Tuesday, May 6, 2008

New Storm on the horizon – now even Microsoft cannot detect it

The new version of Storm, first seen over the last weekend, sends a clear message that the Storm group is not ready to give up, in spite of recent reports that Microsoft has used the power of its auto-updates to roll out the Storm bot killer.

Although very similar to its predecessors, the new variant is distinguished by its deployment method: iframe injections.

An iframe pointing to a remote malicious script can be inserted into a blog post so that the browser of every reader of that post attempts to execute that script.
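A defender-side check for the injection method described above, added here as an example and not part of the original post: it scans a blog post's HTML for iframes that are off-site, zero-sized or hidden by style, which is how an injected iframe typically looks. The site host name and the sample post (with an RFC 5737 documentation address) are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeScanner(HTMLParser):
    """Collect <iframe> tags and record why each one looks injected."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # Off-site src: the frame loads content from somewhere other than the blog itself.
        host = urlparse(a.get("src", "")).hostname
        if host and host.lower() != self.site_host:
            reasons.append("off-site src: " + host)
        # Zero or one pixel frames are invisible to the reader but still loaded.
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().rstrip("px")
            if val.isdigit() and int(val) <= 1:
                reasons.append("%s=%s" % (dim, a[dim]))
        # CSS hiding is the other common way to keep the frame out of sight.
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_suspicious_iframes(html, site_host):
    """Return a list of {src, reasons} for iframes that look injected."""
    scanner = IframeScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample post: one legitimate same-site widget, one injected frame.
SAMPLE_POST = """<p>Weekend photos</p>
<iframe src="http://blog.example.com/widgets/calendar" width="300" height="200"></iframe>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0" style="display: none"></iframe>
"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_POST, "blog.example.com"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Visible, full-sized off-site iframes are also flagged (by the src check alone), so treat the output as a review queue rather than a verdict.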

In order to do nasty things on a client computer, the remote script needs to elevate its privileges. It attempts to do so by relying on buggy code that is already running inside the client's browser – the buggy (and therefore vulnerable) ActiveX controls.

The obfuscated script that attempts to install Storm on the client machines targets 8 different ActiveX vulnerabilities.

  • One vulnerability that the Storm script targets exists in the MySpace ActiveX component that is used to upload images and files. When this vulnerability was discovered 3 months ago, the manufacturer of this component, the company Aurigma, mentioned in their reply that their ActiveX uploader had been used by hundreds of millions of users over a period of 5 years.

    This means that those MySpace users who are still running the older MySpace ActiveX component to upload their images and files are directly exposed to the risk of having their computers turned into zombies just by visiting legitimate sites that happen to carry the injected iframes (e.g. via malformed blog posts).

  • Another vulnerability that the Storm deployment script attempts to exploit (CVE-2008-0647) is a stack-based buffer overflow in the HanGamePluginCn18 ActiveX control of Ourgame GLWorld (aka Lianzong Game Platform), caused by passing a long argument to its hgs_startNotify() method.

Other exploits the Storm script relies on are:

  • America Online SuperBuddy ActiveX Control Code Execution Vulnerability

  • Real Networks RealPlayer ActiveX Control Heap Corruption Exploit

  • IE 6/Microsoft Html Popup Window (mshtml.dll) DoS Exploit

  • DirectAnimation.PathControl COM object (daxctle.ocx) Exploit

  • Exploit that exists in 2 ActiveX HotBar components, by Zango Inc. (that must be the most unusual deployment method used by Storm)

  • MDAC ActiveX Code Execution Exploit

Since last weekend, only 5 unique samples of the new Storm have been seen in the wild. As mentioned above, the new variant is almost identical to the previous builds. As seen in this report, the new Storm now uses the filenames libor.exe and gogora.config.

VirusTotal detection is low as usual (22%).