosts or about one-tenth of its former size. However, this is being disputed by security researcher Bruce Schneier
Bruce Schneier is an American cryptographer, computer security specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and is the founder and chief technology officer of BT Managed Security Solutions, formerly Counterpane Internet...
, who notes that the network is being partitioned in order to sell the parts off independently.
- Spamtrackers SpamWiki: Storm
- NetworkWorld: Storm Worm's virulence may change tactics
- Wired.com: Analysis by Bruce SchneierBruce SchneierBruce Schneier is an American cryptographer, computer security specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and is the founder and chief technology officer of BT Managed Security Solutions, formerly Counterpane Internet...
- "There's a Storm Coming", from the IBM ISS X-Force Blog
- Trojan.Peacomm (Storm) at Symantec
- Stormy Weather: A Quantitative Assessment of the Storm Web Threat in 2007 (Trend Micro)
- In millions of Windows, the perfect Storm is gathering, from The Observer.
- April Fool's Day Storm Worm Attack Hits, from PC World.
- Storm and the future of social engineering from Help Net Security (HNS).