Security Watch | Matt Hines » Storm worm will continue to turn

August 17, 2007

Storm worm will continue to turn

If you haven't noticed, your spam folder -- if not your inbox -- has probably been packed with attacks disguised as eCards over the last several weeks.

Many security researchers have been warning of the new attack surge and have highlighted the fact that it is both being propagated by the well-known Storm Worm and being used to install the very botnet software that serves as the P2P virus's foundation.

While the eCard disguise is hardly a new approach for hackers, some researchers feel that it is likely reeling in a fair number of victims, based on the sheer number of messages being generated and the fact that the platform is such a tailor-made vehicle for this use -- in that eCards are designed to look like they come from someone you know, yet are delivered by an unfamiliar, seemingly innocuous third-party source.

In addition to being highly likely to confuse some less savvy end users, the new wave of Storm activity is likely being carried out by the same gang that created the original version of the worm, said Randy Abrams, director of technical education at security software vendor Eset.

The social engineering technique is a hallmark of the work carried out by the Storm Worm Gang, which is believed to operate out of Russia, he said.

"These guys are very active in doing their own social engineering, so it's very probable that a lot of the recent eCard, pump-and-dump and pharmaceutical attacks that are showing up are coming from the original group," Abrams said. "Most of the spam that's being used to deliver this stuff is the result of zombie PCs infected by Storm, and most of the new eCards are designed to infect computers to make even more zombies."

Some of the pump-and-dump activity may have been the result of efforts by the botnet owners to rent out their network to others, but the original group is the one that appears to be continuing to reap the profits of Storm, the researcher said.

Putting a stop to the threat isn't going to be an easy process for anyone, but in order to quell the attack, large ISPs need to get more involved in the hunt, Abrams contends.

"Eventually maybe this group will move on to a different worm, maybe they will be forced to change tactics as technology evolves to slow it down, but right now with the size of this botnet and its P2P delivery model there's not a head to cut off," he said. "Eventually the ISPs will need to do some serious filtering, but part of the problem is that in some countries [notably France] they're not even allowed to do that; some of these countries need to review their privacy laws."

Unsurprisingly (given his title), Abrams believes that the only way to help stop the spread of such attacks is to begin doing a better job of educating younger people about social engineering techniques, perhaps even going so far as to do so when they are elementary-school-aged children.

"With the advent of computers and massive anonymous communications the social engineering threat is always going to be more prevalent, and we really need to make people aware of this as early on as we can," he said.

Posted by Matt Hines on August 17, 2007 01:56 PM

