No foolin', say researchers -- Storm attack under way
New spam run touts April Fools' Day but delivers bot Trojan horse instead
Computerworld - A new campaign by the Storm Trojan horse began on Monday, as spam posing as April Fools' Day messages flooded in-boxes, several security companies said.
According to analysts at F-Secure Corp., the SANS Institute's Internet Storm Center (ISC), Symantec Corp. and others, spam bearing a wide range of April Fools' Day subjects started showing up Monday. Among the subject headings, said ISC researcher Stephen Hall in a post to the group's blog, were "All Fools' Day," "Doh! April Fool" and "Surprise! The joke's on you."
The messages carried no text, only a link to an April Fools'-themed URL. That page in turn tried to download an executable automatically or to convince users to download one themselves, with filenames such as "foolsday.exe" and "kickme.exe." These executables were, in fact, the Storm Trojan horse, which is identified by some security vendors as Dorf, Nuwar or Peacomm.
Storm's creators have a history of using holidays to spread their malware, which is designed to add infected Windows PCs to a botnet that can be used for additional spam blasts or for launching denial-of-service attacks. The last major Storm run was in the weeks leading up to Valentine's Day, for example.
Several security firms posted the image that appears when a user clicks on the link within the Storm spam mail, including McAfee Inc. The image is accompanied by text that reads "Your download will start in 5 seconds. If your download does not start, click here and then press 'Run.'"
"If you wait those five seconds, it'll try to download file funny.exe to your computer," said analyst Dmitry Gryaznov on McAfee's blog. "If you click on the image, it's kickme.exe. And if you click on 'click here,' it's foolsday.exe. All of them are nothing but a new Nuwar [Storm] variant."
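The landing-page behaviour described above (an executable served a few seconds after the page loads, or on clicking the image or the "click here" link) is the kind of pattern a proxy log review can surface. The script below is an added example, not code from the original article or from any of the vendors quoted. It assumes a simplified one-request-per-line proxy log format; the hostnames, client addresses and timestamps in the sample lines are constructed placeholders, and only the three executable names come from the article. Beyond the specific filenames, it also applies a more general heuristic: any executable fetched from the same host within a few seconds of a page load, which is what an auto-starting download looks like from the proxy's side.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Executable names reported for this campaign in the article.
STORM_APRIL_FOOLS_EXES = {"funny.exe", "kickme.exe", "foolsday.exe"}

# An executable fetched this soon after a page from the same host looks like an
# auto-starting download ("Your download will start in 5 seconds").
AUTO_DOWNLOAD_WINDOW_SECONDS = 10

# Constructed sample log lines: "timestamp client method url status".
# Hostnames and addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
2008-03-31T09:12:01 10.0.0.14 GET http://example-fools-page.test/ 200
2008-03-31T09:12:06 10.0.0.14 GET http://example-fools-page.test/funny.exe 200
2008-03-31T09:13:40 10.0.0.22 GET http://www.example.com/images/logo.png 200
2008-03-31T09:15:03 10.0.0.31 GET http://example-fools-page.test/kickme.exe 200
2008-03-31T09:16:10 10.0.0.31 GET http://example-fools-page.test/foolsday.exe 404
2008-03-31T09:20:55 10.0.0.40 GET http://updates.example.org/setup.exe 200
2008-03-31T09:30:00 10.0.0.52 GET http://other-fools-page.test/index.html 200
2008-03-31T09:30:05 10.0.0.52 GET http://other-fools-page.test/joke.exe 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    url: str
    status: int
    reason: str


def parse_log(text):
    """Parse the simplified log format into (datetime, client, url, status) rows."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, client, _method, url, status = m.groups()
            rows.append((datetime.fromisoformat(ts), client, url, int(status)))
    return rows


def scan_proxy_log(text, known_exes=STORM_APRIL_FOOLS_EXES,
                   window=AUTO_DOWNLOAD_WINDOW_SECONDS):
    """Flag known campaign filenames and executables that follow a page load too quickly."""
    hits = []
    last_page = {}  # (client, host) -> time of the most recent page request
    for ts, client, url, status in parse_log(text):
        parts = urlsplit(url)
        name = parts.path.rsplit("/", 1)[-1].lower()
        key = (client, parts.netloc.lower())
        is_page = name == "" or name.endswith((".html", ".htm", ".php"))
        if name in known_exes:
            hits.append(Hit(ts.isoformat(), client, url, status,
                            "known campaign filename"))
        elif name.endswith(".exe"):
            prev = last_page.get(key)
            if prev is not None and (ts - prev).total_seconds() <= window:
                hits.append(Hit(ts.isoformat(), client, url, status,
                                "executable fetched within %ds of landing page" % window))
        elif is_page:
            last_page[key] = ts
    return hits


def clients_to_triage(hits):
    """Clients where the binary was actually delivered (2xx); a 404 means it never arrived."""
    return sorted({h.client for h in hits if 200 <= h.status < 300})


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(h.timestamp, h.client, h.url, h.status, "-", h.reason)
    print("triage:", clients_to_triage(found))
```

The filename list is the weakest part of this check, since the names change between runs; the timing heuristic is what carries over to the next holiday-themed campaign, so in practice it is worth tuning the window against your own proxy data before relying on it.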
Another researcher, Robert McArdle at Trend Micro Inc., pointed out that the malware authors didn't even bother to come up with an original image but instead grabbed one off the Web. "Too lazy to actually create their own image to represent the holiday, the group simply Googled 'April Fools' and used the first image that showed up," said McArdle on the TrendLabs blog.
Storm has been linked by some researchers to the notorious Russian Business Network (RBN) malware-hosting organization, and at times, Storm-related messages have produced significant spikes in spam volume.