No foolin', say researchers -- Storm attack under way
New spam run touts April Fools' Day but delivers bot Trojan horse instead
March 31, 2008 12:00 PM ET | Computerworld

A new campaign by the Storm Trojan horse began on Monday, as spam posing as April Fools' Day messages flooded inboxes, several security companies said.
According to analysts at F-Secure Corp., the SANS Institute's Internet Storm Center (ISC), Symantec Corp. and others, spam bearing a wide range of April Fools' Day subjects started showing up Monday. Among the subject headings, said ISC researcher Stephen Hall in a post to the group's blog, were "All Fools' Day," "Doh! April Fool" and "Surprise! The joke's on you."
The messages carried no text, only a link to an April Fools'-themed URL. The page behind that link tried to start a download automatically or, failing that, to talk the user into downloading an executable with a filename such as "foolsday.exe" or "kickme.exe." Those executables were the Storm Trojan horse, which some security vendors detect under the names Dorf, Nuwar or Peacomm.
Storm's creators have a history of using holidays to spread their malware, which is designed to add infected Windows PCs to a botnet that can be used for additional spam blasts or for launching denial-of-service attacks. The last major Storm run was in the weeks leading up to Valentine's Day, for example.
Several security firms posted the image that appears when a user clicks on the link within the Storm spam mail, including McAfee Inc. The image is accompanied by text that reads "Your download will start in 5 seconds. If your download does not start, click here and then press 'Run.'"
"If you wait those five seconds, it'll try to download file funny.exe to your computer," said analyst Dmitry Gryaznov on McAfee's blog. "If you click on the image, it's kickme.exe. And if you click on 'click here,' it's foolsday.exe. All of them are nothing but a new Nuwar [Storm] variant."
Another researcher, Robert McArdle at Trend Micro Inc., pointed out that the malware authors didn't even bother to come up with an original image but instead grabbed one off the Web. "Too lazy to actually create their own image to represent the holiday, the group simply Googled 'April Fools' and used the first image that showed up," said McArdle on the TrendLabs blog.
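The delivery pattern the researchers describe is narrow enough to detect: a message whose body is nothing but a link, pointing at a page that pushes a Windows executable through a timed download, an image link and a "click here" link. The script below is an added example written for this page, not code from Computerworld or from any of the vendors quoted. The subject lines, executable names and lure text are taken from the article; the two sample messages, the landing-page HTML and the domain example.invalid are constructed for the demonstration.

```python
"""Detection logic for the April Fools' Storm lure described above.

Added example, not from the article or the vendors it quotes. Subject
lines, executable names and lure text come from the article; the sample
mail, landing page and domain example.invalid are constructed here.
"""
import re
from email import message_from_string
from html.parser import HTMLParser

# Subject lines reported by the ISC (compared case-insensitively).
STORM_SUBJECTS = {"all fools' day", "doh! april fool", "surprise! the joke's on you"}

# File names McAfee reported for the timed, image and "click here" downloads.
STORM_EXECUTABLES = {"funny.exe", "kickme.exe", "foolsday.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def message_indicators(raw_mail: str) -> list[str]:
    """Return the lure indicators a single-part RFC 822 message matches."""
    msg = message_from_string(raw_mail)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in STORM_SUBJECTS:
        hits.append("storm-subject")
    body = (msg.get_payload() or "").strip()
    # The article's messages carried no text at all, only a link.
    if URL_RE.fullmatch(body):
        hits.append("link-only-body")
    return hits


class LandingPage(HTMLParser):
    """Collect every URL the page can push at a visitor, plus visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: list[tuple[str, str]] = []  # (how, url)
        self.text: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.targets.append(("link", a["href"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content="5;url=..." starts the download without a click.
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.IGNORECASE)
            if m:
                self.targets.append(("auto-refresh", m.group(1)))

    def handle_data(self, data):
        self.text.append(data)


def page_indicators(html: str) -> dict:
    """Summarise what a landing page tries to deliver."""
    page = LandingPage()
    page.feed(html)
    exes = sorted({url.rsplit("/", 1)[-1].lower()
                   for _, url in page.targets if url.lower().endswith(".exe")})
    return {
        "executables": exes,
        "known_storm_names": sorted(set(exes) & STORM_EXECUTABLES),
        "auto_download": any(how == "auto-refresh" for how, _ in page.targets),
        "download_lure": "your download will start" in " ".join(page.text).lower(),
    }


def is_storm_lure(raw_mail: str, landing_html: str) -> bool:
    """Link-only mail whose target pushes a Windows executable at the reader."""
    mail_hits = message_indicators(raw_mail)
    page = page_indicators(landing_html)
    pushes_exe = bool(page["known_storm_names"]) or (
        page["auto_download"] and bool(page["executables"]))
    return "link-only-body" in mail_hits and pushes_exe


# Constructed sample: an ISC subject line and a body that is only a link.
SAMPLE_SPAM = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Doh! April Fool

http://example.invalid/
"""

# Constructed ordinary mail: same domain, but real text around the link.
SAMPLE_LEGIT = """\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Lunch?

Menu is at http://example.invalid/menu if you want to pick something.
"""

# Constructed landing page modelled on McAfee's description: timed download
# of funny.exe, image link to kickme.exe, "click here" link to foolsday.exe.
SAMPLE_PAGE = """\
<html><head>
<meta http-equiv="refresh" content="5;url=http://example.invalid/funny.exe">
</head><body>
<a href="http://example.invalid/kickme.exe"><img src="aprilfools.jpg"></a>
<p>Your download will start in 5 seconds. If your download does not start,
<a href="http://example.invalid/foolsday.exe">click here</a> and then press 'Run'.</p>
</body></html>
"""

if __name__ == "__main__":
    print(message_indicators(SAMPLE_SPAM), page_indicators(SAMPLE_PAGE))
    print("storm lure:", is_storm_lure(SAMPLE_SPAM, SAMPLE_PAGE))
```

The mail side keys on structure (a body that is only a URL) rather than on the subject lines alone, since the subjects rotate between campaigns while the link-only body is what the researchers saw throughout; the page side treats a meta refresh to an .exe as a stronger signal than any filename, because the names change with every variant.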
Storm has been linked by some researchers to the notorious Russian Business Network (RBN) malware-hosting organization, and at times, Storm-related messages have produced significant spikes in spam volume.