A variant of the well-known and troublesome Storm worm is being used in a spam attack that is luring blog, bulletin board, and Webmail (Internet-based e-mail) users to connect to a malicious Web site, according to Dmitri Alperovitch, a principal research scientist at Secure Computing Corp.
A new component in the variant enables it to analyze network traffic on the infected computer and dynamically insert a link to the malicious site into text -- whether it's a blog post, a bulletin board entry, or an e-mail sent through a Webmail system, Alperovitch says. The users' text will contain their own content, along with the link and a note that lures readers to check out a Web site with "fun" videos or an e-card.
Users who go to the malicious site have their own machines infected with this updated version of the worm, which some security vendors are referring to as a Trojan horse.
"It's pretty dangerous because it's using social engineering in a very successful way," says Alperovitch. "It's infecting Web posts that come from people who users trust and regularly discuss useful topics with. Imagine a forum where you are used to having good discussions and now they show you a link for what they seem to be saying is a fun video. Wouldn't you click on it? A lot of people would."
The original Storm worm has been linked to denial-of-service attacks against anti-spam and anti-malware sites, according to Secure Computing.
"This signifies a new trend in malware that is spread through blogs, message boards, and web-based e-mail," Alperovitch says. "And this threat is particularly insidious in that antivirus detection doesn't always work. This threat utilizes server polymorphism, which means that it is continuously being repackaged to make the binary appear different to signature-based antivirus solutions."
Signature-based antivirus programs often miss the malicious file since it is continually changing its appearance.
Eric Chien, a senior software engineer at Symantec, wrote in his blog that a number of online bulletin boards are being spammed with this scam.
"Message board spam is nothing new, but what is different about this message board spam is the spam text is actually integrated into legitimate messages posted by real users," he warns. "Don't click on unrelated links in forum postings, e-mail, or IM [Instant Messaging], and definitely avoid executing any files you receive from unsolicited links. If you notice that in your own e-mail, forum postings, or IMs you are sending out odd additional text or URLs, you are likely infected."