"Storm" trojan, an evolution in progress

It’s been a few days since our last post on the subject of Downloader-BAI, and the massive seeding is still continuing with dozens of new variants each day.

The first interesting bit in this event is watching the authors of this malware cobbling separate pieces together. Some time this weekend, this Downloader trojan was being found in the droppings of a mass mailer, W32/Nuwar@MM which had previously been tied to a couple of other Downloader trojan familes. So now, being tied with a mass-mailer as well as a mass seeding, this trojan has become more self-sustaining in its distribution. It’s unlikely, at this point, that this will be dying down completely any time soon.

Another thing that’s particularly notable, from a technical perspective, is that this collection of trojans is coordinating itself by way of a peer to peer network. This is something we’ve been seeing malware authors playing with more and more lately, with this one arguably being the most successful. W32/Nugache and the “Phatbot” variant of W32/Gaobot both attempted coordinating by P2P through Gnutella cache servers, but they were very limited in the number of bots that could be in a given botnet. Malware authors seem to understand that having any single point of failure means that at some point, they will in fact fail and have to rebuild their botnet. By having a “headless” botnet, they can self-heal more effectively.

Most notable of all with this event, with Downloader-BAI and Nuwar, is the social engineering tactics being used in this seeding. W32/Nuwar gained quite a bit of notoriety during the holidays, for its variety of holiday-specific subject lines. Now Downloader-BAI is being seeded with a list of subject lines, the majority of which are intended to ruffle feathers or cause concern in certain specific countries, for example:

• U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
• British Muslims Genocide
• 230 dead as storm batters Europe.
• Radical Muslim drinking enemies’ blood.
• Sadam Hussein alive!
• Russian missle shot down USA satellite
• Russian missle shot down Chinese aircraft
• Sadam Hussein safe and sound!
• The commander of a U.S. nuclear submarine lunch the rocket by mistake.
• Hugo Chavez dead.
• Fidel Castro dead.
• The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
• U.S. Southwest braces for another winter blast. More then 1000 people are dead.
• Venezuelan leader: “Let’s the War Begin”.

Personally, I find messages making outlandish claims something to be deleted without further ado. (Especially those messages that have file-attachments, and whose spelling is rather suspect) But for some reason this tactic is still proving successful. None of these techniques are particularly new or innovative, and if one were employing basic security measures this could be avoided. But due to the combination of huge numbers of new variants and social engineering tactics, it’s working for these miscreants.