
New storm worm run called largest virus attack in two years


The infamous "storm worm" virus attack began another run last week, one that messaging security vendor Postini called the largest in two years.

The San Carlos, Calif.-based company, which Google announced intentions to acquire earlier this month, said this week that the storm worm attack that began July 16 generated 120 million messages by Friday.

Postini said that the attack is spreading through blended methods, using emails that contain links to malicious websites that exploit vulnerabilities.

The attack was named for the deadly European wind storms that occurred simultaneously with the first attacks this past January. Early attacks arrived with video EXE files with storm-related headings, such as "230 dead as storm batters Europe."

Researchers spotted a storm worm run earlier this month that used messages falsely informing recipients that they received a greeting card from a family member, admirer, classmate or colleague.

That storm worm run was the first of its kind to redirect recipients to a malicious website instead of using a malicious attachment.

The social engineering attack exploited a number of already patched vulnerabilities, including flaws in ANI, QuickTime and WinZip, to add compromised machines to a botnet.

Adam Swidler, senior manager of solutions marketing at Postini, told today that the most recent storm worm attack is five times larger than the previous largest attack.

"[The attack’s] URLs are all using IP addresses instead of domain-based URLs, and that’s a flag we look out for," he said. "I think the biggest thing [about this attack] is the volume, the sustained nature, and it went on for nine days using the blended attack of email and the web to deliver the payload to the PC."
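The IP-address flag Swidler describes is easy to turn into a mail-filter check: extract every link in a message and raise an alert when the host part is a bare IPv4 or IPv6 literal rather than a domain name. The script below is an added illustration of that heuristic, not Postini's or SecureWorks' code; the URL pattern, the function names and the sample messages (modelled on the e-card lure the article mentions) are my own assumptions.

```python
"""Flag e-mail links whose host is a raw IP address instead of a domain name.

Added example (not Postini's or SecureWorks' code) of the heuristic described
in the article: storm worm lure URLs pointed at bare IP addresses.
The sample messages below are constructed for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Matches http/https URLs in free text; stops at whitespace, angle brackets,
# quotes or a closing parenthesis. Brackets are allowed so IPv6 hosts survive.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL found in a message body, trailing punctuation removed."""
    return [m.group(0).rstrip(".,;") for m in URL_RE.finditer(text)]


def host_is_ip_literal(url: str) -> bool:
    """True when the URL's host is an IPv4 or IPv6 literal rather than a hostname."""
    try:
        host = urlsplit(url).hostname  # strips port, userinfo and IPv6 brackets
    except ValueError:                  # malformed URL (e.g. unbalanced brackets)
        return False
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_message(body: str) -> list[str]:
    """Return the IP-literal URLs found in a message body (empty list means no hit)."""
    return [u for u in extract_urls(body) if host_is_ip_literal(u)]


# Constructed sample messages modelled on the greeting-card lure in the article.
SAMPLE_MESSAGES = {
    "ecard_ip": "You have received a greeting card from a classmate! "
                "View it at http://192.0.2.44/ecard.exe?id=7731 before it expires.",
    "ecard_ipv6": "Your secret admirer sent you a card: http://[2001:db8::1]/?card=5",
    "legit_domain": "Your order shipped. Track it at https://shop.example.com/track/123.",
    "no_links": "Lunch on Friday? Let me know.",
}


def scan(messages: dict[str, str]) -> dict[str, list[str]]:
    """Run the heuristic over a batch; returns {message_id: [flagged urls]}."""
    return {mid: flag_message(body) for mid, body in messages.items()}


if __name__ == "__main__":
    for mid, hits in scan(SAMPLE_MESSAGES).items():
        print(f"{'FLAG' if hits else 'ok  '} {mid}: {hits}")
```

Used as one signal among several: an IP-literal link alone is not proof of malice (internal tools and some legitimate mailers use them), so in practice the hit is scored alongside the lure wording and the sender's reputation rather than used to block outright.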

Joe Stewart, senior security researcher at SecureWorks, told today that his firm has seen storm worm spam mostly using an ecard as a lure.

"It’s the ecard ploy and the social engineering ploy, and if you go ahead and click on the ecard, it takes you to a page that can get some exploit code through the browser, and if that doesn’t work they prompt you to download the malware," he said.
