Many home PC users may have been infected after a large-scale sustained
Trojan horse attack that took place over the weekend, security vendors believe.
The Trojan, named "Storm Worm" by antivirus vendor F-Secure, first started
to spread on Friday as extreme storms engulfed Europe. The e-mail claimed to
include breaking news about the weather, in an attempt to get people to download
an executable file.
Over the weekend there were six subsequent waves of the attack, with each
e-mail attempting to lure users into downloading an executable by promising a
topical news story. There were e-mail that purported to carry news of an
as-yet-unconfirmed missile test by the Chinese against one of its weather
satellites, and others reporting that Fidel Castro had died.
Each new wave of e-mail messages carried different versions of the Trojan horse,
according to F-Secure. Each version also contained the capability to be updated,
in an attempt to stay ahead of antivirus vendors.
"When they first came out, these files were pretty much undetectable by most
antivirus programs," said Mikko Hypponen, director of antivirus research at
F-Secure. "The bad guys are putting a lot of effort into it--they were putting out updates hour after hour."
As most businesses tend to strip executable files out of e-mail they
receive, Hypponen said he expected that companies would not be overly affected
by the attacks.
However, F-Secure said that hundreds of thousands of home computers could have been affected across the globe.
Once a user downloads the executable file, the code opens a backdoor in the
machine which that it to be remotely controlled, while installing a rootkit that
hides the malicious program. The compromised machine becomes a zombie in a
network called a botnet. Most botnets are currently controlled through a central
server, which--if found--can be taken down to destroy the botnet. However, this
particular Trojan horse seeds a botnet that acts in a similar way to a
peer-to-peer network, with no centralized control.
Each compromised machine connects to a list of a subset of the entire
botnet--around 30 to 35 other compromised machines, which act as hosts. While
each of the infected hosts share lists of other infected hosts, no one machine
has a full list of the entire botnet--each has only a subset, making it
difficult to gauge the true extent of the zombie network.
This is not the first botnet to use these techniques. However, Hypponen
called this type of botnet "a worrying development".
Antivirus vendor Sophos called Storm Worm the "first big attack of 2007",
with code being spammed out from hundreds of countries. Graham Cluley, senior
technology consultant for Sophos, said the company expected more attacks over
the coming days, and that the botnet would most likely be hired out for
spamming, adware propagation, or be sold to extortionists to launch distributed denial-of-service attacks.
The recent trend has been toward highly targeted attacks on individual
institutions. Mail services vendor MessageLabs said that this current malicious
campaign was "very aggressive", and said that the gang responsible was probably
a new entrant to the scene, hoping to make its mark.
None of the anti-malware companies interviewed said they knew who was
responsible for the attacks, or where they had been launched from.