Storm Worm 2: A view of its C&C

News broke recently that there’s a new Storm Worm doing the rounds. Late last week a detailed analysis of the new Storm Worm malware variant was posted by The Honeynet Project on their website.

Based on the analysis I conducted over the weekend, this particular threat is indeed very similar to the old Storm Worm – with at least 67% of the code being the same – and the most notable difference being that the P2P functionality of the old version has been dropped from the new version. The command protocol is now reliant upon HTTP instead of simple TCP connections.

Now let’s go to the juicy stuff, analyzing the CnC.

From the malware samples I’ve obtained, I was able to extract two critical CnCs. Let’s call them CnC Domain B and CnC Domain C. Based upon our historical data trove, Domain B is also being used for CnC by other malware families – while Domain C is only being utilized by the new Storm Worm variant – at least for now.

The other malware families that utilize Domain B for CnC also make use of Domain A. This other domain is not utilized by the new Storm Worm variant (at least it’s not present in the malware samples I have had the chance to analyze so far). Domain A is being utilized by another family of botnet malware. For a graphical representation, please see Figure 1 below.

Figure 1: C&C Relationships with other Malware Families

In the figure above, the lettered boxes show different malware families positioned on a timeline according to when we first uncovered them. The cloud represents the domains they utilize for CnC. So from here, a pattern is starting to emerge. It would appear that the botmaster’s campaign can be easily traced by overlapping CnC domains.

In Dec 2009, a family of malware (Malware A) utilized Domain A as its CnC in an infection campaign. By the second month of 2010, multiple malware families materialized and utilized CnC Domain A together with a new CnC (Domain B). Then, by April 2010, the new Storm Worm variant was identified by security researchers and it utilized CnC Domain B, and no longer referenced Domain A for CnC. Instead it utilized a new CnC domain – CnC Domain C. If the pattern proves to be correct, we will see new malware families that will utilize CnC Domain C.

Another observation I’ve made is that there are multiple malware families – each of them probably with serial variants – utilizing a handful of CnCs. This is obviously a continued source of headaches for anti-virus host-based solutions; not only in detection but also in cleanup.

One important question to ask is “Will the new malware families used in future campaigns be detected by my AV host solution?”

The answer is, unfortunately, probably not. But one thing is certain: whatever malware families are used for the next few campaigns, the CnC domains will likely not change as much or as frequently as the malware variants themselves. Disrupting the CnC – the command tether linking the infected host and the botmaster together – is where you need to focus your protection nowadays.
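The two ideas above, linking malware families into one campaign through the CnC domains they share (Figure 1 and the timeline that follows it) and then protecting on the CnC side rather than on the per-variant AV side, can be turned into a small defender-side script. The following is an added example, not code from the original post or from any of the researchers it cites. Every family name, domain, date and DNS log line in it is a constructed placeholder that stands in for Domains A, B and C; none of them are real indicators.

```python
"""Added example (not from the original post): pivot on shared CnC domains
to link malware families into one campaign, then use that campaign's domain
set to flag infected hosts in DNS logs.  All family names, domains, dates and
log lines below are constructed placeholders, not indicators from the post."""
from collections import defaultdict
from datetime import date
import re

# Constructed sightings: (malware family, CnC domain, date first seen).
SIGHTINGS = [
    ("Malware A", "cnc-a.example", date(2009, 12, 1)),
    ("Malware B", "cnc-a.example", date(2010, 2, 1)),
    ("Malware B", "cnc-b.example", date(2010, 2, 1)),
    ("Malware C", "cnc-a.example", date(2010, 2, 10)),
    ("Malware C", "cnc-b.example", date(2010, 2, 10)),
    ("Storm Worm 2", "cnc-b.example", date(2010, 4, 1)),
    ("Storm Worm 2", "cnc-c.example", date(2010, 4, 1)),
    ("Unrelated X", "other.example", date(2010, 3, 1)),  # shares nothing
]


def build_graph(sightings):
    """Bipartite adjacency: family -> set(domains) and domain -> set(families)."""
    fam2dom, dom2fam = defaultdict(set), defaultdict(set)
    for family, domain, _ in sightings:
        fam2dom[family].add(domain)
        dom2fam[domain].add(family)
    return fam2dom, dom2fam


def campaigns(sightings):
    """Group families that are connected, directly or transitively, through a
    shared CnC domain.  Returns a list of frozensets, largest first."""
    fam2dom, dom2fam = build_graph(sightings)
    seen, groups = set(), []
    for start in fam2dom:
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:  # depth-first walk over the family/domain graph
            fam = stack.pop()
            if fam in seen:
                continue
            seen.add(fam)
            group.add(fam)
            for dom in fam2dom[fam]:
                stack.extend(dom2fam[dom] - seen)
        groups.append(frozenset(group))
    return sorted(groups, key=len, reverse=True)


def campaign_blocklist(sightings, family):
    """Every CnC domain used by any family in the same campaign as `family`.
    Blocking the whole set also covers variants the host AV has not seen."""
    fam2dom, _ = build_graph(sightings)
    for group in campaigns(sightings):
        if family in group:
            return set().union(*(fam2dom[f] for f in group))
    return set()


def domain_timeline(sightings):
    """List of (domain, (date first seen, family that introduced it)), oldest
    first.  The most recently introduced domain is the one to watch for reuse."""
    first = {}
    for family, domain, seen in sorted(sightings, key=lambda s: s[2]):
        first.setdefault(domain, (seen, family))
    return sorted(first.items(), key=lambda kv: kv[1][0])


# Constructed DNS resolver log lines (not real traffic).
DNS_LOG = """\
2010-04-05T10:00:01 client=10.0.0.5 query=www.example.net
2010-04-05T10:00:02 client=10.0.0.5 query=cnc-c.example
2010-04-05T10:00:03 client=10.0.0.9 query=cnc-a.example
2010-04-05T10:00:04 client=10.0.0.7 query=other.example
"""
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def flag_dns_queries(log_text, blocklist):
    """Return (client, domain) pairs for queries that hit the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("query").lower().rstrip(".") in blocklist:
            hits.append((m.group("client"), m.group("query")))
    return hits


if __name__ == "__main__":
    print("campaigns:", [sorted(g) for g in campaigns(SIGHTINGS)])
    block = campaign_blocklist(SIGHTINGS, "Storm Worm 2")
    print("blocklist:", sorted(block))
    for dom, (seen, fam) in domain_timeline(SIGHTINGS):
        print(f"{seen} {dom} introduced by {fam}")
    print("infected hosts:", flag_dns_queries(DNS_LOG, block))
```

Run as-is, the script groups Malware A, B, C and Storm Worm 2 into one campaign because each shares at least one domain with another member, leaves the unrelated family on its own, and flags the two hosts that resolved campaign domains. The blocklist it produces for Storm Worm 2 contains Domain A as well, even though the new variant never references it: once families are tied to one campaign, the defensive move is to cut the whole set of tethers rather than chase each variant.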

– Christopher Elisan, Senior Research Analyst
