As the Storm Worm Turns, Beware of Hijacked PCs and More Spam

Printer-friendly version Email this CRN article



Symantec's Security Response blog is reporting that the "Storm worm," the trojan that brought us the "halloween.exe" attacks this week, is showing signs of subtle changes that, at first, make it look like it's becoming more benign. Until the experts looked a little closer:


Specifically, the threat no longer:

1. infects other legitimate drivers on the system. Previous variants infected drivers such as Tcpip.sys and Kbdclass.sys. This was a stealth-like feature used by the threat to start early with the operating system and without loading points in the Windows Registry.

2. injects itself into legitimate processes like Explorer.exe and Services.exe.


But then they figured out this:


The changes suggest that the authors wanted to discard some external dependencies they had on legitimate system components. This may have been in an effort to reduce complexity and hints that perhaps there were stability issues with the previous variant in terms of manipulating legitimate system drivers. In other words, the authors are going back to basics. They are streamlining the threat, making it less complex and more stable. It is also likely that by simplifying the underlying architecture it will be easier to update it in future.


They write that it's likely we'll see "infection rates" continuing steadily and that "it doesn't look like it's petering out any time soon."
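One check a Windows administrator can run against the driver-infection behaviour Symantec describes above is to verify the signatures of the drivers named as targets of the earlier variants. This is an added example, not code from the CRN article or from Symantec's post; it assumes a Windows host with PowerShell and the built-in Get-AuthenticodeSignature cmdlet.

```powershell
# Added example: report the Authenticode signature status of the two drivers
# the Symantec post names (Tcpip.sys, Kbdclass.sys). A driver that has been
# patched on disk will no longer carry a valid Microsoft signature.
$driverNames = @('Tcpip.sys', 'Kbdclass.sys')
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'

foreach ($name in $driverNames) {
    $path = Join-Path $driverDir $name
    if (-not (Test-Path $path)) {
        Write-Output ("{0}: not present" -f $name)
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Write-Output ("{0}: {1}; signer={2}" -f $name, $sig.Status, $signer)
}

# Caveat: on older Windows releases in-box drivers are signed via catalog
# files rather than embedded signatures, so a NotSigned status by itself is
# not proof of tampering. Cross-check a suspicious file with the built-in
# System File Checker, e.g.  sfc /verifyfile=C:\Windows\System32\drivers\Tcpip.sys
```

Run it from an elevated prompt on a machine you administer; a Valid status from a Microsoft signer is the expected result for both files.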

Keep that thought in mind when you check your email inbox, and notice the amount of spam that needs tackling. Marshall Trace, which tracks worldwide spam, is on record with this: "We estimate that up to 20 percent, perhaps more, of the total spam we see originates from the Storm botnets."

Max, who writes at, isn't mincing words. ". . . (T)he gang of criminals behind the Storm Trojan has used special events to draw unsuspecting users to infected websites. The sites are set up specifically to use browser exploits to infect a visitor with a copy of the botnet program. The gang has used topics ranging from the Fourth of July, the NFL season and greeting cards as hooks to lure spam recipients to the malicious sites." He says Storm Worm has unleashed botnets that now control thousands of PCs.

And the biggest greeting card season of the year is only beginning.
