Security researchers discovered a spate of new variants of the Storm worm making the rounds this weekend through emails reporting fictitious news of the United States attacking Iran.The scam emails on the loose include mangled subject lines, such as "USA Just Have Started World War III,” "Missle Strike: The USA kills more then 20000 Iranian citizen," "Israel Just Have Started World War III" and "USA Missile Strike: Iran War just have started" — all with malicious programs with enticing names such as “movie.exe.”
According to Adam O’Donnell, senior research scientist with Cloudmark, the latest analysis of the malicious binaries showed that they are variants of the storm worm that first made its big splash with millions of infections in January.
“This is the exact same thing,” he said. “The attackers use a methodology where they send out an executable attachment associated with some kind of major news story, or fictitious news story, to get people interested enough to load up the virus. When the virus is installed, it creates a peer-to-peer network. Most of the attackers are interested in setting up spam-sending networks, which is most likely the purpose of this variant as well.”
The analysis by the Cloudmark team found that 12 main variants were sent in a blitz that began on Sunday morning.
“I would be surprised if that was unintentional,” he said, explaining that the professional hackers probably hoped to take advantage of the fact that most security researchers would be with their families. “These guys know how to make money.”
The tactic worked, O’Donnell said, explaining that it took 24-hours for most of the major anti-virus (AV) vendors to respond to the attacks. He questioned the speed, wondering why the vendors didn’t create more versatile signatures for the worm when the first wave hit systems in January.
“You would think after that episode, the traditional AV organizations would be a little more proactive about writing generic signatures to catch this kind of attack,” he said. “But that apparently wasn’t the case. The true issue is that AV organizations are structured to combat the threat of a teenager in the basement, but nowadays we face what I like to call a unified threat horizon created by the criminal underground.”
Click here to email West Coast Bureau Chief Ericka Chickowski.
Looking for a new job? SCMagazine.com has the latest IT security employment opportunities. Click here for our jobs page.