W32/StormWorm.gen1 Network Analysis

This is actually my first analysis of malware, so the paper I wrote up may not be as in-depth as some may wish. I cover the two files that the variant creates on the Windows system and provide packet capture analysis. I plan on diving deeper into research with a few peers from Rochester Institute of Technology, including SPARSA (Security Practices and Research Student Association).

Abstract:

This paper briefly details the analysis of W32/StormWorm.gen1. The analysis covers the two files created by the variant and looks into the contents of those files. A quick overview of the network traffic generated by the worm is given, along with the data exchanged between the peers connected to the Overnet P2P network. Towards the end of the paper, extended research discusses the disassembly of the variant and where the process injection is found within the assembly code.

Download the PDF of the research here

I will eventually post more analysis here once I can find the time.

Good analysis Josh.

Good start

Hi Josh,

The machine you mentioned is my crawler as described in http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt This presentation is woefully outdated now but should still provide some decent information.

You're looking at the encrypted Overnet variant of Storm so the eDonkey2000 dissector doesn't work. Here is what the messages in your paper are:

0x10, 0xa6 publicize
0x10, 0xa7 publicize ack
0x10, 0xa0 connect
0x10, 0xa1 connect reply
0x10, 0xb1 ip query

The publicize message is your peer announcing its position in the network (its OID).

The connect is both an announcement of availability and a request for peers.

The connect reply is a list of up to 20 "close" (as determined by the XOR metric) peers.

The ip query message is how Storm learns about its public address and how to detect if it is NAT'd. This determines what role it will play in the TCP C&C side of things.

There are a few research groups that have fully reversed every aspect of Storm (most with help from Joe Stewart). Joe will be presenting on Storm at RSA 2008 in mid-April. His presentation will cover everything you need to know about Storm to fully understand the protocols and algorithms it uses.

It has taken our group months to figure everything out. Storm is fun to play with and there is a ton to learn so keep at it.

Brandon
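The opcode list and the XOR-metric peer selection in the comment above are easy to turn into a small triage helper for a capture. The following Python is an added example, not code from the original post or from Brandon's crawler: the five two-byte prefixes are taken from the comment, while the 16-byte OID length, the `classify`/`count_by_type`/`closest_peers` helpers and the sample packets are constructed assumptions for illustration and do not describe any further part of the Storm message format.

```python
"""Label Storm/Overnet control messages by opcode and rank peers by XOR distance.

Added example, not code from the original post or from Brandon's crawler. The
five two-byte opcodes come from the comment above; everything else (the 16-byte
OID length, the sample packets) is a constructed assumption for illustration.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Opcode prefixes as listed in the comment above (first two payload bytes).
STORM_OPCODES: Dict[Tuple[int, int], str] = {
    (0x10, 0xA6): "publicize",
    (0x10, 0xA7): "publicize ack",
    (0x10, 0xA0): "connect",
    (0x10, 0xA1): "connect reply",
    (0x10, 0xB1): "ip query",
}

OID_LEN = 16  # assumption: Overnet/Kademlia-style 128-bit node identifiers


def classify(payload: bytes) -> Optional[str]:
    """Name the message carried by a UDP payload, or None if the first two
    bytes are not one of the known opcodes (or the payload is too short)."""
    if len(payload) < 2:
        return None
    return STORM_OPCODES.get((payload[0], payload[1]))


def count_by_type(packets: List[Tuple[str, bytes]]) -> Dict[str, int]:
    """Tally message names across (source_ip, payload) records; payloads that
    match no opcode are counted under 'unknown' rather than silently dropped."""
    counts: Counter = Counter()
    for _src, payload in packets:
        counts[classify(payload) or "unknown"] += 1
    return dict(counts)


def xor_distance(a: bytes, b: bytes) -> int:
    """Kademlia/Overnet closeness metric: the XOR of two OIDs read as an integer."""
    if len(a) != OID_LEN or len(b) != OID_LEN:
        raise ValueError("OIDs must be %d bytes" % OID_LEN)
    return int.from_bytes(a, "big") ^ int.from_bytes(b, "big")


def closest_peers(target: bytes, peers: List[bytes], k: int = 20) -> List[bytes]:
    """The up-to-k peers nearest to target by XOR distance, i.e. the selection
    the comment describes a 'connect reply' as carrying (k = 20)."""
    return sorted(peers, key=lambda p: xor_distance(target, p))[:k]


# Constructed sample traffic (not a real capture): a two-byte opcode followed
# by filler bytes standing in for the rest of the message.
SAMPLE_PACKETS: List[Tuple[str, bytes]] = [
    ("10.0.0.5", bytes([0x10, 0xA6]) + bytes(OID_LEN)),           # publicize
    ("10.0.0.9", bytes([0x10, 0xA7]) + bytes(4)),                 # publicize ack
    ("10.0.0.5", bytes([0x10, 0xA0]) + bytes(OID_LEN)),           # connect
    ("10.0.0.9", bytes([0x10, 0xA1]) + bytes(20 * OID_LEN)),      # connect reply
    ("10.0.0.5", bytes([0x10, 0xB1])),                            # ip query
    ("10.0.0.7", b"\xe3\x0c"),                                    # not a Storm opcode
]

if __name__ == "__main__":
    for src, payload in SAMPLE_PACKETS:
        print(src, classify(payload) or "unknown")
    print(count_by_type(SAMPLE_PACKETS))
    me = bytes(OID_LEN)
    others = [bytes(OID_LEN - 1) + bytes([n]) for n in (9, 3, 7)]
    others.append(bytes([1]) + bytes(OID_LEN - 1))
    print([p.hex() for p in closest_peers(me, others, k=2)])
```

In practice `classify` would be fed the UDP payloads pulled from the capture, and the per-host tallies of publicize, connect and ip query messages are what distinguish a peer announcing itself from one merely answering queries; the XOR ranking only illustrates how "close" is measured, since nothing beyond the opcode bytes is parsed here.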

Brandon,

I just read your presentation, that is very good high quality work. It was very informative too. Good work.

Danny

Sorry for the off topic but I have been trying to contact
hllywood with no success. If you are reading this, you commented about BinBLAST some time ago:

"I'm planning on the next release at the beginning of March. The main time-consuming task is finishing up appropriate documentation to move this from a collection of small scripts to a useful program.

March is ending and it has not been released yet.

Could you provide news about the release status, please?

Thanks!

Hllywood probably got busy

It's a hobby effort so Hllywood is under no real obligation to release it at a certain date, or ever.

sort of like the 29a issue release schedule.

;)

V.

Don't compare even for a second a 29A magazine (depending on many people) with a project supposed to be released back in 2006 and developed by a single person.

It's like comparing meat with speed.

I just asked for news.

I feel you are in a very defensive attitude when nobody attacked anyone.

No sense of humor?

C'mon, laugh a little.

V.

Sure, but first apply to yourself your own tips. ;-)