Skip navigation.
Home

Storm Worm Process Injection from the Windows Kernel

|

I spent a few hours looking at the storm worm and wrote up a quick informal paper on how to extract the actual malicious payload. If you're interested in how to use asynchronous procedure call to inject code into a userspace process this paper might be interesting to you.

Storm Worm Process Injection from the Windows Kernel

Abstract:
This paper will detail the analysis methods of W32/StormWorm.gen1 and show a process injection method it uses to run malicious code in user-space. This variant loads a driver into the kernel which then injects itself into the running services.exe process. The worm then connects to a P2P network sending spam, initiating DDoS from the infected computer. This technique does not use a packer in the traditional sense but a two-stage loader to inject itself into a running process from kernel space. I will show the decoding process and methods for extracting the true malicious code from the driver executable.

How does the malware infect victims

Can you expand your article by explaining how the malware spreads to victims in the first place. Moreover, how does it load the driver into the memory. Perhaps you skipped what I'm asking for because there was nothing advanced in the technique in the first place ?

Infection vector

The infection technique was very primitive. It was simply spam that said "You have an ecard" or something similar. It then gave you an address to go to that had a link to download a file named e-card.exe. After that the user had to start the program manually.

storm propagation in 2007

Nice work, Danny. And thanks so much for the footnote mention at
http://www.virusbtn.com/pdf/conference_slides/2007/BaumgartnerVB2007.pdf.
It looks like the bulk of the text in your paper is mostly about using x86emu to decode the user-mode injected code. Interesting way to do it, instead of idc.

Shomi- If you check out the presentation slides at that link, you'll probably find the answers that you are looking for. The changing nature of storm's web presence, the multiple themes used for social engineering, the various exploits used by storm web sites at the time the presentation was given (throughout 2007, the Storm operators used several sets of exploits to attack visiting systems in addition to providing download links), the shellcode techniques used, and the user-mode components and the kernel mode injection are all documented in the slides.
But to help with your interest in the driver load, the driver was loaded using documented techniques of registering and starting a driver service. The driver then injects services.exe with user mode code and starts the thread using a fairly unusual technique from the kernel.
Check out the slides and let me know what you think. Thanks.

http://blog.threatfire.com

thanks

TF_kj,
Thank you very much, The presentation and your explanation were exactly what I was looking for!
cheers,
-shomi