[ISN] 'Storm Trojan' spammers set us up

From: InfoSec News (alerts@private)
Date: Mon Apr 16 2007 - 22:20:23 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9016685

By Gregg Keizer
April 16, 2007 
Computerworld

The group behind last week's massive Storm Trojan spam blast set up 
Windows users with a one-two punch by switching tactics in midrun, 
making the second stage's subject headings more believable, researchers 
said today.

"There was a very distinct transition point" between the two stages, 
said Adam Swidler, senior manager of solutions marketing at Postini Inc. 
"It was a concerted effort to trick users."

The huge wave of worm-infected spam e-mails sent out starting early 
Thursday had receded by about 2 a.m. Pacific Time Friday. "It petered 
out around then, and spam went back to its average daily and hourly 
rates," said Swidler. "We're still crunching the numbers, but it looks 
like three times that of the largest in the last 12 months, around 60 
million [messages] total."

Although most of the attention was paid to the attack's second phase -- 
when spammed messages arrived with subject headings such as "Worm 
Alert!" and "Virus Activity Detected!" -- the assault began with less 
alarming mail marked "Our Love Nest," "A Token of My Love" and other 
romantic phrases.

The switch, speculated Swidler, was by design. "The first part was more 
love-related and created the illusion of a worm attack going on," he 
said. "They were able to control the mutation and do the switch so that 
there was a clear point where there were almost none of the 'love' 
messages. That played to the second phase."

In fact, love-labeled spam carrying variants of the Storm Trojan -- 
which first appeared in January and got its nickname from subject heads 
touting news of damaging winter storms in Europe -- was spotted by some 
security vendors last Wednesday. Trend Micro Inc.'s malware blog noted a 
round of love-related spam hitting Japanese in-boxes a day before the 
attack's second stage started.

Last week, Swidler called the two-part attack a "self-fulfilling 
prophecy" because of the attacker's skill at setting up recipients for 
the second stage, which played off fears of an actual infection to dupe 
users into running the attached executable file.

When the malware executes, it installs a rootkit to cloak itself, 
disables security software, steals confidential information from the PC 
and adds the infected machine to a botnet of compromised computers. 
Storm Trojan can also self-propagate by rooting out e-mail addresses 
from the PC and sending copies of itself to those people.

However, the newly-infected PCs are staying quiet -- for the moment, 
said Swidler. "They haven't immediately launched an attack off these new 
bots," he said. "It looks like they're building out their inventory [of 
bots]." That, though, bodes ill for the future. "It's reasonable to 
assume that with these new bots, spam [volume] will only continue to 
climb," said Swidler.


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Mon Apr 16 2007 - 22:30:46 PDT