Full Version: Storm Worm Erupts Into Worst Virus Attack In 2 Years
Alan
Everyone knows not to click on links in emails, right? ;)
Here's another reason for all those ecard spam emails.

Edit (2007-08-12): I don't know why this hasn't been making front page news. Ladies & gentlemen, this is bad. Only time will tell what the botnet will be used for.

Update (2007-08-03): The botnet is estimated at nearly 2 million computers. See article in post 5.

Update (2007-08-12): There are now attack Web sites that attempt to bust your browser and hit you with a Storm Worm drive-by-download. See post #8.

Update (2007-08-12): Biggest Pump-and-Dump Scam Ever Spikes Spam 445%. See post #9.

Update (2007-09-03): "Storm worm" adds millions of computers to botnet. See post #12.

Update (2007-09-07): Storm worm botnet more powerful than top supercomputers. See post #13.

Update (2007-09-15): Hacked GOP Site Infects Visitors with Malware. See post #14.

Update (2007-10-16): Storm Worm botnet up for sale. See post #17.


QUOTE
Storm Worm Erupts Into Worst Virus Attack In 2 Years
By Sharon Gaudin
InformationWeek
Tue Jul 24, 4:19 PM ET

The Storm worm authors are waging a multi-pronged attack and generating the largest virus attack some researchers say they've seen in two years.

"We are basically in the midst of an incredibly large attack," said Adam Swidler, a senior manager with security company Postini. "It's the most sustained attack that we've seen. There's been nine to 10 straight days of attack at this level."

Swidler said in an interview with InformationWeek that the attack started a little more than a week ago, and Postini since then has recorded 200 million spam e-mails luring users to malicious Web sites. Before this attack, an average day sees about 1 million virus-laden e-mails, according to Postini. Last Thursday, however, the company tracked 42 million Storm-related messages in that day alone. As of Tuesday afternoon, Postini researchers were predicting they would see that day between 4 million and 6 million virus e-mails -- 99% of them associated with the Storm worm.

While the number of spam e-mails has dropped significantly, it's still far above normal levels, so Swidler isn't ready to say the attack is over.

The viruses are not embedded in the e-mails or in attachments. The e-mails, many of them otherwise empty, contain a link to a compromised Web site where machines are infected with a generic downloader. This helps pull the computers into the malware authors' growing botnet, while also leaving them open for further infection at a later date.

"This is designed to add computers to the botnet," said Swidler. "That's first and foremost their goal."

But the Storm worm authors aren't contenting themselves with this one attack vector.

Paul Henry, VP of technologies with Secure Computing, said in an interview that the electronic greeting card spam scam that the Storm worm authors launched early in July is stronger than ever. He noted that a friend of his has a company with 100 users and they're being hit with about 300 e-card spams every day.

"Back in December, we saw a huge spike in e-card spams because of the holiday," he added. "We are at the levels we were seeing back in December right now. Most security professionals thought it would show up for Independence Day and then fade immediately, but it's been escalating for the last few weeks. It's definitely a pain point."

Again, the e-card spam messages, which install rootkits on the infected computers, are working to build a botnet. Henry could not say if it's the same botnet as the other messages are building.

"I have seen thousands of these e-mails since Independence Day. It's got to be working for them or they wouldn't keep doing it," said Henry.

Just a few weeks ago, the Storm worm authors began trying to trick users with fraudulent e-mails warning unsuspecting users about virus or spyware infections. Users around the world were receiving spam messages claiming that viruses or spyware had been detected on the users' systems. It was another attempt to lure users to malicious sites where their computers could be infected.
kar522
QUOTE (Alan @ 7-25-07, 8:22am) *
Everyone knows not to click on links in emails, right? ;)
Here's another reason for all those ecard spam emails.


I don't click on anything with an attachment any more...not even from a trusted site...and I've been getting a lot of little annoying viruses this past week...luckily, they get caught...I basically quit looking @ freebies/contests that don't originate from a company site either...not doing much borrowing these days...
BlueTDimly
Thanks Alan, interesting information.
kar522
And sorry adsense...I am even afraid to click on your offers...
Alan
QUOTE
DoS Attack Feared As Storm Worm Siege Escalates
By Sharon Gaudin
InformationWeek
Thu Aug 2, 4:31 PM ET

As the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a botnet of nearly 2 million computers -- researchers worry about the damage hackers could wreak if they unleash a denial-of-service attack with it.

Between July 16 and Aug. 1, researchers at software security firm Postini have recorded 415 million spam e-mails luring users to malicious Web sites, according to Adam Swidler, a senior manager with Postini. Before the Storm worm began its attack, an average day sees about 1 million virus-laden e-mails crossing the Internet. On July 19, Postini recorded 48.6 million and on July 24, researchers tracked 46.2 million malicious messages -- more than 99% of them are from the Storm worm.

Researchers at SecureWorks are seeing similar staggering numbers, as well.

Joe Stewart, a senior security researcher at SecureWorks, noted that the number of zombie computers that the Storm worm authors have amassed has skyrocketed in the past month. From the first of January to the end of May, the security company noted that there were 2,815 bots launching the attacks. By the end of July, that number had leapt to 1.7 million.

"It's really gotten enormous," said Stewart. "It's been building with exponential growth. It's one of the largest botnets I've ever heard of."

And both Stewart and Swidler said they think the Storm worm authors are cultivating such an enormous botnet to do more than send out increasing amounts of spam. All of the bots are set up to launch denial-of-service (DoS) attacks and that's exactly what they're anticipating. Denial-of-service attacks -- sometimes called DoS -- are designed to pound each computer with countless questions that flood its ability to respond, effectively taking the machine down.

"When a computer is added to a botnet, it becomes a platform for issuing further attacks," said Swidler. "I shudder to think should they turn this botnet on an organization... It's harnessing the benefits of the grid computing architecture for evil purposes."

Stewart added that the botnet has been launching small DoS attacks, but only a small percentage of the botnet has been used for it and the attacks have only been directed at seemingly random IP addresses or small organizations. A large directed attack could be much different.

"At any time, the botnet could launch a massive attack at anyone. We're wondering if it's being geared up for some sort of large scale attack," said Stewart. "Who couldn't they take offline with all the computers in this botnet?.. They could take a small country out."

This past May, Estonia, a country in Eastern Europe, was hammered with a DoS attack from a botnet. Swidler said he believes there's a good chance that the Storm worm authors were behind the Estonia attacks.

SecureWorks is warning IT managers and home users that they need to be aware of the scams connected to the Storm worm, which include e-mails with links leading to fake e-cards and news stories highlighting catastrophic events.

"Storm relies on social engineering as its best ally so it is really important that computer users keep their guard up and be suspicious of any unsolicited email containing an attachment or a link," said Stewart. "Even if it mentions something you are familiar with or promises some sort of critical data, always check with the sender to see what it is and why they sent it."

He also warns that users and IT managers can protect their systems by blocking peer-to-peer networking. When the malware runs, it tries to link up with other infected hosts via P2P networks. Stewart noted that if that function is blocked, then the user's computer cannot become a part of the botnet.
BlueTDimly
So basically there are 2 million stupid users who clicked on links in spam emails.
Alan
QUOTE (BlueTDimly @ 8-3-07, 8:37am) *
So basically there are 2 million stupid users who clicked on links in spam emails.

Pretty much sums it up. I'd imagine the number is probably higher.
Alan
QUOTE
New Attack Sites Push Storm Worm onto PCs
Friday, August 10, 2007 12:16 PM PT Posted by Erik Larkin

Just about a week ago, I wrote about the Storm Worm's swift spread, and how it may signal an upcoming change in tactics for the multi-function bot malware. At the time, I wrote that the only good thing about it was that the malware spread via e-mail, so if you were smart enough to exercise due caution with unexpected e-mails you'd be safe from the Storm Worm.

Sadly, that's no longer true.

I just heard from Don Jackson, a researcher at SecureWorks, who found that there are now attack Web sites that attempt to bust your browser and hit you with a Storm Worm drive-by-download. Jackson said he has found about a dozen such sites so far, but more may turn up as Google indexes the compromised sites, which will make it possible to discover them with a Web search.

The sites are primarily small, seemingly innocent sites such as hobby sites or community forums, he says. One compromised site hosted a forum for Macintosh users (it has since been cleaned). Jackson says he hasn't found a common vulnerability in the sites, so he can't yet tell just how the sites are being infected.

The poisoned sites so far launch an iFrame attack that contains a combination of exploits. Two go after older vulnerabilities in Internet Explorer (ADODBStream and WebFolderView) and one targets a Quicktime flaw, so make sure both those programs are up-to-date. Secunia recently released a useful free utility that helps identify out-of-date apps on your computer, and makes it relatively easy to get patches.

Also, you can expect the Storm Worm to continue to spread via e-mail, so be extra careful of unexpected e-mail attachments and links, as always. I'd guess that we may start to see e-mails that include links to these newly compromised Web sites.
Alan
QUOTE
Biggest Pump-and-Dump Scam Ever Spikes Spam 445%
August 10, 2007
By Lisa Vaas

The largest spam attack ever tracked wound down Aug. 9 after delivering enough big, fat PDF files to increase total spam size 445 percent in one day, according to Postini, a hosted e-mail filtering company that's been tracking the attack since it started Aug. 7.

Postini tracked a 53 percent jump in spam volume from the day before the attack started to the day it launched, according to Senior Marketing Manager Adam Swidler, in San Carlos, Calif.

Why it stopped is a mystery, but more than likely it wound down because it was a spam run being conducted on a rented bot network, Swidler said. "Presumably … [the] rental time ran out," he said.

How much would renting that botnet have cost? PandaLabs recently released research into the malware market. It suggested one scenario in which a criminal could buy a Trojan for $500, a 1 million-address mailing list for about $100, a $20 encryption program, and a $500 spamming server. The total outlay in this theoretical example would be $1,120. (For PandaLabs' screen grabs showing what the market looks like, check out the slideshow.)

The attack entails a straightforward pump-and-dump spam scam with no virus payload. Experts at SophosLabs said they had detected around 500 million e-mails with PDFs that recommend buying the stock of Prime Time Group.


Writing on the Sophos blog Aug. 8, SophosLabs Director Mark Harris noted that the PDF is actually 10 pages long. Toward the end of the file it contains random characters, which Harris suggested might be an attempt to fool simple checksum detection.

Prime Time, the subject of the stock pump, did see its stock rise 60 percent as of Aug. 8. It was up 20 percent as of Aug. 9, compared with its pre-spam scam price.

The stock fluctuation clearly shows that pump-and-dump scams work. "Taking a look at the stock price shows why these campaigns continue," Harris wrote in his posting. "The share price of this particular company has risen by 60 percent since [Aug. 3], so while recipients of this type of spam continue to try and profit on these 'Tips' stock, spam will continue."

Pump-and-dump scams are a numbers game, Swidler said. While there are people who might well believe whatever the spam author tells them as to the value of the stock, there are also plenty of people who know what the spammer is up to and just decide to ride along, buying stock and then hoping to ride the increase and then cash out before the stock gets dumped en masse, he said.


The spammers might be long gone by now, in fact. "The stock was up 20 percent [Aug. 7]," Swidler said. "The spammers might have gotten out when they made 10 percent profit."

Postini is also tracking a prolonged virus attack that started July 16 and is still under way. Ninety-nine percent of the activity can be traced to delivery of the Storm worm.

The Storm worm, aka the Peacomm Trojan, initially wreaked havoc via a massive spam e-mail attack in January, and then in February spawned a variant that used instant-messaging platforms to spread.

During the week of April 9, researchers noted the return of the Storm worm, as more than 2 million spam e-mails arrived carrying the latest variant. The initial wave of spam used recent real or fake news headlines to convince users to execute malicious files, while the later Storm surge used e-mail subject lines claiming "Trojan Detected!" or "Worm Activity Detected!"

Postini has seen about 715 million e-mail messages—or about 30 million daily—carrying the Storm worm since this most recent attack began. That's about 30 times the amount of Storm e-mail messages tracked prior to this particular attack. Now ongoing is a blended attack: instead of attaching the virus as a payload, the e-mail points to a site that's hosting malware, which then gets downloaded to the victim's system.

If you're wondering what the spam scam attack and the Storm attack have in common, it's the rise of the botnet that's at the bottom of both, Swidler said.


"[Botnets are a] big reason, if not the primary reason, why spam is up so dramatically," he said. "It's up 51 percent over the beginning of 2007. Since September 2006, the volume has increased 161 percent."

Specifically, botnets are responsible for both sending out the spam e-mail and for sending the viruses that infect systems and make them easy prey for being recruited as bots into bot networks, he said.

Postini thinks it will get worse, given the upcoming holiday season and the traditional spike in people going online to do their holiday shopping, Swidler said.
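Harris's observation above, that the pump-and-dump PDF carried random characters near its end to defeat "simple checksum detection", is worth seeing in code. The example below is added here and is not part of the article or the thread; it builds a constructed, minimal PDF-like document (not a real spam sample), pads it the way the article describes, and shows that a whole-file SHA-256 changes with every padded copy while a fingerprint computed over the PDF's content streams alone stays stable. The stream-based fingerprint is an assumed, illustrative technique, not what Sophos or Postini used.

```python
"""Why exact-hash matching misses a padded spam PDF, and how a content-based
fingerprint survives the padding. All samples here are constructed."""
import hashlib
import random
import re
import string

# Constructed stand-in for a pump-and-dump PDF attachment (not a real sample).
BASE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 49 >> stream\n"
    b"BT /F1 12 Tf 72 720 Td (Buy this stock now) Tj ET\n"
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)

# Uppercase-only filler so the junk can never spell the lowercase PDF
# keywords ("stream"/"endstream") the fingerprint parses on.
JUNK_ALPHABET = string.ascii_uppercase + string.digits


def random_junk(seed: int, n: int) -> bytes:
    """Deterministic filler so runs are reproducible."""
    rng = random.Random(seed)
    return "".join(rng.choice(JUNK_ALPHABET) for _ in range(n)).encode()


def pad_after_eof(pdf: bytes, seed: int, n: int) -> bytes:
    """Variant 1: junk appended after %%EOF; PDF readers ignore it."""
    return pdf + random_junk(seed, n) + b"\n"


def pad_as_comment(pdf: bytes, seed: int, n: int) -> bytes:
    """Variant 2: junk inserted as a PDF comment line before the trailer."""
    head, sep, tail = pdf.rpartition(b"trailer")
    return head + b"% " + random_junk(seed, n) + b"\n" + sep + tail


def exact_hash(data: bytes) -> str:
    """Whole-file SHA-256: changes with every byte of padding."""
    return hashlib.sha256(data).hexdigest()


STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def content_fingerprint(data: bytes) -> str:
    """SHA-256 over the concatenated content streams only, so bytes outside
    the streams (comments, trailing junk) do not affect the result."""
    h = hashlib.sha256()
    for stream in STREAM_RE.findall(data):
        h.update(stream)
    return h.hexdigest()


def matches_known_bad(sample: bytes, known_fingerprints: set) -> bool:
    """Match a sample against a set of content fingerprints of known spam PDFs."""
    return content_fingerprint(sample) in known_fingerprints


if __name__ == "__main__":
    known = {content_fingerprint(BASE_PDF)}
    for name, variant in [("after-EOF padding", pad_after_eof(BASE_PDF, 1, 2000)),
                          ("comment padding", pad_as_comment(BASE_PDF, 2, 500))]:
        print(name,
              "| exact hash match:", exact_hash(variant) == exact_hash(BASE_PDF),
              "| content match:", matches_known_bad(variant, known))
```

The design point is that a detection keyed on the whole file is defeated by one byte of variation, whereas a fingerprint over the part the attacker cannot change without changing the lure (the rendered text) is not. Real-world filters take this further with fuzzy hashes and rendered-text extraction, which this stdlib-only example does not attempt.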
Warshed
I was getting those emails. I was getting about 5 per day. They had weird attachments that talked about buying certain stocks, and they had headings like "If you think so" or "RE: We can talk later." Their body was blank and there were only these weird attachments.
Alan
Well, this is almost starting to get national attention. USA Today printed this story yesterday, but it doesn't mention the scope of the botnet. Basically all the article communicates is that more spam is on the way. Still, it's a start on getting the word out.


QUOTE
Spammers find new ways to slip through
By Jon Swartz, USA TODAY
Thu Aug 16, 8:22 AM ET

SAN FRANCISCO - Just when it appeared tech firms had the upper hand against spam, spammers have unleashed new forms of the meddlesome e-mail to trick filters.

Spam in the form of popular PDF e-mail attachments and electronic greeting cards is confounding e-mail security systems and annoying consumers. The recent Storm e-mail virus and several pump-and-dump stock scams are clogging inboxes and snookering consumers into downloading malicious software. And it could get worse as the holidays approach, anti-spam experts say.

The trend illustrates the shifting nature of spam's deceptive packaging. As anti-spam vendors come up with solutions, new versions pop up. The most common spam - which uses images to avoid the detection of spam filters - is quickly fading because of advances in anti-spam technology.

But spam in PDFs, non-existent in May, now accounts for 8% of unsolicited commercial e-mail. Last week, a PDF promoting a pump-and-dump scam contributed to a 30% increase in overall spam. It was sent from compromised PCs turned into spam-spreading bots, security firm Sophos says.

Faux electronic-greeting cards, containing links to viruses, have also picked up. Since mid-July, security firm Postini has blocked about 800 million copies of Storm, an e-mail virus masquerading as a greeting card. "It's a cat-and-mouse game, and PDFs are the latest twist," says Adam Swidler, senior marketing manager at Postini.

Spammers also are beginning to use Excel and Zip files.

As spam evolves, from text in the body of e-mail to images embedded in attachments, it has become more difficult for filters to identify, says Tom Gillis, co-founder of IronPort Systems, a security firm acquired by Cisco Systems (CSCO). "There is a social engineering element to this. People are more likely to open a PDF file or Excel document, which are more trusted."

Spammers now are also leveraging popular online applications to tout ads for everything from stock scams to Viagra. Subscribers to Google's news alerts are beginning to receive links to such ads among their customary news links.

"Spammers make hay with a technique as long as they can," says Doug Bowers, Symantec's (SYMC) senior director of engineering.

New strains have largely supplanted image spam, which accounted for half of all spam in January. Image spam varies the content of individual messages - through colors, backgrounds, picture sizes or font types - and was harder to detect than text-based spam. Since software makers came up with a solution, image spam has dropped to 8% of all spam, Symantec says.
Alan
QUOTE
"Storm worm" adds millions of computers to botnet
By Jacqui Cheng | Published: September 02, 2007 - 07:43PM CT

The authors behind a specific strain of malware are trying every trick in the book to get users to succumb to their ill-meaning plans. You name it, they've used it: weather news, personal greetings, reports that Saddam Hussein is still alive, reports that Fidel Castro is dead, sexy women, YouTube, and even blogs. The group seems hellbent on creating the largest botnet to date, and they just might do it.

The "Zhelatin gang"—named after the trojan it installed—was responsible for what started out as the "storm worm." First spotted earlier this year, the spread of the "storm worm" started via e-mails purporting to provide information on some dangerous storms in Europe at the close of January. Users who fell for it were directed to a web site containing malicious code aimed at turning Windows PCs into spam bots.

It was a success, if you can call it that; Symantec security response director Dave Cole told InformationWeek in late January that the worm had accounted for 8 percent of global virus infections after a single weekend rampage.

Over time, e-mails containing links to the "storm worm" took on many forms, from supposed missile strikes to reports of genocide. Then last month security firm F-secure noted that the Zhelatin team had switched gears and was focusing on greeting-card spam. The e-mails originally directed users to a web site that prompted the download of ecard.exe, but eventually morphed slightly so that the link pointed to a site that claimed the user needed to install "Microsoft Data Access" in order to view the card. Naturally, this download installed a trojan on the user's computer for the purposes of relaying spam.

And that's when the changes began to speed up. Zhelatin changed its game mid-week to suggestive e-mails from lonely females, which prompted end users to click a link to see what they could do if they "get lonely." Days later, however, security firm Sophos noted that the e-mails had changed once again, this time to spam claiming to contain a link to an awesome new video on YouTube. Same tactic, same virus.

The "Blogging" worm
But if promises of Kelly Clarkson's latest music video in e-mail weren't enough, the worm has now switched its focus to blogs. Unlike the typical "comment spam" that many of us have grown used to on our personal blogs, the worm is actually getting into people's Blogspot accounts and creating new blog posts with links to the trojan.

Security software firm Sunbelt Software speculates that the posts are being made through Blogspot's mail-to feature, where users can e-mail their blog entries to specific addresses in order to have them posted to their blogs. This theory seems to make the most sense, as the worm would just need to comb the user's local contact list and send itself out to everyone on the list, including Blogspot. Heise Security notes that not all of the links work: "they appear to be referencing dynamically assigned IP addresses of infected computers and these computers are at the time either offline or have already been assigned a different IP address."

We may never know whether the Zhelatin gang even meant for the worm to spread to blogs, but the group is probably happy that it did. Heise estimates that, as of early August, 1.7 million computers were infected worldwide as part of a massive botnet, and that number has surely escalated since then. Heise warns that this size could prove a very dangerous threat: "[A]lthough the network has so far been primarily used to send spam, it could also be used for DDoS attacks on businesses or even countries."

Just how many computers are part of the botnet is anyone's guess, but estimates from some security firms are reaching as high as 10 million. Just last June the FBI warned that it had discovered more than a million PCs in a botnet. This looks to be just the tip of the iceberg.
Alan
QUOTE
Storm worm botnet more powerful than top supercomputers
By Sharon Gaudin
7 September 2007 02:08PM
Security

The Storm worm botnet has grown so massive and far-reaching that it easily overpowers the world's top supercomputers.

That's the latest word from security researchers who are tracking the burgeoning network of Microsoft Windows machines that have been compromised by the virulent Storm worm, which has pounded the Internet non-stop for the past three months.

Despite the wide ranging estimates as to the size of the botnet, researchers tend to agree that it's one of the largest zombie grids they've ever seen -- one capable of doing great damage.

"In terms of power, the botnet utterly blows the supercomputers away," said Matt Sergeant, chief anti-spam technologist with MessageLabs, in an interview. "If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it."

Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10 percent of capacity.


"We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see," he said, noting he suspects the botnet could be as large as 50 million computers. "That means they can turn on the taps whenever they want to."

No one could provide detailed and specific comparisons between the strength of the botnet and the top supercomputers, mainly because it is hard to know for sure the size of the botnet or the power of each computer that is part of the botnet.

Adam Swidler, a senior manager with security company Postini, told InformationWeek that while he thinks the botnet is in the 1 million to 2 million range, he still thinks it can easily overpower a major supercomputer.

"If you calculate pure theoretical throughput, then I'm sure the botnet has more capacity than IBM's BlueGene. If you sat them down to play chess, the botnet would win."

Since the botnet won't be entered in any supercomputer competition, what does this mean for the IT or security manager trying to protect a company?

It means the cyber criminals who control the botnet have a tremendous amount of destructive power at their fingertips. Early this summer, the Baltic nation of Estonia was pounded in a cyberwar that saw distributed denial-of-service attacks primarily targeting the Estonian government, banking, media, and police sites.

To protect its network, the country had to shut down key computer systems, and targeted sites were inaccessible outside the country for extended periods.

Swidler said he has no doubt that if the Storm worm bosses focused a denial-of-service (DoS) attack on a company, Internet service provider, or government agency inside the United States, it could do a great deal of damage.

"I think there's no question they could damage any single company, whether through a DoS attack or a spam barrage," he added. "I'd be less worried about a Yahoo or a Bank of America than the thousands of mid-sized banks that aren't as well protected. But undoubtedly, this could do a great deal of damage."

Swidler said there's always the background thought that an enemy of a country could basically rent the botnet and launch a DoS attack, shutting down government agencies, utilities or financial centers.

"It's a lot of computing power that could be focused to do a lot of damage," he added. "It's grid computing gone bad."

Last month, REN-ISAC, a collaboration of higher-education security researchers, sent out a warning that the Storm worm authors had another trick up their sleeves. The botnet actually is attacking computers that are trying to weed it out. It's set up to launch a distributed denial-of-service attack against any computer that is scanning a network for vulnerabilities or malware.

The warning noted that researchers have seen "numerous" Storm-related DoS attacks recently.

MessageLabs' Sergeant said the botnet also has been launching DoS attacks against anti-spam organizations and even individual researchers who have been investigating it.

"If a researcher is repeatedly trying to pull down the malware to examine it, the botnet knows you're a researcher and launches an attack against you," he said.

Lawrence Baldwin, chief forensic officer of MyNetWatchman.com, said he doesn't have a handle on how big the overall botnet has become but he's calculated that 5,000 to 6,000 computers are being used just to host the malicious Web sites that the Storm worm spam e-mails are linking users to. And he added that while the now-well-known e-cards and fake news spam is being used to build up the already massive botnet, the authors are using pump-and-dump scams to make money.

"That's pretty scary," he said. "Cumulatively, Storm is sending billions of messages a day. It could be double digits in the billions, easily."

Swidler said that since mid-July, Postini researchers have recorded 1.2 billion e-mails that have been spit out by the botnet. A record was set on Aug. 22 when 57 million virus-infected messages -- 99 percent of them from the Storm worm -- were tracked crossing the Internet.

According to researchers at SecureWorks, the botnet sent out 6,927 e-mails in June to the company's 1,800 customers. In July, that number ballooned to 20,193,134. Since Aug. 8, they've counted 10,218,196.
Alan
QUOTE
Hacked GOP Site Infects Visitors with Malware
Gregg Keizer, Computerworld
Fri Sep 14, 7:00 PM ET

A Republican Party Web site has been hacked, and for some time it has been spreading a variation of the long-running Storm Trojan horse to vulnerable visitors, a security researcher said Friday.

This is the first time that Storm has taken to the Web for its victims, said Dan Hubbard, head of research at San Diego-based Websense Inc. "The big news is that Storm has added infecting sites to its arsenal," said Hubbard.

Storm debuted in January but only cracked the top malware lists early this summer, and has become infamous for its ability to adapt its infection strategies.

"They have a knack for latching onto the latest newsworthy events and capitalizing on the public interest in them," Symantec Corp. researcher Hon Lau said last month. "And if no newsworthy events are happening at the time, then they will just make them up."

Until now, Storm has infected users via files attached to e-mail or through links embedded in spam. The change noticed by Websense's scanners, however, means that Storm's backers have moved to other attack vectors -- in particular, compromised Web sites that sport malicious IFRAMEs. Users visiting such sites are instantly infected with the Trojan if their browsers are not patched against whatever exploit the IFRAME code is throwing out.

According to Hubbard, several hundred sites have been compromised by Storm's makers, then seeded with IFRAMES that can inject the Trojan into vulnerable PCs.

One such site was a Republican Party Web site for the 1st Congressional District of Wisconsin. Within hours after Websense notified the site's owners, however, it had been purged of the dangerous IFRAME code. By mid-morning Friday, it was safe to visit. Hubbard did not know how the site was compromised.

The motive behind Storm's continued attacks, and its expansion into new areas like this, said Hubbard, is a never-ending appetite for bots -- compromised computers that can be used for spamming or other criminal activities, either by the original attackers or by others who lease sections of the botnet.

"Storm's botnet is clearly the biggest around," said Hubbard, who estimated its size as "conservatively, in the hundreds of thousands, although some people have thrown out numbers like 1 million or 2 million or even 4 million." Earlier this month, in fact, MessageLabs Ltd. pegged the botnet at 2 million machines.

In the last few weeks alone, Storm has spread through e-mails touting a real-time scoreboard site for National Football League games, spam hyping a Web site that wished Americans a happy Labor Day holiday and more mail that used YouTube videos as bait.
WingsOverVA
This email came today, gee, think it's legit or a Storm seed???

QUOTE
amazon.com Update

Dear Amazon Member:

Due to recent account takeovers and unauthorized listings, Amazon is introducing a new account verification method. From time to time, randomly selected accounts are subjected to an advanced verification process based on our merchant accounts/bank relations and customer debit card.
Your account is not suspended, but if in 48 hours after you receive this message your account is not confirmed, we reserve the right to suspend you Amazon registration.
amazone is committed to assist law enforcement with any inquires related to attempts to misappropiate personal information with the intent to commit fraud or theft.

To confirm your identity with us click here. [links to 220.70.2.102/amazon/index.htm]
Please do not respond to this confirmation e-mail.
Alan
Wings, I doubt very highly that it's legit. It may or may not be related to Storm either, but certainly looks like a phishing email.

BTW, a trace route from my location to that IP address reveals one of the hops going through a server in Korea.
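The two kinds of mail discussed in this thread, the "verify your account" lure WingsOverVA pasted (brand name in the text, link to a bare IP address, a 48-hour deadline) and the blank-body PDF stock spam Warshed described (subject faked as a reply, nothing but an attachment), can be triaged with a handful of indicators. The Python below is an added example, not code from the thread or from any of the vendors quoted in it. It parses RFC 5322 messages with the standard library, constructs its own sample messages (the link host 192.0.2.10 is a documentation address, not the one in the post), and assumes a small, illustrative brand-to-domain map; threshold and indicator names are choices made for this example.

```python
"""Triage heuristics for the two spam/phish patterns discussed in the thread:
a 'verify your account' lure linking to a raw IP, and blank-body messages
with a PDF attachment and a faked reply subject. Samples are constructed."""
import ipaddress
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed brand -> legitimate domain map (illustrative, not from the thread).
BRAND_DOMAINS = {"amazon": "amazon.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# A time limit followed, somewhere later, by a suspension/closure threat.
DEADLINE_RE = re.compile(r"\b\d+\s*(hours?|days?)\b.*\b(suspend|clos|terminat)", re.I | re.S)


def _link_hosts(text: str):
    return [urlparse(u).hostname or "" for u in URL_RE.findall(text)]


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(raw: bytes) -> list:
    """Return the indicator names that fire for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    attachments = list(msg.iter_attachments())
    hosts = _link_hosts(body)
    subject = msg.get("Subject", "")
    text = (subject + "\n" + body).lower()

    if any(_is_ip(h) for h in hosts):
        hits.append("link-to-raw-ip")
    for brand, domain in BRAND_DOMAINS.items():
        # Brand named in the mail, but no link actually goes to that brand's domain.
        if brand in text and hosts and not any(
                h == domain or h.endswith("." + domain) for h in hosts):
            hits.append("brand-link-mismatch")
    if DEADLINE_RE.search(text):
        hits.append("deadline-threat")
    if attachments and not body.strip():
        hits.append("empty-body-with-attachment")
    if any(a.get_content_type() == "application/pdf" for a in attachments):
        hits.append("pdf-attachment")
    if subject.lower().startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        hits.append("fake-reply-subject")
    return hits


def verdict(raw: bytes) -> str:
    """Two or more independent indicators is the (assumed) threshold used here."""
    return "suspicious" if len(triage(raw)) >= 2 else "ok"


def phish_sample() -> bytes:
    """Constructed message in the shape of the account-verification lure."""
    m = EmailMessage()
    m["From"] = "service@example.net"
    m["To"] = "victim@example.org"
    m["Subject"] = "amazon.com Update"
    m.set_content("Dear Amazon Member:\n"
                  "Your account is not suspended, but if in 48 hours after you receive\n"
                  "this message your account is not confirmed, we reserve the right to\n"
                  "suspend your registration.\n"
                  "To confirm your identity with us click here:\n"
                  "http://192.0.2.10/amazon/index.htm\n")
    return m.as_bytes()


def pdf_spam_sample() -> bytes:
    """Constructed message in the shape of the blank-body PDF stock spam."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "victim@example.org"
    m["Subject"] = "RE: We can talk later"
    m.set_content("")  # blank body, as described in the thread
    m.add_attachment(b"%PDF-1.4\n% constructed placeholder\n%%EOF\n",
                     maintype="application", subtype="pdf", filename="report.pdf")
    return m.as_bytes()


def benign_sample() -> bytes:
    """Constructed ordinary reply with a link, to show the indicators stay quiet."""
    m = EmailMessage()
    m["From"] = "colleague@example.org"
    m["To"] = "you@example.org"
    m["Subject"] = "RE: lunch"
    m["In-Reply-To"] = "<abc123@example.org>"
    m.set_content("Sure, noon works. https://www.example.org/menu\n")
    return m.as_bytes()


if __name__ == "__main__":
    for name, sample in [("phish", phish_sample()), ("pdf-spam", pdf_spam_sample()),
                         ("benign", benign_sample())]:
        print(f"{name}: {verdict(sample)} {triage(sample)}")
```

None of these indicators is conclusive on its own (legitimate mail sometimes links to an IP, and many real replies lack a References header), which is why the verdict requires more than one to fire; the point is that the lures in this thread trip several at once.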
Alan
QUOTE
Storm Worm botnet up for sale
10:59AM Tuesday October 16, 2007
By Matt Greenop

The Storm worm botnet - responsible for plenty of global IT misery - seems to be getting chopped up for sale to cyber-dodgies.

Joe Stewart, a blogger at security specialist SecureWorks and expert on Storm, says the new variants are using a 40-byte key to encrypt their Overnet peer-to-peer traffic.

Each node can only communicate with nodes using the same key.

This, he wrote in a blog today, allows the Storm author to divide the botnet into smaller networks.

Stewart believes that this could be a move towards selling Storm to other spammers as an 'end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities'.

"If that's the case, we might see a lot more of storm in the future," he wrote.

The new approach does make distinguishing Storm nodes on networks that allow P2P traffic an easier task for network admins.

The Storm Worm, according to best guesstimates based on results from Microsoft's malicious software removal tool's latest deployment, could have infected between one and 10 million PCs worldwide.

The recent MSRT, which is updated on a monthly basis, removed Storm-related malware from nearly 275,000 computers out of 2.6 million scanned.

Security specialists have been surprised at the relentless progress of Storm, which preys on P2P users and others, tricking them into clicking infected .exe files.