'Storm' Spam Surges, Infections Climb - InformationWeek

02:58 PM


Newer versions of the spam dumped more infected messages into in-boxes and duped an increasing number of users to launch the files and thus compromise their computers.

The "Storm worm" that blasted across the Internet late last week spread Monday as security companies repeated their warnings and raised alert levels to new highs.

Actually a Trojan downloader, the payload has been given a variety of names by antivirus vendors, including Peacomm (Symantec) and Troj/Dorf-Fam (Sophos). It arrives in widely spammed messages with several possible subject heads and as a number of differently named executable files.

Its nickname comes from one of the original spam subject heads: "230 dead as storm batters Europe."

After an initial spam blast early Friday that produced infections worldwide, the Trojan's impact fell sharply. Later spam runs, however, dumped more infected messages into in-boxes and duped an increasing number of users to launch the files and thus compromise their computers.

"This looks like a worm because of the volume of e-mail, even though it's a Trojan," says Dave Cole, the director of Symantec's security response team. "We're on spam run No. 4 now, with millions of messages having been sent so far."

The large volume of infected messages spammed so far prompted Cole's company to up the threat rating to a "3" in its 1 through 5 scoring system. The last time Symantec classified a piece of malware as a "3" was in late 2005, says Cole.

"But we've also seen a number of changes [to it]," says Cole as he justified the more dire rating. The attacker "is changing the enticements, changing some of the evasion techniques, too, including encryption."

On the enticement front, the weekend's runs have been loaded onto e-mail messages with a wider variety of subject heads, including such fanciful lines as "Chinese missile shot down USA satellite," "Sadam Hussein alive!," and "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel."

"He's in a cat-and-mouse game. He's watching what we and other antivirus [companies] are doing and making adjustments," says Cole. The attacker's tactics include encrypting the peer-to-peer communication channel he's using to control the compromised PCs and rapidly modifying the packaging of the Trojan to evade detection and deletion.

As of Monday, the Trojan accounted for 8% of all infections globally. "That's not huge, but it's not small, either," says Cole.

Other security companies, including Finland's F-Secure, reported Monday that they were seeing rootkit cloaking techniques in some variants. Rootkits can hide malware's files and actions from security software. Sophos, meanwhile, said that it had detected the Trojan-laden spam originating from computers in more than 80 countries.

"It's not terribly sophisticated technically," says Cole, "but it's increasingly bigger."

Security vendors have recommended that users update their antivirus signatures and, if they run anti-spam software, its definitions as well.
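As an added illustration of the mail-side defense the vendors recommend (this is example code written for this page, not anything from the article or from Symantec, Sophos or F-Secure), the script below is a simplified gateway check that quarantines messages combining one of the subject lines the article reports with an executable attachment, and flags executable attachments on their own. The subject strings come from the article; the sample messages, the sender and recipient addresses, and the attachment bytes are constructed for the example and are not real captures.

```python
"""Added example, not from the InformationWeek article: a gateway-style filter
that flags Storm-run spam by known subject line plus executable attachment.
Subject lines are the ones reported in the article; all messages built here
are constructed test data."""
import email
from email import policy
from email.message import EmailMessage

# Subject lines the article attributes to the Storm spam runs (lower-cased).
STORM_SUBJECTS = {
    "230 dead as storm batters europe",
    "chinese missile shot down usa satellite",
    "sadam hussein alive!",
    "u.s. secretary of state condoleezza rice has kicked "
    "german chancellor angela merkel",
}

# The article says the payload arrives as "a number of differently named
# executable files", so match on the extension class rather than on a name.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def executable_attachments(msg):
    """Return the filenames of attachments whose extension Windows executes."""
    names = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        lowered = filename.lower()
        if any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            names.append(filename)
    return names


def classify(raw_message):
    """Return (verdict, reasons) for one RFC 822 message given as a string.

    "quarantine": known Storm subject AND an executable attachment.
    "suspicious": executable attachment only (the subject changes per run).
    "clean": neither.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    reasons = []
    subject_hit = subject in STORM_SUBJECTS
    if subject_hit:
        reasons.append("subject matches a reported Storm spam run")
    exes = executable_attachments(msg)
    if exes:
        reasons.append("executable attachment: " + ", ".join(exes))
    if exes and subject_hit:
        return "quarantine", reasons
    if exes:
        return "suspicious", reasons
    return "clean", reasons


def build_message(subject, body, attachment_name=None):
    """Construct a sample message (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "user@example.invalid"       # placeholder address
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # A few placeholder bytes stand in for the attachment body.
        msg.add_attachment(b"MZ\x00\x00placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    samples = [
        build_message("230 dead as storm batters Europe",
                      "Read the full story.", "Full Story.exe"),
        build_message("Quarterly report", "Attached.", "report.pdf"),
        build_message("Hello", "Try the new screensaver.", "video.scr"),
    ]
    for raw in samples:
        print(classify(raw))
```

Because the article notes that the attacker changes subject lines between runs, the subject match is treated only as a confidence booster; the executable-attachment check is what still fires when the next run uses an enticement nobody has seen yet.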
