“Storm” Worm Makes Anti-Virus Programs Brain Dead

The ever-mutating, ever-stealthy Storm worm botnet is adding yet another trick to its vast repertoire: instead of killing anti-virus products on infected systems, it now modifies them so that they keep running but are effectively brain-dead.

The finding was made by Sophos and was mentioned by a security strategist for IBM Internet Security Systems. According to Sophos, the Storm botnet (Sophos calls it Dorf; it is also known as Ecard malware) hooks the programs that interact with Windows so that the virus is notified every time a new program is started.

The virus then checks the newly started program to see whether it is an anti-virus or anti-spyware product. If it is, the virus either stops the program from running or modifies it so that it can no longer detect the virus.

Then, when the anti-virus programs run, they simply tell the user that everything is OK.

The strategy means that users won’t be alarmed by their anti-virus software not running.

The anti-virus software is running but brain-dead, which is worse than shutting it off, because it opens the door for all sorts of other viruses and spyware to infect the system while the user believes it is protected.

This new behavior is the latest evidence of why Storm is the scariest and most substantial threat security researchers have ever seen. The Storm virus is patient, it is resilient, and it is adaptive in that it can defeat anti-virus products in multiple ways. It changes its virus footprint automatically every 30 minutes.

It even has its own mythology: composed of up to 50 million zombie PCs, it has as much power as a supercomputer, the stories go, with the brute strength to crack Department of Defense encryption schemes.

In reality, security researchers in the know peg the size of the peer-to-peer botnet at 6 million to 15 million PCs, not on par with a supercomputer, and it cannot break encryption keys. Still, it is very dangerous.

‘Storm’ Trojan Hits 1.6 Million Computers; General Virus Activity at an All Time High

It is mission critical that you keep your anti-virus subscription current and your software up to date. Many small business owners think that because they purchased the software once, they are protected.

Most anti-virus software requires an annual subscription, and if you do not renew, you are not protected. Too many business owners are finding this out the hard way.

For example, the Trojan horse that began spreading during the last week of January has attacked at least 1.6 million PCs, with no signs of stopping. Windows Vista is also vulnerable to the attack.

The Trojan was originally dubbed the “Storm worm” because one of the subject lines used in its e-mail touted Europe’s recent severe weather; its author is now spreading it using subjects such as “Love birds” and “Touched by Love.”

The Trojan, meanwhile, piggybacks on the spam as an executable file with names ranging from “postcard.exe” to “Flash Postcard.exe.”

If your computer’s anti-virus software is out of date, or if you have not renewed your anti-virus subscription, your system could easily be infected by a seemingly innocent e-mail.

By Symantec’s estimate, the Storm Worm is the most serious Internet threat in 20 months.

As with most large-scale Trojan attacks, the goal seems to be to acquire a large botnet, or collection of compromised PCs, that can be used to send traditional scam spams or for later identity mining.

Windows 2000 and Windows XP are vulnerable to all of the Storm Worm variations, but Windows Server 2003 is not; the Trojan’s creator specifically excluded that edition of Windows in the code. We presume the malware writers did not have time to test it on that operating system.

New computer viruses are discovered on a daily basis. To remain effective, your anti-virus software needs to be updated regularly, generally at least once a week.

Make sure you know how to check your anti-virus software for updates, and spot-check automatic updates to confirm that they are, in fact, being applied.

If your version of anti-virus software does not update automatically (many free or low-cost programs do not), schedule reminders on your computer so that updates are performed regularly.
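One way to spot-check the state of installed anti-virus products, as an added example that is not part of the original article: a PowerShell script that asks Windows Security Center which anti-virus products are registered and whether each reports itself enabled and up to date. It assumes a Windows Vista or later workstation edition (the root/SecurityCenter2 namespace is not present on server SKUs) and the commonly used but undocumented layout of the productState value; the hex-digit positions below are that assumption.

```powershell
# Added example: report the enabled / up-to-date status of every anti-virus
# product registered with Windows Security Center (Vista or later, workstation).
#
# Assumed productState layout (undocumented, widely used by administrators):
#   hex digits 3-4 == '10'  -> real-time protection enabled
#   hex digits 5-6 == '00'  -> definitions current ('10' -> out of date)
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

if (-not $products) {
    Write-Warning 'No anti-virus product is registered with Security Center.'
    exit 2
}

$problems = 0
foreach ($p in $products) {
    # productState is a 24-bit integer; format it as six hex digits for slicing
    $state    = '{0:X6}' -f [int]$p.productState
    $enabled  = $state.Substring(2, 2) -eq '10'
    $upToDate = $state.Substring(4, 2) -eq '00'

    [pscustomobject]@{
        Product      = $p.displayName
        Enabled      = $enabled
        UpToDate     = $upToDate
        LastReported = $p.timestamp      # when the product last reported its state
        RawState     = "0x$state"
    } | Format-List

    if (-not $enabled -or -not $upToDate) { $problems++ }
}

if ($problems -gt 0) {
    Write-Warning "$problems product(s) report disabled or stale protection."
    exit 1
}
```

This only shows what each product tells Security Center about itself, and a product that has been tampered with to report that everything is OK can misreport here too, so pair it with a look at the product's own update log and definition date.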