'Storm' Spam Surges, Infections Climb - InformationWeek
Software // Enterprise Applications
02:58 PM

Newer versions of the spam dumped more infected messages into in-boxes and duped an increasing number of users into launching the attached files, thereby compromising their computers.

The "Storm worm" that blasted across the Internet late last week spread Monday as security companies repeated their warnings and raised alert levels to new highs.

Actually a Trojan downloader, the payload has been given a variety of names by antivirus vendors, including Peacomm (Symantec) and Troj/Dorf-Fam (Sophos). It arrives in widely spammed messages with several possible subject heads and as a number of differently named executable files.

Its nickname comes from one of the original spam subject heads: "230 dead as storm batters Europe."

After an initial spam blast early Friday that produced infections worldwide, the Trojan's impact fell sharply. Later spam runs, however, dumped more infected messages into in-boxes and duped an increasing number of users into launching the attached files, thereby compromising their computers.

"This looks like a worm because of the volume of e-mail, even though it's a Trojan," says Dave Cole, the director of Symantec's security response team. "We're on spam run No. 4 now, with millions of messages having been sent so far."

The large volume of infected messages spammed so far prompted Cole's company to up the threat rating to a "3" in its 1 through 5 scoring system. The last time Symantec classified a piece of malware as a "3" was in late 2005, says Cole.

"But we've also seen a number of changes [to it]," says Cole as he justified the more dire rating. The attacker "is changing the enticements, changing some of the evasion techniques, too, including encryption."

On the enticement front, the weekend's runs have been loaded onto e-mail messages with a wider variety of subject heads, including such fanciful lines as "Chinese missile shot down USA satellite," "Sadam Hussein alive!," and "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel."

"He's in a cat-and-mouse game. He's watching what we and other antivirus [companies] are doing and making adjustments," says Cole. The attacker's tactics include encrypting the peer-to-peer communication channel he's using to control the compromised PCs and rapidly modifying the packaging of the Trojan to evade detection and deletion.

As of Monday, the Trojan accounted for 8% of all infections globally. "That's not huge, but it's not small, either," says Cole.

Other security companies, including Finland's F-Secure, reported Monday that they were seeing rootkit cloaking techniques in some variants. Rootkits can hide malware's files and actions from security software. Sophos, meanwhile, said that it had detected the Trojan-laden spam originating from computers in more than 80 countries.

"It's not terribly sophisticated technically," says Cole, "but it's increasingly bigger."

Security vendors have recommended that users update their antivirus signatures and, if they run anti-spam software, update that defense as well.
