Security organizations are tracking what's being described as the largest email attack since last year's Warezov outbreak, and the second onslaught this week to steal a page from the Storm Trojan's playbook.
Adam Swidler, senior manager of solutions marketing for San Carlos, Calif.-based security vendor Postini Inc., said bot herders are using the outbreak to expand their array of zombie machines. Those machines can then be used to push out spam, steal sensitive data from infected computers or launch other types of attacks. Initial reports from Postini's global data centers indicate that Thursday's outbreak has driven malware levels 60 times higher than average daily levels on the Internet, he added.
"IT shops need to block executable and .zip files, and users should never open an attachment from someone they don't know and trust," he said.
The outbreak is also being tracked by the Bethesda, Md.-based SANS Internet Storm Center (ISC). The ISC handlers have gotten a slew of emails with varying subject lines promising a patch for an unnamed new worm. The messages contain two attachments: a .zip file that is password-protected, and an image that includes the password for the .zip archive. Among the subject lines of the emails are:
- Worm Alert!
- Worm Detected Virus Alert
- Trojan Detected!
- Worm Activity Detected!
- Spyware Detected!
- Dream of You
The Postini analysis Swidler outlined is similar. The vendor has intercepted emails with "love-related" subject lines and an executable attachment containing a Trojan horse, and emails with "Worm Alert!" in the subject line carrying a .zip attachment with an infected payload.
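The two lure patterns described above (a password-protected .zip plus an image holding the password, and a bare executable attachment) are simple to screen for at the mail gateway. The following is an added illustration, not code from Postini, the ISC or the article: it builds a constructed message in the shape the article reports, then scores it with a few defensive rules (campaign subject line, executable attachment, encrypted .zip, encrypted .zip paired with an image). The subject list is taken from the article; the filenames, addresses and thresholds are assumptions.

```python
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines reported for this campaign (from the article), lower-cased
CAMPAIGN_SUBJECTS = (
    "worm alert!",
    "worm detected virus alert",
    "trojan detected!",
    "worm activity detected!",
    "spyware detected!",
    "dream of you",
)
# Attachment suffixes a gateway would normally block outright (assumed list)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the first local file header
    marks the entry as encrypted (password-protected). A production filter
    should walk the central directory and check every entry."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def score_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and return a quarantine verdict plus reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in CAMPAIGN_SUBJECTS:
        reasons.append("campaign-subject")

    saw_encrypted_zip = saw_image = saw_zip = saw_exe = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(EXECUTABLE_SUFFIXES):
            saw_exe = True
            reasons.append(f"executable-attachment:{name}")
        if name.endswith(".zip") or ctype == "application/zip":
            saw_zip = True
            if zip_is_encrypted(payload):
                saw_encrypted_zip = True
                reasons.append(f"encrypted-zip:{name}")
            else:
                reasons.append(f"zip-attachment:{name}")
        if ctype.startswith("image/"):
            saw_image = True
    if saw_encrypted_zip and saw_image:
        # The "password is in the picture" trick: scanners cannot open the
        # archive, so the image is the tell.
        reasons.append("encrypted-zip-with-image-password-pattern")

    quarantine = saw_encrypted_zip or saw_exe or ("campaign-subject" in reasons and saw_zip)
    return {"quarantine": quarantine, "reasons": reasons}


def build_sample_message() -> bytes:
    """Constructed sample in the reported shape: campaign subject, a
    password-protected .zip and an image. The zip is a real archive whose
    encryption flag bit is patched on, so it *presents* as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("patch.exe", b"not a real program")
    data = bytearray(buf.getvalue())
    flags = struct.unpack_from("<H", data, 6)[0] | 0x0001
    struct.pack_into("<H", data, 6, flags)

    msg = EmailMessage()
    msg["Subject"] = "Worm Alert!"
    msg["From"] = "alerts@example.invalid"   # constructed address
    msg["To"] = "user@example.invalid"       # constructed address
    msg.set_content("Install the attached patch. The archive password is in the image.")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="patch.zip")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, maintype="image",
                       subtype="png", filename="password.png")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed control message with no attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("See you at noon.")
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample_message()))
    print(score_message(build_benign_message()))
```

The filter deliberately does not try to open the archive: an encrypted .zip whose password only exists inside an image is, by itself, enough reason to hold the message, which is the point of the advice quoted above to block executable and .zip attachments rather than rely on content scanning.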
Swidler said Thursday's outbreak was also similar to an attack earlier this week that used emails with fake messages about missile attacks starting World War III. "These attacks are all variations of the same malware family as the Storm worm that plagued email users around the world earlier in the year," he said.
When a user clicks on the attached executable, he said, a rootkit is installed that attempts to hide its presence from virus scans and disable existing antivirus applications. Then it will connect to a peer-to-peer (P2P) network where it can upload data including personal information from the infected computer and download additional malware. The infected computer then becomes a zombie that can be used to send spam and issue other attacks. At the same time that it is connecting to the P2P network, the virus will search the computer's hard drive for email addresses and begin replicating itself by sending emails to the addresses that it finds.
Swidler said the last outbreak of this size was last year's Warezov attack.