Spam Uses Storm Trojan to Strike Attacks

A spam using greeting cards is drawing users to sites where the attacks occur. The scam works in a sophisticated style using multiple exploits to infect computers, said security professionals on June 29, 2007, and Help Net Security published it on June 29, 2007.

Some sample spam mails have shown the same subject title with links to an evil site, which has embedded JavaScript that checks for an enabled scripting on the victim's browser.

According to Internet Storm Center (ISC) many anti-virus vendors were able to tentatively thwart the malware, the Storm Trojan that infects the computers. This worm has been circulating since early 2007 with aggressive attempts to hijack PCs to use them as bots.

ISC has warned that after the Storm or Peacom compromises the computers, attackers are using them to host the malware. Also, they are using the IP addresses of those PCs in rotation to send their spam.

SANS Institute's ISC issued an alert that the disabled JavaScript provides a link, which on clicking generates an exploit. Since scripting is a common attack vector, some users turn it off. Browsers with active JavaScript usually receive a package of downloads and malware.

The quick examining process of the browser in this attack is nearly similar to the one used in a different exploit that Symantec has tracked. However, there is no relation between the two, said Oliver Friedrichs, director of security response group at Symantec, as reported by ChannelWorld on June 29, 2007.

Hackers have not dropped their tendency to embed malware in e-mails and then victimize innocent users as they click on the attachments, said Friedrichs. However, the current trend is for malware-hosting websites. The reason is the difficulty in e-mailing malicious files. For, savvy users are hesitant to open files they suspect as also the prevalence of security software that filter and block malware-loaded files discourage spamming.

Attacks, which direct the user to several IP addresses, are widespread. They don't use just one server; there are a number of exploits and the e-mail is without any attachments, said Shimon Gruper, VP of security company Aladdin Knowledge Systems Inc.

Related article: Spam Scam Bags a Scottish Connection

» SPAMfighter News - 7/9/2007