Software // Enterprise Applications
News
1/22/2007
02:58 PM
Connect Directly
RSS
E-Mail
50%
50%

'Storm' Spam Surges, Infections Climb

Newer versions of the spam dumped more infected messages into in-boxes and duped an increasing number of users to launch the files and thus compromise their computers.

The "Storm worm" that blasted across the Internet late last week spread Monday as security companies repeated their warnings and raised alert levels to new highs.

Actually a Trojan downloader, the payload has been given a variety of names by antivirus vendors, including Peacomm (Symantec) and Troj/Dorf-Fam (Sophos). It arrives in widely spammed messages with several possible subject heads and as a number of differently named executable files.

Its nickname comes from one of the original spam subject heads: "230 dead as storm batters Europe."

After an initial spam blast early Friday that produced infections worldwide, the Trojan's impact fell sharply. Later spam runs, however, dumped more infected messages into in-boxes and duped an increasing number of users to launch the files and thus compromise their computers.

"This looks like a worm because of the volume of e-mail, even though it's a Trojan," says Dave Cole, the director of Symantec's security response team. "We're on spam run No. 4 now, with millions of messages having been sent so far."

The large volume of infected messages spammed so far prompted Cole's company to up the threat rating to a "3" in its 1 through 5 scoring system. The last time Symantec classified a piece of malware as a "3" was in late 2005, says Cole.

"But we've also seen a number of changes [to it]," says Cole as he justified the more dire rating. The attacker "is changing the enticements, changing some of the evasion techniques, too, including encryption."

On the enticement front, the weekend's runs have been loaded onto e-mail messages with a wider variety of subject heads, including such fanciful lines as "Chinese missile shot down USA satellite," "Sadam Hussein alive!," and "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel."

"He's in a cat-and-mouse game. He's watching what we and other antivirus [companies] are doing and making adjustments," says Cole. The attacker's tactics include encrypting the peer-to-peer communication channel he's using to control the compromised PCs and rapidly modifying the packaging of the Trojan to evade detection and deletion.

As of Monday, the Trojan accounted for 8% of all infections globally. "That's not huge, but it's not small, either," says Cole.

Other security companies, including Finland's F-Secure, reported Monday that they were seeing rootkit cloaking techniques in some variants. Rootkits can hide malware's files and actions from security software. Sophos, meanwhile, said that it had detected the Trojan-laden spam originating from computers in more than 80 countries.

"It's not terribly sophisticated technically," says Cole, "but it's increasingly bigger."

Security vendors have recommended that users update their antivirus signatures and, if they're using anti-spam software, that defense as well.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 20, 2014
CIOs need people who know the ins and outs of cloud software stacks and security, and, most of all, can break through cultural resistance.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.