New storm worm attack turns to web

Share this article:

Spammers have switched their tactics with the latest "storm worm" run in hopes of getting more of the malicious messages delivered into company inboxes.

The newest run, which began late last week, features messages that falsely inform recipients they have received a greeting card from a family member. Some other variants show the message to be coming from an admirer, classmate or colleague.

What makes this run different than previous is that instead of being asked to click on a malicious executable attachment to open their card, users are persuaded to click on a link that redirects them to a compromised website hosting malware, Jose Nazario, senior security researcher at Arbor Networks, told today.

The social engineering attacks exploit a number of patched vulnerabilities - including ANI, QuickTime and WinZip - to add compromised machines to a botnet.

The cybercrooks opted for web-borne malware because it typically leads to a larger infection rate, Nazario said.

"I think part of [the success] is [that] executables are getting blocked at the inbound mail gateway and also web browsers are just as functional and more vulnerable than the email clients and less filtered," he said. "People have found that the browser is one of the best conduits to almost everything on a person’s computer."

These latest social engineering attacks are offshoots of the original storm-worm scam, launched in January, which promised videos of major European wind storms but instead infected users’ machines with a trojan. The attacks made several resurgences during the winter and spring.

Meanwhile, thousands of websites, most in Italy, have been infected with the new MPACK attack tool, which removes a number of competing rootkits on victims’ machines and replaces them with new ones.

This has upset storm-worm spammers so much that a virtual turf battle of sorts has broken out, leading to DDoS attacks.

"Over the past two days, we’ve seen a reasonably large number of attacks…that exhibit a common target set, and appear to be traceable to bot-on-bot attacks, or more interestingly, attacks targeting competitive bot-building infrastructure," Arbor chief researcher Danny McPherson wrote Saturday on the security team’s blog.

Click here to email reporter Dan Kaplan.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Researchers observe more than a hundred connections to 'Backoff' sinkhole

Researchers with Kaspersky Lab were able to sinkhole two command-and-control servers used by certain Backoff point-of-sale malware samples.

Judge lifts stay but Microsoft won't hand over emails during appeal

A judge has lifted a suspension of a previous order compelling Microsoft to hand over customer emails stored on a server in Ireland.

Home Depot investigates possible payment card breach

Home Depot investigates possible payment card breach

Home Depot said on Tuesday that it is working with its banking partners and law enforcement to investigate a possible data breach.