Virus alert - Storm Worm

[JonB2]

The first big attack of 2007

Many home PC users may have been infected after a large-scale sustained Trojan horse attack that took place over the weekend, security vendors believe.

The Trojan, named 'Storm Worm' by antivirus vendor F-Secure, first started to spread last Friday as extreme storms engulfed Europe. The email claimed to include breaking news about the weather, in an attempt to get people to download an executable file.

Over the weekend there were six subsequent waves of the attack, with each email attempting to lure users into downloading an executable by promising a topical news story. There were emails that purported to carry news of an as-yet-unconfirmed missile test by the Chinese against one of its weather satellites, and emails reporting that Fidel Castro had died.

Each new wave of emails carried different versions of the Trojan horse, according to F-Secure. Each version also contained the capability to be updated, in an attempt to stay ahead of antivirus vendors.

Mikko Hypponen, director of antivirus research at F-Secure, said: "When they first came out, these files were pretty much undetectable by most antivirus programs. The bad guys are putting a lot of effort into it - they were putting out updates hour after hour."

As most businesses tend to strip executable files out of emails they receive, Hypponen said he expected companies would not be overly affected by the attacks.

However, F-Secure said hundreds of thousands of home computers could have been affected across the globe.

Once a user downloads the executable file, the code opens a backdoor in the machine which means it can be remotely controlled, while installing a rootkit that hides the malicious program. The compromised machine becomes a zombie in a network called a botnet. Most botnets are currently controlled through a central server, which - if found - can be taken down to destroy the botnet. However, this particular Trojan horse seeds a botnet that acts in a similar way to a peer-to-peer network, with no centralised control.

This is not the first botnet to use these techniques. However, Hypponen called this type of decentralised botnet "a worrying development".

Antivirus vendor Sophos called Storm Worm the "first big attack of 2007", with code being spammed out from hundreds of countries. Graham Cluley, senior technology consultant for Sophos, said the company expected more attacks over the coming days, and said the botnet would most likely be hired out for spamming and adware propagation, or be sold to extortionists to launch distributed denial of service attacks.

The recent trend has been toward highly targeted attacks on individual institutions. Mail services vendor MessageLabs said this current malicious campaign is "very aggressive" and said the gang responsible is probably a new entrant to the scene, hoping to make its mark.

None of the anti-malware companies interviewed said they knew who was responsible for the attacks, or where they had been launched from.

JB