Storm Worm spams its bots with stock pop-up

Share this article:

Some 250,000 computer users, who likely never knew their machines had been seeded with the notorious Storm Worm virus, received confirmation this week when a pop-up stock spam message appeared on their desktops.

Their machines, normally used to power the Storm botnet to deliver spam and malware-laced messages, became a self-spamming tool, experts said. The pop-up ad, which executes upon receiving a remote command, encourages users to buy stock in a thinly traded company called Hemisphere Gold Inc.

The company, whose ticker symbol is HPGI, is traded on the Pink Sheets, an over-the-counter electronic trading system.

"Normally, when Storm is sending out these stock pitches, it's overlooking the opportunity to force all of those infected users to see the message," Joe Stewart, senior security researcher at SecureWorks, told SCMagazineUS.com today.

It appears the pump-and-dump spam campaign worked. The stock jumped from under $1-a-share Tuesday to more than $1.20-a-share today, a 20 percent spike, with more than 145,000 shares changing hands.

This new technique follows other attempts, such as MP3 spam, to dupe unsuspecting users into purchasing penny stocks, which are highly volatile and whose value can increase rapidly with a relatively small trading volume.

"The Storm authors seem to like trying new things every few weeks," Stewart said. "It's kind of a try-and-see-what-works kind of thing -- try and reach as many people who might be willing to invest in these stocks."

But this new approach could backfire, as users may realize their machines are infected and rid them of the malware, Josh Corman, principal security strategist at IBM ISS, told SCMagazineUS.com today.

"You could argue it's a misstep," he said.

Corman said the Storm Worm is an "instantiation of a class of botnets" that is being used in attacks such as pump-and-dump campaigns to derive profits for its authors. It communicates through decentralized peer-to-peer networks, which makes it difficult to stop.

If the Storm Worm authors find a way to monetize other uses for the botnet, users may see an influx of DDoS attacks that could paralyze some organizations. Some businesses are preparing for such an incident by reassessing their disaster recovery capabilities, Corman said.

He said he also worries about a political motive: For example, Storm could impact the websites of presidential candidates, or be used to deliver spam that may sway voter's decisions, Corman said.

"These could dramatically impact who gets the presidential nomination for their party," he said.

So far, the attackers seem content with sending out emails that either attempt to infect more machines or trick users into buying stocks, Stewart said. Based on analysis he conducted today, he said the next campaign may use Geocities webpages to host a malicious executable.

Users should also be ready for a spam run on Thanksgiving, experts said. The Storm Worm virus likes to capitalize on major holidays or news events to create messages that appear legitimate.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.