/>
X

Storm worming its way through love

After a hiatus, the gang behind the Storm worm is attempting to exploit people's curiosity about a fictional love interest to tempt users into downloading the malware, according to security training organisation the Sans Institute.
tom-espiner.jpg
Written by Tom Espiner, Senior Reporter on

After a hiatus, the gang behind the Storm worm is attempting to exploit people's curiosity about a fictional love interest to tempt users into downloading the malware, according to security training organisation the Sans Institute.

Donald Smith, a security expert from the Sans Institute, warned on Tuesday that a Storm worm download site had been detected by security researcher "DavidF". A link that contained the site's IP address was being spammed out in emails, wrote Smith in a blog post.

He noted that spam is being sent with the message: "'Crazy in love with you' hxxp://122.118.131.58". Smith wrote: "I checked that site and could only find an index.html, lr.gif and loveyou.exe."

Smith said that index.html encourages visitors to run the "loveyou" executable by asking: "Who is loving you? Do you want to know? Just click here and choose either 'open' or 'run'." Loveyou.exe is a version of the Storm worm, also known as Trojan.Peacomm.D by Symantec and Troj/Dorf-AP by Sophos. Smith recommended IT professionals block the IP address until it gets "cleaned up".

The unknown gang behind the Storm botnet tried a similar technique in January in the run up to Valentine's Day. At the time, Sophos warned that the gang was using a social-engineering technique in an attempt to trick users into clicking on a link in a "Valentine's Day" email.

Storm worm attacks then dropped off, leading some security vendors to report that the influence of Storm worm was waning. However, in May, Symantec researchers warned they had identified a number of nascent Storm worm hosting domains using fast-flux techniques to mask their URLs.

The original Storm worm code, which appeared on 19 January, 2007, derived its name from the fact that the first spam linking to the malware coincided with a severe winter storm in Europe.

Related

This is the ultimate security key. Here's why you need one
Yubikey 5C NFC

This is the ultimate security key. Here's why you need one

Security
Azure's capacity limitations are continuing. What can customers do?
azurecapacitylimits

Azure's capacity limitations are continuing. What can customers do?

Cloud
Four more apps that infected thousands of Android devices with malware removed from Google Play store
a-concerned-woman-looking-at-her-smartphone-getty.jpg

Four more apps that infected thousands of Android devices with malware removed from Google Play store

Innovation