Symantec: Evolved Storm worm attack brewing

The malware which contributes compromised machines to the Storm botnet now has two further possible avenues of attack, claims Symantec
Written by Tom Espiner, Contributor

Security vendor Symantec has warned that the Storm worm, the malware which contributes to the Storm botnet, is continuing to evolve and now has two further possible avenues of attack.

A number of nascent Storm hosting domains using fast-flux techniques to mask their URLs have been identified by the security company, which issued a warning on Monday. Fast-flux service networks are networks of compromised computer systems with public DNS records that are constantly changing, making it more difficult to track and control criminal activities.

The security vendor claimed that these domains so far do not directly attempt to upload attack code. However, modifying the URL runs a script which attempts to exploit vulnerabilities in various applications, including Microsoft Internet Explorer, RealNetworks RealPlayer, AOL and MySpace.

The two possible avenues of attack are spam with links to the as-yet-unlinked-to fast-flux sites or injecting malicious iFrame tags into legitimate websites, which would download malware onto users' machines, warned Symantec. However no such spam has been reported, the security specialist claimed.

"What's interesting about this is that we have yet to come across any spam that may result in people visiting these domains," wrote Symantec vulnerability researcher Vikram Thakur in a blog post. "This is very unusual. It is also interesting to note the move from simply using social-engineering techniques to spread malware to actually exploiting vulnerabilities. In the past, the Storm worm authors would directly link to malware on websites or within spam emails. The malware wouldn't check for any particular vulnerability before planting its seed."

Thakur noted that third-party applications rather than operating-system vulnerabilities were being targeted but that "only time will allow the method employed in this wave of attacks to be confirmed".

Some security vendors have reported that the influence of Storm is waning. Storm researcher Jon Stewart, director of malware research for security vendor SecureWorks, wrote on 8 April that the Storm botnet was "only a fraction of its former self and is rapidly becoming a minor player." However, Stewart noted that the botnet was still capable of sending over three billion spams per day.

The Storm worm botnet, a network of compromised computers, has been estimated to control between one million and five million machines, which one researcher said makes it more powerful than IBM's Blue Gene/L supercomputer. The original Storm worm code, which appeared on 19 January, 2007, derived its name from the fact that the first spam linking to the malware coincided with a severe winter storm in Europe.

Editorial standards