Storm Worm New Year's greetings proliferating

The holiday blitz from the perpetrators of the Storm Worm, which began with fake Christmas messages last month, has continued unabated as a spate of false New Year's greetings have been delivered by the notorious botnet, researchers reported this week.

The spam campaigns, which contain links to malicious websites, are using a wide variety of subject lines including "A brand New Year 2008," "Blasting New Year 2008," "Dance to the New 2008 Year tune" and "Happy New Year 2008 to the one I love," according to researchers at Sophos and Trend Micro.

"This is one of the many variants of the Storm Worm that leverage the latest and greatest event or holiday," Mike Haro, senior security analyst at Sophos, told SCMagazineUS.com. "We'll see more of the same as we go further into 2008."

A previous holiday version of the Storm Worm, also known as the Dorf worm, used the lure of Santa Claus' wife doing a striptease, with links to malicious sites inside the message.

The Storm Worm, a trojan that has spawned a huge botnet army of zombie computers, has become the most widely spread type of malware, with some estimates indicating that it has infected between one million and 50 million PCs globally.

These Christmas- and New Year's-themed spam messages contain links to malware-hosting domains that are "difficult to take down," Trend Micro researcher Paul Ferguson wrote in a blog entry, citing "the methodology in which these criminals have deployed them, and the clever way they knew how to maximize their window of opportunity due to registrar operation hours during the end-of-year holiday."

"As to contacting the registrar where [the malicious] domain was initially registered -- well, that's where the second part of the 'cleverness of maximizing their window of opportunity' comes into play," he said. "The criminals who planned this attack…ran all their malware domains (which the victims click on to download their 'greeting card') on fast-flux botnet hosting, relying on the Russian ccTLD Registrar NIC.ru to do the updates."
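Fast-flux hosting of the kind Ferguson describes leaves a recognisable trace in resolver logs: repeated lookups of the same name return different sets of short-TTL addresses scattered across unrelated networks, which is why blocking any single IP has little effect. The following heuristic is an added example, not code from the article or from Trend Micro; it runs over a constructed observation log with hypothetical domain names and RFC 5737 test addresses, and uses the /16 prefix as a crude stand-in for the ASN lookup a real detector would perform.

```python
from typing import Dict, List, Tuple

# Constructed DNS observation log (hypothetical domains, documentation-range
# IPs; nothing here is taken from the article). Each entry is one query:
# (time_in_seconds, domain, ttl, answer_ips).
OBSERVATIONS: List[Tuple[int, str, int, List[str]]] = [
    (0,    "greeting-card.example", 30, ["192.0.2.10", "198.51.100.7", "203.0.113.22", "192.0.2.99"]),
    (60,   "greeting-card.example", 30, ["198.51.100.7", "203.0.113.5", "192.0.2.143", "198.51.100.200"]),
    (120,  "greeting-card.example", 30, ["203.0.113.61", "192.0.2.10", "198.51.100.88", "203.0.113.22"]),
    (0,    "static-site.example", 3600, ["192.0.2.1", "192.0.2.2"]),
    (1800, "static-site.example", 3600, ["192.0.2.1", "192.0.2.2"]),
]


def summarise(observations: List[Tuple[int, str, int, List[str]]], domain: str) -> Dict[str, int]:
    """Collect the per-domain facts that fast-flux heuristics rely on:
    how many distinct IPs were ever returned, how many distinct /16
    prefixes they span (network diversity), and the largest TTL seen."""
    ips = set()
    prefixes = set()
    max_ttl = 0
    queries = 0
    for _, name, ttl, answers in observations:
        if name != domain:
            continue
        queries += 1
        max_ttl = max(max_ttl, ttl)
        for ip in answers:
            ips.add(ip)
            # /16 prefix as a simplification; production code would map to ASN.
            prefixes.add(".".join(ip.split(".")[:2]))
    return {"queries": queries, "unique_ips": len(ips),
            "unique_prefixes": len(prefixes), "max_ttl": max_ttl}


def is_fast_flux(observations: List[Tuple[int, str, int, List[str]]], domain: str,
                 min_ips: int = 5, min_prefixes: int = 3, ttl_limit: int = 300) -> bool:
    """Flag a domain when it has been seen more than once, answers with many
    distinct addresses across several networks, and keeps TTLs short so the
    rotation takes effect quickly. Thresholds are illustrative, not tuned."""
    s = summarise(observations, domain)
    return (s["queries"] >= 2 and s["unique_ips"] >= min_ips
            and s["unique_prefixes"] >= min_prefixes and s["max_ttl"] <= ttl_limit)


if __name__ == "__main__":
    for name in ("greeting-card.example", "static-site.example"):
        print(name, summarise(OBSERVATIONS, name), "fast-flux" if is_fast_flux(OBSERVATIONS, name) else "ok")
```

A domain flagged this way is a candidate for blocking at the resolver or proxy, which is a control defenders keep regardless of registrar office hours.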

Due to holiday hours, that's a major problem for combating the attack, he noted.

"Unfortunately for all of us, NIC.ru is closed for Christmas and New Year, not returning until January 9," Ferguson said. "Many people have tried to contact NIC.ru, both by telephone (during their advertised business hours) and by email, but NIC.ru does not reply. Ten or so more days of availability -- at the very least -- will more than likely contribute to these criminals building an even larger botnet, capable of immense badness."
