The ever-mutating, ever-stealthy Storm worm botnet is adding yet another trick to its vast repertoire: instead of killing anti-virus products on infected systems, it now modifies them so that they keep running but are effectively brain-dead.
The finding was made by Sophos and was mentioned by a security strategist for IBM Internet Security Systems. According to Sophos, the Storm botnet (Sophos calls it Dorf, and it is also known as the Ecard malware) makes the programs that interact with Windows tell the virus every time a new program is started.
The virus then checks the newly started program to see whether it is an anti-virus or anti-spyware product, and if it is, the virus either stops the program from running or modifies it so that it can no longer detect the virus.
Then, when the anti-virus programs run, they simply tell the user everything is OK.
The strategy means that users won’t be alarmed by their anti-virus software not running.
The anti-virus is running but brain-dead, which is worse than shutting it off, since it then opens the door for all sorts of other virus and spyware programs to infect the system.
This new behavior is the latest evidence of why Storm is the scariest and most substantial threat security researchers have ever seen. The Storm virus is patient and resilient, and it is adaptive in that it can defeat anti-virus products in multiple ways. It changes its virus footprint automatically every 30 minutes.
It even has its own mythology: Composed of up to 50 million zombie PCs, it has as much power as a supercomputer, the stories go, with the brute strength to crack Department of Defense encryption schemes.
In reality, security researchers in the know peg the size of the peer-to-peer botnet at 6 million to 15 million PCs, and its computing power is not on par with a supercomputer. And it can't break encryption keys. Still, it is very dangerous.