Spam campaign uses Storm-like attack technique

I don't see this as very monumental, but shops that have problems with users opening .exe attachments should be aware. John Bambenek, Volunteer handlerSANS Internet Storm Center

But one security expert said this latest attack will probably fizzle due to a case of bad timing.

Several security organizations warned over the weekend of a new spam campaign using a variation of World War III headlines that play on tensions between the U.S. and Iran. Some of the headlines include: 'USA Just Have Started World War III," "Missle Strike: The USA kills more then 20000 Iranian citizens," "Israel Just Have Started World War III" and "USA Missile Strike: Iran War just have started."

By comparison, the Storm attack relied on email headlines exploiting a severe weather system that was wreaking havoc in Europe at the time. The attack expanded its repertoire with headlines claiming that Saddam Hussein was still alive and that Russian and Chinese missiles had been used to shoot down a U.S. satellite. The emails included malicious attachments that would infect the victim's machine if they clicked on it.

Helsinki, Finland-based F-Secure Corp. said emails in this latest attack have a malicious executable attached under such tags as "video.exe" or "movie.exe." The Bethesda, Md.-based SANS Internet Storm Center (ISC) received reports of additional attachment names like "click here.exe," "clickme.exe," "readme.exe" and "read more.exe."

Storm worm: Storm worm keeps spreading: A Trojan horse that started spreading in emails exploiting concern about European storms continued its advance over the weekend by adopting a wider variety of fake news headlines, according to Finnish antivirus firm F-Secure Corp. Ten emerging malware trends for 2007: From phishing threats to zero-day flaws, hackers have certainly developed many sophisticated ways to exploit vulnerabilities for their gain. And, as SearchSecurity.com's information security expert Ed Skoudis reveals the 2007 outlook.

John Bambenek, a Champaign, Ill.-based security professional who volunteers as a handler at the ISC, said the attackers are using one of the oldest tricks in the book and that most IT shops and users should know enough by now to avoid the trap.

"I don't see this as very monumental, but shops that have problems with users opening .exe attachments should be aware," he said. In an attack like this, Bambenek said three factors can help the bad guys: IT administrators failing to block .exe attachments, antivirus vendors being too slow in recognizing the threat and updating their signatures; and users clicking on unsolicited attachments.

Attackers may have had better luck this time around if their sense of timing were better, he said.

"This would have had more effect if were released Monday morning when people are in work and are more likely to do something stupid because they haven't had their coffee yet," Bambeneck said. "In this case, it was Easter Sunday and who's going to be in the office at that point?"

He said the ISC initially gave the attack attention because most antivirus vendors hadn't recognized the threat and updated their malware signatures accordingly. By Monday morning, however, most had done so.