New storm worm attack turns to web


Spammers have switched their tactics with the latest "storm worm" run in hopes of getting more of the malicious messages delivered into company inboxes.

The newest run, which began late last week, features messages that falsely inform recipients they have received a greeting card from a family member. Some other variants show the message to be coming from an admirer, classmate or colleague.

What makes this run different from previous ones is that instead of being asked to open a malicious executable attachment to view their card, users are persuaded to click a link that redirects them to a compromised website hosting malware, Jose Nazario, senior security researcher at Arbor Networks, told SCMagazine.com today.

The social engineering attacks exploit a number of already patched vulnerabilities - including flaws in ANI, QuickTime and WinZip - to add compromised machines to a botnet.

The cybercrooks opted for web-borne malware because it typically leads to a larger infection rate, Nazario said.

"I think part of [the success] is [that] executables are getting blocked at the inbound mail gateway and also web browsers are just as functional and more vulnerable than the email clients and less filtered," he said. "People have found that the browser is one of the best conduits to almost everything on a person’s computer."
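The shift Nazario describes is visible from the defender's side: an inbound gateway that only blocks executable attachments lets the link-based lure straight through. The following toy gateway check is an added example, not code from the article or from Arbor Networks; it assumes a hypothetical policy in which a known card provider (`cards.example.com`) is trusted and everything else in an e-card lure is quarantined. The three sample messages are constructed here, not real Storm samples.

```python
"""Toy inbound-mail check contrasting the two delivery paths discussed in the
article: an executable attachment versus an e-card lure whose link points to an
untrusted or IP-addressed host. Hypothetical example with constructed messages."""
import re
from email import message_from_string
from email.message import EmailMessage, Message
from urllib.parse import urlparse

# Attachment extensions a gateway would typically block outright.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Phrases that mark the greeting-card social-engineering theme.
LURE_PHRASES = ("greeting card", "e-card", "ecard", "postcard")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def executable_attachments(msg: Message) -> list:
    """Filenames of attachments whose extension is on the executable list."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in EXEC_EXTENSIONS):
            names.append(name)
    return names

def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)

def suspicious_links(msg: Message, trusted_hosts) -> list:
    """URLs in an e-card lure whose host is a raw IPv4 address or not trusted."""
    text = body_text(msg)
    if not any(phrase in text.lower() for phrase in LURE_PHRASES):
        return []  # not an e-card lure; leave link policy to other filters
    flagged = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if IPV4_RE.fullmatch(host) or host not in trusted_hosts:
            flagged.append(url)
    return flagged

def classify(raw: str, trusted_hosts=frozenset({"cards.example.com"})) -> str:
    """Gateway verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    if executable_attachments(msg):
        return "block: executable attachment"
    if suspicious_links(msg, trusted_hosts):
        return "quarantine: e-card lure with untrusted link"
    return "deliver"

def build_sample(body: str, attachment_name=None) -> str:
    """Construct a sample message (hypothetical addresses) for the demo."""
    msg = EmailMessage()
    msg["From"] = "cards@example.net"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "You've received a greeting card"
    msg.set_content(body)
    if attachment_name:
        # Constructed dummy payload; only the filename matters to the check.
        msg.add_attachment(b"MZ-dummy", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()

# Older run: the card "is" the attached executable.
OLD_STYLE = build_sample("Open the attached card to view it.", "card.exe")
# Newer run: no attachment, the link leads to an IP-addressed host.
NEW_STYLE = build_sample("You have received a greeting card from a family "
                         "member. View it at http://192.0.2.10/card.php")
# Legitimate card from the trusted provider.
BENIGN = build_sample("Your greeting card is waiting: "
                      "https://cards.example.com/view?id=123")

if __name__ == "__main__":
    for label, raw in (("old", OLD_STYLE), ("new", NEW_STYLE), ("benign", BENIGN)):
        print(f"{label:7s} -> {classify(raw)}")
```

The point of the split into two functions is that `executable_attachments` alone would return the "new" sample as clean; the link check has to inspect the body, and in practice it would be backed by URL reputation rather than a fixed allow list.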

These latest social engineering attacks are offshoots of the original storm worm scam, launched in January, which promised videos of major European wind storms but instead infected users’ machines with a trojan. The attacks resurfaced several times during the winter and spring.

Meanwhile, thousands of websites, most in Italy, have been infected with the new MPACK attack tool, which removes a number of competing rootkits on victims’ machines and replaces them with new ones.

This has upset the storm worm spammers so much that a virtual turf battle of sorts has broken out, leading to DDoS attacks.

"Over the past two days, we’ve seen a reasonably large number of attacks…that exhibit a common target set, and appear to be traceable to bot-on-bot attacks, or more interestingly, attacks targeting competitive bot-building infrastructure," Arbor chief researcher Danny McPherson wrote Saturday on the security team’s blog.

Reporter: Dan Kaplan.
