The Storm Worm would love to infect you

Summary:The Storm Worm malware is back in the game, with its most recent campaign currently active and trying to entice users into executing iloveyou.exe by spamming them with links to already infected hosts acting as web servers, next to SQL injecting malicious domains into legitimate sites for the campaign to scale faster.

The Storm Worm malware is back in the game, with its most recent campaign currently active and trying to entice users into executing iloveyou.exe by spamming them with links to already infected hosts acting as web servers, next to SQL injecting malicious domains into legitimate sites for the campaign to scale faster.

The Storm Worm Malware

What has changed compared to previous campaigns? Storm Worm is back in the SQL injection attack phrase, with tellicolakerealty .cn/ind.php iframe injected at a small of sites for the time being. Moreover, assessing the storm worm infected hosts can only be done if you spoof your user agent to Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921), otherwise you will get no indication for any kind of malicious activity going on. Furthermore, despite that there are no exploits used at the infected hosts but, a heavily obfuscated HTML/Rce.Gen was detected in their injected domain which would load automatically upon someone visiting an already injected site.

The Storm Worm Malware

These are the most recent detection rates for both, the binary, and the javascript obfuscation :

Javascript obfuscation Scanners result : 6/32 (18.75%) HTML/Rce.Gen; Packed.JS.Agent.a

iloveyou.exe Scanners result : 10/32 (31.25%) Email-Worm.Win32.Zhelatin.yu; Trojan.Peed.PJ

Compared to the previous event-based social engineering campaigns on behalf of Storm Worm, the latest wave of malware isn't thematic at all. It remains to be seen whether or not they would start emphasizing on SQL injections to acquire new infected hosts given the success of the copycats and the Asprox botnet, or continue using email as the primary distribution vector.

Topics: Malware, Browser, Hardware, Security, Servers, Software, Windows

About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.