Storm Worm of a thousand faces Authors of a particularly nasty piece of malware known as Storm Worm have yet again shifted their tactics. They are creating a flood of email hoaxes that try to install a bogus "applet" so victims can redeem membership benefits to clubs related to music, online dating and other interests. The new emails bear subject headings …
Perhaps it will implode itself.
Since there's no point in infecting an already infected machine I'd imagine it checks for itself. I'd guess it might do that by scanning potential hosts for itself to make sure it's not already there, which might eventual result in it DoS itself to death.
With any luck it will disappear up its own arse.
This wisdom comes with the aid of a bottle of cheap wine so I excuse myself for any implicit stupidity.
Like I say, I'm no expert; but the most virulent of real (biological) viruses tend to wipe themselves out, so we can but hope.
Sorry John, the vino has let you down. Storm doesn't spread directly host-to-host but by old fashioned email. So all it is likely to DoS are mailservers. Granted, if it drags down all the mailservers on the net it will stop spreading, but this won't be much comfort.
Seriously though, researchers have been saying for years that AV companies need to move away from signatures. I can recall reading in this very organ an article advocating a whitelist approach rather than blacklisting known virii some years ago. Now we have polymorphic malware in the wild, and if the technique becomes widespread and sophisticated then conventional AV will be basically useless.
Go into your spamassassin config, find the rule called "NORMAL_HTTP_TO_IP", change it's score from 0.7 (default) to 5000.
restart spamassassin.
done. I have done this on all the mail servers I take care of and none of my clients have any idea what all the fuss in the press is about.
easy
And when malware slips into something more comfortable and morphs into palware will it be embraced as Viable Open Source Servering to Community rather than Ego? Will its ID grow into AI Super Ego? Power with ever more Self Control.... to Plan a Stellar Path of Immaculate Choice?
You can stop these mails just as you would stop any other mails originating from nonconformant mailers. OTOH, greylisting seems to be losing its effectiveness (well, duh, of course it is). I use an absence of MX record to stop them coming to my primary account, but they still get through forwarders.
Here are a couple of other ideas ...
1. Fuzzy checksum the emails. Sure the binaries are morphing all the time, but surely all these emails have similar form? Haven't checked yet, but I'd be willing to bet Vipul's Razor can detect all major variants of these by now. Perhaps the AV industry should focus more on the vector and less on the actual payload. ClamAV has a good general-purpose scanning engine too, perhaps it could be adapted to scan vanilla plaintext emails for these telltail signs? Would be great for the milter interface - could reject the DATA outright (554 5.7.0 Go away, you f**king moronic end-luser.)
2. Internet mail is abused again. So how long is it before port 25 blocking becomes mandatory? I don't mind at all, provided that I can immediately and easily unblock myself without question. It goes without saying, of course, that the process requires authentication and can't easily be automated by a computer program, although I suspect that wouldn't be too long in the works before the VXers break that, too.
Cheers,
Sabahattin
(Google me, if you don't believe it.)
This thing is a Trojan. It doesn't spread by itself at all - not by e-mail, not by any other way. It gets *sent* to the victim by the attacker. However, the "attacker" is just a compromised luser machine - part of a botnet used to send other kinds of e-mail (like spam), too. Attacking it is of no use.
The e-mails themselves contain an URL to a site where the malware resides. However, this is usually just a compromised site, too, so attacking it isn't of much use, either. At best, it's worthwhile contacting the webmaster, although sometimes the webmaster doesn't care. Sometimes the hosting sides use fast-flux DNS to disguise themselves, so getting hold of the particular host can be tricky.
As for those who think that "signature-based" (a *very* inaccurate term) scanning is helpless against this thing - see this ("Nuwar" is an alternate name for this very same family of Trojan horses):
http://www.avertlabs.com/research/blog/index.php/2007/08/15/keeping-up-with-nuwar/
Regards,
Vesselin
Hi, Doc [Dr. Vesselin Bontchev],
Does the response here tell you how easy it is to hide the Truth in the Open? Are you into Virtualised TelePortation within Quantum Communications Channels PGP2 Programming for Transparent Security? ....The Movement of IDers to Realisation Centres?
Isn't it?
Dozens of postcards, the last two sent by my parents from beyond the grave, were followed by emails from four strangers who claimed to know me well enough to want to provide links to pornographic pictures.
Then I got membership details for four sites that somehow I can't remember signing up for.
All variantions on the same theme.
Oh, BTW, those who proposed to block e-mails with IP-only URLs in them - the authors of these Trojan horses seem to have heard about this approach, too, and have changed their creation so that the approach no longer works:
http://feeds.feedburner.com/~r/McafeeAvertLabsBlog/~3/147411266/
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
