Saturday, August 4, 2007

The Worms Crawl In, The Worms Crawl Out...

I have seen several new strains of the Storm-based "greeting card" worm dumping tons of crap into the inboxes of my clients, and unfortunately, my own company as well. The links invariably point to some numeric IP without a domain name; likely these IPs are zombie hosts in the same manner as the zombies that sent the spam.

The really bad news is coming in from several of the analyst sites, which have found new variants are installing rootkits in some instances. More than likely, that means we'll be working on stamping out this new variant for a good while to come. Fortunately, the new strain appears to have limited polymorphic capabilities when it comes to its message body template; therefore, filtering the content should be relatively simple for the time being with a simple regex. Hopefully the people who modified this version won't catch on to the idea that their spam payload is woefully easy to identify and filter.

The really interesting question comes down to what to do about all these IP addresses that appear in these spams -- obviously these machines are compromised, and their owners certainly should be aware of the situation. Given the current legal situation surrounding white hat activities, I have to admit that I'm rather more of the "screw 'em" mentality. Rampant lawyers suing white hats tends to do that.

Frankly, all I am going to do is put that same regex code used to filter the spam payload to further use. We could identify these IPs and simply perform something equivalent to DenyHosts-style H-IDS and slap those entries into hosts.deny for a 60-day term. Anyone carrying that kind of infestation on their box has no compelling reason to be allowed to talk to mine.
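As an added example (not the author's code), here is one way to turn that idea into a DenyHosts-style list: match the card template, pull the bare-IP links out of matching messages, and keep hosts.deny entries for 60 days before they expire. The body pattern and the sample messages are constructed assumptions, since the post does not reproduce the actual template.

```python
import re
from datetime import datetime, timedelta

# Body-template match. The real 2007 template is not reproduced here; this
# phrase is a constructed stand-in for whatever the site's filter regex matches.
CARD_BODY = re.compile(r"you(?:'ve| have) received a (?:greeting )?card", re.I)
# A link whose host is a bare dotted-quad with no domain name, as in the spam.
BARE_IP_URL = re.compile(r"https?://((?:\d{1,3}\.){3}\d{1,3})(?::\d+)?(?=[/\s]|$)")

BLOCK_DAYS = 60
NOW = datetime(2007, 8, 4)                       # the post date, used as "today"
AFTER_EXPIRY = NOW + timedelta(days=BLOCK_DAYS + 1)

# Constructed sample messages; 192.0.2.0/24 is the documentation range.
SAMPLE_SPAM = ("Subject: You've received a greeting card!\n\n"
               "Someone sent you a card. View it at http://192.0.2.45/?card=1\n"
               "Impossible host, ignored: http://300.1.2.3/\n")
SAMPLE_HAM = "Subject: Meeting notes\n\nNotes are at http://192.0.2.99/wiki\n"

def extract_zombie_ips(message):
    """IPs linked from a message, but only when the body matches the card template."""
    if not CARD_BODY.search(message):
        return set()
    return {ip for ip in BARE_IP_URL.findall(message)
            if all(int(o) <= 255 for o in ip.split("."))}   # drop impossible octets

def update_blocklist(blocklist, ips, now):
    """Add or refresh entries with a BLOCK_DAYS expiry, then drop expired ones.
    blocklist maps ip -> expiry datetime; a pruned copy is returned."""
    for ip in ips:
        blocklist[ip] = now + timedelta(days=BLOCK_DAYS)
    return {ip: exp for ip, exp in blocklist.items() if exp > now}

def render_hosts_deny(blocklist):
    """TCP Wrappers hosts.deny text: one 'ALL: <ip>' line per zombie host,
    each preceded by a comment line recording when the entry expires."""
    key = lambda ip: tuple(int(o) for o in ip.split("."))
    return "".join(f"# expires {blocklist[ip]:%Y-%m-%d}\nALL: {ip}\n"
                   for ip in sorted(blocklist, key=key))

def scan_messages(messages, blocklist=None, now=NOW):
    """Run the filter over a batch of messages and return the updated blocklist."""
    blocklist = dict(blocklist or {})
    for msg in messages:
        blocklist = update_blocklist(blocklist, extract_zombie_ips(msg), now)
    return blocklist

if __name__ == "__main__":
    print(render_hosts_deny(scan_messages([SAMPLE_SPAM, SAMPLE_HAM])), end="")
```

Re-running `update_blocklist` on the saved list with the current time is what ages entries out, so a daily cron pass over the mail spool is enough to keep the 60-day term honest.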

Multi-vector attacks are certainly dangerous, but I think the good news for white hats is that the added complexity of folding social engineering into worms and malware also makes it easier for us to find and eliminate source systems... in this case, practically automatically with simple expression filters.