Storm worm gets blogging
"Dude, what if your wife finds this? - Man you have got to tell me where you picked her up. I saw this on the web, it has to be you. see for yourself... http://www.youtube.com/watch?v=xxxxxxxxx" – blog entries such as this are currently appearing en masse, especially on Google's Blogspot. The entries are from new variants of the storm worm trojan, which is now looking for new victims in the blogosphere.
Since last weekend the Storm worm e-mails have switched from greeting-card e-mails with malware attached to the YouTube scam. The e-mails appear to contain a link to a YouTube video, but in fact direct users to a numeric IP address. The web page includes the YouTube logo and a message that the download should start in a few seconds; alternatively, users can click on a link to the alleged video on the web page themselves. The download does not of course contain a YouTube video; instead the file video.exe conceals a variant of the storm worm. According to Sophos, there is another new variant which claims to link to a previously unreleased music video on YouTube.
Blog entries containing the same text and links as the YouTube malware e-mails have now turned up. In this case too, the apparent YouTube link actually directs users to a numeric IP address. Searching Google for subject lines typically used by e-mails containing the fake YouTube links turns up numerous "contaminated" blog entries. The links to the supposed videos mostly lead nowhere, as they appear to be referencing dynamically assigned IP addresses of infected computers and these computers are at the time either offline or have already been assigned a different IP address. Should users stumble upon a working link despite this, they should definitely avoid downloading the proffered file in order not to run the risk of infecting their computers.
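As an added defensive example (not part of the original report), the following Python scans a blog post or e-mail body for links matching the lure described above: a bare numeric IP as the host, a download path ending in .exe, or displayed link text that names a different host than the real target. The sample HTML and the IP addresses in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the lure HTML, not a real capture; the addresses are
# RFC 5737 documentation ranges standing in for infected hosts.
SAMPLE_HTML = """
<p>Dude, what if your wife finds this? see for yourself...
<a href="http://203.0.113.45/video.exe">http://www.youtube.com/watch?v=xxxxxxxxx</a></p>
<p>Unreleased music video: <a href="http://198.51.100.7/">click here</a></p>
<p>Legit link: <a href="http://www.youtube.com/watch?v=abc">YouTube video</a></p>
"""

class _Anchors(HTMLParser):
    # Collects (href, visible text) pairs from <a> elements.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return [(href, reasons)] for links matching the Storm lure pattern."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, reasons = urlparse(href), []
        host = target.hostname or ""
        if host.replace(".", "").isdigit():            # dotted-quad IP, no DNS name
            reasons.append("numeric-IP host")
        if target.path.lower().endswith(".exe"):       # e.g. video.exe
            reasons.append("executable download")
        shown = urlparse(text) if "://" in text else None
        if shown and shown.hostname != host:           # displayed URL != real target
            reasons.append(f"text claims {shown.hostname}")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `suspicious_links(SAMPLE_HTML)` reports the two lure links with their reasons and leaves the genuine youtube.com link alone.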
How the storm worm is able to create these blog entries is, however, not clear. Automatic blog spamming tools such as xRumer, which is able to circumvent security mechanisms such as captchas and logins in order to dump spam comments in forums and blogs, are not unknown - xRumer is available for 450 US dollars. However the storm worm blog entries are not entered as comments, they are actual blog entries. One possibility is that the trojan has sniffed out access data for the blogs on infected computers.
In order to protect themselves from infection with the storm worm, users should exercise caution when opening e-mails and should not execute any attachments. They should also treat links within e-mails with scepticism. It is also advisable to ensure that all security updates have been installed and that up-to-date anti-virus software is being used. Further information on malware protection can be found on the heise Security anti-virus pages.
- Storm worm botnet with over 1.7 million drones, report by heise Security from 8th August 2007
- Another Storm caught on video?, blog entry on Trend Micro's blog
- OMG, check out the new video!, report on the Sophos blog
- Storm worm hits Blogger, blog entry on Sunbelt's Blog
- Google search for blog entries by the storm worm
- "Advertising video" for xRumer, an automatic blog spamming tool