The Storm worm is generating PDF files to evade antivirus detection and trick employees with emails that look like business letters, according to researchers at security vendor MessageLabs.
The PDF trend has greatly reduced the amount of image spam, but because the PDF format is so widely used by businesses, spam filtering vendors are being forced to rapidly develop technology that can distinguish PDF spam from legitimate PDF files.
While the new emails containing PDFs currently carry advertisements, they could evolve to deliver malicious code, including bot code, said Matt Sergeant, a senior antispam technologist at the UK-based MessageLabs. The malware could also be downloaded automatically onto the victim's computer.
"This is something we'll be watching out for very closely," Sergeant said. "Spammers are always interested in expanding their bot networks, so it might be something that they try in the near future."
The Storm worm currently represents about 30% of all spam. The Trojan horse has been actively spreading since January, starting with emails that exploited concern about major European storms and going on to use a wide variety of fake news headlines in email subject lines. Finnish antivirus firm F-Secure Corp. said the Trojan horse has started to use kernel-mode rootkit techniques to hide its bot-spreading files, registry keys and active network connections.
The Storm worm also recently misrepresented itself as a greeting
card from family members to trick people into clicking on malicious
URLs in their email inbox. It also tried to use patriotic messages
during the Independence Day holiday to dupe people into getting
infected.
Other security vendors have detected the new Storm worm strain.
Symantec reported a decline in image spam in June. In its monthly
report, the security vendor pointed to a specific PDF spam campaign
as contributing to the decline.
"The PDF attachments result in messages that are very large in
size," Symantec said in its Security Response blog. "We have been
monitoring this throughout the past month, but it has really heated
up this past week. So far, we have observed over 25 million
messages that were categorized as PDF spam."
Symantec said the most prevalent type of PDF spam detected in June was a pump-and-dump stock scheme. "Once open, the PDF file displays an image of a stock symbol and some text indicating it's the one to buy."
The malware's expanding presence had contributed to the
skyrocketing use of image spam, which successfully bypassed many
spam filters, Sergeant said.
"We see very rapid changes from exactly what its behavior is and
it's been able to repurpose itself immediately," Sergeant said. "A
large portion of the entire botnet is being pushed over to PDFs
now."
Sergeant said that IT pros should make sure their spam filter can inspect PDF attachments and should tell employees to be suspicious of PDFs from unknown senders.
Some current filtering software with PDF capabilities can identify malicious PDF files by inspecting the file's internal structure and the metadata that records how it was created. Researchers are still working on a better way to eliminate PDF spam, Sergeant said.
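A simplified version of the structural check described above, added here as an illustration and not MessageLabs' or any vendor's code: it reads the objects of two constructed PDFs and flags a one-page file that is a bare picture with no text and no producer tag, the shape of the stock-image spam Symantec describes. The sample PDFs and thresholds are assumptions; a production filter would also inflate compressed streams and weigh many more signals.

```python
import re

# Constructed sample PDFs (not from the article): minimal, uncompressed, and
# without xref tables, since the checks below read objects and streams only.
IMAGE_ONLY_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 5 0 R >> >> /Contents 4 0 R >> endobj
4 0 obj << /Length 31 >> stream
q 612 0 0 792 0 0 cm /Im0 Do Q
endstream endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceRGB /BitsPerComponent 8 /Length 3 >> stream
\xff\x00\x00
endstream endobj
trailer << /Root 1 0 R >>
%%EOF"""

TEXT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >> endobj
4 0 obj << /Length 48 >> stream
BT /F1 12 Tf 72 720 Td (Quarterly invoice) Tj ET
endstream endobj
5 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
6 0 obj << /Producer (Acrobat Distiller 7.0) /Creator (Microsoft Word) >> endobj
trailer << /Root 1 0 R /Info 6 0 R >>
%%EOF"""

def pdf_features(data: bytes) -> dict:
    """Structural features a PDF-aware filter can read without rendering the file:
    page count, image XObjects, text-showing operators, and producer/creator tags."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF")
    pages = len(re.findall(rb"/Type\s*/Page\b", data))      # \b excludes /Pages
    images = len(re.findall(rb"/Subtype\s*/Image\b", data))
    # Only uncompressed streams are inspected; /FlateDecode streams would need inflating.
    streams = re.findall(rb"\bstream\r?\n(.*?)\r?\nendstream", data, re.S)
    text_ops = sum(len(re.findall(rb"\b(?:Tj|TJ)\b", s)) for s in streams)
    def tag(name: bytes):
        m = re.search(rb"/" + name + rb"\s*\((.*?)\)", data)
        return m.group(1).decode("latin-1") if m else None
    return {"pages": pages, "images": images, "text_ops": text_ops,
            "producer": tag(b"Producer"), "creator": tag(b"Creator")}

def looks_like_image_spam(f: dict) -> bool:
    """Heuristic: one page, at least one image, no text operators, no producer tag."""
    return f["pages"] == 1 and f["images"] >= 1 and f["text_ops"] == 0 and f["producer"] is None
```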