Security organisations are tracking what's being described as the
largest email attack since last year's
Warezov outbreak, and the second onslaught
this week to steal a page from the
Storm Trojan's playbook.
Adam Swidler, senior manager of solutions marketing for San
Carlos, Calif.-based security vendor Postini Inc., said bot herders
are using the outbreak to expand their array of zombie machines.
Those machines can then be used to push out spam, steal sensitive
data from infected computers or launch other types of attacks.
Initial reports from Postini's global data centers indicate that
Thursday's outbreak has driven malware levels 60 times higher than
average daily levels on the Internet, he added.
"IT shops need to block executable and .zip files, and users
should never open an attachment from someone they don't know and
trust," he said.
The outbreak is also being tracked by the Bethesda, Md.-based SANS
Internet Storm Center (ISC). ISC handlers have received a flood of
emails with varying subject lines, each promising a patch for an
unnamed new worm. The messages carry two attachments: a
password-protected .zip file and an image that displays the password
for the archive, a trick that keeps the archive out of reach of
antivirus scanners and the password out of reach of text-based
filters. Among the subject lines seen are:
- Worm Alert!
- Worm Detected Virus Alert
- ATTN!
- Trojan Detected!
- Worm Activity Detected!
- Spyware Detected!
- Dream of You
The Postini analysis Swidler outlined is similar. The vendor has
intercepted emails with "love-related" subject lines and an
executable attachment that contains a Trojan horse, and emails with
"Worm Alert!" in the headline with an attached .zip file with an
infected payload.
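The attachment pattern the ISC and Postini describe (a lure subject, a password-protected .zip, an image carrying the password, or a bare executable) can be checked mechanically at a mail gateway. The following is an added example, not code from Postini, the ISC or the article: it inspects a message's attachments, detects the ZIP encryption flag in the archive headers, and flags the zip-plus-image combination. The subject lines are the ones quoted above; the executable-extension list, the sender addresses and both sample messages are constructed for the example. It goes slightly beyond the article by also checking file contents (the "MZ" executable header), since a renamed .exe evades a filename-only filter.

```python
import io
import os
import zipfile
from email.message import EmailMessage

# Subject lines reported by the SANS ISC and Postini for this campaign (from the article).
SUBJECT_LURES = (
    "worm alert!", "worm detected virus alert", "attn!", "trojan detected!",
    "worm activity detected!", "spyware detected!", "dream of you",
)
# Extensions a gateway should treat as executable (assumed policy list, not from the article).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def make_zip(name, data, encrypted=False):
    """Build a ZIP in memory; optionally mark its entry as password-protected.

    zipfile cannot write encrypted archives, so general-purpose bit 0 ("encrypted")
    is set by hand in the local file header (offset 6) and in the central-directory
    entry (offset 8). The stored bytes are untouched; header inspection is all we need.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.find(b"PK\x03\x04") + 6] |= 1
        raw[raw.find(b"PK\x01\x02") + 8] |= 1
    return bytes(raw)


def zip_is_password_protected(blob):
    """True if any entry has the encryption flag set. A malformed archive is treated
    as protected: the gateway cannot inspect it, so it should not pass either."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return True


def assess(msg):
    """Return the reasons a gateway would flag this message (an empty list means clean)."""
    reasons = []
    subject = (msg["Subject"] or "").lower()
    if any(lure in subject for lure in SUBJECT_LURES):
        reasons.append("subject matches a known lure")
    protected_zip = has_image = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        blob = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1]
        # Check bytes as well as the name: a renamed .exe still begins with "MZ".
        if ext in EXECUTABLE_EXTS or blob.startswith(b"MZ"):
            reasons.append(f"executable attachment: {name}")
        if ext == ".zip" or blob.startswith(b"PK\x03\x04"):
            if zip_is_password_protected(blob):
                protected_zip = True
                reasons.append(f"password-protected zip attachment: {name}")
            else:
                reasons.append(f"zip attachment: {name}")
        if part.get_content_maintype() == "image":
            has_image = True
    if protected_zip and has_image:
        reasons.append("password-protected zip plus image: the image likely carries the password")
    return reasons


def build_message(subject, attachments):
    """Assemble a constructed test message; attachments are (filename, bytes, maintype, subtype)."""
    msg = EmailMessage()
    msg["From"] = "alerts@example.invalid"  # constructed sender
    msg["To"] = "user@example.invalid"      # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Install the attached patch to protect your computer.")
    for filename, blob, maintype, subtype in attachments:
        msg.add_attachment(blob, maintype=maintype, subtype=subtype, filename=filename)
    return msg


def sample_lure():
    """Constructed replica of the ISC-described lure: encrypted zip plus a password image."""
    payload = make_zip("patch.exe", b"MZ" + b"\x00" * 62, encrypted=True)
    return build_message("Worm Alert!", [
        ("patch.zip", payload, "application", "zip"),
        ("password.gif", b"GIF89a" + b"\x00" * 10, "image", "gif"),
    ])


def sample_benign():
    """Constructed ordinary message with a document attachment."""
    return build_message("Lunch on Friday?", [
        ("agenda.pdf", b"%PDF-1.4 constructed sample", "application", "pdf"),
    ])


if __name__ == "__main__":
    for m in (sample_lure(), sample_benign()):
        print(m["Subject"], "->", assess(m) or ["clean"])
```

The encryption flag lives in the archive headers, so the check needs no password and no extraction; a gateway that cannot open an archive should treat it the same way it treats one it can see is encrypted.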
Swidler said Thursday's outbreak was also similar to an attack
earlier this week that used emails with fake messages about missile
attacks starting World War III. "These attacks are all variations
of the same malware family as the
Storm worm that plagued email users around
the world earlier in the year," he said.
When a user clicks on the attached executable, he said, a
rootkit is installed that attempts to hide its presence from virus
scans and disable existing antivirus applications. Then it will
connect to a peer-to-peer (P2P) network where it can upload data
including personal information from the infected computer and
download additional malware. The infected computer then becomes a
zombie that can be used to send spam and issue other attacks. At
the same time that it is connecting to the P2P network, the virus
will search the computer's hard drive for email addresses and begin
replicating itself by sending emails to the addresses that it
finds.
Swidler said the last outbreak of this size was last year's
Warezov attack.