‘Storm’ Pops Up Ads Asking for Investment in Weak Stocks
If an unexpected pop-up advertisement appears on Windows urging users to buy penny stocks of a company that is barely described, there is a good chance the aggressive Storm worm has infected their computer. The worm has as many as 200,000 PCs under its command and control.
The newly infected machines added to the Storm botnet are used to send out malware-laced spam, turning them into self-propagating spam relays. Recipients of the pop-up advertisement, which is displayed on the basis of an external command from the botnet, are encouraged to invest in the stock of a sparsely traded company called Hemisphere Gold Inc.
Spotting Storm and cleaning up an infection can be quite difficult, because it ships with a rootkit whose code conceals the malware's files and the system processes that carry out the worm's activities.
When Storm infects a machine, it inserts the rootkit into Windows drivers and processes, among them 'tcpip.sys', the driver that handles core networking operations on Windows systems.
To catch Storm, users would have to rely on their anti-malware vendors to push updates that detect the new variant, or hire an expert to find the worm and remove it from their machines.
Storm's operators have tried other tactics as well, such as MP3 spam, which tricks unsuspecting recipients into buying penny stocks whose thinly traded price can jump steeply on even a small volume of trades.
Joe Stewart, Senior Security Researcher at SecureWorks, said the Storm creators appear to make intermittent new attempts to sell such stocks, targeting as many users as possible who might agree to invest in and purchase them. SCMagazine published this on November 14, 2007.
However, this new technique could backfire once users realize their machines are infected and remove the worm, said Josh Corman, Principal Security Strategist at IBM ISS, as reported by SCMagazine.
For now, the attackers are content with their penny stock schemes. According to Stewart, their next strategy could be hosting malicious executables on Geocities Web pages.
SPAMfighter News - 29-11-2007