
W32/Stration – The new "old" kid in town

Thursday, October 19, 2006 at 9:24am by Vinoo Thomas

Today’s mass mailers are often seeded from thousands of zombie drones connected to botnets. Time on a botnet can be bought, for the right price, to launch the next mass mailer variant. Then when these zombies are instructed to download and execute a worm, a mini outbreak can be created when thousands of machines over the internet simultaneously start mailing copies of the worm. However, these artificial outbreaks die by themselves when antivirus vendors come out with updated detection for the worm.

By using enticing subjects and message bodies and spoofing the ‘from’ address so the mail appears to come from a trusted source, mass mailers have traditionally depended on social engineering to trick a victim into executing a malware attachment. Given that mass mailers seem out of vogue these days, with malware authors focusing on more effective infection vectors such as operating system or browser vulnerabilities, it’s nostalgic when we see a new “old” kid in town.

W32/Stration is a mass mailer that has been around since August this year and is one of the few active and evolving mass mailers in recent times. Very typical of the mass mailing variety, W32/Stration harvests email addresses from an infected machine and mails a copy of itself using some convincing message bodies.

A sample spoofed email message is as follows:

“Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses. Please install updates for worm elimination and your computer restoring.”

Leaving out the poor grammar, such a dire message appearing to come from the administrator of your company could be stunningly effective in getting uninformed users to take the bait.
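The traits described above (a From header spoofed as a trusted internal sender, an administrator-style "install updates" lure, and an executable attachment) can be turned into a simple triage check. This is an added example, not McAfee code; the domain `example.com`, the `triage` function and the sample message are constructed for illustration.

```python
# Added example (not McAfee's code): heuristic triage of a Stration-style lure on
# the traits the post names: From spoofed as a trusted internal sender, an "install
# updates" worm lure, and an executable attachment. Domain and sample are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumption: the defended mail domain
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|zip)$", re.I)
LURE = re.compile(r"\b(worm|virus|install updates)\b", re.I)

def triage(raw):
    msg = message_from_string(raw)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    claims_internal = addr.lower().endswith("@" + INTERNAL_DOMAIN)
    hops = [m.group(1).lower() for m in
            (re.search(r"from\s+(\S+)", h) for h in msg.get_all("Received", [])) if m]
    origin = hops[-1] if hops else ""   # last Received header = first hop = origin
    if claims_internal and not origin.endswith(INTERNAL_DOMAIN):
        reasons.append("From claims %s but message entered from %s" % (INTERNAL_DOMAIN, origin))
    body = ""
    for part in msg.walk():
        name = part.get_filename()
        if name and EXEC_EXT.search(name):
            reasons.append("executable attachment %s" % name)
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("latin-1", "replace")
    if claims_internal and LURE.search(body):
        reasons.append("administrator-style worm/update lure in body")
    return reasons

LURE_MSG = """\
Received: from mail.example.com (mail.example.com [10.0.0.5]) by mx.example.com
Received: from dsl-pool-7.isp.invalid ([203.0.113.7]) by mail.example.com
From: Administrator <admin@example.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Our firewall determined the e-mails containing worm copies are being sent from your computer. Please install updates for worm elimination.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Update-KB0000.exe"

MZ
--b1--
"""
```

Running `triage(LURE_MSG)` returns three reasons for the constructed sample, while an ordinary internal message with no attachment returns an empty list.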

W32/Stration uses a self-updating mechanism to keep itself going. Infected machines connect to a hard-coded URL embedded in the body of the worm, download what may be a newer version of the worm, and execute it. This helps the worm remain undetected for an extended period and gives it a longer shelf life in the wild.

The author seems to be investing considerable time and effort into unleashing newer variants of W32/Stration onto the internet. But it’s surprising that no lucrative payloads, such as adware or password-stealing trojans, have been seeded onto infected machines. One can only wonder about the objective behind developing and releasing newer variants of this worm. Is the current wave being used to build a massive pool of infected computers for a larger-scale attack on the internet? Sadly, the motive behind unleashing this worm is still unknown at the time of writing this blog. McAfee Avert Labs continues to keep a close eye on future developments of W32/Stration.
