Thursday, April 12, 2007

The Eye of the Storm

The recent massive spam run by the makers of the infamous “Storm Trojan” resulted in numerous variants hitting our honey pots. Dynamic re-packing and server-side polymorphism allows the creators of the "Storm Trojan" to create new binaries every few minutes. The variants are then spammed out using the strong de-centralized botnet they have created in an attempt to thwart signature based detections. The "Storm" botnet is several million computers strong, most of which are un-suspecting users who have become victim to the trojan's social engineering tactics.
( Source of the picture: sro.hse.gov.uk )

Newer attack vector…

The most recent variants are being spammed as encrypted zip file attachments via spoofed e-mails. The password for the encrypted zip is included as a GIF image within the e-mail. The GIF image also includes a message posing as a security patch being offered by some arbitrary Customer Support Center. This new variant employs numerous anti-debugging techniques in order to thwart analysis. It is also packed with a polymorphic packer.

The Intent…

The Trojan displays tactical use of social engineering techniques arriving as an attachment to an e-mail. The goal is to lure an un-suspecting user to execute the Trojan which would render the victim machine part of a huge botnet. The primary purpose of the botnet being to send out penny stock spam (also called pump-and-dump penny stock) or to initiate Distributed Denial of Service (DDoS) attacks. Subsequent versions of the Trojan were distributed by means of embedding it within an open source e-mail worm.

Shying away from IRC!!

The botnet that is being created communicates over a peer-to-peer network (P2P) for its Command and Control (C&C) rather than the traditional IRC communication. This ensures creation of a “headless” botnet that is not bogged down by a single point of failure. The Storm Trojan’s implementation of Web HTTP and P2P methods of communication are indicative of the shift toward stealthier means of building a botnet. Such a de-centralized network allows for data and information to be "sync-ed" among each of the nodes of the botnet and to any of the newer nodes that are being added to the botnet. Each of the infected nodes will also carry a "peers list".

What drives the Storm?

When the Trojan is executed, it drops a kernel mode driver (wincom32.sys) that it registers as a service via the Service Control Manager (SCM). Initial versions of this driver did not attempt to hide any files or registry entries but did include stealth in order to execute its payload. Subsequent versions of this driver program started to incorporate more and more rootkit like functionalities in order to hide registry entries, files, and active communication ports.

This driver program is instrumental in executing the Trojan’s payload. The payload is an embedded executable within the driver program. In order to execute the payload the driver employs stealth techniques. The payload is injected from kernel space into the user space of “services.exe” and scheduled for execution by queuing an Asynchronous Procedure Call (APC) for it. Due to this, there is no “visible” process executing the payload if we were to use tools such as Window’s Task Manager or Process Explorer. Initial versions showed significant network activity via newly opened ports (UDP traffic). Subsequent versions of the driver program incorporated rootkit techniques in order to hide files and registry keys (by hooking the Service Descriptor Table) as well as any active communication ports (by hooking IRP_MJ_DEVICE_CONTROL of the ‘\Device\Tcp’ object).

Digg This | Slashdot This | Add to del.icio.us

No comments: