'Storm' Trojan Hits 1.6 Million PCs; Vista May Be Vulnerable
January 23, 2007 3:43 PM ET
The Trojan horse that began spreading Friday has attacked at least 1.6 million PCs, a security company said Tuesday.
In addition, it appears that Windows Vista, the new operating system Microsoft will launch next week, is vulnerable to the attack.
Originally dubbed the "Storm worm" because one of the subject heads used by its e-mail touted Europe's recent severe weather, the Trojan's author is now spreading it using subjects such as "Love birds" and "Touched by Love," said Finnish anti-virus vendor F-Secure. The Trojan, meanwhile, piggybacks on the spam as an executable file with names ranging from "postcard.exe" to "Flash Postcard.exe," more changes from the original wave as the attack mutates.
The first several spam blasts of the Trojan -- which was named "Peacomm" by Symantec -- came with current event subject heads, including ones claiming to include video of a Chinese missile attack or proof that Saddam Hussein lives, and bore attached files such as "video.exe."
"Peacomm has, not surprisingly, evolved. The attachments have new file names, some files [dropped onto the PC] have changed, and the subject lines of the spam are also changing," noted Amado Hidalgo, a researcher with Symantec's security response group, in an entry on the team's blog.
By Symantec's reckoning, Peacomm is the most serious Internet threat in 20 months. Monday, it raised the alert level to "3" in its 1 through 5 scale; the last time the security software developer tagged a threat as "3" was for Sober.o in May 2005.
So far, Symantec has received 1.6 million detection reports from its sensor system. "This means Peacomm has hit 1.6 million systems in the past seven days," a company spokesman said in an e-mail. An accurate number of infected machines isn't yet known.
The most recent variants of the Trojan include rootkit cloaking technologies to hide it from security software, said both F-Secure and Symantec. The latter, however, pointed out that flawed rootkit code voids some of the Trojan maker's plans. "The rootkit service can be stopped by running a simple command: net stop wincom32. All files, registry keys, and ports will appear again," said Hidalgo. A personal firewall also offers some protection from the rootkit, as it will warn you that the Windows process "services.exe" is trying to access the Internet using ports 4000 or 7871.
Peacomm's turn to rootkits brought out comparisons to Rustock, a year-old family of Trojan horses that has become a model of sorts for hackers. Rustock, as Symantec warned in December 2006, relies on rootkit technology, but adds an ability to quickly change form as another evasion tactic.
"It's similar to Rustock," acknowledges Dave Cole, director of Symantec's security response team, "but [Peacomm is] not nearly as technically sophisticated."
As with most large-scale Trojan attacks, the goal seems to be to acquire a large botnet, or collection of compromised PCs, that can be used to send traditional scam spams or for later identity mining.
Symantec's researchers said that PCs hijacked by Peacomm send "tons and tons of penny stock spam" in a typical pump 'n' dump scheme. "During our tests we saw an infected machine sending a burst of almost 1,800 e-mails in a five-minute period and then it just stopped," said Hidalgo. "We're speculating that the task of sending the junk e-mail is then passed on to another member of the botnet."
Windows 2000 and Windows XP are vulnerable to all the Peacomm variations, but Windows Server 2003 is not; the Trojan's creator specifically excluded that edition of Windows from the code. Symantec's Hidalgo took a guess why. "We presume the malware writers didn't have time to test it on this operating system."
Microsoft's soon-to-release-to-consumers Vista, however, does appear at risk, added Symantec Tuesday. "It appears most if not all variants could execute on Vista," the spokesman said. "The only way the Trojan would be unsuccessful is if somehow Vista is able to detect/prohibit the e-mail. This seems unlikely."
Antivirus companies have updated their signature databases with fingerprints that identify and then delete (or quarantine) the Trojan as it arrives. Other defensive advice includes filtering traffic on UDP ports 4000 and 7871, update anti-spam products, and configure mail gateways to strip out all executable attachments.
|
Symantec's Code Red: The Law Enforcement/Anonymous E-Mail Exchange Law enforcement officials negotiated via e-mail for more than two weeks with an Anonymous group member trying to extort $50,000 from Symantec to keep stolen product code off the Internet. |
|
How To Sell IT Security Services To Your Customers Cyberattacks can cost a business thousands, even millions, of dollars, and can deal a death blow to some. Here's how IT solution providers can help guard against malicious attacks. |
|
Cybersecurity Experts: What They Know Could Scare You A recent report based on interviews with security experts in government, business and academia finds more than half in agreement that a worldwide arms race is taking place in cyberspace. |
 More
Slide Shows |
- Insider Threats: The Next Frontier for Security Resellers and SMBs
- Complete Security and Your Bottom Line: Sophos, Value and the Channel
- Tough Threats, Tougher Security: How You Can Leverage New Solutions To Combat A “Targeted Attack” Landscape
- Dark Clouds Ahead: Why the Mid-Market Needs To Ramp Up Cloud Security and How You Can Help Them Get There
