'Storm' Trojan Hits 1.6 Million PCs; Vista May Be Vulnerable
In addition, it appears that Windows Vista, the new operating system Microsoft will launch next week, is vulnerable to the attack.
Originally dubbed the "Storm worm" because one of the subject heads used by its e-mail touted Europe's recent severe weather, the Trojan's author is now spreading it using subjects such as "Love birds" and "Touched by Love," said Finnish anti-virus vendor F-Secure. The Trojan, meanwhile, piggybacks on the spam as an executable file with names ranging from "postcard.exe" to "Flash Postcard.exe," more changes from the original wave as the attack mutates.
The first several spam blasts of the Trojan -- which was named "Peacomm" by Symantec -- came with current event subject heads, including ones claiming to include video of a Chinese missile attack or proof that Saddam Hussein lives, and bore attached files such as "video.exe."
"Peacomm has, not surprisingly, evolved. The attachments have new file names, some files [dropped onto the PC] have changed, and the subject lines of the spam are also changing," noted Amado Hidalgo, a researcher with Symantec's security response group, in an entry on the team's blog.
By Symantec's reckoning, Peacomm is the most serious Internet threat in 20 months. Monday, it raised the alert level to "3" in its 1 through 5 scale; the last time the security software developer tagged a threat as "3" was for Sober.o in May 2005.
So far, Symantec has received 1.6 million detection reports from its sensor system. "This means Peacomm has hit 1.6 million systems in the past seven days," a company spokesman said in an e-mail. An accurate number of infected machines isn't yet known.
The most recent variants of the Trojan include rootkit cloaking technologies to hide it from security software, said both F-Secure and Symantec. The latter, however, pointed out that flawed rootkit code voids some of the Trojan maker's plans. "The rootkit service can be stopped by running a simple command: net stop wincom32. All files, registry keys, and ports will appear again," said Hidalgo. A personal firewall also offers some protection from the rootkit, as it will warn you that the Windows process "services.exe" is trying to access the Internet using ports 4000 or 7871.
Peacomm's turn to rootkits brought out comparisons to Rustock, a year-old family of Trojan horses that has become a model of sorts for hackers. Rustock, as Symantec warned in December 2006, relies on rootkit technology, but adds an ability to quickly change form as another evasion tactic.
"It's similar to Rustock," acknowledges Dave Cole, director of Symantec's security response team, "but [Peacomm is] not nearly as technically sophisticated."
As with most large-scale Trojan attacks, the goal seems to be to acquire a large botnet, or collection of compromised PCs, that can be used to send traditional scam spams or for later identity mining.
Symantec's researchers said that PCs hijacked by Peacomm send "tons and tons of penny stock spam" in a typical pump 'n' dump scheme. "During our tests we saw an infected machine sending a burst of almost 1,800 e-mails in a five-minute period and then it just stopped," said Hidalgo. "We're speculating that the task of sending the junk e-mail is then passed on to another member of the botnet."
Windows 2000 and Windows XP are vulnerable to all the Peacomm variations, but Windows Server 2003 is not; the Trojan's creator specifically excluded that edition of Windows from the code. Symantec's Hidalgo took a guess why. "We presume the malware writers didn't have time to test it on this operating system."
Microsoft's soon-to-release-to-consumers Vista, however, does appear at risk, added Symantec Tuesday. "It appears most if not all variants could execute on Vista," the spokesman said. "The only way the Trojan would be unsuccessful is if somehow Vista is able to detect/prohibit the e-mail. This seems unlikely."
Antivirus companies have updated their signature databases with fingerprints that identify and then delete (or quarantine) the Trojan as it arrives. Other defensive advice includes filtering traffic on UDP ports 4000 and 7871, update anti-spam products, and configure mail gateways to strip out all executable attachments.