10 August 2007

Scam: Ecards = Storm Worm

The Storm Worm is being propagated by spam emails that one has received an ecard from a friend. I receive a lot of ecards, but fortunately my email filter correctly diagnosed this particular one as spam. It's not always reliable, though. What the spam does is mimic precisely the format of ecard notifications, and invites the mark to click on a link to view the card. It's just that the malicious email sends one to a link with a numerical domain (e.g., instead of the usual corporate domains.
InformationWeek: The Storm worm blasted computers around the globe in January. It then reappeared in February when it was used in a spam attack that lured blog, bulletin board, and Webmail users to connect to a malicious Web site. Then in April, it hit again, with the Internet Storm Center reportedly detecting at least 20,000 infections in one day.

"With administrators filtering executable attachments at the mail gateway and most e-mail clients preventing a user from opening an executable attachment, virus authors are constantly improvising to stay ahead in the game," wrote Thomas. "Social engineering -- the oldest trick in the book -- along with the fatal combination of human stupidity plus curiosity provides ample fodder for virus authors to lure new victims; the innumerable newbie users of the Internet being the low hanging fruit."

In this attack, which started in June, hackers are spamming out e-mail messages that lure people to click on links that take them to malicious Web pages. This time the e-mails purport to notify the user that someone has sent them an electronic greeting card, or e-card. It might have a subject line saying something like, "You've Received a Postcard from a Family Member." The body of the message says the user needs to click on the link to view the virtual greeting.
The Storm Worm is a downloader trojan that causes the browser to download additional malware, which, in turn, download spambots that attack http://www.microsoft.com[*] When an attachment is opened, the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm.

Initially, the Storm Worm was propagated through emailed new stories with startling headlines, like "230 dead as storm batters Europe," hence the name.

SOURCES: Sharon Gaudin, "Storm Worm, Hidden In Phony E-Card Spam, Strikes Again" (July 2, 2007), and Gregg Keizer, "'Storm' Spam Surges, Infections Climb" (Jan. 22, 2007) InformationWeek

Labels: , , ,


Post a Comment

<< Home