While Trojan.Peacomm (aka Storm Worm) received its alias because of unprecedented storms that battered Europe, the threat deserves the name more because Peacomm itself is the perfect storm. Peacomm is a combination of an open source email worm, a file infecting virus, a polymorphic packer, a spam relay, a rootkit, and a botnet that operates over a peer-to-peer network. In the history of malicious code, we have never seen a malicious threat that contains a handful of these characteristics let alone all of them. Thus, the perfect storm.
We've been tracking Peacomm over the week and wanted to provide a high level summary of how Peacomm spreads and some of the unique and interesting aspects of Peacomm, including how it uses peer-to-peer communication with the ultimate goal of sending out spam.
In late December and early January, the authors of Peacomm took an open source email worm known as W32.Mixor and embedded Peacomm inside. The source code for Mixor has been publicly available since summer 2006 in a popular virus writing e-zine. Since Mixor is an email worm, it is able to spread on its own, but it now carries along a dangerous payload in the form of Peacomm. When computers become infected with this modified version of Mixor, they also become infected with Peacomm.
Peacomm immediately attempts to hide itself on the system by injecting itself into services.exe and using a kernel mode rootkit to hide its files, registry keys, and active connections. Then, the barrage of UDP traffic begins. Peacomm has implemented the Overnet peer-to-peer protocol commonly used by peer-to-peer clients such as eMule, MLDonkey, and the defunct EDonkey2000.
Peacomm registers itself on the peer-to-peer network using a hard-coded list of initial peers and then sends out a search request for a particular hash. Interestingly, almost all of the nodes on the hard-coded list are Unix-like machines running a version of MLDonkey. Based on feedback from administrators we were able to contact, these machines do not appear to be compromised machines, but machines that were already running MLDonkey and simply chosen by the author as entry points into the peer-to-peer network. Almost all of these nodes are located in Europe.
The search query is propagated via the peer-to-peer network until one of the nodes replies with a match, including a bit of encrypted metadata. This metadata provides a download site where Peacomm can find additional files to download and execute. The metadata is initially provided by the author of the threat via some node somewhere in the peer-to-peer cloud. When download sites change, the author can simply update the metadata with the new download location and this will be propagated through the peer-to-peer network to infected hosts.
Peacomm uses this method to download programs that send out spam and more importantly new copies of itself and new copies of Mixor with Peacomm embedded inside. This completes the chain and allows the authors to automatically update Peacomm with new functionality and ensure the new version spreads to even more victims via new versions of Mixor.
The whole goal of Peacomm is to send out spam. Initially, we recorded bursts as high as 1,800 emails in five minutes, but since that time, the spam has slowed down. Now, we see bursts of 1,000 emails an hour, many of which are pump-and-dump stock spam.
Using the peer-to-peer network, the authors of Peacomm can instruct infected machines to download new functionality at any time so while we expect more of the same from the authors, we are keeping a close eye on any new developments.