Feeds

Stormy weather for malware defenses

Virus writers go after anti-virus vulnerabilities

Beginner's guide to SSL certificates

When the Storm Worm swept through the internet in mid-January, the program's writers took a brute force approach to evading anti-virus defenses: They created a massive number of slightly different copies of the program and released them all at the same time.

On 18 January, the day the misnamed program - a Trojan horse, not a worm - first appeared, more than 350 different variants were released, according to a report penned by security firm CommTouch Software. Four days later, the number of slightly-different versions jumped to more than 7,300. By the end of January, more than 54,000 variants had hit the internet, the report (PDF) stated, each one spammed out by computers previously compromised by the program.

"Virus writers' goals have changed," CommTouch CEO Amir Lev said in an email interview with SecurityFocus. "They are doing 'good' business now. They do not focus on finding vulnerabilities in Microsoft and other products, they look for 'vulnerabilities' (in) the AV (anti-virus) systems."

The technique is effective. While anti-virus program's pattern recognition algorithms, frequently referred to as heuristics, may have stopped a large fraction of the variants, creating signatures to catch all the versions takes time. Response to a new variant - including developing, testing and distributing a signatures - takes hours at a minimum. Responding to thousands can take much longer.

During a January interview, one McAfee researcher underscored the headaches caused by the Storm Worm.

"Every day, it has been a new set of subject lines and new tactics to get people to open these," Allysa Myers, virus research engineer for security software maker McAfee, said in an interview with SecurityFocus. "They have had mass seedings of new variants every day this week."

The program highlights a number of changes in the techniques used by criminal internet groups. The Storm Worm spreads in fairly large, but controlled, bursts of email through previously compromised computers. Each burst typically sends out a custom variant, trying to infect systems before the user updates their anti-virus definitions. The program compromises systems by luring users into opening the attachments of messages with subject lines regarding current news events, including violent storms in Europe - a characteristic that led to the program's naming.

While some other programs have used a similar tactics, the Storm Worm's focus on propagation through sheer permutation carries the trend to a new level. The technique exploits a weakness, not in the software, but in the system. Analysing malicious code requires, for the most part, human researchers, and the coders hope to overwhelm the human component long enough to compromise as many systems as needed.

"Signatures are still needed, but the amount of malware that is being produced and the speed with which it changes means that you need a lot of researchers," said Alex Shipp, a researcher for email security provider MessageLabs.

Other firms have witnessed the trend first hand. In 2006, anti-virus firm Kaspersky Lab added 80,000 virus-pattern records to its product, roughly doubling the number added in 2005, said Eugene Kaspersky, the co-founder and head of research and development for the anti-virus firm.

"This is a competition where the anti-virus companies, I fear, are not in a good position," Kaspersky said.

The Storm Worm is all about creating massive networks of compromised computers that can be controlled by a single group or individual. The networks, known as bot nets, don't need to be large to be useful. A bot net of several thousand computers is more than enough to mount a severe denial-of-service attack or send out a digital deluge of stock spam - common uses for the networks - and, of course, send out more copies of the Trojan horse (this aspect of the Storm Worm is the subject of the first part of this two-part series).

"The guys are very aggressive with the variants, and that has defeated the more simplistic AV engines out there," Arbor Networks senior security researcher Jose Nazario said.

The Storm Worm is likely responsible for creating a bot net that contains more than 20,000 computers and perhaps as many as 100,000, Nazario said. Other evidence appears to indicate that there is more than one Storm Worm-related bot net.

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Desperate VXers enslave FREEZERS in DDoS bot
Updated Spike malware targets Asia
Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI
A stranger turns up YOUR heat with default password 1234
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.