Malware outbreak 'largest in almost a year'

Security firm Postini and the SANS Internet Storm Center said they are tracking a significant malware outbreak. Postini calls it the biggest email attack in almost a year.

Security organisations are tracking what's being described as the largest email attack since last year's Warezov outbreak, and the second onslaught this week to steal a page from the Storm Trojan's playbook.

Adam Swidler, senior manager of solutions marketing for San Carlos, Calif.-based security vendor Postini Inc., said bot herders are using the outbreak to expand their array of zombie machines. Those machines can then be used to push out spam, steal sensitive data from infected computers or launch other types of attacks. Initial reports from Postini's global data centers indicate that Thursday's outbreak has driven malware levels 60 times higher than average daily levels on the Internet, he added.

"IT shops need to block executable and .zip files, and users should never open an attachment from someone they don't know and trust," he said.

The outbreak is also being tracked by the Bethesda, Md.-based SANS Internet Storm Center (ISC). The ISC handlers have gotten a slew of emails with varying subject lines promising a patch for an unnamed new worm. The messages contain two attachments: a .zip file that is password-protected, and an image that includes the password for the .zip archive. Among the subject lines of the emails are:

  • Worm Alert!
  • Worm Detected Virus Alert
  • ATTN!
  • Trojan Detected!
  • Worm Activity Detected!
  • Spyware Detected!
  • Dream of You

The Postini analysis Swidler outlined is similar. The vendor has intercepted emails with "love-related" subject lines and an executable attachment that contains a Trojan horse, and emails with "Worm Alert!" in the headline with an attached .zip file with an infected payload.
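The indicators described above (subject lines from the "Worm Alert!" family, executable attachments, and a password-protected .zip shipped together with an image that carries the password) are simple enough to check at a mail gateway. The script below is an added example written for this page; it is not code from Postini or the ISC. The subject lines are the ones quoted by the ISC handlers; the sender addresses, file names, the minimal zip builder and the sample messages are constructed here for illustration, and the "encrypted" flag is detected from the zip local file header rather than by trying to open the archive.

```python
"""Gateway-style triage of the outbreak's email indicators (constructed example)."""
import zlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines reported by the SANS ISC handlers in the article.
SUSPECT_SUBJECTS = {
    "worm alert!", "worm detected virus alert", "attn!", "trojan detected!",
    "worm activity detected!", "spyware detected!", "dream of you",
}
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")
IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png")


def zip_is_encrypted(data: bytes) -> bool:
    """Walk the zip local file headers; bit 0 of the general-purpose flag means encrypted.

    Only the headers are read, so a password-protected archive is recognised
    without ever extracting it."""
    pos = 0
    while data[pos:pos + 4] == b"PK\x03\x04":
        flags = int.from_bytes(data[pos + 6:pos + 8], "little")
        if flags & 0x1:
            return True
        comp_size = int.from_bytes(data[pos + 18:pos + 22], "little")
        if flags & 0x8 and comp_size == 0:
            break  # sizes live in a trailing data descriptor; cannot walk further
        name_len = int.from_bytes(data[pos + 26:pos + 28], "little")
        extra_len = int.from_bytes(data[pos + 28:pos + 30], "little")
        pos += 30 + name_len + extra_len + comp_size
    return False


def classify(raw: bytes) -> list[str]:
    """Return the indicators found in one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        hits.append("suspect-subject")
    has_encrypted_zip = has_image = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(EXECUTABLE_EXTS):
            hits.append("executable-attachment")
        elif name.endswith(".zip"):
            if zip_is_encrypted(payload):
                has_encrypted_zip = True
            else:
                hits.append("zip-attachment")
        elif name.endswith(IMAGE_EXTS):
            has_image = True
    if has_encrypted_zip:
        hits.append("encrypted-zip-attachment")
        if has_image:
            # The pattern from the ISC report: locked archive plus an image holding its password.
            hits.append("zip-password-in-image-pattern")
    return hits


# --- constructed sample data (not real captures) -----------------------------
def make_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Build a minimal stored-entry zip local header; enough for the header walk above."""
    flags = 1 if encrypted else 0
    header = (b"PK\x03\x04" + (20).to_bytes(2, "little") + flags.to_bytes(2, "little")
              + (0).to_bytes(2, "little") + b"\x00\x00\x00\x00"
              + zlib.crc32(payload).to_bytes(4, "little")
              + len(payload).to_bytes(4, "little") * 2
              + len(name).to_bytes(2, "little") + b"\x00\x00" + name)
    return header + payload


def build_message(subject: str, attachments: list[tuple[str, str, bytes]]) -> bytes:
    """Assemble a multipart message with the given (filename, mime type, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "alerts@example.invalid"  # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please install the attached patch for the new worm.")
    for filename, mime, data in attachments:
        maintype, subtype = mime.split("/")
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return bytes(msg)


FAKE_GIF = b"GIF89a" + b"\x00" * 16  # constructed image stand-in

SAMPLES = {
    "Worm Alert!": [("patch.zip", "application/zip", make_zip(b"patch.exe", b"MZ", True)),
                    ("password.gif", "image/gif", FAKE_GIF)],
    "Dream of You": [("love.exe", "application/octet-stream", b"MZ")],
    "Quarterly figures": [("report.zip", "application/zip", make_zip(b"q.txt", b"ok", False))],
    "Lunch?": [("photo.jpg", "image/jpeg", FAKE_GIF)],
}


def scan_samples() -> dict[str, list[str]]:
    """Run classify() over every constructed sample and return subject -> indicators."""
    return {subj: classify(build_message(subj, atts)) for subj, atts in SAMPLES.items()}


if __name__ == "__main__":
    for subj, hits in scan_samples().items():
        print(f"{subj!r:22} {hits or 'clean'}")
```

The header walk reads only the local file headers, so the detector never needs the password and never extracts anything. The separate "zip-attachment" and "executable-attachment" indicators correspond to the blanket block on .zip and executable files Swidler recommends; the combined "zip-password-in-image-pattern" indicator is the more specific fingerprint of this campaign and is the one worth alerting on when a blanket block is not acceptable.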

Swidler said Thursday's outbreak was also similar to an attack earlier this week that used emails with fake messages about missile attacks starting World War III. "These attacks are all variations of the same malware family as the Storm worm that plagued email users around the world earlier in the year," he said.

When a user clicks on the attached executable, he said, a rootkit is installed that attempts to hide its presence from virus scans and disable existing antivirus applications. Then it will connect to a peer-to-peer (P2P) network where it can upload data including personal information from the infected computer and download additional malware. The infected computer then becomes a zombie that can be used to send spam and issue other attacks. At the same time that it is connecting to the P2P network, the virus will search the computer's hard drive for email addresses and begin replicating itself by sending emails to the addresses that it finds.

Swidler said the last outbreak of this size was last year's Warezov attack.
