Storm Trojan was worse than it should have been

The "Storm" attack made a big splash because people keep falling for social engineering and there was simply little else in the news, experts say.


Security Blog Log
With the bad guys increasingly resorting to quieter, more targeted attacks, it's been a long time since we've seen headlines about the massive spread of a worm or Trojan horse. Most security experts agree the days of Sasser-like attacks are over.

So when the so-called Storm Trojan started gaining traction last week, antivirus vendors were jolted into overdrive.

Symantec gave the malware a rare risk rating of three. The firm flags most malware with a rating of one or two. It also declared it the worst outbreak since 2005. F-Secure Corp. dedicated big blocks of space in its F-Secure blog to updates on the Trojan's spread. F-Secure even offered footage of its computerized world map so everyone could witness the malware's march across the globe.

But was this malware really worth the publicity it received? Opinions vary among security bloggers.

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].


Mike Rothman, president and principal analyst of Security Incite in Atlanta, suggested in his Daily Incite blog that the malware got the big media headlines because of an otherwise slow news week.

"Nothing seems novel about it. It's just social engineering on steroids. More zombies, more bots, more spam," he wrote.

Rothman shared the assessment of security blogger Dancho Danchev, who in his Mind Streams of Information Security Knowledge blog described the Storm coverage as a "frontal PR attack" among vendors.

"With all the buzz over the 'Storm worm' … it is almost unbelievable how hungry for a ground-breaking event the mainstream media is," he wrote. "Don't misunderstand me, protecting the end user from himself is a necessity, but over hyping this simple malware doesn't really impress anyone with a decent honeyfarm out there."

Besides, he noted, corporate email environments stopped allowing this type of incoming executable file through the gates a long time ago.

While that may be the case to a certain extent, other security experts -- including some of the vendors -- used their blogs to argue that all the attention is indeed justified.

The Symantec Security Response Center blog, for example, offered up a series of charts to document the malware's spread in the past week.

One graphic shows how the malware -- named Peacomm by Symantec -- has topped the charts and exceeded the spread of the "Happy New Year" [Mixor] worm despite getting a much later start. Symantec suggested there's a link between Mixor and Peacomm.

"While the first sample of Mixor.Q did not contain Peacomm, it did contain a simple downloader executable," Symantec said. "It is highly likely that there is a direct correlation between the number of Mixor infections and the later rise of Peacomm, considering that Mixor dropped Peacomm as a payload."

Allysa Myers of McAfee Avert Labs said in the organization's Avert Labs blog that she personally sees emails with outlandish claims as something to be deleted without further ado, especially if they include file attachments. "But for some reason this tactic is still proving successful," she wrote.

Danchev is correct to say most enterprises started blocking suspicious attachments at the gate a long time ago. That has certainly helped drive down to almost nothing the mass worm attacks that were common in the first half of this decade. But Myers also makes a valid point that a lot of people continue to fall for social engineering tactics that are more obvious to those of us with more security savvy.

When home users click on these malicious attachments, the bad guys take control of their PCs with bots and Trojans. Those machines can then be used to target enterprises with more sophisticated malware.

For that reason, IT professionals should take this Storm surge seriously, even if some of the media headlines appear hyperbolic.

Secunia reports an ActiveX flaw
Elsewhere, Danish vulnerability clearinghouse Secunia said in its Secunia blog that it has discovered a new ActiveX flaw that may affect audio and media applications from a variety of vendors.

"Secunia Research has discovered vulnerabilities in various audio and media applications caused due to an insecure ActiveX control," the blog said, adding that the vulnerable component, NCTAudioFile2.dll, was originally developed by NCT Company Ltd., now known as Online Media Technologies Ltd., and is known to be present in more than 70 products from 28 different software companies.

"This means that not only are certain NCTsoft products vulnerable, but most applications using the same component are vulnerable as well," Secunia said.

The problem is a boundary error in the NCTAudioFile2.AudioFile ActiveX control's handling of the "SetFormatLikeSample()" method. "Passing an argument with length of about 4,124 bytes induces a stack-based buffer overflow, making it possible for the attacker to execute arbitrary code on the user's system," Secunia said.

The exploit could be housed on a malicious Web site that a user is tricked into visiting, Secunia said, adding that because the flaw involves an ActiveX component, successful exploitation requires that Internet Explorer be used to visit such a site.

"While we are not aware of any publicly available exploit for this vulnerability, actually crafting one is pretty straight-forward," Secunia said. "So it's not too much to ask users to exercise caution when surfing the Internet, especially as IE6 automatically runs ActiveX controls."
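Because exploitation depends on Internet Explorer instantiating the control, the standard short-term mitigation is to set the IE "kill bit" for it. The following is an added example, not code from Secunia or the article; it assumes an elevated PowerShell session, and the CLSID is a placeholder because the article does not give the control's real CLSID.

```powershell
# Added example: set the Internet Explorer kill bit for an ActiveX control so IE
# refuses to load it, blocking the malicious-web-page path described above.
# The CLSID is a PLACEHOLDER; substitute the CLSID of the NCTAudioFile2.AudioFile
# control, which the article does not provide. Run elevated.

$Clsid   = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not the real CLSID
$KillBit = 0x400                                      # COMPAT_EVIL_DONT_LOAD

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # 64-bit Windows keeps a separate key for the 32-bit IE process
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = [int]$existing -bor $KillBit          # preserve any flags already set
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $p = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

Set-ActiveXKillBit -Clsid $Clsid
if (Test-ActiveXKillBit -Clsid $Clsid) { "Kill bit set for $Clsid" } else { "Kill bit NOT set for $Clsid" }
```

The kill bit only stops IE from instantiating the control; the vulnerable DLL itself is unchanged, so the affected applications still need the vendor's fixed build.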
