Storm Worm Shows New Behavior

A flood of spam mails is inundating the Internet that lies about promises of providing information relating to winter storms that devastated Northern Europe in January 2007. The creators of the spam mails have crafted them with Trojan making them more dangerous than what people could imagine. Joe Stewart at SecureWorks reported that the worm's sophistication level has hardly been noticed. Therefore, there are chances of its resurfacing as new variants. The worm drops rootkits, connects to other copies by using P2P networking and operates a DDoS attack and has many other features.

The Storm Worm initiated DDoS attacks on a number of websites encouraging spam, anti-spam and just any other malicious activity that the perpetrators find attractive. Apparently, worm creators have released variants of the same malware family using the same technique during November, December and early January.

The Storm Worm drew awe and attention of specialists in the security industry for its infallible ability to merge social networking with technical prowess. Soon after the brutal storms struck Europe, the e-mail attacked showing subject lines such as "230 dead as storm batters Europe". Unfortunately, many recipients posed trust on the e-mail. Later the worm arrived in at least six variations using other subject lines.

According to Stewart, Storm Worm belongs to the Win32/Newar family of worms that proliferated in early November last year. At that time many were unaware that the Storm Worm planted a DDoS attack tool on various websites creating havoc for them. One of them was Spamnation.info, which devotes to combating the spam menace. The worm also downloaded payloads via the eDonkey/Overnet P2P protocol and mechanisms that kept the download sites open.

These attacks appear to come from at least three unrelated botnets, said Stewart. As spam war takes new heights, the successful attack on BlueFrog in 2006 might have encouraged new spammers. The attack disabled a service that was trying to interfere with the spammers' business. This attack or even older ones that disabled certain DNS blocklists had no repercussions. That encourages spammers' preparedness and ability to pounce on anyone who obstructs their activities, concluded Stewart.

Related article: Storm Worm Returns with Follow-Up Attack

» SPAMfighter News - 2/21/2007