Malware Alert: IPStorm
As if there wasn’t enough to worry about, another threat is looming on the horizon: IPStorm (not to be confused with the European virus-protection package of the same name announced on the internet). It is a very newly discovered Trojan Horse, so cunningly crafted that nobody yet knows what it does. So basically, what we have is the equivalent of a severe weather alert, but no thunder and lightning. Yet. Hold on to your hats, apply the tips listed below, and stay tuned to the CrafTech blogs, because we’re on top of it!
IPStorm is malware, and quite sophisticated malware that has just about every base covered. It was first identified this June by the cybersecurity firm Anomali. Its creators, who remain unknown, have told us its name but have made no other information available. Like 40% of internet activity, it depends on bots (software applications that run automated tasks). Its bots are linked to a botnet, a group of Internet-connected devices that can each run one or more bots, usually for illegal purposes. IPStorm’s deadliness is potentially multi-level. Most disturbingly, it hides its own malicious peer-to-peer (P2P) communication inside the legitimate P2P network traffic of IPFS (the InterPlanetary File System, an open-source file-sharing network). This is the very first malware found to use that route, which is a significant indication of the programmers’ expertise. Unfortunately, that channel makes the malware all the stronger: the malicious traffic is hidden, blended right in with normal traffic. It also makes taking down the botnet difficult, because there is a risk that the legitimate IPFS network could be affected at the same time, and that’s a place no one wants to go. Plus, this malware can circumvent antivirus tools, and it can put itself to sleep, using memory allocation to remain dormant until it wakes up.
But wait, there’s more. Researchers haven’t even been able to figure out how IPStorm begins its infection cycle. That’s because of the nature of its programming: the malware package itself has been divided into many parts, which is, again, a very sophisticated and well-thought-out approach. Researchers explain of its Go-language design, “By breaking functionality out into different Go packages, the codebase is easier to maintain. Also, the threat actor can break out things into modules to make it easier to swap out or reuse functionality.” IPStorm also has several antivirus-evasion techniques built into its configuration. One of the most insidious is its use of folder names that relate to Microsoft or Adobe products when it copies itself onto a target, meaning that even a tech-savvy and alert user might not notice it right away.
There are some measures you can take to protect yourself while awaiting developments, ones that should be in place in any healthy network environment:
- Enforce a strong password policy.
- Disable AutoPlay.
- Turn off unnecessary file-sharing.
- Remove unnecessary services.
- Train employees not to open unexpected attachments.
- Turn off Bluetooth if you don’t need it for mobile devices.
As of right now, the IPStorm botnet seems to be limited to about 3,000 machines, a surprisingly small number that gives experts every reason to believe that the malware is in a very early stage of development, which means that the worst is yet to come. But be assured that CrafTech has this storm on our radar!
Written by: Susan Palmer