The ever-mutating, ever-stealthy Storm worm botnet is adding yet another trick to its vast repertoire: Instead of killing anti-virus products on target systems, it's now doing a hot fix with a memory patch to render them brain-dead.
The finding was made by Sophos and was mentioned by Joshua Corman, a principal security strategist for IBM Internet Security Systems, Oct. 23 in his presentation here at Interop on the challenge of evolving cyber-threats.
According to an Oct. 22 posting by Sophos analyst Richard Cohen, the Storm botnet—Sophos calls it Dorf, and it's also known as Ecard malware—is dropping files that register with Windows to be notified every time a new process is started. The malware checks the new process's file name against an internal list and kills the ones that match—though not always. Storm has taken a new twist: It now would rather leave such processes running and simply patch the entry points of loading processes that might pose a threat to it. Then, when processes such as anti-virus programs run, they do nothing and simply return a value of 0.
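An added defender-side check, not from the Sophos write-up or this article: given an executable's on-disk image and the bytes read from the same entry point inside the running process, it reports whether the entry point was patched in memory. The PE image and the "return 0" stub are constructed here for the demonstration; reading the live process's memory is left to the caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
/* Map AddressOfEntryPoint (an RVA) of an on-disk PE image to the file offset of its bytes; -1 if malformed. */
long pe_entry_file_offset(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);                                  /* e_lfanew */
    if (pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);  /* COFF header fields */
    if (optsz < 20 || pe + 24 + optsz > len) return -1;
    const uint8_t *opt = img + pe + 24, *sec = opt + optsz;
    uint32_t entry_rva = rd32(opt + 16);                             /* AddressOfEntryPoint */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {                 /* 40-byte section headers */
        if ((size_t)(sec - img) + 40 > len) return -1;
        uint32_t va = rd32(sec + 12), rawsz = rd32(sec + 16), raw = rd32(sec + 20);
        if (entry_rva >= va && entry_rva < va + rawsz) return (long)(raw + (entry_rva - va));
    }
    return -1;
}
/* Compare the first n entry-point bytes on disk with a snapshot read from the process: 0 intact, 1 patched, -1 error. */
int entry_point_patched(const uint8_t *img, size_t len, const uint8_t *mem, size_t n) {
    long off = pe_entry_file_offset(img, len);
    if (off < 0 || (size_t)off + n > len) return -1;
    return memcmp(img + off, mem, n) != 0;
}
/* Constructed 168-byte PE32 stand-in (not a real binary): one .text section, RVA 0x1000 at file offset 0x98. */
static size_t build_sample_image(uint8_t *img) {
    memset(img, 0, 0xA8);
    img[0] = 'M'; img[1] = 'Z'; put32(img + 0x3C, 0x40);
    memcpy(img + 0x40, "PE\0\0", 4);
    img[0x44] = 0x4C; img[0x45] = 0x01; img[0x46] = 1; img[0x54] = 0x18; /* i386, 1 section, opt hdr 24 B */
    img[0x58] = 0x0B; img[0x59] = 0x01; put32(img + 0x58 + 16, 0x1000);  /* PE32 magic, entry RVA */
    memcpy(img + 0x70, ".text", 5);
    put32(img + 0x78, 0x10); put32(img + 0x7C, 0x1000); put32(img + 0x80, 0x10); put32(img + 0x84, 0x98);
    memcpy(img + 0x98, "\x55\x8B\xEC\x83\xEC\x10\x53\x56", 8);          /* ordinary function prologue */
    return 0xA8;
}
/* Take a "memory" copy of the sample's entry point, optionally overwrite it with an
 * xor eax,eax / ret stub (the return-0 behaviour described above), and run the check. */
int check_sample(int simulate_patch) {
    uint8_t img[0xA8], mem[8];
    size_t len = build_sample_image(img);
    memcpy(mem, img + 0x98, sizeof mem);
    if (simulate_patch) memcpy(mem, "\x33\xC0\xC3", 3);
    return entry_point_patched(img, len, mem, sizeof mem);
}
```

In practice the snapshot comes from the process's own image base plus the same RVA, and a mismatch in those first bytes is worth alerting on even when the process is still listed as running.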