Storm Trojan Runs April Fools' Day Exploit
The Storm Trojan launched a fresh campaign on March 31, 2008, as spam e-mails with April Fools' Day themed messages bombarded users' inboxes, several security firms reported.
According to e-mail analysts from the SANS Institute's Internet Storm Center, Symantec Corp., F-Secure Corp. and others, e-mails with various April Fools' Day subject lines were spammed out on March 31, 2008.
Jose Nazario of Arbor Networks reported in a blog that over the 24 hours before the 1st of April he saw a bulk flow of Storm worm spam crafted to exploit the excitement of the day. As before, the spam campaign was used as bait to attract the attention of computer users so that their PCs became infected and joined the larger botnet.
The message in the e-mail carried the phrase "Doh! April Fools" along with a URL made up of numerical digits. Anyone who clicked on the URL found a page in his Internet browser showing a well-known cartoon figure, and after five seconds a download would start. If that did not happen, the page instructed the user to click a link and press "Run".
The compromised computer would then save the downloaded content as the file C:\WINDOWS\aromis.exe. According to Nazario, the file would use the netsh firewall command to open the computer's firewall, make numerous external connections, and then listen for commands on a random UDP port.
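As an added illustration from a detection standpoint (not code from the article, Arbor Networks or SPAMfighter), the Python below scans process-creation log lines for the legacy netsh firewall sub-commands that widen the host firewall, and raises the severity when the launching binary sits directly in the Windows root, as the article says aromis.exe did. The log format, host names, sample lines and rule names are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation log (not from the article). Lines two and
# three model the netsh firewall abuse the article attributes to aromis.exe.
SAMPLE_LOG = """\
2008-03-31 09:12:01 host=ws01 image=C:\\WINDOWS\\system32\\notepad.exe cmd="notepad.exe notes.txt"
2008-03-31 09:12:04 host=ws01 image=C:\\WINDOWS\\aromis.exe cmd="netsh firewall set allowedprogram C:\\WINDOWS\\aromis.exe enable"
2008-03-31 09:12:05 host=ws01 image=C:\\WINDOWS\\aromis.exe cmd="netsh firewall set opmode mode=disable"
2008-03-31 09:15:22 host=ws02 image=C:\\Program Files\\Backup\\backup.exe cmd="netsh firewall add portopening TCP 8443 BackupAgent"
"""

# Assumed log layout: "... host=<name> image=<path> cmd="<command line>"".
LINE_RE = re.compile(r'host=(?P<host>\S+) image=(?P<image>.+?) cmd="(?P<cmd>[^"]*)"')

# Legacy (Windows XP era) netsh firewall sub-commands that widen the firewall.
NETSH_RULES = [
    ("program-exception", re.compile(r"allowedprogram\b.*\benable\b", re.I)),
    ("firewall-disabled", re.compile(r"\bopmode\b.*\bdisable\b", re.I)),
    ("port-opening",      re.compile(r"\bportopening\b", re.I)),
]
# An executable directly in the Windows root (not System32) is unusual and is
# where the article says the dropped file was written.
WINDOWS_ROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.exe$", re.I)

def classify(image: str, cmd: str) -> List[str]:
    """Return the reasons a process record looks like firewall tampering."""
    reasons = []
    if re.match(r"\s*netsh\s+firewall\b", cmd, re.I):
        reasons += [name for name, rx in NETSH_RULES if rx.search(cmd)]
    if reasons and WINDOWS_ROOT_RE.match(image):
        reasons.append("suspicious-path")
    return reasons

def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each log line and keep only records that trip a rule."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        reasons = classify(m["image"], m["cmd"])
        if reasons:
            findings.append({"host": m["host"], "image": m["image"],
                             "cmd": m["cmd"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["host"], f["image"], ",".join(f["reasons"]), sep=" | ")
```

The backup agent on ws02 still trips the port-opening rule, so a real deployment would pair these rules with an allow-list of known software rather than alerting on every hit.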
The creators of Storm have always leveraged holidays to distribute their malicious program, which is crafted to add infected computers to a botnet that can then be used to blast out additional spam or wage Denial-of-Service (DoS) attacks. The last bulk Storm run was during the weeks before the Valentine's Day holiday.
A number of security companies, including McAfee, posted the cartoon image that appears when the link embedded in the Storm spam mail is clicked.
Robert McArdle, a researcher at Trend Micro Inc., pointed out that the malware writers did not even bother to create an original picture but instead copied one from the Web, as reported by ComputerWorld on March 31, 2008.
SPAMfighter News - 07-04-2008