Secure Computing Corp. warned Tuesday that attackers are using a new variant of the Storm Trojan horse to insert insidious URLs in blogs, intercepting traffic when visitors try to post comments.
Dmitri Alperovitch, principal research scientist at San Jose,
Calif.-based Secure Computing, said the malware is dropped onto the
targeted machine as a rootkit and attempts to capture and modify
Web traffic via the operating system. Alperovitch said Secure
Computing is working with law enforcement officials to curtail the
malware by shutting down its hosting server, which appears to be
located in New Jersey.
The variant is also using server polymorphism, automatically
changing its code whenever it is downloaded. This allows the
malware to escape traditional signature-based antivirus
sensors.
"Variants of this malware have traditionally been spread by
email, but this version has the added Web component," Alperovitch
said. "Whenever the attackers see a command that looks like the
user is posting a message to a blog, they try to intercept the
traffic and inject their own malicious message in there."
The line that is being inserted asks readers to look at a "fun
video." If a victim clicks the link, he or she is directed to a Web
site where more malware can be dropped onto the victim's machine.
Once a machine is infected, he said, it can be used to run
keyloggers, cause a distributed denial of service or blast out
spam.
If a blog user looks at postings and sees content that he or she didn't include, Alperovitch said, it's a pretty good indication that the machine has been infected. What's more, multiple users can be hit simultaneously when participating in group discussions in a Web forum.
"You could have a discussion among several people on a Web
board, and someone can say 'Check out this fun video,'" Alperovitch
said. "It's really a clever bit of social engineering."
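The two indicators the article gives a defender are concrete enough to automate: a post that carries text the author never typed, and a comment whose last line pairs the "fun video" lure with a link. The script below is an added example, not code from the article or from Secure Computing; it runs a moderation pass over constructed sample comments. The watched-domain list is a placeholder (the article names none of the six domains being tracked), and `injected_tail` assumes the blog or the author kept a copy of the comment as typed, which is not something the article describes.

```python
import re
from urllib.parse import urlparse

# Placeholder watch list: the article names no domains, so these are
# constructed values, not real indicators.
WATCHED_DOMAINS = {"example-lure.invalid", "lure.example"}

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
# Lure phrase quoted in the article.
LURE_RE = re.compile(r'\bfun\s+video\b', re.IGNORECASE)


def extract_hosts(text):
    """Return lower-cased hostnames of every http(s) URL found in text."""
    hosts = []
    for m in URL_RE.finditer(text):
        host = urlparse(m.group(0)).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def injected_tail(submitted, rendered):
    """Text present in the stored post but absent from what the user typed.

    Returns '' when the two match. If the stored post only has extra material
    appended (the pattern described for this variant), return just that tail;
    if it differs in some other way, return the whole stored post for review.
    """
    s = submitted.strip()
    r = rendered.strip()
    if r == s:
        return ""
    if r.startswith(s):
        return r[len(s):].strip()
    return r


def flag_comment(comment, watched=WATCHED_DOMAINS):
    """Reasons a single comment body looks injected; empty list means clean."""
    reasons = []
    for host in extract_hosts(comment):
        if host in watched or any(host.endswith("." + w) for w in watched):
            reasons.append(f"link to watched domain {host}")
    lines = [ln for ln in comment.splitlines() if ln.strip()]
    # The injected line is appended to the victim's own text, so look at the end.
    if lines and LURE_RE.search(lines[-1]) and URL_RE.search(lines[-1]):
        reasons.append("lure phrase plus link on final line")
    return reasons


def scan_comments(comments, watched=WATCHED_DOMAINS):
    """Run flag_comment over (comment_id, body) pairs; return {id: reasons} for hits."""
    hits = {}
    for cid, body in comments:
        reasons = flag_comment(body, watched)
        if reasons:
            hits[cid] = reasons
    return hits


# Constructed sample comments for the demonstration.
SAMPLE_COMMENTS = [
    (1, "Thanks for the write-up, the rootkit section was useful."),
    (2, "Agreed with the above.\nCheck out this fun video http://lure.example/clip"),
    (3, "See http://docs.example.org/storm for the original analysis."),
    (4, "Nice.\nhttp://cdn.example-lure.invalid/x.exe"),
]

if __name__ == "__main__":
    for cid, reasons in scan_comments(SAMPLE_COMMENTS).items():
        print(cid, reasons)
    # What the author of comment 2 typed versus what the blog stored.
    print(repr(injected_tail("Agreed with the above.", SAMPLE_COMMENTS[1][1])))
```

The domain check is the stronger signal once the hosting domains are known; the phrase check is a fallback for the day the lure wording is known but the domains have moved. Both are moderation-side heuristics and say nothing about which visitor's machine is infected; that still needs the comparison `injected_tail` performs against what the author actually typed.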
Using Google, Alperovitch has been able to locate several
hundred postings that already contain malicious links. Chances are
that more infections are going undetected, he said. Secure
Computing is keeping an eye on six Estonian-based domains so
far.
Alperovitch said users can protect themselves by avoiding untrusted Web sites and viewing videos on a site like YouTube, instead of doing so on random Web pages.
The Storm Trojan first appeared in January, spreading in emails that looked to exploit concern about European storms that were wreaking havoc across the continent at the time.
Symantec gave the original strike a rare risk rating of three
and declared it the worst malware outbreak since 2005. The firm
flags most malware with a rating of one or two.