Spammers tweak Storm worm to push PDF spam

Spammers who target enterprises are switching from image spam to emails containing PDF attachments that could eventually perform denial-of-service attacks and spread bot code.

The Storm worm is generating PDF files to escape detection by antivirus software and trick employees with emails that look like business letters, according to researchers at security vendor MessageLabs.

The PDF trend has greatly reduced the amount of image spam, but the PDF file format, which is widely used by businesses, is forcing spam filtering vendors to rapidly develop technology to distinguish PDF spam from legitimate PDF files.

While the new emails containing PDFs currently carry advertisements, they could evolve to deliver malicious code, including bot code, said Matt Sergeant, a senior antispam technologist at the UK-based MessageLabs. The malware could also be automatically downloaded on the victim's computer.

"This is something we'll be watching out for very closely," Sergeant said. "Spammers are always interested in expanding their bot networks, so it might be something that they try in the near future."

The Storm worm currently represents about 30% of all spam. Since January, the Trojan horse has been actively spreading, starting with emails exploiting concern about major European storms by adopting a wide variety of fake news headlines in email subject lines. Finnish antivirus firm F-Secure Corp. said the Trojan horse started to use kernel-mode rootkit techniques to hide its bot-spreading files, registry keys, and active network connections.

The Storm worm also recently misrepresented itself as a greeting card from family members to trick people into clicking on malicious URLs in their email inbox. It also tried to use patriotic messages during the Independence Day holiday to dupe people into getting infected.

Other security vendors have detected the new Storm worm strain. Symantec reported a decline in image spam in June. In its monthly report, the security vendor pointed to a specific PDF spam campaign as contributing to the decline.

"The PDF attachments result in messages that are very large in size," Symantec said in its Security Response blog. "We have been monitoring this throughout the past month, but it has really heated up this past week. So far, we have observed over 25 million messages that were categorized as PDF spam."

Symantec said the most prevalent type of PDF spam that was detected in the month of June was a pump and dump stock scheme. "Once open, the PDF file displays an image of a stock symbol and some text indicating it's the one to buy."

The malware's expanding presence had contributed to the skyrocketing use of image spam, which successfully bypassed many spam filters, Sergeant said.

"We see very rapid changes from exactly what its behavior is and it's been able to repurpose itself immediately," Sergeant said. "A large portion of the entire botnet is being pushed over to PDFs now."

Sergeant said that IT pros should make sure that their spam filter has PDF capability and tell employees to be suspicious of PDFs from an unknown sender.

Some current filtering software with PDF capabilities can identify malicious PDF files by checking the code within the file to determine the file structure and how it was created. Researchers are currently trying to develop a better way to eliminate PDF spam, Sergeant said.
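
A minimal sketch of the kind of structural check described above, added here as an illustration and not any vendor's filter: it walks a PDF's objects, reads the Producer field, and flags files that contain images but no text-drawing operators. The function names, the constructed sample files and the image-only heuristic are assumptions made for this example.

```python
import re
import zlib

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)\bendobj", re.S)
TEXT_OP_RE = re.compile(rb"\b(?:Tj|TJ)\b")   # PDF text-showing operators

def pdf_features(data: bytes) -> dict:
    """Structural triage of a PDF: page count, images, text, producer."""
    feats = {"pages": len(re.findall(rb"/Type\s*/Page\b", data)),
             "images": 0, "text_streams": 0, "producer": None}
    m = re.search(rb"/Producer\s*\((.*?)\)", data)
    if m:
        feats["producer"] = m.group(1).decode("latin-1")
    for body in OBJ_RE.findall(data):
        head, has_stream, rest = body.partition(b"stream")
        if re.search(rb"/Subtype\s*/Image\b", head):
            feats["images"] += 1      # image XObject: count it, skip its pixels
            continue
        if not has_stream:
            continue
        raw = rest.split(b"endstream")[0].lstrip(b"\r\n")
        if b"/FlateDecode" in head:
            try:
                raw = zlib.decompressobj().decompress(raw)
            except zlib.error:
                continue              # undecodable stream: skip, do not guess
        if TEXT_OP_RE.search(raw):
            feats["text_streams"] += 1
    feats["image_only"] = feats["images"] > 0 and feats["text_streams"] == 0
    return feats

def _obj(num: int, head: bytes, stream: bytes = None) -> bytes:
    body = b"" if stream is None else b"stream\n" + stream + b"\nendstream\n"
    return b"%d 0 obj\n%s\n%sendobj\n" % (num, head, body)

# Constructed samples (structure only, not complete viewer-ready PDFs).
IMAGE_ONLY = b"%PDF-1.4\n" + b"".join([
    _obj(1, b"<< /Type /Catalog /Pages 2 0 R >>"),
    _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
    _obj(3, b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>"),
    _obj(4, b"<< /Filter /FlateDecode >>", zlib.compress(b"q /Im0 Do Q")),
    _obj(5, b"<< /Type /XObject /Subtype /Image /Width 2 /Height 2 >>", b"\x00" * 4),
    _obj(6, b"<< /Producer (example-generator) >>"),
])
LETTER = b"%PDF-1.4\n" + b"".join([
    _obj(1, b"<< /Type /Page >>"),
    _obj(2, b"<< /Filter /FlateDecode >>", zlib.compress(b"BT (Dear customer) Tj ET")),
])
```

A production filter would also need to parse object streams and stream filters other than FlateDecode, which this sketch skips.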