Storm Worm Changes Course 

Nov 01, 2007 03:00 AM

The authors of the Storm worm (also known as Trojan.Peacomm) have shown an uncanny knack for changing or shedding key components of the threat in order to enhance its persistence and spread. This week saw the latest incarnation of the threat, Trojan.Peacomm.D, reveal itself as halloween.exe or sony.exe. What is most interesting about this latest variant of the Storm worm is that its authors have removed some key functionality that was present in the previous variant, Trojan.Peacomm.C. Specifically, the threat no longer:
1. infects other legitimate drivers on the system. Previous variants infected drivers such as Tcpip.sys and Kbdclass.sys. This was a stealth-like feature used by the threat to start early with the operating system and without load points in the Windows Registry.
2. injects itself into legitimate processes like Explorer.exe and Services.exe.

Instead, the threat now relies less on legitimate components of the operating system and has new proprietary components to do its dirty work. The driver associated with the latest variant, noskrnl.sys, works hand in hand with the user-mode noskrnl.exe to provide the same stealth-like capabilities that, in the past, involved more components, both illegitimate and legitimate.
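A host triage check that follows from the above, added here as an example and not part of the original post: it looks for the file names this entry attributes to Trojan.Peacomm.D and verifies the signatures of the two legitimate drivers the earlier variant patched in place. It assumes a current Windows host with PowerShell 5 or later (catalog-signed drivers report a Valid Authenticode status there).

```powershell
# Added example, not Symantec's tooling. Assumes PowerShell 5+ on a modern Windows host.
$sys32   = Join-Path $env:SystemRoot 'System32'
$drvDir  = Join-Path $sys32 'drivers'

# Names the post attributes to Trojan.Peacomm.D (driver + user-mode pair) and the
# executable names the dropper arrived as.
$suspectNames = 'noskrnl.sys', 'noskrnl.exe', 'halloween.exe', 'sony.exe'

# Legitimate Microsoft drivers that Trojan.Peacomm.C infected in place.
$legitDrivers = 'tcpip.sys', 'kbdclass.sys'

$findings = @()

# 1. Proprietary components on disk in the usual driver/system locations.
foreach ($name in $suspectNames) {
    foreach ($dir in $sys32, $drvDir) {
        $p = Join-Path $dir $name
        if (Test-Path $p) { $findings += "File present: $p" }
    }
}

# 2. The same names registered with the service control manager as a driver,
#    regardless of where the binary actually lives. PathName may carry a
#    \??\ prefix, so take the last path element with a plain split.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and ($suspectNames -contains ($_.PathName -split '[\\/]')[-1]) } |
    ForEach-Object { $findings += "Driver registered: $($_.Name) -> $($_.PathName) [$($_.State)]" }

# 3. An in-place patch of a signed Microsoft driver breaks its Authenticode/catalog
#    signature, so anything other than Valid on these two files deserves a look.
foreach ($drv in $legitDrivers) {
    $p = Join-Path $drvDir $drv
    if (Test-Path $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.Status -ne 'Valid') {
            $findings += "Signature $($sig.Status) on $p (possible in-place infection)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Storm/Peacomm indicators found.' } else { $findings }
```

A hit on step 3 alone can also come from a pending Windows update or a third-party filter driver, so confirm against a known-good copy before acting on it.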

So why, you may ask, have the Storm authors changed tactics? Why would the authors tamper with the underlying architecture of the Storm worm? Aside from the fact that it demonstrates a particular ruthlessness on the part of the authors in offloading underperforming parts of the threat, there are a number of possible reasons why key functionality from the previous variant was stripped out and discarded. The changes suggest that the authors wanted to discard some external dependencies they had on legitimate system components. This may have been an effort to reduce complexity, and it hints that perhaps there were stability issues with the previous variant in terms of manipulating legitimate system drivers. In other words, the authors are going back to basics. They are streamlining the threat, making it less complex and more stable. It is also likely that simplifying the underlying architecture will make it easier to update in future.

The sustained development of the Storm worm (incorporating review cycles) indicates that we will continue to see solid infection rates going forward. So, unlike the natural phenomenon, this storm continues to huff and puff, and it doesn't look like it is petering out anytime soon. In terms of the latest variant, both halloween.exe and sony.exe are detected as Trojan.Packed.13, and the low-level driver component, noskrnl.sys, is detected as Trojan.Peacomm.D.

*Thanks to Elia Florio for his analysis of this threat.
