Security Architecture, Application security, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Malware, Phishing, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Storm Worm spams its bots with stock pop-up

Some 250,000 computer users, who likely never knew their machines had been seeded with the notorious Storm Worm virus, received confirmation this week when a pop-up stock spam message appeared on their desktops.

Their machines, normally used to power the Storm botnet to deliver spam and malware-laced messages, became a self-spamming tool, experts said. The pop-up ad, which executes upon receiving a remote command, encourages users to buy stock in a thinly traded company called Hemisphere Gold Inc.

The company, whose ticker symbol is HPGI, is traded on the Pink Sheets, an over-the-counter electronic trading system.

"Normally, when Storm is sending out these stock pitches, it's overlooking the opportunity to force all of those infected users to see the message," Joe Stewart, senior security researcher at SecureWorks, told today.

It appears the pump-and-dump spam campaign worked. The stock jumped from under $1-a-share Tuesday to more than $1.20-a-share today, a 20 percent spike, with more than 145,000 shares changing hands.

This new technique follows other attempts, such as MP3 spam, to dupe unsuspecting users into purchasing penny stocks, which are highly volatile and whose value can increase rapidly with a relatively small trading volume.

"The Storm authors seem to like trying new things every few weeks," Stewart said. "It's kind of a try-and-see-what-works kind of thing -- try and reach as many people who might be willing to invest in these stocks."

But this new approach could backfire, as users may realize their machines are infected and rid them of the malware, Josh Corman, principal security strategist at IBM ISS, told today.

"You could argue it's a misstep," he said.

Corman said the Storm Worm is an "instantiation of a class of botnets" that is being used in attacks such as pump-and-dump campaigns to derive profits for its authors. It communicates through decentralized peer-to-peer networks, which makes it difficult to stop.

If the Storm Worm authors find a way to monetize other uses for the botnet, users may see an influx of DDoS attacks that could paralyze some organizations. Some businesses are preparing for such an incident by reassessing their disaster recovery capabilities, Corman said.

He said he also worries about a political motive: For example, Storm could impact the websites of presidential candidates, or be used to deliver spam that may sway voter's decisions, Corman said.

"These could dramatically impact who gets the presidential nomination for their party," he said.

So far, the attackers seem content with sending out emails that either attempt to infect more machines or trick users into buying stocks, Stewart said. Based on analysis he conducted today, he said the next campaign may use Geocities webpages to host a malicious executable.

Users should also be ready for a spam run on Thanksgiving, experts said. The Storm Worm virus likes to capitalize on major holidays or news events to create messages that appear legitimate.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.