
Spammers tweak Storm to push PDF spam, less image spam

By Robert Westervelt, News Editor
13 Jul 2007 | SearchSecurity.com


The Storm Trojan is generating PDF files to evade detection by antivirus software and trick employees with emails that look like business letters, according to researchers at security vendor MessageLabs.

The PDF trend has greatly reduced the amount of image spam, but because the PDF file format is widely used by businesses, it is forcing spam filtering vendors to rapidly develop technology to distinguish PDF spam from legitimate PDF files.

While the new emails containing PDFs currently carry advertisements, they could evolve to deliver malicious code, including bot code, said Matt Sergeant, a senior antispam technologist at the UK-based MessageLabs. The malware could also be automatically downloaded on the victim's computer.

"This is something we'll be watching out for very closely," Sergeant said. "Spammers are always interested in expanding their bot networks, so it might be something that they try in the near future."

Storm currently represents about 30% of all spam. Since January, the Trojan horse has been actively spreading, starting with emails exploiting concern about major European storms by adopting a wide variety of fake news headlines in email subject lines. Finnish antivirus firm F-Secure Corp. said the Trojan horse started to use kernel-mode rootkit techniques to hide its bot spreading files, registry keys, and active network connections.


The Storm Trojan also recently misrepresented itself as a greeting card from family members to trick people into clicking on malicious URLs in their email inbox. It also tried to use patriotic messages during the Independence Day holiday to dupe people into getting infected.

Other security vendors have detected the new Storm worm strain. Symantec reported a decline in image spam in June. In its monthly report, the security vendor pointed to a specific PDF spam campaign as contributing to the decline.

"The PDF attachments result in messages that are very large in size," Symantec said in its Security Response blog. "We have been monitoring this throughout the past month, but it has really heated up this past week. So far, we have observed over 25 million messages that were categorized as PDF spam."

Symantec said the most prevalent type of PDF spam detected in June was a pump-and-dump stock scheme. "Once open, the PDF file displays an image of a stock symbol and some text indicating it's the one to buy."

The malware's expanding presence had contributed to the skyrocketing use of image spam, which successfully bypassed many spam filters, Sergeant said.

"We see very rapid changes from exactly what its behavior is and it's been able to repurpose itself immediately," Sergeant said. "A large portion of the entire botnet is being pushed over to PDFs now."

Sergeant said that IT pros should check that their spam filter has PDF capability and advise employees to be suspicious of PDFs from an unknown sender.

Some current filtering software with PDF capabilities can identify malicious PDF files by checking the code within the file to determine the file structure and how it was created. Researchers are currently trying to develop a better way to eliminate PDF spam, Sergeant said.
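The kind of structural check described above can be sketched as follows. This is an added example, not code from the article or from any vendor named in it: it reads a PDF attachment's object dictionaries to report the generating library and whether the pages carry images but no fonts. The function names, the triage labels and the sample bytes are assumptions made for illustration.

```python
import re

# Constructed sample (not a captured message; xref table omitted): one page
# that draws a single image and declares no fonts, the layout quoted above.
SAMPLE_IMAGE_ONLY = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R
  /Resources << /XObject << /Im0 4 0 R >> >> >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 600 /Height 400
  /Length 0 >> stream
endstream endobj
5 0 obj << /Length 30 >> stream
q 600 0 0 400 0 0 cm /Im0 Do Q
endstream endobj
6 0 obj << /Producer (ExampleLib 1.0) >> endobj
trailer << /Root 1 0 R /Info 6 0 R >>
%%EOF
"""

def pdf_features(data: bytes) -> dict:
    """Collect structural facts from uncompressed PDF object dictionaries."""
    producer = re.search(rb"/Producer\s*\(([^)]*)\)", data)
    return {
        "is_pdf": data.lstrip()[:5] == b"%PDF-",
        # (?![A-Za-z]) keeps /Pages and /FontDescriptor out of the counts
        "pages": len(re.findall(rb"/Type\s*/Page(?![A-Za-z])", data)),
        "images": len(re.findall(rb"/Subtype\s*/Image(?![A-Za-z])", data)),
        "fonts": len(re.findall(rb"/Type\s*/Font(?![A-Za-z])", data)),
        # how the file was created: the generating library, if it says so
        "producer": producer.group(1).decode("latin-1") if producer else None,
        # PDF 1.5+ can pack dictionaries into compressed object streams
        "object_streams": b"/ObjStm" in data,
    }

def triage(data: bytes) -> str:
    """Label an attachment for the filter's next stage (hypothetical labels)."""
    f = pdf_features(data)
    if not f["is_pdf"]:
        return "not-pdf"
    if f["object_streams"]:
        return "needs-full-parser"  # regex view would be incomplete
    if f["pages"] >= 1 and f["images"] >= f["pages"] and f["fonts"] == 0:
        return "image-only"  # no text layer: route to image-spam analysis
    return "has-text"

if __name__ == "__main__":
    print(pdf_features(SAMPLE_IMAGE_ONLY), triage(SAMPLE_IMAGE_ONLY))
```

An "image-only" label is a signal to weigh with sender and content checks, not a verdict, since scanned business documents have the same structure.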


