Storm rages again: Self-morphing Trojan uses blogs to spread rootkits
A new variant of the Storm Trojan that changes with each download is infecting blog sites with malicious URLs, intercepting traffic when visitors try to post comments.
Dmitri Alperovitch, principal research scientist at San Jose, Calif.-based Secure Computing, said the malware is dropped onto the targeted machine as a rootkit and attempts to capture and modify Web traffic via the operating system. Alperovitch said Secure Computing is working with law enforcement officials to curtail the malware by shutting down its hosting server, which appears to be located in New Jersey.
The variant is also using server polymorphism, automatically changing its code whenever it is downloaded. This allows the malware to escape traditional signature-based antivirus sensors.
"Variants of this malware have traditionally been spread by email, but this version has the added Web component," Alperovitch said. "Whenever the attackers see a command that looks like the user is posting a message to a blog, they try to intercept the traffic and inject their own malicious message in there."
The line that is being inserted asks readers to look at a "fun video." If a victim clicks the link, he or she is directed to a Web site where more malware can be dropped onto the victim's machine. Once a machine is infected, he said, it can be used to run keyloggers, cause a distributed denial of service or blast out spam.
If a blog users look at postings and sees content that wasn't included by them, Alperovitch said it's a pretty good indication that they've been infected. What's more, multiple users can be hit simultaneously when participating in group discussions in a Web forum.
"You could have a discussion among several people on a Web board, and someone can say 'Check out this fun video,'" Alperovitch said. "It's really a clever bit of social engineering."
Using Google, Alperovitch has been able to locate several hundred postings that already contain malicious links. Chances are that more infections are going undetected, he said. Secure Computing is keeping an eye on six Estonian-based domains so far.
Alperovitch said users can protect themselves by avoiding untrusted Web sites and viewing videos on a site like Youtube, instead of doing so on random Web pages.
The Storm Trojan first appeared in January, spreading in emails that looked to exploit concern about European storms that were wreaking havoc across the continent at the time.
Symantec gave the original strike a rare risk rating of three and declared it the worst malware outbreak since 2005. The firm flags most malware with a rating of one or two.
