Storm worm keeps spreading

By Bill Brenner, Senior News Writer
19 Jan 2007 | SearchSecurity.com

Updated Monday, Jan. 22, with details on the malware's spread over the weekend.

A Trojan horse that started spreading Friday in emails exploiting concern about European storms continued its advance over the weekend by adopting a wider variety of fake news headlines, according to Finnish antivirus firm F-Secure Corp.

"The weekend has been very busy with Storm," F-Secure said in its blog. "We have lately discovered new variants that have started to use kernel-mode rootkit techniques to hide their files, registry keys, and active network connections."

The Trojan is now using the following headlines in an attempt to trick email recipients into clicking the malicious attachment:

  • Russian missle shot down Chinese satellite
  • Russian missle shot down USA aircraft
  • Russian missle shot down USA satellite
  • Chinese missile shot down USA aircraft
  • Chinese missile shot down USA satellite
  • Sadam Hussein alive!
  • Sadam Hussein safe and sound!
  • Radical Muslim drinking enemies' blood
  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • U.S. Southwest braces for another winter blast. More then 1000 people are dead
  • Venezuelan leader: "Let's the War beginning"
  • Fidel Castro dead.
  • Hugo Chavez dead

Footage of F-Secure's computerized world map is available on YouTube. It shows glowing dots dramatically spreading across the map as the malware proliferates across the globe.

The attackers initially spammed out hundreds of thousands of emails with a subject line that read, "230 dead as storm batters Europe." The emails contain a malicious attachment that will infect the computer if the user opens it.

Mikko Hypponen, head of research at F-Secure, was amazed by how effectively the bad guys capitalized on breaking news about the storm.

"What makes this exceptional is the timely nature of the attack," he told the Reuters news agency. He said thousands of computers were affected around the world, mostly private machines. He told Reuters that most users won't notice the malware, which is designed to create a back door on the computer that can be used later to steal sensitive data or launch spam runs.

The malware attack also kept researchers busy at UK-based antivirus firm Sophos, which reported seeing malicious files attached to emails with names such as Full Clip.exe, Full Story.exe, Full Video.exe, Read More.exe, and Video.exe.

"On average, one in every 200 emails that people have received since midnight [Friday] are likely to be infected by this Trojan horse," Graham Cluley, senior technology consultant for Sophos, said on the company's Web site. "Receiving or reading the emails themselves does not mean that you will be infected. However, users must be very careful not to click on the attached file inside the emails as that will install a Trojan horse on their computer."
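
The indicators reported above (the attachment names Sophos listed and a few of the lure subject lines) can be checked at a mail gateway before a user ever sees the message. The following is an added example, not code from the article, F-Secure or Sophos; `inspect_message`, `build_sample` and the blocked-extension list are assumptions, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article, lower-cased, trailing period dropped.
LURE_SUBJECTS = {
    "230 dead as storm batters europe",
    "sadam hussein alive!",
    "fidel castro dead",
    "hugo chavez dead",
}
KNOWN_ATTACHMENTS = {"full clip.exe", "full story.exe", "full video.exe",
                     "read more.exe", "video.exe"}
# Assumption: extensions a gateway would refuse regardless of file name.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com")

def inspect_message(raw):
    """Return the reasons to quarantine a raw RFC 5322 message (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower().rstrip(".")
    if subject in LURE_SUBJECTS:
        reasons.append("subject matches a reported lure headline")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in KNOWN_ATTACHMENTS:
            reasons.append("reported attachment name: " + name)
        elif name.endswith(BLOCKED_EXTENSIONS):
            reasons.append("executable attachment: " + name)
    return reasons

def build_sample(subject, filename=None):
    """Build a constructed test message; the attachment body is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("See the attached file.")
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("230 dead as storm batters Europe", "Full Story.exe"),
                        ("Holiday photos", "photos.jpg.exe"),
                        ("Quarterly report", "report.pdf")]:
        print(subj, "->", inspect_message(build_sample(subj, fname)))
```

Because the headlines changed over the weekend, the subject match is the brittle part; the attachment-extension check is the one that keeps working as the lures rotate.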
