New storm worm attack turns to web


Spammers have switched their tactics with the latest "storm worm" run in hopes of getting more of the malicious messages delivered into company inboxes.

The newest run, which began late last week, features messages that falsely inform recipients they have received a greeting card from a family member. Other variants claim the card comes from an admirer, classmate or colleague.

What makes this run different from previous ones is that instead of being asked to click on a malicious executable attachment to open their card, users are persuaded to click on a link that redirects them to a compromised website hosting malware, Jose Nazario, senior security researcher at Arbor Networks, told SCMagazine.com today.

The social engineering attacks exploit a number of patched vulnerabilities - including ANI, QuickTime and WinZip - to add compromised machines to a botnet.

The cybercrooks opted for web-borne malware because it typically leads to a larger infection rate, Nazario said.

"I think part of [the success] is [that] executables are getting blocked at the inbound mail gateway and also web browsers are just as functional and more vulnerable than the email clients and less filtered," he said. "People have found that the browser is one of the best conduits to almost everything on a person’s computer."
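The shift Nazario describes, from an executable attachment that the mail gateway blocks to a lure whose link is served from elsewhere, is easy to reason about in triage code. The following is an added example, not code from the article or from Arbor Networks: it takes constructed greeting-card messages (the addresses, hosts and wording are invented; 203.0.113.7 is a documentation address), blocks those carrying executable attachments, and quarantines lure-worded messages whose links point at a bare IP address or a host outside the sender's own domain. The lure phrases, attachment extensions and the domain-mismatch rule are assumptions chosen for the example, not a vendor rule set.

```python
import ipaddress
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Heuristics only (assumptions for this example, not a vendor rule set):
# lure wording typical of greeting-card scams, and attachment types a mail
# gateway would normally block outright.
LURE_PHRASES = ("greeting card", "e-card", "ecard", "postcard", "sent you a card")
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _text_parts(msg):
    """Yield the decoded text bodies of a message, skipping attachments."""
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.get_filename():
            continue
        payload = part.get_payload(decode=True)
        if payload:
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(raw):
    """Return findings and a verdict (block / quarantine / deliver) for one raw message."""
    msg = message_from_string(raw)
    text = " ".join(_text_parts(msg)).lower()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    executables = [n for n in attachments if n.lower().endswith(EXECUTABLE_EXTS)]
    lure = any(phrase in text for phrase in LURE_PHRASES)

    # A link is suspicious when it points at a bare IP address or at a host
    # outside the sender's own domain: the card the mail claims comes from
    # one place is being served from another.
    suspicious_links = []
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,;)")).hostname or ""
        own_domain = host == sender_domain or host.endswith("." + sender_domain)
        if _is_ip_literal(host) or not own_domain:
            suspicious_links.append(url)

    if executables:
        verdict = "block"
    elif lure and suspicious_links:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return {"lure": lure, "executable_attachments": executables,
            "suspicious_links": suspicious_links, "verdict": verdict}


def _build(sender, subject, body, attachment=None):
    """Build a raw RFC 5322 message for the constructed samples below."""
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_string()


# Constructed samples: the addresses, hosts and wording are invented for this
# example; 203.0.113.7 is a documentation address.
SAMPLES = {
    "attachment_lure": _build("cards@example-cards.test", "You've received a greeting card",
                              "A family member sent you a greeting card.\nOpen card.exe to view it.",
                              ("card.exe", b"MZ\x90\x00not-a-real-binary")),
    "link_lure": _build("cards@example-cards.test", "You've received a greeting card",
                        "A classmate sent you a greeting card.\n"
                        "View it here: http://203.0.113.7/ecard/view.php?id=7"),
    "link_lure_own_domain": _build("noreply@cards.example.org", "An admirer sent you an e-card",
                                   "View your e-card at https://cards.example.org/view/7"),
    "benign": _build("orders@shop.example.com", "Your order has shipped",
                     "Track your parcel at https://shop.example.com/track/42"),
}


def triage(samples=SAMPLES):
    """Classify every sample and return name -> verdict."""
    return {name: classify(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:22s} {verdict}")
```

The own-domain sample is there to show the limit of the rule: a card genuinely served from the sender's domain is delivered, so a gateway relying on this check still depends on sender authentication (SPF/DKIM) to stop a spoofed From address from carrying its own matching link.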

These latest social engineering attacks are offshoots of the original storm-worm scam, launched in January, which promised videos of major European wind storms but instead infected users’ machines with a trojan. The attacks made several resurgences during the winter and spring.

Meanwhile, thousands of websites, most in Italy, have been infected with the new MPACK attack tool, which removes a number of competing rootkits on victims’ machines and replaces them with new ones.

This has upset storm-worm spammers so much that a virtual turf battle of sorts has broken out, leading to DDoS attacks.

"Over the past two days, we’ve seen a reasonably large number of attacks…that exhibit a common target set, and appear to be traceable to bot-on-bot attacks, or more interestingly, attacks targeting competitive bot-building infrastructure," Arbor chief researcher Danny McPherson wrote Saturday on the security team’s blog.

Reported by Dan Kaplan.
