Analysis of the Storm Worm


Description

A paper I did for a class in 2008.


Page 1: Analysis of the Storm Worm

Analysis of the Storm Worm

Analysis Of the Storm Worm Robert Shullich, John Jay College, FCM 740, Spring 2008

1

Analysis of the Storm Worm
Robert Shullich, CISSP, SSCP, CISA, CISM, CEH, CPTS, GSEC, GCIH, and GCFA
FCM 740, Spring 2008
John Jay College of Criminal Justice, City University of New York
May 2008

Page 2: Analysis of the Storm Worm


Table of Contents

Abstract ..... 4
Background ..... 5
    Motive ..... 5
    History ..... 5
    Environmental Awareness ..... 5
    Module Analysis ..... 5
    Project/Paper Scope ..... 6
    Test Environment ..... 6
    Tamper Resistant Storm Code ..... 7
Network Hierarchy ..... 8
    Storm Architecture ..... 8
    Network Seeding ..... 8
    HASH Keys ..... 9
    Find your neighbors ..... 9
    Private Nodes (subnode) ..... 9
    SPAM Engine ..... 10
    2nd Network ..... 10
    Public Nodes (supernode) ..... 10
    NGINX ..... 10
    0.5.12 (Subcontroller) ..... 10
    Nginx 0.5.17 (proxy) ..... 10
    Apache ..... 10
    The sweet spot ..... 11
Storm At Work ..... 11
    SPAM Distribution ..... 11
    Storm Extensibility ..... 11
Command and Control Channel ..... 12
    Early use of Command and Control (Ports) ..... 12
    Early use of Command and Control (IRC) ..... 12
    Dedicated Upload/Download Servers ..... 13
    P2P Networking (Peer-2-Peer) ..... 13
    Properties of the P2P network design ..... 13
Fast-Flux ..... 13
    The need for Fast-Flux ..... 13
    DNS IP to NAME mappings ..... 13
    Single Fast-Flux ..... 13
    Double Fast-Flux ..... 14
The decline and fall of Storm ..... 14
    Anti-Virus ..... 14
    Malicious Software Removal Tool (MSRT) ..... 14
    Today's BOTs ..... 14
    Messagelabs View ..... 14
    It Ain't over till it's over ..... 15
Dynamic Analysis ..... 16
    P2P Analysis ..... 16
Appendix ..... 19
References ..... 28

Page 4: Analysis of the Storm Worm


Abstract Storm, mainly called a worm, though many disagree and call it a virus or a Trojan, showed up in early 2007, and 16 months later it still maintains some strength despite claims by many that eradication is near. We will refer to the operating code as the Storm Code; this code has used many evasion techniques to draw out its long life. The Storm Code has used the old tricks of encryption and code packing to achieve polymorphism and avoid detection by anti-virus and Intrusion Detection Sensors (IDS), but it has also implemented the new tricks of VM detection, a P2P network and Fast Flux to slow down malware analysis and keep the network going with only minor losses to its bot army. This paper has the objective of Storm Code analysis and will focus on the C&C (Command and Control) function, which is implemented by two overlaid networks: a UDP network based on Overnet using the eDonkey protocol, and a TCP/IP overlaid network used to deliver content from the central C&C site down to the bot army. This paper will also look at the Fast Flux network, which is also instrumental in hiding components of the botnet.

Page 5: Analysis of the Storm Worm


Background Kyrill is the name given to a low pressure area that evolved into an unusually violent European windstorm, forming an extratropical cyclone with hurricane-strength winds. It formed over Newfoundland on January 15, 2007 and moved across the Atlantic Ocean, reaching Ireland and Great Britain by the evening of January 17. The storm then crossed the North Sea on January 17 and 18, making landfall on the German and Dutch coasts on the afternoon of January 18, before moving eastwards toward Poland and the Baltic Sea on the night of January 18 to January 19 and further on to northern Russia [1]. On January 19, 2007 thousands of computers were infected when e-mail inboxes were flooded with messages carrying various subject lines. One of the subject lines read "230 dead as storm batters Europe" [2]. Because of this subject line, the enclosed infection was called the Storm worm, and this is how the worm got its name.

Motive In the past, virus and worm attacks were mainly for the fun of hackers, that is, for their egos. Some of these exploits could be used to make money, and with the threat of denial-of-service attacks, extortion became a means of monetary gain. Extortion never went well, but it was discovered that through identity theft money could be made by stealing funds from people's bank accounts, or by creating a new identity based on an existing identity that already has a good credit history and track record. Many of these are phishing attacks and involve the distribution of spam. Another use of spam, used widely by the Storm Code, is the sale of pharmaceuticals. In one campaign the Storm Code was used for a pump and dump [3] scheme. Although the older methods of extortion and Nigerian scam letters are still used today, the current theme of the day is making money.

History The Storm worm has major outbreaks at holidays and special events. As an example, Figure 1 lists some newsworthy Storm attacks occurring during its lifetime. We see that on June 27th the module was distributed as applet.exe and on Sept 2nd as labor.exe. The payload has varied over time to match the event, and many different payload names have been used. Figure 3 provides a list of some of those .exe file names, and Figure 4 provides some subject lines that were used on the recruitment e-mails being sent. The distribution of the worm relies solely on social engineering and does not exploit any known vulnerabilities. The distribution of malware via e-mails offering e-cards has gone on for over 5 years, and people still click on these links and get infected. They never learn.

Environmental Awareness Virtualization has advanced to prime time as data centers use different types of virtualization to perform server consolidation. Many physical servers are consolidated as virtual servers running on a single hardware frame. The most common in use are the VMware products, now from EMC, and the Virtual PC products from Microsoft. These products have become a challenge to malware writers because they can be used to examine and analyze the malware's behavior. Variations of the Storm Code [4][5][6] have resorted to finding out whether they are running in a VM and acting differently, or not at all, to fool the malware specialist. In some cases this can become counterproductive: as machines become virtualized, server farms get extra protection because they test positive for a VM environment and the worm doesn't do any damage.

Module Analysis There are different ways to analyze the Storm worm, and there is plenty to keep us busy, so what is really interesting about Storm that would make for a valuable analysis?

Page 6: Analysis of the Storm Worm


Well, we see many different names for the infector module of the worm, but is it the same program? In their paper, Storm Analysis [7], an evaluation of the labor.exe version was performed and in some cases compared to applet.exe. As we see from the paper, applet.exe has checks for VMware and Microsoft Virtual PC but labor.exe does not; since applet.exe was issued earlier and labor.exe later (see the timeline in Figure 1), the VM checks were in the code at one time and were subsequently removed. When we look at valentine.exe, which was issued around Valentine's Day 2008, we see major structural changes in the worm code, as it is believed that a new C compiler was used [8]. In my own analysis, comparing applet.exe to valentine.exe, it appears obvious that a different C compiler was involved. When tracing the calls of applet.exe, calls are made to Kernel32.DLL or NTDLL.DLL. Valentine.exe made direct calls to MSVCRT.DLL and showed a different trace at the beginning. Some of the earlier versions prior to the valentine.exe instance used encryption and module packing to obfuscate the code and fool anti-virus and IDS/IPS signatures. In Frank Boldewin's project [9] he spent considerable time and effort documenting the TEA decryption and TIBS unpacking of the applet.exe instance. He also provides the "cleaned" applet.exe almost ready to go, with the VM checks enabled, along with instructions to disable the VM checks. It is this distributed version of applet.exe that was used in the analysis performed for this paper.

Project/Paper Scope The malware comprising the Storm Code goes through different levels of evolution. In general, analysis of the Storm Code and its hiding techniques does not appear to be an interesting enough topic of research. VM awareness will be common in future releases of malware in order to prevent code analysis when trapped in honey pots, but not all iterations have the VM checks. Not all versions are packed the same way, or encrypted, and many of these techniques are simple or old hat. The meat of the Storm Code is its communication channels and network. The use of eDonkey and Overnet, the fast flux network, and the passing of commands and work over the overlaid TCP/IP network are fairly consistent across the different versions of the Storm Code, and they have been the Storm Code's most innovative contribution to botnet architecture. In my analysis I will do some static and some dynamic analysis of the code by allowing it to run and tracing the execution. Code analysis, which will be done using IDA Pro and OllyDbg, will allow examination of the assembly code. Wireshark will display the network communications taking place. Some of the work displayed in this paper is derived from other researchers' work and will be duly noted by references.

Test Environment The test environment is a small lab in my home. It consists of a Dell D620 Notebook, running Fedora 4 with VMWARE 5. This environment is placed behind a Netgear DSL/Router connected to my home DSL network. My ISP is Mindspring. In the virtual machine I am running a Windows XP SP2 image, with anti-virus disabled. A snapshot is taken of the virtual machine to allow rollback after infection. This provides a restore point to return to a clean environment. When the virtual machine becomes infected, it is allowed to communicate with other infected machines, but because Mindspring blocks port 25, the local infection cannot establish any SMTP sessions with mail servers. At best, it attempts to send the initial SYN of the 3-way TCP handshake, but is unable to because of the Mindspring firewall. This is a good feature, as it ensures that we will not be passing any SPAM in our testing. My DSL/Router also establishes a NAT network for the notebook, meaning the Linux system and the virtual machine are NATed behind a firewall. This is important to note, as the Storm worm has built-in anti-debugging and anti-defeating features. As we will see later, the capabilities assigned to the infected machine will depend on different things, one being whether the infected machine is NATed or resides on a public network.

Page 7: Analysis of the Storm Worm

Tamper Resistant Storm Code It is important to note here that the Storm Code is very aware of its surroundings and is programmed to detect analysis. There are many places in the Storm Code with sleep calls, some of which are used to detect delays in running code (as if someone were stepping through the code with a debugger). Peer nodes have the ability to check connections and determine anomalies in connection activity. For example, if an infected node keeps contacting a peer, this may be suspicious, indicating someone who keeps re-booting the infected machine, something that would happen during analysis of the Storm Code. When these anomalies are detected, the Storm Code is not happy. Some of the repercussions include going into infinite sleep cycles, taking bad branches, referencing bad memory, or causing other exceptions. The worst was outright denial of service attacks against the node being used for research. There have been distributed denial of service attacks in retaliation against anti-virus researchers known to analyze the Storm Code [10].

Page 8: Analysis of the Storm Worm


Network Hierarchy

Storm Architecture [11]

The Storm architecture figure (not reproduced in this transcript) shows a tree with 5 levels:

Level 5: Private Nodes
Level 4: Public Nodes (Supernode)
Level 3: Nginx/0.5.12 Subcontroller
Level 2: Nginx/0.5.17 Proxy
Level 1: Apache C&C

There are two networks used in this scenario. One network is based on the eDonkey and Overnet protocol, which runs over UDP, and a second network using TCP/IP is based on the hierarchy above.

Network Seeding In order to prime a list of peers to be contacted using the Overnet protocol, a hard-coded list is part of the executable and is stored by early sections of the Storm Code into an INI file. The various versions of Storm store this file under different names, but the file and its contents are the same format. In the case of applet.exe and labor.exe we see this table being stored as spooldr.ini. Figure 5 shows a snapshot of part of the seed file. The initial seed file had 290 peer entries, and after running for 10-20 minutes the number of peers reached over 930. Each seed file entry contains 32 characters for the 128-bit hash key, an = sign, four bytes for the IP address, 2 bytes for the port, and a 16-bit peer type.

Page 9: Analysis of the Storm Worm


In Figure 5, the first entry has:

Hash = 00000000000000009C2DB8A6F34A9C69
IP Address = 452FC581 = 69.47.197.129
Port Address = 4667 = 18023
Peer = 00 = 00

In running a test in the school lab (fclab), where outside access is limited, many attempts to access peers failed. The size of this seed file changed drastically, becoming small, then growing, then getting small again. The Storm Code apparently removes dead peers from the list and keeps it current. Although I reached almost 1,000 entries in my tests, some of the other testers got 20K and more. I attribute the low values I reached to cleanup operations by the Microsoft Malicious Software Removal Tool and to premature termination of the Storm Code, as it most likely detected tampering and analysis and terminated execution with exception 6BB. For someone to reach 20K entries, the Storm Code had to be active and running for more than a complete day, and I couldn't run an hour before termination.
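During incident response the seed file is one of the more useful artifacts on an infected host, since it is a ready-made list of peer IPs to block or hunt for. The following parser is an added example written for this page, not code from the paper or from any Storm analysis tool. It decodes entries using the field list the paper gives (32 hex characters of hash, an = sign, then IP, port and peer type); the assumption that the three trailing fields are written as 8, 4 and 2 (or 4) hex characters with no separators is mine, and the sample file is constructed, with only the first entry taken from the paper's description of Figure 5.

```python
import ipaddress
import re
from collections import Counter

# Assumed on-disk layout (the paper lists the fields but not their exact encoding):
#   <32 hex chars hash>=<8 hex chars IPv4><4 hex chars port><2 or 4 hex chars peer type>
# The paper calls the peer type 16-bit but shows it as "00", so both widths are accepted.
SEED_LINE = re.compile(
    r"^(?P<hash>[0-9A-Fa-f]{32})="
    r"(?P<ip>[0-9A-Fa-f]{8})(?P<port>[0-9A-Fa-f]{4})"
    r"(?P<ptype>[0-9A-Fa-f]{2}|[0-9A-Fa-f]{4})$"
)


def parse_seed_line(line):
    """Decode one seed entry; returns a dict, or None if the line does not fit the layout."""
    m = SEED_LINE.match(line.strip())
    if not m:
        return None
    return {
        "hash": m["hash"].upper(),
        "ip": str(ipaddress.IPv4Address(int(m["ip"], 16))),  # big-endian hex -> dotted quad
        "port": int(m["port"], 16),
        "peer_type": int(m["ptype"], 16),
    }


def parse_seed_file(text):
    """Parse a whole file. Returns (peers, bad_lines); bad lines are kept for the analyst."""
    peers, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        entry = parse_seed_line(raw)
        if entry is None:
            bad.append((lineno, raw))
        else:
            peers.append(entry)
    return peers, bad


def summarize(peers):
    """Counts useful when triaging: total peers, how many are publicly routable, port spread."""
    routable = [p for p in peers if ipaddress.IPv4Address(p["ip"]).is_global]
    ports = Counter(p["port"] for p in peers)
    return {"total": len(peers), "routable": len(routable), "distinct_ports": len(ports)}


# Constructed sample file. Line 1 encodes the entry the paper describes
# (69.47.197.129:18023, type 0); the others are made up, including a 10.x private
# address and a deliberately malformed line.
SAMPLE_INI = """\
00000000000000009C2DB8A6F34A9C69=452FC581466700
0000000000000000A1B2C3D4E5F60718=0A000005466700
0000000000000000DEADBEEF0BADF00D=8E1B2C3D123400
not-a-valid-line
"""

if __name__ == "__main__":
    peers, bad = parse_seed_file(SAMPLE_INI)
    for p in peers:
        print(p)
    print(summarize(peers), "bad lines:", bad)
```

The hex-to-dotted-quad step reproduces the paper's own worked conversion (452FC581 to 69.47.197.129, 4667 to 18023), so it doubles as a check that the assumed field widths match the figure.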

HASH Keys The Overnet protocol uses MD4 hashes to locate files, and Storm uses Kademlia's DHT [12] implementation. The Storm Code builds these hashes from the date, then adds random numbers to create 32 unique hashes. Subnodes and subcontrollers vary the date when building the hash: subcontrollers publish under the current date minus 1900 years while subnodes search for the current date minus 1900 years, and subcontrollers search for the current date while subnodes publish under the current date. This provides the means for subnodes to find supernodes using the hash keys and the Overnet protocol. Stewart [13] goes into great detail on the building and construction of the hashes. Since the hash keys are built from the current date, the hash key, or identity, changes daily. The Overnet ID (OID) hash represents a linear space [14]. Three basic Overnet functions are used by the Storm Code, as outlined by Enright:

Connect: A peer uses connect messages to report its OID to other peers and to receive a list of peers somewhat close to it.
Search: A peer uses search messages to find resources and other nodes based on OID.
Publicize: A peer uses publicize messages to report ownership of network resources (OIDs) so that other peers can find the resource later.

Find your neighbors Upon execution of the worm code, the first phase is discovery of peers using the Overnet protocol. Starting with the initial seed list, and receiving additional nodes via the Connect Reply function of Overnet, the Storm Code discovers accessible neighbors and updates its .ini file, in my case spooldr.ini. Overnet provides the means for controlling the topology, and through the use of P2P it becomes a distributed control methodology.
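The date-keyed rendezvous described under HASH Keys is easier to see with both sides modelled. The block below is an added example written for this page; it is not the paper's code and does not reproduce Storm's real hash construction (that is in Stewart's write-up, which the paper cites but does not reprint). The key derivation here is a hypothetical stand-in: a hash over the date text (with the role's year offset applied) and a counter 0..31, with MD5 used in place of Overnet's MD4 because MD4 is absent from many current OpenSSL builds. The in-memory Overnet table, the node names and the sample dates are constructed.

```python
import datetime
import hashlib

KEYS_PER_DAY = 32                 # the paper: date plus random numbers give 32 unique hashes
SUBCONTROLLER_YEAR_OFFSET = 1900  # the paper: subcontrollers publish "current date - 1900 years"

SAMPLE_DAY = datetime.date(2008, 5, 1)   # constructed
NEXT_DAY = datetime.date(2008, 5, 2)     # constructed


def day_keys(day, year_offset=0):
    """Hypothetical stand-in for Storm's key construction (assumption, not the real one):
    hash the offset date and a counter 0..31. Only the date and the counter go in, so
    anyone who knows the recipe can compute a day's key set in advance."""
    stamp = f"{day.year - year_offset:04d}-{day.month:02d}-{day.day:02d}"
    return [hashlib.md5(f"{stamp}:{n}".encode()).hexdigest() for n in range(KEYS_PER_DAY)]


class Overnet:
    """Minimal publish/search table standing in for the Overnet DHT (constructed)."""

    def __init__(self):
        self.owners = {}

    def publicize(self, key, node):
        """Publicize: a node reports that it owns resource `key`."""
        self.owners.setdefault(key, set()).add(node)

    def search(self, key):
        """Search: return the nodes that publicized `key`."""
        return set(self.owners.get(key, ()))


# Role behaviour as the paper states it: the two roles swap the date offset, so each
# role searches exactly the key family the other role publishes.
def subcontroller_publish_keys(day):
    return day_keys(day, SUBCONTROLLER_YEAR_OFFSET)


def subnode_search_keys(day):
    return day_keys(day, SUBCONTROLLER_YEAR_OFFSET)


def subnode_publish_keys(day):
    return day_keys(day)


def subcontroller_search_keys(day):
    return day_keys(day)


def rendezvous(day):
    """Run one day's publish/search on a fresh table.
    Returns (nodes a subnode finds, nodes a subcontroller finds)."""
    dht = Overnet()
    for k in subcontroller_publish_keys(day):
        dht.publicize(k, "subcontroller-A")
    for k in subnode_publish_keys(day):
        dht.publicize(k, "subnode-1")
    found_by_subnode = set().union(*(dht.search(k) for k in subnode_search_keys(day)))
    found_by_subcontroller = set().union(*(dht.search(k) for k in subcontroller_search_keys(day)))
    return found_by_subnode, found_by_subcontroller


def keys_rotate_daily(day_a, day_b):
    """True when two days share no keys, i.e. the node identity changes with the date."""
    return set(day_keys(day_a)).isdisjoint(day_keys(day_b))


if __name__ == "__main__":
    print(rendezvous(SAMPLE_DAY))
    print("rotates daily:", keys_rotate_daily(SAMPLE_DAY, NEXT_DAY))
```

The defensive observation this makes concrete is the one the paper states: because the keys depend only on the date, a responder who knows the derivation can compute the current day's 32 keys ahead of time and recognise searches or publicizes for them on the wire, without ever contacting the botnet.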

Private Nodes (subnode) The architecture above provides an organized, defined tiered design. Private nodes are the first to be infected. Infection is usually performed by reading a recruitment e-mail and visiting a website by following a link, which causes a download of the code and results in an infection. Once infected, the Storm Code performs network seeding and finds and contacts peers. Once in contact, the infected node announces its capabilities and requests work to do. One of the common forms of recruitment has been e-card e-mails. Although the Storm Code relied on social engineering and not exploits, much of the newer and current recruitment leads to malicious websites that use a vulnerability to perform a drive-by download [15].

Page 10: Analysis of the Storm Worm


SPAM Engine Private nodes only send out SPAM. This is accomplished by setting up private SMTP servers and shipping out SPAM. Figure 6 shows a netstat, and we can see SMTP connections to several sites attempting to send out e-mail. We see 11 simultaneous sessions using local ports in the 1800 range. The Storm Code is very complex and includes the use of threads, with many simultaneous activities going on. We can see from a snapshot of OllyDbg in Figure 11 the many threads in active execution. Figure 7 gives us a Wireshark view of the attempts to establish SMTP sessions to send out SPAM. However, since my ISP is blocking port 25, none of these sessions get beyond the first SYN of the TCP/IP 3-way handshake. We also show in Figure 8 the DNS queries for MX records. The MX (Mail Exchange) records map the e-mail domain to a mail server. These packet traces show lookups of mail servers for the SMTP engine to send the SPAM to.
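The netstat view in Figure 6 (11 simultaneous outbound port-25 sessions from one workstation) is a pattern a defender can check for mechanically. The block below is an added example, not code from the paper: it parses Windows-style netstat -an output and flags any local address with an unusual fan-out of SMTP sessions. The sample listing is constructed (documentation address ranges for the remote mail hosts; local ports 1800-1810 as in the paper's description), and the threshold of 5 is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# One "netstat -an" row: proto, local ip:port, remote ip:port, optional state.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+|\*):(?P<rport>\d+|\*)\s*(?P<state>[A-Z_]+)?\s*$"
)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def smtp_fanout(rows, port="25", states=("SYN_SENT", "ESTABLISHED")):
    """Per local address: number of distinct remote hosts with a TCP session to port 25.
    SYN_SENT counts too: in the paper's lab the ISP blocked port 25, so every attempt
    was stuck in SYN_SENT, and that half-open state is itself the tell."""
    fan = defaultdict(set)
    for r in rows:
        if r["proto"] == "TCP" and r["rport"] == port and r["state"] in states:
            fan[r["lip"]].add(r["rip"])
    return {lip: len(hosts) for lip, hosts in fan.items()}


def flag_spam_engines(rows, threshold=5):
    """Local addresses with >= threshold parallel SMTP sessions. A workstation normally
    talks to one mail relay; talking to a dozen MX hosts at once looks like a spam engine."""
    return sorted(lip for lip, n in smtp_fanout(rows).items() if n >= threshold)


# Constructed sample listing, modelled on the paper's Figure 6 description.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1547       203.0.113.5:443        ESTABLISHED
  TCP    192.168.1.5:1800       198.51.100.11:25       SYN_SENT
  TCP    192.168.1.5:1801       198.51.100.12:25       SYN_SENT
  TCP    192.168.1.5:1802       198.51.100.13:25       SYN_SENT
  TCP    192.168.1.5:1803       198.51.100.14:25       SYN_SENT
  TCP    192.168.1.5:1804       198.51.100.15:25       SYN_SENT
  TCP    192.168.1.5:1805       198.51.100.16:25       SYN_SENT
  TCP    192.168.1.5:1806       198.51.100.17:25       SYN_SENT
  TCP    192.168.1.5:1807       203.0.113.21:25        SYN_SENT
  TCP    192.168.1.5:1808       203.0.113.22:25        SYN_SENT
  TCP    192.168.1.5:1809       203.0.113.23:25        SYN_SENT
  TCP    192.168.1.5:1810       203.0.113.24:25        SYN_SENT
  UDP    192.168.1.5:1047       *:*
"""

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(smtp_fanout(rows))
    print("suspected spam engines:", flag_spam_engines(rows))
```

The same fan-out test applies to a firewall or NetFlow export: count distinct destinations on port 25 per internal source over a short window, and pair it with the burst of MX lookups the paper shows in Figure 8.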

2nd Network There is no SPAM content, e-mail addresses, or domain names embedded in the Storm Code. So where do they come from? This is where the 2nd network, the TCP/IP network, is used. The Storm Code, based on capabilities it discovers using Overnet, attempts to contact those peers directly by setting up a TCP/IP session. The peers sought out are the supernodes, which pass content down from the master node. This session compresses the stream using zlib and applies Base64 encoding on top of it. It is an encapsulated HTTP stream, and it is well hidden. I was unable to adequately trace enough of the program to obtain adequate details here. Stewart [16] provides some of the commands used on this TCP/IP channel, as we show in his diagram in Figure 18, including a logon record to initiate the session. In inspecting memory and through the trace I came up with three commands, including the logon record (see Figures 15-17). I would have liked to be able to fully decode the packets, but the code is difficult.
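When a capture of this channel is in hand, the first analyst step is to peel the two wrapping layers the paper names, zlib then Base64, and to tell an encapsulated body from an ordinary HTTP one. The block below is an added example for this page, not code from the paper and not a decoder for Storm's real command records, which the paper does not reproduce. It assumes the body is Base64 over a zlib stream with no further framing (my assumption; the paper says only that both are used), and the sample response and record are constructed.

```python
import base64
import binascii
import zlib


def wrap(payload: bytes) -> str:
    """Build a body the way the paper describes the channel: zlib, then Base64."""
    return base64.b64encode(zlib.compress(payload)).decode("ascii")


def looks_like_zlib(raw: bytes) -> bool:
    """Cheap header check before decompressing untrusted data: CMF low nibble is 8
    (deflate) and the CMF/FLG pair is a multiple of 31, as the zlib format requires."""
    if len(raw) < 2:
        return False
    cmf, flg = raw[0], raw[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def unwrap(body: str):
    """Reverse wrap(). Returns the decoded bytes, or None when the body is not Base64
    or does not decode to a zlib stream, so a caller can separate plain HTTP bodies
    from encapsulated ones instead of raising on every ordinary page."""
    try:
        raw = base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    if not looks_like_zlib(raw):
        return None
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return None


def split_http_body(response: bytes) -> str:
    """Take the body off a captured HTTP response (headers end at the first CRLFCRLF)."""
    _head, sep, body = response.partition(b"\r\n\r\n")
    return body.decode("ascii", errors="replace") if sep else ""


# Constructed sample: a made-up record (not a real Storm message) wrapped as described,
# carried in a made-up HTTP/1.1 response.
SAMPLE_RECORD = b"cmd=template\r\nsubject=Your e-card has arrived\r\n"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    + wrap(SAMPLE_RECORD).encode("ascii")
)

if __name__ == "__main__":
    body = split_http_body(SAMPLE_RESPONSE)
    print("wire body:", body)
    print("decoded :", unwrap(body))
```

In a larger capture the same unwrap() is applied per HTTP body; bodies that return None are ordinary traffic, and the ones that decode are the candidates for the logon record and commands the paper shows in Figures 15-18.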

Public Nodes (supernode) Public nodes were private nodes that were promoted. Criteria for promotion include the ability to serve port 80 (act as a web server) and being accessible from the Internet (a published public Internet address, usually not NAT'd). Public nodes get the additional task of hosting web pages. A relatively new method called fast-flux is used to limit the exposure of these websites. As part of the fast-flux network, public nodes also require port 53 (DNS) to be open and operational. Patrick Peterson provided details of this promotion scheme in his RSA Conference 2008 paper [17]; promotions are determined on the fly and amount to field promotions.

NGINX Nginx (Engine-X) is a lightweight proxy/reverse proxy system and is widely used [18][19]. It is used in the Storm network to isolate the supernodes and the levels above them from the public and private nodes (subnodes).

0.5.12 (Subcontroller) Three levels down in the tree hierarchy we have the subcontrollers. Subnodes contact the subcontrollers, and the subcontrollers feed information down to the subnodes, whether it is spam to send out, attacks to carry out, or websites to display. Once we reach the level of the subcontroller we are very close to the botnet master, and extra precautions are required to hide the identities of the subcontroller and the master node behind it. At this level, communications upward may use stronger encryption on various transmissions.

Nginx 0.5.17 (proxy) Two levels down is the main proxy. This separates the master from the rest of the network and is one step from the master C&C.

Apache This is believed to be the head of the botnet, the main Command & Control of Storm. This would be the decapitation point for taking down the entire network: since all content originates from this server, this is the one to take down. However, it has not been easy to get to this server, as it is well hidden behind all the other network layers. In the blog Schneier on Security [20], a Jan 31, 2008 entry indicates that the FBI knows the identity of the Storm creators, who are located in St. Petersburg, Russia. The FBI has been unable to proceed, and we have seen more outbreaks during 2008, meaning that the worm isn't eradicated yet.

Page 11: Analysis of the Storm Worm

The sweet spot The majority of the successful targets of Storm, or of any other worm or virus, are home computers [21]. Unlike computers located in businesses, where an IT staff maintains the systems with security patches and provides layers of defense such as IDS and firewalls, home systems are very rarely maintained and are left out in the wild, vulnerable. This provides a field of ripe systems just waiting to be infected. Many of those systems are directly on the Internet, without firewall protection and without NAT. This is ideal for public node systems to live on as web servers. What I find difficult to understand is that many of these systems also don't run Windows Update and don't patch themselves. When Microsoft says that it removed the Storm Code from 500K machines by installing the Malicious Software Removal Tool, I wonder how Microsoft managed this on machines not configured to download and install updates.

Storm At Work

SPAM Distribution Using the TCP/IP channel, SPAM templates are acquired. These templates are filled in dynamically. In separate transmissions, e-mail addresses, body content, subject lines, etc. are also transmitted from the central Apache C&C down through the subcontrollers to the infected machine. The Storm Code then builds an e-mail from the template, filling in the variables. This is another sign of how dynamic the operations of this worm code are. In Figure 12, I have captured one of these spam e-mails, which goes to http://bestselectrolyteeddrugs.com when the link in the e-mail is clicked. Figure 13 shows the website at that address, and Figure 14 shows another website appearing in e-mails as http://inexpensiveedrugsonline.com. Although Storm has many capabilities, it has been seen in the past, and I can see from my testing, that Storm is being used mostly for Canadian Pharmacy sales.

Storm Extensibility The Storm Code can update itself dynamically as well as pulling down additional stages [22].

game0.exe - Backdoor/downloader
game1.exe - SMTP relay
game2.exe - Email address stealer
game3.exe - Email virus spreader
game4.exe - DDoS attack tool
game5.exe - Updated copy of Storm Worm dropper

With this ability, the botnet can be used for almost anything the creator wishes to do, even things not yet thought of. All they have to do is create a module that does what they need and send it to all currently running infected nodes. No one mentions the Storm Code doing key logging; however, adding this type of functionality appears trivial.

Page 12: Analysis of the Storm Worm


Command and Control Channel Communications between the Trojan and the Trojan author usually occur in either one-way or two-way modes. Sometimes the Trojan reports back statistics or information about the infected machine, and at other times the Trojan author may wish to contact the infected machine, either to take remote control of the infected host or to change the properties and attributes of the Trojan. In the case of key logging, the Trojan needs to upload that information somewhere, and in changing the properties of a Trojan, the Trojan author may want to upload templates for a new SPAM attack. The common name today for these modes of communication is the Command and Control channel. The objectives in establishing the Command and Control channel are to avoid detection and achieve longevity.

Early use of Command and Control (Ports) Attacking a system and infecting it can be done either one on one or via a mass infection. When doing it one on one, a machine is individually penetrated and attacked directly. Unless this is performed on a target with a large expected payback, such an attack is not cost effective. Going after hundreds or thousands of targets at once can be advantageous, but it requires more sophistication in controlling all of the infected targets. In the earlier days, target machines were infected by Trojans either for remote administrative control (RAT) or as zombies for distributed denial of service (DDoS) attacks. Some of the earlier RAT Trojans were Back Orifice 2000, SubSeven and NetBus. These Trojans required a "phone home" mechanism to report the infected machine back to the attacker. In the case of the RATs mentioned, each was a service waiting on a specific predetermined port for someone to log on and gain control of the infected machine. Back Orifice used port 31337, SubSeven used 1234 and NetBus used 12345. Phone-home mechanisms included e-mailing the IP address of the infected machine to a predefined location, or using IRC to reach the attacker's channel. Over time, the use of these preset port numbers became a problem, as it made command and control activity easy to detect: you just needed to look at port and protocol activity. Intrusion detection systems can see this traffic easily, and port scans of an infected system would show these ports as listening, a sign of possible infection. Finally, blocking these ports was easy to do on firewalls, and security groups in organizations made sure that these and other well-known Trojan ports were blocked or restricted.

Early use of Command and Control (IRC)

Internet Relay Chat (IRC), which uses TCP port 6667 by default, is an early and widely used instant messaging protocol. To use IRC you need an IRC server, on which channels are created; a channel name starts with # and contains no spaces. There are many public IRC servers on the Internet, or you can put up your own. For command and control, the Trojan carries a predefined IRC server and channel to connect to. It signs on to that channel and waits for commands from its author, who, through the appropriate IRC commands, can control one or all of the infected machines (also known as zombies). Countermeasures for IRC are an outbound block on port 6667 and, once discovered, a block on the IRC server itself. If the IRC server is a lone or dedicated server, it may be possible for law enforcement, working with the ISP, to take the server down. Removing a remote server such as a dedicated IRC server falls under a concept called decapitation, where taking out one or a few servers disables the effectiveness and ends the life of the Trojan network.
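The detection point made in the two sections above, as an added example that is not code from the original paper: the flow records are constructed, and the function names and the port list are the example's own. It flags the fixed-port indicators named in the text (inbound connections to the Back Orifice, NetBus and SubSeven listeners, outbound tcp/6667) and also matches IRC client commands in the payload regardless of port, since moving the IRC server off 6667 was the obvious answer to port blocking.

```python
"""Flag classic Trojan command-and-control traffic in flow records.

Added example, not code from the original paper. The flow records at the
bottom are constructed for illustration. Two checks are shown: the
port-based check the paper describes (well-known RAT listeners and
outbound IRC on tcp/6667) and a payload check for IRC protocol commands
on any port, since moving the IRC server off 6667 defeats the first check.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Default listener ports of the RATs named in the text (SubSeven 1.x used
# 1243, SubSeven 2.x moved to 27374).
RAT_PORTS = {31337: "Back Orifice", 12345: "NetBus", 1243: "SubSeven", 27374: "SubSeven 2.x"}
IRC_PORT = 6667

# Commands a bot issues when it registers with the IRC server and joins its
# control channel. Matching the command grammar instead of the port catches
# an IRC server that has been moved to 8080, 443 or any other port.
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PONG) ", re.MULTILINE)


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str             # "tcp" or "udp"
    direction: str         # "in": towards a monitored host, "out": from one
    payload: bytes = b""   # first bytes of the client side of the stream


def classify(flow: Flow) -> list[str]:
    """Return the findings for one flow; an empty list means nothing seen."""
    findings: list[str] = []
    if flow.direction == "in" and flow.proto == "tcp" and flow.dport in RAT_PORTS:
        findings.append(f"inbound to {RAT_PORTS[flow.dport]} listener {flow.dst}:{flow.dport}")
    if flow.direction == "out" and flow.proto == "tcp" and flow.dport == IRC_PORT:
        findings.append(f"outbound IRC from {flow.src} to {flow.dst}:{flow.dport}")
    if flow.direction == "out" and IRC_CMD.search(flow.payload):
        findings.append(f"IRC commands from {flow.src} to {flow.dst}:{flow.dport} (port {flow.dport})")
    return findings


def scan(flows: list[Flow]) -> dict[str, list[str]]:
    """Group findings by the monitored host they implicate."""
    report: dict[str, list[str]] = {}
    for f in flows:
        host = f.dst if f.direction == "in" else f.src
        for finding in classify(f):
            report.setdefault(host, []).append(finding)
    return report


# Constructed sample flows (documentation address ranges, not captured data).
SAMPLE_FLOWS = [
    Flow("203.0.113.9", 40001, "192.168.1.10", 31337, "tcp", "in"),
    Flow("192.168.1.11", 51000, "198.51.100.5", 6667, "tcp", "out",
         b"NICK bot-1a2b\r\nUSER x 0 * :x\r\nJOIN #c0ntrol\r\n"),
    Flow("192.168.1.12", 51001, "198.51.100.6", 8080, "tcp", "out",
         b"NICK bot-9f8e\r\nJOIN #c0ntrol k3y\r\n"),
    Flow("192.168.1.13", 51002, "198.51.100.7", 443, "tcp", "out",
         b"\x16\x03\x01\x00\x5a\x01"),
]

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_FLOWS).items():
        for line in findings:
            print(host, ":", line)
```

The third sample flow is the interesting one: it would pass a port-6667 block and a port-based IDS rule untouched, but the NICK/JOIN sequence on port 8080 still gives it away. The fourth flow (a TLS ClientHello on 443) shows the payload check does not fire on ordinary encrypted traffic.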


Dedicated Upload/Download Servers

Data uploads, such as key logger output, and downloads, such as updated code or new spam templates, may go to predefined, hardcoded IP addresses contained within the Trojan. Encryption and code packing are used to obfuscate these addresses. The countermeasure here is again decapitation: as soon as these servers are taken offline, the damage done by the Trojan is mitigated.

P2P Networking (Peer-to-Peer)

In 2006 an early attempt at using a peer-to-peer network for command and control was implemented in the W32.NUGACHE@MM worm[23]; it had shortcomings but was innovative enough that more of the same was to be expected. In 2007, with the Storm Worm, a new challenge is presented as a headless, decentralized peer-to-peer command and control mechanism is put into place.

Properties of the P2P network design[24]:

• It is very difficult to identify the malicious peers.
• Malicious traffic is similar to legitimate P2P traffic.
• It is serverless: even if a large number of the peers become unavailable, the network is still available.
• It is flexible: it can be easily extended with new commands and may be configured to use any port.

Fast-Flux

The need for Fast-Flux

We are faced with another decapitation problem. A massive number of spam e-mails will be sent, each providing a link to a website. In the case of pharmacy sales, it will be an infected machine (a public node) hosting the pharmacy site. The link in the e-mail contains either an IP address or a hostname; in either case, identifying the infected website and taking it down is quite easy. So how can the longevity of these websites be improved, or, as the Honeynet Project paper[25] puts it, how can the criminals increase their return on investment (ROI)?

DNS name to IP mappings

The Domain Name System (DNS) provides the ability to map many IP addresses to a single name. Several capabilities are gained from this feature. One is load balancing: round-robin selection rotates the order of the returned IP addresses and thus rotates the target servers. Another is proximity, where the IP addresses are returned sorted by how close (geographically) each one is to the requestor. Thousands of IP addresses can be assigned to a single name in DNS.

Single Fast-Flux

In single fast-flux, a small number of IP addresses are assigned to the name that the web server URL resolves to. These records also carry a very low TTL (usually 1-3 minutes), so resolvers discard the cached answer almost immediately and have to ask again. Meanwhile, the process managing the fast-flux network is continually swapping in new IP addresses at the authoritative name server. In effect, every three minutes the DNS record set is completely different, and resolving the hostname returns a different web server address every three minutes or less. In the case of Storm, where there were thousands of web servers (public nodes) out there, you could not use DNS to track down the infected nodes. You might get a few, but you were running against a moving target that was constantly changing. The cyber criminals slowed down detection and removal, thus improving the ROI of the infected machines.


Double Fast-Flux

In double fast-flux, the DNS mappings of the name servers themselves are manipulated as well: the NS records for the domain, and the addresses those name servers resolve to, are rotated in the same way as the web server addresses. In Storm Code, the DNS servers are also running on public nodes, and the same techniques are used to obfuscate the identity of those DNS servers.
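How a resolver-side observer can tell single and double fast-flux apart from the ordinary round-robin load balancing described in the DNS mappings section, as an added example that is not part of the original paper. The DNS answers are constructed, and the thresholds in classify() (TTL at or below 300 seconds, at least ten distinct addresses, at least half of the records replaced between consecutive answers) are assumptions chosen for the example; in practice one would also check whether the addresses are spread across many networks and ISPs, which this code does not do.

```python
"""Score a hostname for single and double fast-flux from repeated DNS answers.

Added example, not code from the paper. The answers are constructed; the
scoring uses the features the text describes (very low TTL, many distinct
addresses over time, near-total turnover between consecutive answers) and
the thresholds in classify() are assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Answer:
    """One DNS response for the name: its A records and the zone's NS records."""
    a_records: list[str]
    a_ttl: int
    ns_records: list[str] = field(default_factory=list)
    ns_ttl: int = 86400


@dataclass
class FluxScore:
    distinct_a: int      # distinct addresses seen across all answers
    distinct_ns: int     # distinct name servers seen across all answers
    min_a_ttl: int
    min_ns_ttl: int
    a_turnover: float    # mean fraction of A records new since the previous answer
    ns_turnover: float   # same for NS records


def _turnover(sets: list[set[str]]) -> float:
    """Average share of each answer's records that were absent from the answer before it."""
    fractions = [len(cur - prev) / len(cur) for prev, cur in zip(sets, sets[1:]) if cur]
    return sum(fractions) / len(fractions) if fractions else 0.0


def score(answers: list[Answer]) -> FluxScore:
    if not answers:
        raise ValueError("need at least one answer")
    a_sets = [set(a.a_records) for a in answers]
    ns_sets = [set(a.ns_records) for a in answers]
    return FluxScore(
        distinct_a=len(set().union(*a_sets)),
        distinct_ns=len(set().union(*ns_sets)),
        min_a_ttl=min(a.a_ttl for a in answers),
        min_ns_ttl=min(a.ns_ttl for a in answers),
        a_turnover=_turnover(a_sets),
        ns_turnover=_turnover(ns_sets),
    )


def classify(s: FluxScore, ttl_max: int = 300, distinct_min: int = 10,
             turnover_min: float = 0.5) -> str:
    """'double' when the NS records flux too, 'single' when only the A records do.
    Ordinary round-robin returns the same few addresses with a long TTL: 'none'."""
    single = (s.min_a_ttl <= ttl_max and s.distinct_a >= distinct_min
              and s.a_turnover >= turnover_min)
    double = single and s.min_ns_ttl <= ttl_max and s.ns_turnover >= turnover_min
    return "double" if double else "single" if single else "none"


def _fluxed(n_queries: int, per_answer: int, ns_flux: bool) -> list[Answer]:
    """Construct answers in which every query returns a fresh block of addresses
    (and, for double flux, fresh name servers) with a 180-second TTL."""
    answers = []
    for q in range(n_queries):
        ips = [f"192.0.2.{q * per_answer + i + 1}" for i in range(per_answer)]
        if ns_flux:
            ns = [f"ns{2 * q + 1}.example.net", f"ns{2 * q + 2}.example.net"]
            answers.append(Answer(ips, 180, ns, 180))
        else:
            answers.append(Answer(ips, 180, ["ns1.example.net", "ns2.example.net"]))
    return answers


# Constructed series of six lookups each: a single-flux name, a double-flux
# name, and an ordinary load-balanced name for comparison.
SINGLE_FLUX = _fluxed(6, 5, ns_flux=False)
DOUBLE_FLUX = _fluxed(6, 5, ns_flux=True)
ROUND_ROBIN = [Answer(["198.51.100.1", "198.51.100.2", "198.51.100.3"], 3600, ["ns1.example.org"])
               for _ in range(6)]

if __name__ == "__main__":
    for name, series in (("single", SINGLE_FLUX), ("double", DOUBLE_FLUX), ("round-robin", ROUND_ROBIN)):
        print(name, classify(score(series)))
```

The turnover measure is what separates flux from a large but static round-robin pool: a content delivery name can legitimately return dozens of addresses with a short TTL, but the same addresses keep coming back, whereas a fluxed name is rebuilt from a different slice of the bot population on almost every query.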

The decline and fall of Storm

Anti-Virus

One would expect that anti-virus software could put the Storm Code to rest. But with the constant morphing and changes in the code, coupled with encryption and code packing, the Storm Code has made itself a difficult moving target to catch. James Daugherty[26] examined one version of the Storm Code to determine which AV engines detected it and how each classified it, by submitting his copy to VirusTotal.com. Not all AV engines classified the Storm Code as malware, and among those that did there was variation in how each engine named it.

Malicious Software Removal Tool (MSRT)

The MSRT is distributed with the monthly Microsoft security patches released on the now infamous "Patch Tuesday". According to a Computerworld article published on April 22, 2008, Microsoft has put a large dent in the Storm infections, claiming the disinfection and removal of over 500K Storm-infected computers in the last four months of 2007[27].

Today's Bots

Joe Stewart, director of malware research at SecureWorks Inc., presented his survey at the RSA Conference, which opened Monday in San Francisco. The survey ranked the top 11 botnets that send spam. By extrapolating their size, Stewart estimated the bots on his list control just over a million machines and are capable of flooding the Internet with more than 100 billion spam messages every day[28]. Joe's table from the article is shown below.

      Botnet        Bots       Spam capability
  1   Srizbi        315,000    60B/day
  2   Bobax         185,000     9B/day
  3   Rustock       150,000    30B/day
  4   Cutwail       125,000    16B/day
  5   Storm          85,000     3B/day
  6   Grum           50,000     2B/day
  7   Onewordsub     40,000    Unknown
  8   Ozdok          35,000    10B/day
  9   Nucrypt        20,000     5B/day
 10   Wopla          20,000   600M/day
 11   Spamthru       12,000   350M/day

Note that Storm has taken the #5 position in the list. It would have been capable of being #1, except that these are current numbers for 2008 and the MSRT had already cleaned up most of the Storm systems. Without the MSRT, Storm would have been #1 with possibly more than 500K systems. It is also stated that although the Storm botnet is listed at 85K, only about 35K of those machines were capable of sending spam, i.e. not all machines in the Storm hierarchy were SMTP systems.

Messagelabs View

Messagelabs is a company in the anti-spam space. It provides a managed service that handles a company's e-mail, including content filtering, anti-spam, anti-virus, image control and e-mail encryption. Competitors of Messagelabs include Postini (recently acquired by Google) and FrontBridge (acquired by Microsoft). Messagelabs and its competitors have a unique view, as they can see and track all e-mail entering and leaving a company: these services sit at the gateway and receive the company's Internet e-mail by being listed in its DNS MX record. Messagelabs has been very vocal in reporting on spam trends based on its observations. According to a May 1, 2008 IT News article[29], Messagelabs now estimates the botnet at approximately 100,000 compromised computers, down from previous estimates of two million, and credits the MSRT for the decrease. Messagelabs has in the past estimated the number of infected nodes at between 1 and 2 million, while other researchers have estimated the infections at between 1 and 5 million or more. The bottom line is that the Storm Code has been so stealthy that probably no one but the bot herder has any idea how big the network really was.

It Ain't Over Till It's Over

According to a Symantec posting[30], three new fast-flux domains for Peacomm (a.k.a. Storm) were registered in early May. Some discussions elsewhere guessed that this was in preparation for a Mother's Day campaign, but no such campaign has been reported.


Dynamic Analysis

P2P Analysis

I used the tool Wireshark for this analysis. Before releasing the worm, I started a capture and allowed it to run while the code was activated. At first it was confusing, especially when I set the filter to "edonkey", because what I received was:

If I didn’t use the filter, my output looked more like:

In the first trace, the reason the eDonkey filter matched was that UDP port 4665 was used as either the source or destination port; UDP port 4665 is the default eDonkey2000 server messaging port. However, all of the clients in this case use random ports, and as we can see from the trace, my instance of the worm used UDP port 7288.


However, we see the same payload in all of these messages being sent out to the Internet by this Storm instance.

Now, becoming more proficient in Wireshark use, I forced the protocol to be decoded as edonkey and followed the communications to one IP address.

We are communicating with 83.97.181.149 using the eDonkey (Overnet) protocol. The IP Query is used to find other Overnet peers.


A connect reply message, in this case, returns 20 Overnet peers, which are expected to be other machines infected with Storm. Later in the network trace we see connections to various peers that were returned, for example the first peer, 82.234.207.68.
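The connect / connect-reply exchange described above, as an added example rather than code from the paper. The packets are constructed, and the Overnet layout used (protocol byte 0xE3, opcode 0x0A connect and 0x0B connect reply, a little-endian peer count, 23-byte peer records of 16-byte hash, IPv4 in network byte order, little-endian port and one type byte) is assumed from public descriptions of Overnet, so check field order against a real capture before relying on it. The fan-out check at the end encodes what the trace shows: one host sending the same connect payload to many peers on unrelated high UDP ports.

```python
"""Dissect Overnet connect / connect-reply datagrams and measure the peer
fan-out of a host bootstrapping into the overlay.

Added example, not code from the paper. The packets are constructed, and the
message layout below is assumed from public Overnet descriptions rather than
taken from a capture: protocol byte 0xE3, opcode 0x0A (connect) or 0x0B
(connect reply), little-endian uint16 peer count in a reply, and 23-byte peer
records of 16-byte hash, IPv4 (network byte order), little-endian uint16
port and one type byte.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

OVERNET_PROTO = 0xE3
OP_CONNECT = 0x0A
OP_CONNECT_REPLY = 0x0B
PEER_FMT = "<16s4BHB"                  # hash, four IP octets, port, type
PEER_LEN = struct.calcsize(PEER_FMT)   # 23


@dataclass(frozen=True)
class Peer:
    hash_hex: str
    ip: str
    port: int
    kind: int


def parse_peer(buf: bytes) -> Peer:
    h, a, b, c, d, port, kind = struct.unpack(PEER_FMT, buf[:PEER_LEN])
    return Peer(h.hex(), f"{a}.{b}.{c}.{d}", port, kind)


def parse(packet: bytes) -> tuple[int, list[Peer]]:
    """Return (opcode, peers); raise ValueError for anything that is not a
    well-formed connect or connect reply."""
    if len(packet) < 2 or packet[0] != OVERNET_PROTO:
        raise ValueError("not an Overnet packet")
    op, body = packet[1], packet[2:]
    if op == OP_CONNECT:
        if len(body) != PEER_LEN:
            raise ValueError("bad connect length")
        return op, [parse_peer(body)]
    if op == OP_CONNECT_REPLY:
        if len(body) < 2:
            raise ValueError("truncated connect reply")
        (count,) = struct.unpack("<H", body[:2])
        if len(body) != 2 + count * PEER_LEN:
            raise ValueError("connect reply length does not match peer count")
        return op, [parse_peer(body[2 + i * PEER_LEN:]) for i in range(count)]
    raise ValueError(f"unhandled opcode {op:#x}")


def build_peer(hash_hex: str, ip: str, port: int, kind: int = 0) -> bytes:
    return struct.pack(PEER_FMT, bytes.fromhex(hash_hex), *map(int, ip.split(".")), port, kind)


def build_connect(hash_hex: str, ip: str, port: int) -> bytes:
    return bytes([OVERNET_PROTO, OP_CONNECT]) + build_peer(hash_hex, ip, port)


def build_reply(peers: list[tuple[str, str, int]]) -> bytes:
    body = b"".join(build_peer(h, ip, p) for h, ip, p in peers)
    return bytes([OVERNET_PROTO, OP_CONNECT_REPLY]) + struct.pack("<H", len(peers)) + body


def fanout(datagrams: list[tuple[str, str, int, bytes]], min_peers: int = 15) -> dict[str, int]:
    """datagrams are (src_ip, dst_ip, dst_port, payload) from one short capture
    window. Returns, for each source that sent Overnet connects to at least
    min_peers distinct (address, port) pairs, that count. A host joining the
    overlay sprays identical connects at many peers on unrelated high ports
    within seconds, which ordinary client traffic does not do."""
    seen: dict[str, set[tuple[str, int]]] = {}
    for src, dst, dport, payload in datagrams:
        try:
            op, _ = parse(payload)
        except ValueError:
            continue
        if op == OP_CONNECT:
            seen.setdefault(src, set()).add((dst, dport))
    return {src: len(v) for src, v in seen.items() if len(v) >= min_peers}


# Constructed traffic: a reply carrying 20 peers (the count seen in the trace),
# then the local node 10.0.0.5, on UDP 7288 as in the trace, connecting to each.
REPLY = build_reply([("%032x" % (i + 1), f"192.0.2.{i + 1}", 10000 + i) for i in range(20)])
CONNECT = build_connect("00" * 16, "10.0.0.5", 7288)   # hash zeroed for the example
DATAGRAMS = [("10.0.0.5", p.ip, p.port, CONNECT) for p in parse(REPLY)[1]]
DATAGRAMS.append(("10.0.0.7", "203.0.113.1", 53, b"\x12\x34\x01\x00"))   # unrelated DNS, ignored

if __name__ == "__main__":
    for peer in parse(REPLY)[1][:3]:
        print(peer)
    print(fanout(DATAGRAMS))
```

The peer list in a single reply is exactly what a researcher crawls, reply by reply, to enumerate the botnet; the fan-out count is what an IDS without a decoder can still use, since it only needs the number of distinct (address, port) pairs a host contacts over UDP in a short window.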


Appendix

Figure 1: Summary of newsworthy Storm outbreaks (January through September 2007)[31]

Date            Spam tactic
Jan 17, 2007    European storm spam
Apr 12, 2007    Worm alert spam
Jun 27, 2007    E-card (applet.exe)
Jul 4, 2007     231st birthday
Sep 2, 2007     Labor Day (labor.exe)
Sep 5, 2007     Tor proxy
Sep 10, 2007    NFL tracker
Sep 17, 2007    Arcade games
Feb 14, 2008    Valentine (valentine.exe)

Figure 2: Aliases

• Small.dam or Trojan-Downloader.Win32.Small.dam (F-Secure)
• CME-711 (MITRE)
• W32/Nuwar@MM and Downloader-BAI (specific variant) (McAfee)
• Troj/Dorf and Mal/Dorf (Sophos)
• Trojan.DL.Tibs.Gen!Pac13
• Trojan.Downloader-647
• Trojan.Peacomm (Symantec)
• TROJ_SMALL.EDW (Trend Micro)
• Win32/Nuwar (ESET)
• Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)
• W32/Zhelatin (F-Secure and Kaspersky)
• Trojan.Peed, Trojan.Tibs (BitDefender)

Figure 3: The malicious executables are distributed in spam messages and web sites using one of the following filenames[32]:

ecard.exe
msdataaccess.exe
applet.exe
video.exe
full video.exe
full text.exe
full clip.exe
flash postcard.exe
full story.exe
read more.exe
tor.exe
labor.exe
tracker.exe
arcadeworld.exe
superlaugh.exe
krackin.exe
halloween.exe
sony.exe
stripshow.exe
happy2008.exe
happy-2008.exe
happynewyear2008.exe
withlove.exe
with_love.exe
valentine.exe
kickme.exe
funny.exe
foolsday.exe
stormcodec.exe
stormcodec8.exe

Figure 4: Emails arrive with the following subject lines[33]:

You've received a postcard from a Classmate!
You've received an ecard from a Mate!
You've received a greeting card from a Classmate!
Virus Activity Detected!
Malware Alert!
You've received an ecard from a Neighbour!
You've received an ecard from a Worshipper!
You've received an ecard from a Partner!
You've received a greeting card from a School mate!
You've received a postcard from a School friend!
You've received a greeting card from a Neighbour!

Figure 5: A snip of the spooldr.ini file after creation on disk

Figure 6: Netstat showing SMTP connections


Figure 7: Wireshark trace showing SMTP connection attempts


Figure 8: DNS queries for MX and mail server lookups

Figure 9: Capabilities[34]

• Spam (implemented via templates)
• Spread (using spam)
• ICMP echo flood
• TCP SYN flood
• Proxy connections
• Download and execute file
• Update
• Checks for VM environment
• Anti-tampering and anti-debugging awareness
• Security software disablement
• Rootkit
• Evasion

Figure 10: Malicious Activities[35]

• "Pump and dump" stock spam. This is the most common and lucrative. A criminal buys a stock, then drives the price up with spam; enough of the people (suckers) receiving the spam believe it and buy the stock, driving up the price. This is very profitable, and the proceeds are effectively pre-laundered money.
• Phishing e-mail (not as lucrative as pump and dump)
• DDoS against targeted groups and organizations (political)
• Automatic DDoS of researchers probing Storm proxies
• Pharmacy spam

Figure 11: Ollydbg Thread List


Figure 12: SMTP Buffered Record for http://bestselectrolyteeddrugs.com


Figure 13: Web page at http://bestselectrolyteeddrugs.com

Figure 14: Web page at http://inexpensiveedrugsonline.com


Figure 15: Function 1 – Login Record

Figure 16: Function 3 – Request List of DDoS Targets

Figure 17: Function 6 – Request Update


Figure 18: Storm Functions[36]

Figure 19: Zlib[37]

zlib is a software library used for data compression. It was written by Jean-loup Gailly and Mark Adler and is an abstraction of the DEFLATE compression algorithm used in their gzip file compression program. The first public version, 0.9, was released on 1 May 1995 and was originally intended for use with the libpng image library. It is free software, distributed under the zlib license.


References

[1] http://en.wikipedia.org/wiki/Kyrill_(storm)
[2] James Daugherty, PriveonLabs, CME-711 (Stormworm) Analysis and Identification, http://www.priveon.com/dmdocuments/PV-A-070006A.pdf
[3] http://www.sec.gov/rss/your_money/pump_and_dump.htm
[4] Storm Worm Gets Smarter, ComputerworldUK, July 27, 2007, http://www.gss.co.uk/news/article/4180/go
[5] Bojan Zdrnja, E-cards don't like virtual environments, SANS ISC diary, 07/26/2007, http://isc.sans.org/diary.html?storyid=3190
[6] Storm Worm Employs VM Detection, 07/27/2007, http://www.beskerming.com/commentary/2007/07/27/234/Storm_Worm_Employs_VM_Detection
[7] Phillip Porras, Hassen Saïdi and Vinod Yegneswaran, A Multi-perspective Analysis of the Storm (Peacomm) Worm, SRI International Computer Science Laboratory, http://www.cyber-ta.org/pubs/StormWorm/SRITechnical-Report-10-01-Storm-Analysis.pdf
[8] http://www.avertlabs.com/research/blog/?s=Nuwar
[9] Frank Boldewin, Peacomm.C: Cracking the nutshell, http://www.antirootkit.com/articles/eye-of-the-storm-worm/Peacomm-C-Cracking-the-nutshell.html
[10] Storm Worm retaliates against security researchers, The Register, 10/25/2007, http://www.theregister.co.uk/2007/10/25/storm_worm_backlash/
[11] Joe Stewart, SecureWorks, RSA Conference 2008 presentation RR-402, 04/11/2008
[12] http://en.wikipedia.org/wiki/Kademlia
[13] See [11].
[14] Brandon Enright, UCSD ACT/Network Operations, http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt
[15] http://en.wikipedia.org/wiki/Drive-by_download
[16] See [11].
[17] Patrick Peterson, IronPort, Into the Eye of the Storm, RSA Conference 2008 presentation HT-107, 04/08/2008
[18] http://en.wikipedia.org/wiki/Nginx
[19] http://wiki.codemongers.com/Main
[20] http://www.schneier.com/blog/archives/2008/01/fbi_knows_ident.html
[21] ICANN SSAC, SAC 025: SSAC Advisory on Fast Flux Hosting and DNS, http://www.icann.org/committees/security/sac025.pdf
[22] http://www.secureworks.com/research/threats/view.html?threat=storm-worm
[23] Elia Florio and Mircea Ciubotariu, Peerbot: Catch Me If You Can, Symantec, http://www.symantec.com/avcenter/reference/peerbot.catch.me.if.you.can.pdf
[24] See [23].
[25] The Honeynet Project & Research Alliance, Know Your Enemy: Fast-Flux Service Networks, An Ever Changing Enemy, last modified 13 July 2007, http://www.honeynet.org/papers/ff/fast-flux.html
[26] See [2].
[27] Computerworld, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079653&source=rss_topic125
[28] Computerworld, 04/09/2008, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9076278
[29] Robert Jaques, Storm Blows Itself Out, IT News, 05/01/2008, http://www.itnews.com.au/News/75105,storm-botnet-blows-itself-out.aspx
[30] https://forums.symantec.com/syment/blog/article?message.uid=320846
[31] See [7].
[32] See [2].
[33] See [2].
[34] See [14].
[35] See [14].
[36] See [11].
[37] http://en.wikipedia.org/wiki/Zlib