By Gregg Keizer
April 16, 2007
The group behind last week's massive Storm Trojan spam blast set up
Windows users with a one-two punch by switching tactics in midrun,
making the second stage's subject headings more believable, researchers
"There was a very distinct transition point" between the two stages,
said Adam Swidler, senior manager of solutions marketing at Postini Inc.
"It was a concerted effort to trick users."
The huge wave of worm-infected spam e-mails sent out starting early
Thursday had receded by about 2 a.m. Pacific Time Friday. "It petered
out around then, and spam went back to its average daily and hourly
rates," said Swidler. "We're still crunching the numbers, but it looks
like three times that of the largest in the last 12 months, around 60
million [messages] total."
Although most of the attention was paid to the attack's second phase --
when spammed messages arrived with subject headings such as "Worm
Alert!" and "Virus Activity Detected!" -- the assault began with less
alarming mail marked "Our Love Nest," "A Token of My Love" and other
The switch, speculated Swidler, was by design. "The first part was more
love-related and created the illusion of a worm attack going on," he
said. "They were able to control the mutation and do the switch so that
there was a clear point where there were almost none of the 'love'
messages. That played to the second phase."
In fact, love-labeled spam carrying variants of the Storm Trojan --
which first appeared in January and got its nickname from subject heads
touting news of damaging winter storms in Europe -- was spotted by some
security vendors last Wednesday. Trend Micro Inc.'s malware blog noted a
round of love-related spam hitting Japanese in-boxes a day before the
attack's second stage started.
Last week, Swidler called the two-part attack a "self-fulfilling
prophecy" because of the attacker's skill at setting up recipients for
the second stage, which played off fears of an actual infection to dupe
users into running the attached executable file.
When the malware executes, it installs a rootkit to cloak itself,
disables security software, steals confidential information from the PC
and adds the infected machine to a botnet of compromised computers.
Storm Trojan can also self-propagate by rooting out e-mail addresses
from the PC and sending copies of itself to those people.
However, the newly-infected PCs are staying quiet -- for the moment,
said Swidler. "They haven't immediately launched an attack off these new
bots," he said. "It looks like they're building out their inventory [of
bots]." That, though, bodes ill for the future. "It's reasonable to
assume that with these new bots, spam [volume] will only continue to
climb," said Swidler.
Subscribe to InfoSec News