
Strengthening Storm – Almost Hurricane?

Updated: 29 Jun 2009
Vikram Thakur

The new Storm worm variants being seen these days have yet again evolved and are gaining strength, at least in encryption technology. The P2P UDP packets (header and payload) are now encrypted using a 40-byte key. As our friends at SecureWorks pointed out here, this is good news for network administrators who have to deal with legitimate P2P Overnet traffic: the encrypted Storm packets no longer look like ordinary Overnet packets, so they can be told apart from the legitimate traffic that shares the same protocol. Here are some snapshots showing the P2P traffic before and after encryption.


[Screenshot: P2P traffic before encryption]


[Screenshot: P2P traffic after encryption]
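
The post calls the encryption trivial and gives only the key length, 40 bytes. The following is an added example, not code from the original post or from Symantec, showing why a trivial scheme with a 40-byte key buys the botnet very little once an analyst has packet captures. It assumes the cipher is a repeating-key XOR (the post does not name the cipher), it assumes packets carry a fixed two-byte header and a mostly zero-filled body (constructed sample traffic, not Storm's real packet format), and it shows two ways to get the key back: a known-plaintext attack on the header, and a ciphertext-only attack that works because every packet in the botnet reuses the same 40-byte key, so each key position sees hundreds of plaintext bytes.

```python
"""Added example (not from the original post or from Symantec): repeating-key
XOR as a stand-in for the "trivial" 40-byte-key encryption of Storm's P2P UDP
packets.  The cipher, the 2-byte header and the zero-padded bodies are all
assumptions for illustration; every packet below is constructed sample data."""
import random
from collections import Counter
from itertools import cycle

KEY_LEN = 40  # key length reported in the post


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def key_bytes_from_known_plaintext(ciphertext: bytes, plaintext: bytes,
                                   offset: int = 0, key_len: int = KEY_LEN) -> dict:
    """Known-plaintext attack: each plaintext byte known at some offset gives
    the key byte at (offset % key_len).  Returns {key_position: key_byte}."""
    partial = {}
    for i, p in enumerate(plaintext):
        partial[(offset + i) % key_len] = ciphertext[offset + i] ^ p
    return partial


def key_from_ciphertext_only(packets, key_len: int = KEY_LEN,
                             likely_byte: int = 0x00) -> bytes:
    """Ciphertext-only attack: the key repeats every key_len bytes and is shared
    by every packet, so each key position sees many plaintext bytes.  If the
    most common plaintext byte is known (zero padding is assumed here), then
    (most common ciphertext byte at that position) XOR likely_byte is the key."""
    columns = [Counter() for _ in range(key_len)]
    for pkt in packets:
        for i, c in enumerate(pkt):
            columns[i % key_len][c] += 1
    return bytes(col.most_common(1)[0][0] ^ likely_byte for col in columns)


def make_sample_packets(key: bytes, count: int = 200, length: int = 120,
                        header: bytes = b"\xe3\x0c", seed: int = 7):
    """Constructed traffic: a fixed 2-byte header (assumed, for illustration)
    followed by sparse non-zero fields in a zero-filled body."""
    rng = random.Random(seed)
    plain, cipher = [], []
    for _ in range(count):
        body = bytearray(length - len(header))
        for j in range(len(body)):
            if rng.random() < 0.3:
                body[j] = rng.randrange(1, 256)
        p = header + bytes(body)
        plain.append(p)
        cipher.append(xor_crypt(p, key))
    return plain, cipher


def demo():
    """Recover the key both ways from constructed captures and decrypt them."""
    rng = random.Random(2009)
    key = bytes(rng.randrange(256) for _ in range(KEY_LEN))
    plain, cipher = make_sample_packets(key)
    partial = key_bytes_from_known_plaintext(cipher[0], b"\xe3\x0c")
    full = key_from_ciphertext_only(cipher)
    decrypted = [xor_crypt(c, full) for c in cipher]
    return {
        "partial_ok": all(key[pos] == kb for pos, kb in partial.items()),
        "partial_positions": len(partial),
        "full_ok": full == key,
        "decrypt_ok": decrypted == plain,
    }


if __name__ == "__main__":
    print(demo())
```

The known-plaintext route recovers only as many key bytes as there is known plaintext (two, for the assumed header), but the ciphertext-only route recovers all 40 from a modest capture, and that one key then decrypts every packet from every infected host. This is the many-time-pad problem: a short repeating key shared across a whole botnet is only an obfuscation layer, which is why the post can call it trivial while still noting that it changes what the traffic looks like on the wire.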

The encryption is trivial, and it isn't the only new thing in this variant, which also has some new propagation techniques. First, it scans the file system and drops an executable into any folder containing at least one .exe file. Second, it harvests email addresses from the file system and sends spam to those addresses. Last, it searches for .htm, .html, and .php files and injects malicious IFRAME code into them. We believe this part of the worm is still under development, given how buggy the code we are seeing is. The IFRAME tag isn't hard-coded; we suspect it is supplied over the P2P C&C channel.

We were able to use our favorite search engine to look for one of the known tags within the IFRAME, and we saw some sites that were already infected. Each of these sites led us to a fast-flux domain of the Storm worm. Considering how much this worm has evolved and where it is at currently, I think it's time for us to escalate this worm to hurricane category.
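Web site owners cannot search the whole web the way the post describes, but they can scan their own document root for the injection it describes. The following is an added example, not code from the original post or from Symantec: it walks a directory of .htm, .html and .php files and flags IFRAME tags whose src points off-site or that are sized or styled to be invisible. The heuristics (off-site host, zero or one-pixel size, display:none or visibility:hidden) are the author of this example's, not a description of the worm's actual tag, which the post says is not hard-coded; the sample files it writes are constructed, and the hostnames in them are placeholders rather than real Storm domains.

```python
"""Added example (not from the original post or from Symantec): scan a web
root for injected IFRAMEs of the kind described above.  Sample files and
hostnames are constructed placeholders; the heuristics are assumptions."""
import os
import re
import tempfile
from urllib.parse import urlparse

SCAN_EXTENSIONS = (".htm", ".html", ".php")  # file types the post names

# Opening <iframe ...> tag, any case, quoting or spacing.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# name="value", name='value' or bare name=value attribute pairs.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_attrs(attr_text: str) -> dict:
    """Lower-cased attribute name -> unquoted value."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def is_hidden(attrs: dict) -> bool:
    """Zero/one-pixel frame or CSS that keeps it off screen (assumed heuristics)."""
    tiny = {"0", "1", "0px", "1px"}
    if attrs.get("width", "").strip() in tiny or attrs.get("height", "").strip() in tiny:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def scan_file(path: str, own_hosts: set) -> list:
    """One finding per IFRAME that is off-site, hidden, or both."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        offsite = bool(host) and host.lower() not in own_hosts
        hidden = is_hidden(attrs)
        if offsite or hidden:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({"file": path, "line": line_no, "src": src,
                             "offsite": offsite, "hidden": hidden})
    return findings


def scan_tree(root: str, own_hosts: set) -> list:
    """Walk root, scanning only the extensions the worm targets."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTENSIONS):
                findings.extend(scan_file(os.path.join(dirpath, name), own))
    return sorted(findings, key=lambda f: (f["file"], f["line"]))


# Constructed sample site: one clean page, two injected pages, one non-web file.
SAMPLE_FILES = {
    "index.html": ("<html><body>\n<h1>Welcome</h1>\n"
                   '<iframe src="http://www.example.com/video" width="400" height="300"></iframe>\n'
                   "</body></html>\n"),
    "about.htm": ("<html><body>About us\n"
                  "<IFRAME SRC='http://injected.invalid/cnt.php' WIDTH=0 HEIGHT=0></IFRAME>\n"
                  "</body></html>\n"),
    "contact.php": ("<?php echo 'Contact'; ?>\n<p>Mail us.</p>\n"
                    '<iframe src="http://www.example.com/x" style="display: none"></iframe>\n'),
    "notes.txt": '<iframe src="http://injected.invalid/"></iframe>\n',  # not a scanned type
}


def demo():
    """Write the constructed sample site to a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="iframe_scan_")
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_tree(root, {"www.example.com"})


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} src={f['src']!r} "
              f"offsite={f['offsite']} hidden={f['hidden']}")
```

Run against a real document root with your own hostnames in place of www.example.com. The hidden-frame check matters because an injected frame pointing at a host you do own (a compromised neighbour on shared hosting, for instance) would slip past an off-site-only rule; conversely, a visible off-site frame is not proof of compromise, so findings are a review queue, not a verdict.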

I should remind users that, as expected, this variant of "Hurricane" is already detected by Symantec products as Trojan.Packed.13.

* Thanks to Elia Florio and Kaoru Hayashi for their amazing analysis.