Storm Trojan variant spreads in blogs, forums, Webmail

A new variant of the "Storm" Trojan is injecting its 'invitation' into blogs, Web-based message forums and Webmail.

Dmitri Alperovitch, principal research scientist at Secure Computing, said Tuesday that the Trojan -- best known as the "Storm worm" but also dubbed "Peacomm" and other names by anti-virus vendors -- is using a novel approach to spread. "This is a really neat twist, through the Web channel," said Alperovitch.

An initial infection is still carried out via e-mail, which offers a link that, when clicked, downloads a number of malware components to the victim’s machine. Once on a PC, however, the malicious code injects itself into the network stack as a rootkit and analyses all outbound Web traffic.

"It has hooks for boards, e-mail, and blogs," said Alperovitch. When a user on an infected PC posts a message to a forum or blog, or sends a message via a popular Web-based mail service such as Hotmail, Gmail or Yahoo Mail, the Trojan adds text to the entry or message.

"It inserts 'Have you seen this link?' along with a link to what seems to be a video," Alperovitch said. There is no video: anyone who clicks the link ends up with an infected system of their own.

The Trojan is not targeting particular sites. Instead, Alperovitch said, the "code is generic enough to work on lots of sites." Secure Computing has seen evidence of the bogus posting on message forums, including one for Men's Health, as well as in "thousands of blog entries," said Alperovitch.
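What a network-side check for this behaviour could look like, as an added example in Python (not code from Secure Computing, Morse or the article): an egress proxy or sensor that can see plaintext POST bodies splits a form-encoded submission into its fields, looks for the reported lure phrase followed by a URL, and raises an alert only when the lure sits at the very tail of a field, which is the append behaviour described above. The regex is an assumption (the article gives only the phrase), and the hostnames, field names and sample request bodies are constructed for the example.

```python
"""Flag outbound forum/blog/webmail posts carrying a Storm-style appended lure.

Added example; the lure phrase is the one reported in the article, everything
else (pattern details, hostnames, field names, sample traffic) is constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

# Reported lure phrase followed by the planted link.  Case-insensitive and
# tolerant of a missing '?' (assumption: the article only gives the phrase).
LURE_RE = re.compile(
    r"have you seen this link\??\s*(?P<url>https?://[^\s<>\"']+)",
    re.IGNORECASE,
)


def _form_fields(body: str, content_type: str) -> dict:
    """Split a form-encoded body into fields; scan anything else as one blob."""
    if content_type.split(";")[0].strip().lower() == "application/x-www-form-urlencoded":
        return parse_qs(body, keep_blank_values=True)
    return {"<body>": [body]}


def find_injected_lures(body: str, content_type: str) -> list:
    """Return one dict per lure found in an outbound POST body.

    Each hit records the form field, the planted URL, its host and whether the
    lure sits at the end of the field (the append behaviour the trojan shows)
    rather than somewhere a user could plausibly have typed it themselves.
    """
    hits = []
    for name, values in _form_fields(body, content_type).items():
        for value in values:
            for m in LURE_RE.finditer(value):
                hits.append({
                    "field": name,
                    "url": m.group("url").rstrip(".,;)"),
                    "host": urlparse(m.group("url")).hostname,
                    "appended": value.rstrip().endswith(m.group("url")),
                })
    return hits


def scan_requests(requests: list) -> list:
    """Run the check over captured POSTs; alert only on the appended case.

    `requests` holds dicts with keys src, host, path, content_type, body.
    Restricting alerts to appended lures keeps a user who merely quotes the
    phrase in mid-message from tripping the detector.
    """
    alerts = []
    for req in requests:
        for hit in find_injected_lures(req["body"], req["content_type"]):
            if hit["appended"]:
                alerts.append({
                    "src": req["src"],
                    "posted_to": req["host"] + req["path"],
                    "field": hit["field"],
                    "lure_host": hit["host"],
                })
    return alerts


# Constructed sample traffic, not real captures.
SAMPLE_POSTS = [
    {   # forum reply with the lure appended to the message body
        "src": "10.0.5.23", "host": "forum.example.test", "path": "/post.php",
        "content_type": "application/x-www-form-urlencoded",
        "body": "subject=Re%3A+training+plan&message=Thanks+for+the+tips."
                "+Have+you+seen+this+link%3F+http%3A%2F%2Fvideo.example.invalid%2Fclip.exe",
    },
    {   # clean webmail send
        "src": "10.0.5.24", "host": "mail.example.test", "path": "/send",
        "content_type": "application/x-www-form-urlencoded",
        "body": "to=bob%40example.test&body=See+you+at+the+meeting+tomorrow.",
    },
    {   # user quoting the phrase mid-message: matched, but not appended
        "src": "10.0.5.25", "host": "blog.example.test", "path": "/comment",
        "content_type": "application/x-www-form-urlencoded",
        "body": "comment=Someone+wrote+%22have+you+seen+this+link%3F"
                "+http%3A%2F%2Fwww.example.test%2F%22+and+I+ignored+it.",
    },
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_POSTS):
        print(alert)
```

Only the first sample produces an alert; the third matches the pattern but the lure is not at the tail of the field, so it is reported by `find_injected_lures` and dropped by `scan_requests`. A real deployment would also need to see inside TLS (or run on the endpoint) and would handle multipart bodies, which this example does not.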

Donal Casey, a security consultant at services firm Morse, urged businesses to consider blocking access to blogs and bulletin boards to prevent the inadvertent downloading of malicious content.

“If access to the most common blog and bulletin board websites can’t be blocked for business reasons then organisations need to use technology that can assess if a website contains malicious content and either remove the content before the page is displayed or block access to the entire website if it is detected.”

The Trojan has been making the rounds since late January. It got its "storm" name from the subject line of the initial e-mails, which referred to a wave of bad weather sweeping across Europe at the time.

Since then, it has been collecting compromised PCs into a botnet that can be used for sending spam. Other malware downloaded to infected machines tries to steal passwords or uses the PC to launch distributed denial-of-service (DDoS) attacks.
