'Storm' Worm Continues Surge Around GlobeBy Brian Prince | Posted 2007-01-22 Email Print
According to security experts, the sophisticated new "storm" worm will lead to increased spam.
Experts are forecasting an increase in spam as a result of the "Storm" worm that sent out six separate waves containing hundreds of thousands of e-mails during the weekend, and continues to touch down on computers worldwide.
"The malware is distributed to set up a network of infected zombie computers, which can then be used to launch massive spam campaigns," said Commtouch Chief Technology Officer Amir Lev, in a statement.
The Small.Dam worm, dubbed "Storm" because of its reference to a major storm in Europe in its subject line, was first uncovered during the week of Jan. 15.
With tabloid-style subject lines like "230 dead as storm batters Europe" and "First nuclear act of terrorism!", the worm has spread internationally since it was first discovered. The e-mails contained attachments with names like "full clip.exe" and "read more.exe", an example of social engineering common among malware writers.
Once a user opens the attachment, the Trojan creates a backdoor that the malware writers can exploit in the future.
The Trojan attack was aimed largely at consumers, said Mikko Hypponen, chief research officer at F-Secure in Finland. During the weekend, the company's lab researchers uncovered variants of the worm that use kernel-mode rootkit techniques to attack computers.
The company also warned on its Web site that a new round of Storm worm attacks on Jan. 22 featured romance-themed subject lines such as "The Mood for Love" and "I Dream of You."
"This is fairly advanced attack, and the gang behind this is obviously very serious," Hypponen said.
Commtouch officials said they identified and blocked over 5,000 distinct variants during the first four days of the "Storm" worm activity, and there were time periods during those days when the malware accounted for nearly 17 percent of all global Internet e-mail traffic.
"Malware writers know they have limited time before an AV signature or heuristic will be created to block any mass-distributed malware, so they break the outbreak into thousands of variants and distribute in smaller numbers of instances to maximize infection," said Haggai Carmon, Commtouch vice president of products, in a statement.
"Once AV engines battled to get a signature out within the first few hours of the outbreak, now the hard truth is that even these signatures are now becoming ineffective to protect against the first wave of each new variant. In the time it takes to write and distribute each new signature, thousands of newer variants are launched against which the signature does not protect."
Meanwhile, the anti-virus software maker Sophos is not predicting an easy 2007 for the security-conscious.
In a security report released today, Sophos officials stated e-mail will remain a key vector for malware authors, though the increasing adoption of e-mail gateway security is making hackers look for other means to infect computers.
The number of Web sites being infected with malware is on the rise, Sophos officials said, adding that its lab workers are currently uncovering an average of 5,000 new URLs hosting malicious code each day.
"Cyber-criminals are seeking new ways to distribute malware and the Web seems to be the logical environment as mounting applications and social sites keep end-users active on the Internet," said Ron O'Brien, senior security analyst for Sophos, in a statement.
"From streaming audio/video to file-sharing sites online, businesses face a growing challenge of protecting their networks. In turn, companies must incorporate Web security into their overall IT security strategy to compete in today's Web-based world."