Storm Worm - Latest Developments include Blog and Codec based attacks

Posted Tuesday, April 22, 2008 4:10 PM by hwaldron

The Storm Worm attacks continue to change as they now use malicious blog pages or YouTube-like streaming video links in order to trick users. Everyone should be as cautious with URLs found in an email as they are with attachments. Clicking on these links can lead to infection, as the malware agent is advanced (e.g., it installs a rootkit) and highly polymorphic (i.e., MD5-based signatures change almost hourly, so hash-based signatures alone cannot be relied on to catch the current sample).


Storm Worm - Blog Attacks
http://www.f-secure.com/weblog/archives/00001415.html

Storm has once again turned its eye to the blogging community, specifically the Blogspot.com community. Several blogger sites with random or very quirky names have been sporting a love theme, Storm style. These sites appear to have been created solely for Storm's purposes, and no legitimate blogger site has as yet been reported as infected.

Visiting these sites will lead you to another page, while keeping the Blogger menu at the top. Clicking the site's image downloads a file called love.exe while clicking the link will provide withlove.exe.


Storm Worm - Codec-based Video Attacks
http://blog.trendmicro.com/storm-now-on-video/

QUOTE: Looks like the Storm gang (or at least the Russian/Ukrainian criminals behind it) is expanding its business.  Is it because of the “arrival” of Kraken, which, following the footsteps of MayDay and Mega-D, is challenging the said gang for the “Biggest Zombie Network” title? Whatever the case, only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec.

TrendLabs researchers discovered several sites that offer what looks like a YouTube look-alike streaming video. The infection vector and messaging is actually still the same, that is, users are most likely to access this site via links on specially crafted, love-themed blogs. What is interesting this time is that on the said site, users are required to download the so-called Storm Codec in order to view the said video. Yes, you read that right: the codec is called Storm Codec. Below is a screenshot:

If the social engineering tactic of using video codecs is familiar, it’s because it is — ZLOB Trojans became infamous because of it, after all (see some detailed analysis here). Thus, the Storm gang’s attempt to venture into the said codec “business” has our researchers speculating whether they are now in cahoots with the ZLOB authors, or that they are trying to take over ZLOB’s niche, much like they did with STRATION when the two first started battling it out in late 2006. Or maybe the gang is just trying to reaffirm to their competition that they’re still the one to beat.
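Both excerpts describe the same lure chain: an e-mail link to a throw-away love-themed blog or a YouTube look-alike page, ending in a download of love.exe, withlove.exe or a so-called "Storm Codec". Because the binary is repacked hourly, screening the link rather than the file is the more durable check. The Python script below is an added example, not code from this post, F-Secure or Trend Micro; the message bodies and hostnames (example.net, example.com) are constructed, and the heuristics it keys on (free blogspot.com hosts, hostnames that imitate YouTube, direct .exe or "codec" downloads) are assumptions about what a mail filter would look for, not indicators published by either vendor.

```python
"""Flag e-mail URLs that match the Storm blog / fake-codec lure pattern.

Added example (not from the original post, F-Secure or Trend Micro).
Sample messages and hostnames are constructed; the heuristics are assumptions.
"""
import re
from urllib.parse import urlparse

# Matches http(s) URLs up to whitespace or common delimiters in plain-text mail.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# File names reported on the page for the blog lure.
LURE_FILENAMES = {"love.exe", "withlove.exe"}


def extract_urls(body):
    """Return URLs found in an e-mail body, trailing punctuation removed."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(body)]


def is_lookalike_video_host(host):
    """True if the host name imitates YouTube but is not youtube.com itself
    (heuristic assumption, not a published indicator)."""
    if host == "youtube.com" or host.endswith(".youtube.com"):
        return False
    return "youtube" in host


def classify_url(url):
    """Return the reasons a URL looks like a Storm lure (empty list = none)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    filename = path.rsplit("/", 1)[-1]

    if filename in LURE_FILENAMES:
        reasons.append("known Storm lure filename: " + filename)
    elif filename.endswith(".exe"):
        reasons.append("direct executable download: " + filename)
    if "codec" in path:
        reasons.append("codec download prompt (ZLOB-style lure)")
    if host.endswith(".blogspot.com"):
        # The page reports throw-away blogs with random names; flag for review.
        reasons.append("free blogspot.com host; check for throw-away blog")
    if is_lookalike_video_host(host):
        reasons.append("YouTube look-alike host: " + host)
    return reasons


def triage_message(body):
    """Map each flagged URL in an e-mail body to the reasons it was flagged."""
    findings = {}
    for url in extract_urls(body):
        reasons = classify_url(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample messages (not real Storm mails).
SAMPLE_MESSAGES = [
    # Love-themed lure pointing at a random-named blogspot blog.
    "You are my everything. See what I made for you:\n"
    "http://qwxzv7-love.blogspot.com/",
    # Fake video page that pushes an .exe "codec" from a look-alike host.
    "Watch our video :) http://youtube.example.net/watch.php?v=love\n"
    "If it does not play, install http://youtube.example.net/stormcodec.exe",
    # Benign message: real YouTube link and an internal PDF.
    "Meeting notes at http://www.youtube.com/watch?v=abc123 and "
    "http://intranet.example.com/report.pdf.",
]

if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_MESSAGES):
        print("message", i, "->", triage_message(body) or "clean")
```

The benign message yields no findings; the blog lure is flagged on its host alone, and the codec lure is flagged twice, once for the look-alike video page and once for the executable "codec" download. None of these checks depends on the sample's hash, which is the point when MD5 signatures are changing hourly.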
