Storm Worm New Year’s greetings proliferating

The holiday blitz from the perpetrators of the Storm Worm, which began with fake Christmas messages last month, has continued unabated as a spate of false New Year's greetings has been delivered by the notorious botnet, researchers reported this week.

The spam campaigns, which contain links to malicious websites, are using a wide variety of subject lines including "A brand New Year 2008," "Blasting New Year 2008," "Dance to the New 2008 Year tune" and "Happy New Year 2008 to the one I love," according to researchers at Sophos and Trend Micro.

"This is one of the many variants of the Storm Worm that leverage the latest and greatest event or holiday," Mike Haro, senior security analyst at Sophos, told SCMagazineUS.com. "We'll see more of the same as we go further into 2008."

A previous holiday version of the Storm Worm, also known as the Dorf worm, used the lure of Santa Claus' wife doing a striptease, with links to malicious sites inside the message.

The Storm Worm, a trojan that has spawned a huge botnet army of zombie computers, has become the most widely spread type of malware, with some estimates indicating that it has infected between one million and 50 million PCs globally.

These Christmas- and New Year's-themed spam messages contain links to malware-hosting domains that are "difficult to take down," Trend Micro researcher Paul Ferguson noted in a blog entry, citing "the methodology in which these criminals have deployed them, and the clever way they knew how to maximize their window of opportunity due to registrar operation hours during the end-of-year holiday."

"As to contacting the registrar where [the malicious] domain was initially registered -- well, that's where the second part of the 'cleverness of maximizing their window of opportunity' comes into play," he said. "The criminals who planned this attack…ran all their malware domains (which the victims click on to download their 'greeting card') on fast-flux botnet hosting, relying on the Russian ccTLD Registrar NIC.ru to do the updates."

Due to holiday hours, that's a major problem for combating the attack, he noted.

"Unfortunately for all of us, NIC.ru is closed for Christmas and New Year, not returning until January 9," Ferguson said. "Many people have tried to contact NIC.ru, both by telephone (during their advertised business hours) and by email, but NIC.ru does not reply. Ten or so more days of availability -- at the very least -- will more than likely contribute to these criminals building an even larger botnet, capable of immense badness."
