A Perfect Storm

Storm Worm

Since I’m stranded in Aspen, Colorado due to heavy snow, I thought I’d give a shot at taking a first-hand look at the underpinnings of the Storm worm. Since I’m not on my home Internet connection, I’m not worried about any possible repercussions that may occur. I’m quite pissed off that my once (and possibly former) beloved Kaspersky failed to detect the latest packing of this virus, even with heuristics enabled. I went ahead and submitted the virus directly to Kaspersky so they can update their signatures (which they have).

I’ll go off on a separate tangent for a moment, but a big and reasonably well-known antivirus firm shouldn’t have to rely on someone like me to find and submit new viruses. That’s just sad, really. Hell, it’s a widely distributed and known URL from which I obtained the file; can’t you whip up some code to auto-download those new files and add signatures? Do I have to do that for you also? Come on now.

Anyway, back to the issue at hand: Storm. I first want to make sure that everything on this laptop is backed up somewhere else and that there is no personal information saved, such as passwords, because this laptop will soon become my sandbox. After I’m done reverse engineering Storm, I’ll have to format this laptop and do a fresh OS install. (And I’m installing XP on this machine, not that dreaded Vista.) Doing this on a virtual OS or in a full sandbox would be best, but I don’t have that kind of software on hand.

First off, I’ll need something to inspect all the Internet traffic packets entering and leaving my system. Back in the day the tool we used was eEye’s Iris, but since my Iris license has long expired, the free Wireshark, which is based on Ethereal, will work.
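Once the sandbox has been running for a while, the first question a capture answers is "who did this box talk to?" The script below is an example added to this post, not the author’s code: it reads a classic libpcap file (the format Wireshark and tcpdump write) with only the Python standard library and summarises the IPv4 TCP/UDP destinations seen leaving the sandbox host, separating out anything outside the local network. The capture it analyses is constructed inline; the sandbox address 192.168.1.50, the gateway, the remote hosts and the UDP port number are all assumptions for the demonstration, not observed Storm traffic.

```python
"""Triage a sandbox packet capture: list the external hosts and ports it reached.

Added example (not the original post's code). The sample capture, the sandbox
IP 192.168.1.50 and every remote address/port below are constructed for the
demonstration; they are not Storm indicators.
"""
import ipaddress
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, as written by Wireshark/tcpdump
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Serialise (timestamp, ethernet_frame) pairs into a little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def ipv4_frame(src, dst, proto, payload):
    """Ethernet II + 20-byte IPv4 header (checksum left zero) around a L4 payload."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload


def udp_frame(src, sport, dst, dport, data=b""):
    return ipv4_frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)


def tcp_syn_frame(src, sport, dst, dport):
    # seq=1, ack=0, data offset 5 words, flags=SYN, window, checksum, urgent pointer
    return ipv4_frame(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0))


def parse_pcap(data):
    """Yield (src_ip, dst_ip, proto, sport, dport) for every IPv4 TCP/UDP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"            # byte order of the writing host
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                         # ARP, IPv6, runt: skip
        ihl = (frame[14] & 0x0F) * 4                         # IP header length in bytes
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack_from("!HH", l4, 0)
            yield src, dst, proto, sport, dport


def outbound_summary(data, sandbox_ip):
    """Count (dst_ip, 'tcp'|'udp', dport) for packets whose source is the sandbox."""
    names = {6: "tcp", 17: "udp"}
    counts = Counter()
    for src, dst, proto, _, dport in parse_pcap(data):
        if src == sandbox_ip:
            counts[(dst, names[proto], dport)] += 1
    return counts


def external_destinations(counts, local_net="192.168.1.0/24"):
    """Destinations outside the sandbox's LAN, busiest first: (dst, proto, port, count)."""
    net = ipaddress.ip_network(local_net)
    ext = [(d, p, port, n) for (d, p, port), n in counts.items()
           if ipaddress.ip_address(d) not in net]
    return sorted(ext, key=lambda e: (-e[3], e[0]))


def sample_capture():
    """Constructed sample: the sandbox resolves a name, opens a web connection twice,
    sends three UDP datagrams to a peer, receives one reply, plus one ARP frame."""
    sb, gw, web, peer = "192.168.1.50", "192.168.1.1", "203.0.113.7", "198.51.100.9"
    frames = [
        udp_frame(sb, 1025, gw, 53, b"\x00" * 12),
        tcp_syn_frame(sb, 1026, web, 80),
        tcp_syn_frame(sb, 1027, web, 80),
        udp_frame(sb, 1028, peer, 20000, b"\x00" * 4),
        udp_frame(peer, 20000, sb, 1028, b"\x00" * 4),        # inbound: not counted
        udp_frame(sb, 1028, peer, 20000, b"\x00" * 4),
        udp_frame(sb, 1028, peer, 20000, b"\x00" * 4),
        b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,  # ARP: skipped
    ]
    return build_pcap([(1200000000 + i, f) for i, f in enumerate(frames)])


if __name__ == "__main__":
    summary = outbound_summary(sample_capture(), "192.168.1.50")
    for dst, proto, port, n in external_destinations(summary):
        print(f"{n:3d} x {proto}/{port:<5} -> {dst}")
```

To run it against a real capture from the sandbox, save from Wireshark in the classic pcap format (not pcapng) and pass `open(path, "rb").read()` to `outbound_summary` with the sandbox’s actual address; the local-network filter is only there to push the gateway and DNS chatter down the list, so adjust it to whatever subnet the sandbox sits on.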

Update: Now that I’m back home, I’m going to create a full sandbox via a virtual OS in VMware. Also, Kaspersky’s web filter now blocks the compromised Storm pages, along with detecting the virus. You’re welcome.

*An interesting note is that the image above is actually used on compromised Storm machines.
