New storm worm attack turns to web

Spammers have switched their tactics with the latest "storm worm" run in hopes of getting more of the malicious messages delivered into company inboxes.

The newest run, which began late last week, features messages that falsely inform recipients they have received a greeting card from a family member. Some other variants show the message to be coming from an admirer, classmate or colleague.

What makes this run different from previous ones is that, instead of being asked to open a malicious executable attachment to view their card, users are persuaded to click a link that redirects them to a compromised website hosting malware, Jose Nazario, senior security researcher at Arbor Networks, said today.

The social engineering attacks exploit a number of already patched vulnerabilities - including the ANI, QuickTime and WinZip flaws - to add compromised machines to a botnet.

The cybercrooks opted for web-borne malware because it typically leads to a larger infection rate, Nazario said.

"I think part of [the success] is [that] executables are getting blocked at the inbound mail gateway and also web browsers are just as functional and more vulnerable than the email clients and less filtered," he said. "People have found that the browser is one of the best conduits to almost everything on a person’s computer."

These latest social engineering attacks are offshoots of the original storm-worm scam, launched in January, which promised videos of major European wind storms but instead infected users’ machines with a trojan. The attacks made several resurgences during the winter and spring.

Meanwhile, thousands of websites, most in Italy, have been infected with the new MPACK attack tool, which removes a number of competing rootkits on victims’ machines and replaces them with new ones.

This has upset storm-worm spammers so much that a virtual turf battle of sorts has broken out, leading to DDoS attacks.

"Over the past two days, we’ve seen a reasonably large number of attacks…that exhibit a common target set, and appear to be traceable to bot-on-bot attacks, or more interestingly, attacks targeting competitive bot-building infrastructure," Arbor chief researcher Danny McPherson wrote Saturday on the security team’s blog.
