Storm e-mail worm evolves as it wreaks havoc on Net

August 3rd, 2007

USA TODAY

By Byron Acohido, USA TODAY


LAS VEGAS — Like a summer cyclone gathering force, the Storm e-mail worm is casting an expanding shadow on the Internet.

Storm first spread to e-mail in-boxes in Europe and the USA in January — enticing recipients to click on a link for a fake news story about a deadly storm or other dramatic event. Clicking on the link turned the PC over to Storm’s controller.

As security companies began blocking such e-mail, Storm instead started sending out links to tainted e-cards purportedly from family or friends.

“It’s the perfect example of the cat-and-mouse game where the author modifies the threat to stay ahead,” says Ben Greenbaum, senior researcher at anti-virus supplier Symantec. (SYMC)

At the Black Hat security conference here, Atlanta-based security firm SecureWorks said Thursday that it has blocked 20 million copies of Storm from hitting e-mail in-boxes at its 1,800 clients since June.

New versions of Storm continue to swamp e-mail in-boxes. Clicking a tainted link causes the victim’s PC to be quietly added to a sprawling network of infected “bot” PCs, says SecureWorks senior researcher Joe Stewart.

Storm’s controller has used this bot network to relay millions of e-mail messages hyping cheap shares in obscure public companies. The crooks, of course, own shares in the companies. Once the spam drives up the price, they dump the shares at a profit.

Stewart has done groundbreaking work tracking Storm’s pump-and-dump activities. The number of active Storm bots zoomed to 1.7 million by the end of July, up from 2,815 at the end of May.

Security firms have tried to stem Storm’s damage by setting up decoy systems, called honeypots, typically run as virtual machines, to receive the e-mails carrying fake e-cards and capture whatever the links deliver. Filters can then be put in place to block such e-mail. But Storm’s author quickly adjusted. The latest version checks whether it is running inside a virtual machine and, if so, does not infect it, so the honeypot never sees the live payload.
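The article does not say which checks Storm performs to recognize a virtual machine. As an added example (not code from the article, Storm, or any of the firms quoted), the script below enumerates the kind of artifacts that generic VM-detection code commonly looks for on a Linux honeypot: the CPUID “hypervisor” flag as exposed in /proc/cpuinfo, the DMI system-vendor string, and the IEEE OUI prefixes that hypervisor vendors assign to virtual network cards. The vendor-string list and OUI table are assumptions drawn from published vendor assignments and are illustrative rather than exhaustive; the point is to show a honeypot operator what a sample could see, so those artifacts can be masked before the next wave arrives.

```python
"""Enumerate VM artifacts a sandbox-aware sample could use to spot a honeypot.

Added example; it is not Storm's code and the article does not describe
Storm's actual checks. The indicator lists are assumptions (well-known,
but not exhaustive). Run it on a Linux honeypot to see what is exposed.
"""
import glob
from pathlib import Path

# DMI/SMBIOS vendor substrings reported by common hypervisors (assumption: illustrative list)
VM_DMI_VENDORS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen",
                  "parallels", "bochs")

# IEEE OUI prefixes registered to hypervisor vendors for virtual NICs (assumption: illustrative)
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:16:3e": "Xen",
    "00:15:5d": "Hyper-V", "00:1c:42": "Parallels",
}


def cpuinfo_has_hypervisor_flag(cpuinfo_text):
    """True if any 'flags' line lists 'hypervisor' (CPUID leaf 1, ECX bit 31)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, flags = line.partition(":")
            if "hypervisor" in flags.split():
                return True
    return False


def dmi_vendor_hint(vendor_text):
    """Return the hypervisor keyword found in a DMI vendor string, or None."""
    low = vendor_text.strip().lower()
    for vendor in VM_DMI_VENDORS:
        if vendor in low:
            return vendor
    return None


def mac_vendor_hint(mac):
    """Return the hypervisor vendor for a MAC's OUI prefix, or None."""
    oui = mac.strip().lower().replace("-", ":")[:8]
    return VM_MAC_OUIS.get(oui)


def assess(cpuinfo_text, dmi_vendor, macs):
    """Combine the three indicators into a dict of exposed artifacts.

    Only artifacts that point at a VM are included, so an empty dict means
    none of these particular checks would give the honeypot away.
    """
    findings = {}
    if cpuinfo_has_hypervisor_flag(cpuinfo_text):
        findings["cpuid_hypervisor_flag"] = True
    vendor = dmi_vendor_hint(dmi_vendor)
    if vendor:
        findings["dmi_vendor"] = vendor
    for mac in macs:
        hint = mac_vendor_hint(mac)
        if hint:
            findings.setdefault("vm_mac_ouis", []).append((mac, hint))
    return findings


def collect_from_host():
    """Read the live indicators from a Linux host; missing files are tolerated."""
    def read(path):
        try:
            return Path(path).read_text()
        except OSError:
            return ""
    cpuinfo = read("/proc/cpuinfo")
    dmi = read("/sys/class/dmi/id/sys_vendor")
    macs = [read(p).strip() for p in glob.glob("/sys/class/net/*/address")]
    return assess(cpuinfo, dmi, [m for m in macs if m])


if __name__ == "__main__":
    exposed = collect_from_host()
    if exposed:
        print("VM artifacts visible to a sample on this host:")
        for key, value in exposed.items():
            print(f"  {key}: {value}")
    else:
        print("None of the checked artifacts betray a VM on this host.")
```

The detection side is deliberately split into pure functions that take text, so the same checks can be run against captured data from other honeypots (or fed constructed samples) without having to be on the box. Masking the artifacts it reports, for example by setting a non-vendor MAC on the virtual NIC and overriding the DMI strings in the hypervisor configuration, is what lets a honeypot keep receiving the live payload from a VM-aware sample.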

None of the techniques Storm’s author has used are new. But combining them toward a single goal has never been done on this scale.

“They are sending it out very aggressively,” says Mikko Hypponen, senior researcher at anti-virus firm F-Secure.

Storm has resulted in far and away the largest bot network ever measured, Stewart says. He worries that the author has other profit-making activities in mind.

“It could be the hacker is rapidly building up the botnet so it can be leased to other hackers, so that they can launch massive attacks against whatever target they choose,” he says.

Stewart’s advice: Keep anti-virus software up to date and be suspicious of any e-mail attachment or link, even from what appears to be a familiar source.