Storm Worm is Back!!!
June 2008
Storm worm resurfaces, tries love angle again.

After a hiatus, the gang behind the Storm worm is attempting to exploit people’s curiosity about a fictional love interest to tempt users into downloading the malware, according to security training organization the SANS Institute.

A security expert from the SANS Institute warned on Tuesday that a Storm worm download site had been detected by security researcher ‘DavidF’. A link that contained the site’s IP address was being spammed out in emails, he wrote in a blog post. He noted that spam is being sent with the message: “‘Crazy in love with you’ hxxp://122.118.131.58”. He wrote: “I checked that site and could only find an index.html, lr.gif and loveyou.exe.”

The researcher said that index.html encourages visitors to run the ‘loveyou’ executable by asking: “Who is loving you? Do you want to know? Just click here and choose either ‘open’ or ‘run’.” Loveyou.exe is a version of the Storm worm, also known as Trojan.Peacomm.D by Symantec and Troj/Dorf-AP by Sophos. He recommended IT professionals block the IP address until it gets “cleaned up”.

The unknown gang behind the Storm botnet tried a similar technique in January in the run-up to Valentine’s Day. At the time, Sophos warned that the gang was using a social-engineering technique in an attempt to trick users into clicking on a link in a ‘Valentine’s Day’ email. Storm worm attacks then dropped off, leading some security vendors to report that the influence of Storm worm was waning. However, in May, Symantec researchers warned they had identified a number of nascent Storm worm hosting domains using fast-flux techniques to mask their URLs.