Storm Worm New Year's greetings proliferating

Share this article:
The holiday blitz from the perpetrators of the Storm Worm, which began with fake Christmas messages last month, has continued unabated as a spate of false New Year's greetings have been delivered by the notorious botnet, researchers reported this week.

The spam campaigns, which contain links to malicious websites, are using a wide variety of subject lines including "A brand New Year 2008," "Blasting New Year 2008," "Dance to the New 2008 Year tune" and "Happy New Year 2008 to the one I love," according to researchers at Sophos and Trend Micro.

“This is one of the many variants of the Storm Worm that leverage the latest and greatest event or holiday," Mike Haro, senior security analyst at Sophos, told SCMagazineUS.com. “We'll see more of the same as we go further into 2008."

A previous holiday version of the Storm Worm, also known as the Dorf worm, used the lure of Santa Claus' wife doing a striptease, with links to malicious sites inside the message.

The Storm Worm, a trojan that has spawned a huge botnet army of zombie computers, has become the most widely spread type of malware, with some estimates indicating that it has infected between one million and 50 million PCs globally.

These Christmas- and New Year's-themed spam messages contain links to malware-hosting domains that are "difficult to take down," Trend Micro researcher Paul Ferguson noted in a blog entry, noting “the methodology in which these criminals have deployed them, and the clever way they knew how to maximize their window of opportunity due to registrar operation hours during the end-of-year holiday."

"As to contacting the registrar where [the malicious] domain was initially registered -- well, that's where the second part of the 'cleverness of maximizing their window of opportunity' comes into play," he said. "The criminals who planned this attack…ran all their malware domains (which the victims click on to download their 'greeting card') on fast-flux botnet hosting, relying on the Russian ccTLD Registrar NIC.ru to do the updates.”

Due to holiday hours, that's a major problem for combating the attack, he noted.

"Unfortunately for all of us, NIC.ru is closed for Christmas and New Year, not returning until January 9," Ferguson said. "Many people have tried to contact NIC.ru, both by telephone (during their advertised business hours) and by email, but NIC.ru does not reply. Ten or so more days of availability -- at the very least -- will more than likely contribute to these criminals building an even larger botnet, capable of immense badness.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

As EMV deadline looms, industry looks to next ATM attack front

As EMV deadline looms, industry looks to next ...

Next year, EMV migration in the U.S. will inevitability change fraudsters' attack methods.

Kevin Mitnick to sell zero-day exploits

Kevin Mitnick's new venture will develop and procure zero-day exploits, then sell them for $100,000 or more.

FBI warns of potential cyber attacks launched by ISIS hacktivists

Following U.S. military airstrikes in the Middle East, the FBI has issued a warning regarding possible cyber threats aimed at U.S. networks and critical infrastructure by hacktivists in support of ISIS.