No foolin', say researchers -- Storm attack under way
New spam run touts April Fools' Day but delivers bot Trojan horse instead
Computerworld - A new campaign by the Storm Trojan horse began on Monday, as spam posing as April Fools' Day messages flooded in-boxes, several security companies said.
According to analysts at F-Secure Corp., the SANS Institute's Internet Storm Center (ISC), Symantec Corp. and others, spam bearing a wide range of April Fools' Day subjects started showing up Monday. Among the subject headings, said ISC researcher Stephen Hall in a post to the group's blog, were "All Fools' Day," "Doh! April Fool" and "Surprise! The joke's on you."
The messages carried no text; only a link to an April Fools'-themed URL that in turn tried to download or convince users to download an executable with filenames such as "foolsday.exe" and "kickme.exe." These executables were, in fact, the Storm Trojan horse, which is identified by some security vendors as Dorf, Nuwar or Peacomm.
Storm's creators have a history of using holidays to spread their malware, which is designed to add infected Windows PCs to a botnet that can be used for additional spam blasts or for launching denial-of-service attacks. The last major Storm run was in the weeks leading up to Valentine's Day, for example.
Several security firms posted the image that appears when a user clicks on the link within the Storm spam mail, including McAfee Inc. The image is accompanied by text that reads "Your download will start in 5 seconds. If your download does not start, click here and then press 'Run.'"
"If you wait those five seconds, it'll try to download file funny.exe to your computer," said analyst Dmitry Gryaznov on McAfee's blog. "If you click on the image, it's kickme.exe. And if you click on 'click here,' it's foolsday.exe. All of them are nothing but a new Nuwar [Storm] variant."
Another researcher, Robert McArdle at Trend Micro Inc., pointed out that the malware authors didn't even bother to come up with an original image but instead grabbed one off the Web. "Too lazy to actually create their own image to represent the holiday, the group simply Googled 'April Fools' and used the first image that showed up," said McArdle on the TrendLabs blog.
Storm has been linked by some researchers to the notorious Russian Business Network (RBN) malware-hosting organization, and at times, Storm-related messages have produced significant spikes in spam volume.
Read more about Security in Computerworld's Security Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Enhancing Application Protection and Recovery with a Modern Approach to Snapshot Management This CommVault Business Value and Technology White Paper explains how Simpana IntelliSnap® Recovery Manager can make your application recovery fast and reliable.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts