'Storm' Trojan Hits 1.6 Million PCs; Vista May Be Vulnerable - InformationWeek

The goal of the Trojan seems to be to acquire a large botnet, or collection of compromised PCs, that can be used to send traditional scam spams or for later identity mining.

The Trojan horse that began spreading Friday has attacked at least 1.6 million PCs, a security company said Tuesday.

In addition, Windows Vista, the new operating system Microsoft will launch to consumers next week, appears able to run the Trojan as well.

Originally dubbed the "Storm worm" because one of the subject lines used by its e-mail touted Europe's recent severe weather, the Trojan is now being spread under subjects such as "Love birds" and "Touched by Love," said Finnish anti-virus vendor F-Secure. The Trojan itself travels with the spam as an executable attachment, under names ranging from "postcard.exe" to "Flash Postcard.exe," further changes from the original wave as the campaign mutates.

The first several spam blasts of the Trojan, which Symantec named "Peacomm," used current-event subject lines, including ones claiming to include video of a Chinese missile attack or proof that Saddam Hussein lives, and carried attached files such as "video.exe."

"Peacomm has, not surprisingly, evolved. The attachments have new file names, some files [dropped onto the PC] have changed, and the subject lines of the spam are also changing," noted Amado Hidalgo, a researcher with Symantec's security response group, in an entry on the team's blog.

By Symantec's reckoning, Peacomm is the most serious Internet threat in 20 months. On Monday the company raised its alert level to "3" on a 1-to-5 scale; the last time it tagged a threat as a "3" was for Sober.o in May 2005.

So far, Symantec has received 1.6 million detection reports from its sensor system. "This means Peacomm has hit 1.6 million systems in the past seven days," a company spokesman said in an e-mail. A detection report records a system where the Trojan was seen, not necessarily one it infected, so an accurate number of compromised machines isn't yet known.

The most recent variants of the Trojan include rootkit cloaking techniques that hide its files, registry keys and network ports from security software, said both F-Secure and Symantec. The latter, however, pointed out that flawed rootkit code undercuts some of the Trojan maker's plans. "The rootkit service can be stopped by running a simple command: net stop wincom32. All files, registry keys, and ports will appear again," said Hidalgo. Stopping the service unmasks the infection; it does not remove it. A personal firewall also offers some protection against the rootkit, since it will warn that the Windows process "services.exe" is trying to reach the Internet on UDP ports 4000 or 7871, something the legitimate services.exe has no reason to do.
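The firewall warning described above can be turned into a check over host-firewall logs after the fact. The script below is an added example, not code from the article or from Symantec or F-Secure. It assumes a hypothetical host-firewall log format that records the owning process (real products differ; adapt the regex), and it runs over a few constructed lines. It separates the network-level indicator (any UDP on 4000 or 7871, what a perimeter filter would block) from the stronger host indicator (services.exe as the owning process) and lists the peers each host contacted, since the Trojan talks to many peers rather than one server.

```python
import re

# Constructed sample lines in a hypothetical host-firewall log format (not a real product's):
# <date> <time> <action> <proto> <src_ip>:<src_port> <dst_ip>:<dst_port> <process>
SAMPLE_LOG = """\
2007-01-22 14:03:11 ALLOW UDP 10.0.0.5:1052 10.0.0.1:53 svchost.exe
2007-01-22 14:03:12 ALLOW UDP 10.0.0.5:4000 198.51.100.23:4000 services.exe
2007-01-22 14:03:12 ALLOW TCP 10.0.0.5:1044 192.0.2.10:80 iexplore.exe
2007-01-22 14:03:13 ALLOW UDP 10.0.0.5:7871 198.51.100.77:7871 services.exe
2007-01-22 14:03:14 ALLOW UDP 10.0.0.5:4000 203.0.113.9:4000 services.exe
2007-01-22 14:03:15 ALLOW TCP 10.0.0.5:1045 192.0.2.10:443 services.exe
2007-01-22 14:03:16 ALLOW UDP 10.0.0.7:4000 10.0.0.8:4000 game.exe
"""

PEACOMM_UDP_PORTS = {4000, 7871}   # the two ports named in the article

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proc>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def udp_on_peacomm_ports(records):
    """Network-level indicator: any UDP flow with 4000 or 7871 on either end."""
    return [
        r for r in records
        if r["proto"] == "UDP"
        and (r["sport"] in PEACOMM_UDP_PORTS or r["dport"] in PEACOMM_UDP_PORTS)
    ]


def services_exe_hits(records):
    """Host-level indicator: the same flows, but owned by services.exe, which should not do this."""
    return [r for r in udp_on_peacomm_ports(records) if r["proc"].lower() == "services.exe"]


def peers_by_host(hits):
    """Map each source host to the set of remote peers it reached; many peers suggests P2P traffic."""
    peers = {}
    for r in hits:
        peers.setdefault(r["src"], set()).add(r["dst"])
    return peers


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, peers in peers_by_host(services_exe_hits(recs)).items():
        print(f"{host}: services.exe contacted {len(peers)} peers on UDP 4000/7871: {sorted(peers)}")
```

The port-only list over-matches (a game on UDP 4000 shows up as well), which is why the host-level check keys on the process name; on a machine where the rootkit is still active, though, the firewall's own view of the owning process may be the only one available, since the process and its ports are hidden from other tools.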

Peacomm's turn to rootkits drew comparisons to Rustock, a year-old family of Trojan horses that has become a model of sorts for other malware authors. Rustock, as Symantec warned in December 2006, relies on rootkit technology but adds the ability to change form quickly as a further evasion tactic.

"It's similar to Rustock," acknowledged Dave Cole, director of Symantec's security response team, "but [Peacomm is] not nearly as technically sophisticated."

As with most large-scale Trojan attacks, the goal seems to be to acquire a large botnet, or collection of compromised PCs, that can be used to send traditional scam spams or for later identity mining.

Symantec's researchers said that PCs hijacked by Peacomm send "tons and tons of penny stock spam" in a typical pump-and-dump scheme. "During our tests we saw an infected machine sending a burst of almost 1,800 e-mails in a five-minute period and then it just stopped," said Hidalgo. "We're speculating that the task of sending the junk e-mail is then passed on to another member of the botnet."
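The burst-then-silence pattern Hidalgo describes is visible in an outbound-mail gateway log as a spike in messages from one internal host inside a short window. The script below is an added example, not code from the article or from Symantec; it builds a constructed log (one line per accepted message, in an assumed "ISO timestamp, client IP, verb" format) and runs a sliding five-minute window per host. The threshold of 25 messages per window is a tuning assumption, deliberately far below the 1,800 observed, so that smaller bursts from hosts that hand off early are still caught.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # the five-minute burst window reported in the article
THRESHOLD = 25                  # messages per host per window; a tuning assumption, not from the article


def build_sample_log():
    """Constructed outbound-SMTP gateway log (not real data): '<ISO timestamp> <client_ip> sent'."""
    t0 = datetime(2007, 1, 22, 14, 0, 0)
    lines = []
    # A workstation that should never relay mail directly sends 60 messages in two minutes, then stops.
    for i in range(60):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 10.0.0.5 sent")
    # A normal client sends 10 messages spread over an hour.
    for i in range(10):
        lines.append(f"{(t0 + timedelta(minutes=6 * i)).isoformat()} 10.0.0.9 sent")
    return sorted(lines)   # the window logic needs time order; ISO timestamps sort lexically


def parse_line(line):
    ts, host, _ = line.split(" ", 2)
    return datetime.fromisoformat(ts), host


def peak_window_counts(lines):
    """Return {host: largest number of messages seen from that host in any WINDOW-long span}."""
    recent = defaultdict(deque)   # per-host timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        ts, host = parse_line(line)
        q = recent[host]
        q.append(ts)
        while ts - q[0] > WINDOW:   # age out sends older than the window
            q.popleft()
        peak[host] = max(peak[host], len(q))
    return dict(peak)


def bursting_hosts(lines, threshold=THRESHOLD):
    """Hosts whose peak window count reached the threshold, sorted for stable output."""
    return sorted(h for h, n in peak_window_counts(lines).items() if n >= threshold)


if __name__ == "__main__":
    log = build_sample_log()
    for host, n in peak_window_counts(log).items():
        print(f"{host}: peak {n} messages in any {WINDOW}")
    print("bursting:", bursting_hosts(log))
```

The window check is the detection; the simpler preventive control, which the article's advice to update anti-spam products does not replace, is that workstations have no reason to speak SMTP to the Internet at all, so outbound port 25 from anything but the mail servers can be blocked at the edge.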

Windows 2000 and Windows XP run all the Peacomm variants, but Windows Server 2003 does not; the Trojan's creator specifically excluded that edition of Windows in the code. Symantec's Hidalgo offered a guess why. "We presume the malware writers didn't have time to test it on this operating system."

Microsoft's Vista, which ships to consumers next week, does appear to be at risk as well, Symantec added Tuesday. "It appears most if not all variants could execute on Vista," the spokesman said. "The only way the Trojan would be unsuccessful is if somehow Vista is able to detect/prohibit the e-mail. This seems unlikely." This is not a flaw in Vista as such: Peacomm arrives as an executable attachment the recipient must open, so the question is only whether the platform stops that executable from running.

Antivirus companies have updated their signature databases with fingerprints that identify and then delete (or quarantine) the Trojan as it arrives. Other defensive advice includes filtering traffic on UDP ports 4000 and 7871, updating anti-spam products, and configuring mail gateways to strip out all executable attachments. Because the attachment names change from wave to wave, gateway filtering should key on the attachment being executable, not on any particular file name.
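One way to implement the last piece of advice, stripping executable attachments at the gateway, is shown below as an added example; it is not code from the article or from any vendor named in it. It uses only the Python standard library's email package, builds a constructed message that mimics the campaign (a "Touched by Love" subject, a "Flash Postcard.exe" attachment, a PE file renamed to .jpg, and a genuine JPEG), and replaces each executable part with a plain-text notice. Extensions beyond .exe in the blocklist and the check of the Windows PE "MZ" header are generalizations beyond the article, added so that a renamed executable is caught as well.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Executable types to strip; .exe is the one the article names, the rest are an assumption.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
PE_MAGIC = b"MZ"   # every Windows executable starts with this DOS header signature


def build_sample_message():
    """Constructed message resembling the campaign; not a captured sample."""
    msg = EmailMessage()
    msg["From"] = "love@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Touched by Love"
    msg.set_content("Your postcard is attached.")
    fake_pe = PE_MAGIC + b"\x90\x00" + b"\x00" * 60
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="Flash Postcard.exe")
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg",
                       filename="postcard.jpg")          # executable renamed to look like a picture
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 60, maintype="image", subtype="jpeg",
                       filename="photo.jpg")             # a real JPEG header; should be kept
    return msg.as_bytes()


def is_executable(filename, data):
    """Flag by extension (any case, spaces allowed) or by PE magic, whichever fires first."""
    ext = os.path.splitext(filename.lower())[1]
    return ext in EXEC_EXTENSIONS or data[:2] == PE_MAGIC


def strip_executables(raw):
    """Return (cleaned message bytes, list of removed attachment names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:          # body text, not an attachment
            continue
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            removed.append(name)
            # set_content() drops the Content-* headers (including the disposition) and
            # replaces the payload, so the structure of the message stays valid.
            part.set_content(f"Attachment removed by mail gateway: {name}")
    return msg.as_bytes(), removed


def attachment_names(raw):
    """Names of all file attachments still present in a message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    cleaned, removed = strip_executables(build_sample_message())
    print("removed:", removed)
    print("kept:", attachment_names(cleaned))
```

Keying on content rather than name matters for the renamed case: "postcard.jpg" passes the extension test and is caught only because its bytes begin with the PE header. Compressed archives are not inspected here; a gateway that must handle them needs to open the archive and apply the same check inside it.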
