New wave of nuwars storming in
Tuesday August 7, 2007 at 4:24 am CST
Posted by Rachit Mathur
The authors of W32/Nuwar, aka the Storm worm, have been active again recently. It is speculated to be one of the largest botnets and has the potential to launch a mammoth DDoS attack. The huge rise in the numbers of botnets lately has been attributed to the social-engineering tactics that recent eCard spam mails employ. This threat is also believed to be behind the recent spam runs of RAR-compacted text files.
This notorious group is not only focusing on ‘improving the effectiveness’ of its spam but is also trying hard to evade detection of the malicious eCard executables, using some of the techniques mentioned below.
There is a re-emerging trend among malware to parasitically infect executables that are already listed in the startup registry keys, inserting loader code for the malicious binary instead of using the traditional technique of modifying the startup registry. This could potentially help bypass some of the tools that system administrators use to inspect the registry for suspicious executables. Recent variants of Nuwar parasitically infect tcpip.sys to insert the loader code for their malicious device driver file. It is an interesting technique to specifically target and infect Windows device driver files (tcpip.sys in this case). The following image shows the malicious code inserted at the end of the infected tcpip.sys file, whose entry point is modified to point to this appended code.

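As an added illustration (not code from the original post or from the author), here is a defender-side heuristic in Python that parses a PE driver's section table and flags an entry point that has been redirected into the final section, the pattern described above for the infected tcpip.sys. The section layouts are constructed samples, and the flag values are the standard IMAGE_SCN_* section characteristics.

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000  # section characteristic flags

def parse_pe(data):
    """Minimal PE header parser: entry point RVA plus (name, va, size, characteristics) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]            # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]       # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]     # AddressOfEntryPoint
    sections, pos = [], pe + 24 + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, pos)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), chars))
        pos += 40
    return entry, sections

def entry_point_findings(data):
    """Flag the hallmarks of an entry point redirected into code appended after the original image."""
    entry, sections = parse_pe(data)
    owner = next((i for i, (_, va, size, _) in enumerate(sections) if va <= entry < va + size), None)
    if owner is None:
        return ["entry point lies outside every section"]
    name, _, _, chars = sections[owner]
    findings = []
    if owner == len(sections) - 1 and len(sections) > 1:
        findings.append(f"entry point in last section {name}")
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {name} is not marked executable")
    if chars & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry section {name} is writable")
    return findings

def build_pe(entry, sections):
    """Construct a header-only PE32 image for testing (constructed sample, not a real driver)."""
    opt = struct.pack("<HBBIIIII", 0x10B, 9, 0, 0, 0, 0, entry, 0x1000).ljust(224, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), sz, va, sz, 0, 0, 0, 0, 0, ch)
                    for n, va, sz, ch in sections)
    return b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + hdrs

# Constructed samples: a clean driver layout, and the same image after an infector extended the
# last section to cover its appended loader code and pointed the entry point at it.
TEXT, DATA = (".text", 0x1000, 0x8000, 0x60000020), (".data", 0x9000, 0x1000, 0xC0000040)
CLEAN = build_pe(0x1010, [TEXT, DATA, (".reloc", 0xA000, 0x1000, 0x42000040)])
INFECTED = build_pe(0xB000, [TEXT, DATA, (".reloc", 0xA000, 0x2000, 0xE2000040)])
```

Run against a real driver by passing the file's bytes to entry_point_findings; an empty list means none of the heuristics fired, not that the file is clean.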
Nuwar variants have also been using ‘server-based polymorphism’ to evade detection, wherein the code for the top-level decryptor of the executable hosted on the server keeps changing while still preserving the overall semantics. A cocktail of some of the following anti-emulation techniques is also frequently introduced, and the code for these is constantly morphed as well.
- Use of various MMX instructions
- Making fake API calls: most Nuwar variants make fake Windows API calls such as CreateMDIWindowA, ILGetSize, etc. This is not dead code. These API calls are fake because they are not called for the purpose they exist for. Instead, null or junk parameters are passed and the returned error codes are validated during decryption.
- Verifying the value at the end of the Structured Exception Handling chain.
We are keeping our eyes open!

August 8th, 2007 at 9:31 am
How do we then destroy this if we have been infected?
August 9th, 2007 at 10:59 am
install ubuntu and live happy
August 9th, 2007 at 9:06 pm
Sounds very nasty
> We are keeping our eyes open!
You mean, you cannot sleep now after seeing this?
August 31st, 2007 at 10:48 am
We are an ISP in Spain and we have been receiving a strange DoS attack that is growing since yesterday. This is the only reference I found to explain the problem.
Let me explain the case. The attack is performed on the mail server; the connection is opened but never closed by the client side. The connection is closed by the mail server after a timeout. With this method they exhaust sockets rapidly.
We have been identifying infected IPs at a rate of 16,000 per hour today. It was about 8,000 yesterday. What will it be on Monday? We have been managing the situation but this can get worse as people come back from summer holidays next Monday.
I would like to know if there is anyone else suffering this.
Pablo Barrachina
http://www.digitalvalue.es/