Friday, January 11, 2008 2:30 PM
cmosby
Storm Gets New Toys for Christmas | TrendLabs | Malware Blog - by Trend Micro
January 3rd, 2008 by Robert McArdle
The latest wave of Storm (See previous posts here, here, here and here) has thrown up some interesting new techniques to make analysis even more difficult.
HIDDEN LINKS
The first is quite clever, specifically targeted at any security company monitoring the Storm botnet. When looking at the latest Web page used by the threat, we noticed a number of commented out HTML hyperlinks:
< !– a href=”fck2008.exe” –>
< !– a href=”fck2009.exe” –>
These in turn where followed by a small fragment of JavaScript:
< script language=”javascript”>
document.write( unescape( ‘%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%5F%32%30%30%38%2E%65%78%65%22%3E%0D%0A’ ) ); click here
When decoded the script above directs the user to download from:
< a href=”happy_2008.exe” >
The two commented links are obviously being used to fool any automated crawlers used by security companies. Most crawlers will check all of the Storm pages for any presence of links (a href) and follow these links to download new samples. A normal victim will access the site, be completely unaware of the commented out links and download the actual binary (happy_2008.exe). However, the crawler may not see the obfuscated link and instead access the two fake ones.
At this point the attackers know that they are dealing with a “non-legitimate” user and can block their IP, launch a DDoS attack against them, or even serve them up an older version of the threat so that the automated crawler does not think the threat has been updated.
ROOTKIT IMPROVEMENTS
Previous versions of the Storm family have had 2 components: an EXE that does the main work and a SYS file to hide it. The latest version however, has done away with the EXE and all operations are now carried out by the SYS file alone. Previously, researchers have been able to disable the SYS file, hence preventing the threat from hiding its activities. This is no longer an option as disabling the SYS file disables the entire threat.
In addition, while anti-rootkit tools, such as Icesword, still reveal the call hooked by a rootkit (which can then be unhooked), the threat has been upgraded to stop Icesword (and others) from revealing what processes, ports, files, etc., it is hiding - again, targeted specifically at making an analyst’s job more difficult. To make things even more fun, the SYS file has a new random name every time a machine is infected.
Neither of these techniques have any real additional effect on the normal victim of the attack, but by making analysis more difficult the authors obviously aim to maximize their malware infection windows.
And here I was thinking it would be a quiet first week back to the office after the holidays :(