'Stration' Worm Spawns Sneak Attacks
The Stration worm, aka Warezov, has been topic number one for anti-virus firms for almost three months, but until recently they hadn't figured out that the malware kicks into second gear about six hours after it's installed. Then, said Reston, Va.-based VeriSign iDefense, it begins sending massive amounts of spam touting Viagra, Xanax, and Propecia prescription medicines.
"Lots of AV vendors have been saying that Stration doesn't have a payload," said Mike La Pilla, an iDefense analyst. "But it does. It just takes six hours. Then it contacts a different domain, downloads a spamming Trojan, and starts sending mail."
If a user launches the file attached to the original e-mail, a small Trojan downloader executes, searches out the domain of a remote server, and downloads the Stration/Warezov worm. Stration, in turn, then replicates by grabbing e-mail addresses off the compromised system. Only later does it seek out a second domain for the spam bot.
Stration's been pegged by many analysts as the malware behind a recent explosion in spam rates, and in the number of bots detected on the Internet. IDefense's analysis, La Pilla said, backs that up.
"Most security companies have been trying to get the server with the primary domain shut down," he said. "But that leaves Stration still able to connect to the second domain to download the spamming Trojan."
Stration's one-two domain approach has been sophisticated enough to fool some of the world's largest security vendors. For example, Symantec's write-up of the most recent Stration variant includes no information about additional spamming, but only tags the malware as "a worm that spreads by e-mailing itself to other computers."
IDefense spotted another overlooked characteristic of Stration, said La Pilla. "It also spreads on ICQ," he said, referring to the instant messaging client owned by AOL. "There's always an e-mail component to the worm and an ICQ component."
The worm not only harvests e-mail addresses, but also collects ICQ contacts it finds on the infected PC. "Most of these [ICQ-caused infections] are in Russia, Estonia, Latvia, and the like," said La Pilla, in large part because the IM client is most popular in Eastern Europe.
Few anti-virus vendors noticed the ICQ angle, La Pilla said; exceptions were Grisoft, a Czech-based security company that markets the AVG line, and ESET, a Slovakian anti-virus company that produces NOD32.
The circumstantial connection between Stration and the rapid rise in spam rates for October got a bit stronger Tuesday as the SANS Institute's Internet Storm Center correlated the increase in spam volume with a considerable jump in the number of infected systems Internet-wide.
"For the last few months, the number of [infected] IPs hovered at around 1 million per day. However, as of Oct. 18th, this number all of a sudden surged to about 1.6-1.8 million," wrote Johannes Ullrich, the ISC's chief research officer, in an online alert Tuesday. "This coincides with a dramatic increase in spam."
After additional analysis, Ullrich downgraded the increase in infected systems to approximately 1.2 million.
Other security researchers, such as those at U.K.-based MessageLabs, have tied the boost in infected systems to the bots planted by Stration; those bots then spam, which results in a boost in both spam volume and its percentage of all mail.
Still others have noted how Stration stays one step ahead of the anti-virus vendors by constantly changing. IDefense's La Pilla pointed that out, too. "When you get the attachment, it's actually a downloader Trojan, not the worm itself. So when it executes, it goes to the main server and downloads the very newest worm.
"If you get the e-mail in the morning and launch it then, you may get an old copy" for which anti-virus vendors may have created a signature, said La Pilla. "But if you launch the attachment in the evening, you'll probably download a newer version."
Stration accounted for three of last month's top 10 worms, said security software vendor Sophos.