Storm Worm New Year's greetings proliferating

Share this article:
The holiday blitz from the perpetrators of the Storm Worm, which began with fake Christmas messages last month, has continued unabated as a spate of false New Year's greetings have been delivered by the notorious botnet, researchers reported this week.

The spam campaigns, which contain links to malicious websites, are using a wide variety of subject lines including "A brand New Year 2008," "Blasting New Year 2008," "Dance to the New 2008 Year tune" and "Happy New Year 2008 to the one I love," according to researchers at Sophos and Trend Micro.

“This is one of the many variants of the Storm Worm that leverage the latest and greatest event or holiday," Mike Haro, senior security analyst at Sophos, told SCMagazineUS.com. “We'll see more of the same as we go further into 2008."

A previous holiday version of the Storm Worm, also known as the Dorf worm, used the lure of Santa Claus' wife doing a striptease, with links to malicious sites inside the message.

The Storm Worm, a trojan that has spawned a huge botnet army of zombie computers, has become the most widely spread type of malware, with some estimates indicating that it has infected between one million and 50 million PCs globally.

These Christmas- and New Year's-themed spam messages contain links to malware-hosting domains that are "difficult to take down," Trend Micro researcher Paul Ferguson noted in a blog entry, noting “the methodology in which these criminals have deployed them, and the clever way they knew how to maximize their window of opportunity due to registrar operation hours during the end-of-year holiday."

"As to contacting the registrar where [the malicious] domain was initially registered -- well, that's where the second part of the 'cleverness of maximizing their window of opportunity' comes into play," he said. "The criminals who planned this attack…ran all their malware domains (which the victims click on to download their 'greeting card') on fast-flux botnet hosting, relying on the Russian ccTLD Registrar NIC.ru to do the updates.”

Due to holiday hours, that's a major problem for combating the attack, he noted.

"Unfortunately for all of us, NIC.ru is closed for Christmas and New Year, not returning until January 9," Ferguson said. "Many people have tried to contact NIC.ru, both by telephone (during their advertised business hours) and by email, but NIC.ru does not reply. Ten or so more days of availability -- at the very least -- will more than likely contribute to these criminals building an even larger botnet, capable of immense badness.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.