ÏÂÒÁÔÉÔÅ ×ÎÉÍÁÎÉÅ ÎÁ ÐÒÉÍÅÞÁÎÉÅ J. Ullrich
----------------------------
--Storm Worm Evolves, Launches Retaliatory Attack
(October 24 & 25, 2007)
The Storm worm (sometimes called Peacomm) has the capacity to launch
targeted counterattacks against the systems of users trying to probe its
command-and-control servers. Storm is able to detect the probes and
retaliate by launching distributed denial-of-service (DDoS) attacks
against the uninvited visitors. Researchers have been wary of
publicizing the results of their efforts to understand the worm and stop
its harmful behavior. Storm has the capability to interrupt
applications, including security applications such as Anti-Virus
software, as they are booting up and either shut them down or render
then inert so that they appear to be running but are in fact doing
nothing.
[Editor's Note (Ullrich): The Storm worm goes out of its way to fight
malware researchers. It has always used multiple anti-reverse
engineering techniques. This retaliatory behavior was first seen a few
months ago as malware researchers who downloaded the trojan multiple
times started to be the target of these likely automated attacks. One
attack works as follows: Whenever you port scan a storm-infected node,
or if you download the malware several times, a subset of the storm
network will launch a denial of service attack against you. Typically
it is an ICMP flood that can last a day or so.]
