This morning we posted yet another alert on a new Storm spam variant. That is the 10th alert we have posted, and the third in three weeks. The “Storm” is morphing faster than ever.
The Storm Worm is so named because it first appeared in January 2007 with “newsy” subject lines of storms battering Europe. In these original forms, the malicious code was attached to the email in the form of an executable file. Because it did not self-replicate, technically it was not a worm but a Trojan that was distributed using existing spam botnets. Soon after, further ‘Storms’ arrived with themes revolving around fake virus alerts and love postcards.
In July 2007, the Storm gang changed tactics. They moved away from attaching a malicious file to merely providing a URL link in a fake greeting card. The links pointed to websites hosting malicious code that exploited browser vulnerabilities and, just in case, also provided a handy link should you choose to download and run the Trojan manually.
Since the long run of fake greeting cards in July, we have seen several variations, all of them using neat social engineering to entrap unsuspecting users. Themes have included 4th July celebrations, ‘hot pictures’, ‘membership confirmation’ and now YouTube videos.
Over the last few weeks the Storm Trojan spam has accounted for anywhere between 1% and 7% of all spam received. On top of that, the Storm is linked with spam-sending botnets. At our TRACE spam honeypots, we observe that several of the leading types of spam have all the hallmarks of Storm. We estimate that up to 20%, perhaps more, of the total spam we see originates from the Storm botnets.
Back in July, we commented on the increase in malware activity and predicted that spam was likely to increase as a result. Unfortunately, this has proved true. Our measure of spam volume, the Marshal Spam Volume Index, has recently reached another all-time high. In particular, there has been a strong increase in spam since early July, when the Storm greeting card spam arrived in force. The Storm gang is prolific; certainly it is one of the major players in the spamming world.