
Storm’s “Valentine’s Day massacre” arrives early

The notorious Storm worm trojan has continued its holiday-themed onslaught – first seen in fake Christmas and New Year's messages – with a massive wave of “love” notes that attempt to deliver a poison kiss to a recipient's PC in the form of malicious code.


Researchers at Sophos, who issued a warning Wednesday about the latest Storm surge, said it has metastasized to the point where it is now making up almost eight percent of overall email traffic.


The first anniversary this week of the appearance of the prolific Storm trojan, which has been used by its creators to spawn a growing botnet army of zombie computers, also has been marked by the introduction of an online tool that permits researchers to share information regarding the latest manifestations of Storm.


The new tool, called StormTracker, can be found on Secure Computing's research portal. It tracks and automatically updates, on a real-time basis, the most active web proxy IPs and domains associated with Storm, and it flags newly activated Storm-related IPs.


Sophos reported on its security blog that Storm has begun spamming out romantic email messages that try to lure recipients to websites laced with malware. The fake love notes are arriving with subject lines including “Falling in Love with You,” “Our Love Will Last,” “You're the One,” and “Our Love is Strong,” among numerous other enticing headings.


According to Sophos, the body of each love message directs the recipient to an IP-address-based site hosted on the Storm botnet. The site features a large graphic representation of a heart and a notification reading, “Your download should begin shortly. If your download does not start in 10-20 seconds, you can click here to launch the download and then press run. Enjoy!”
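As an added illustration (not code from Sophos or from this article), the two traits Sophos describes, a love-themed subject line and a link whose host is a bare IP address, can be combined into a simple mail-filter heuristic. The function names, the sample messages and the 192.0.2.x documentation addresses are constructed for the example.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Subject lines quoted in the Sophos report (the report notes there are others).
REPORTED_SUBJECTS = {
    "falling in love with you", "our love will last",
    "you're the one", "our love is strong",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample messages; 192.0.2.0/24 is reserved for documentation.
SAMPLES = {
    "lure": "From: a@example.com\nSubject: Our Love Will Last\n\nhttp://192.0.2.10/\n",
    "named_host": "From: b@example.com\nSubject: You're the One\n\nhttp://cards.example.com/\n",
    "ops_mail": "From: c@example.com\nSubject: Router moved\n\nNew UI: http://192.0.2.1/admin\n",
}


def ip_literal_urls(text):
    """Return URLs in text whose host is a raw IP address, not a domain name."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:  # host is a name, empty, or the URL is malformed
            continue
        hits.append(url)
    return hits


def score_message(raw):
    """Score one RFC 5322 message against the two reported traits."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower().replace("\u2019", "'")
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = ip_literal_urls(body.get_content() if body else "")
    subject_match = subject in REPORTED_SUBJECTS
    # Flag only when both traits co-occur: an IP-literal link alone is common
    # in legitimate admin mail, and a subject alone is easy to collide with.
    return {"subject_match": subject_match, "ip_urls": urls,
            "flag": subject_match and bool(urls)}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, score_message(raw))
```

Because the subject list in the report is not exhaustive, the IP-literal link is the more durable of the two signals; the subject match mainly serves to reduce false positives.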


The bogus web page has JavaScript code that attempts to hide the link to the malware binary from automated crawlers, Sophos reported.


The Valentine-themed email blitz comes on the heels of two phishing attacks on major international banks that are believed to have been mounted using the Storm botnet, the first such assault on the financial sector emanating from the Storm network.


The Fortinet Global Security Research team last week reported that attackers first targeted Barclays bank, and then shut down their bogus Barclays phishing site on detection by Fortinet and mounted a new attack on Halifax Bank customers, according to Fortinet Threat Response Team manager Guillaume Lovet.

Lovet said the attack appeared to be the work of amateurs who had gained access to the Storm botnet, possibly an indication that Storm's creators are offering use of the zombie network to a wide array of cybercriminals. Last month, Cisco warned that the creators of the Storm trojan and botnet might be preparing to sublet it to cybercriminals for phishing attacks.
