Even malware decides to go tabloid

23 Jan 2007

An escalation in spam has been forecast by Commtouch in the wake of emails containing the Storm worm, so named because the emails made use of media coverage of the recent European storm in the subject line.

The recent spate of malware-containing emails used tabloid-style headlines in the subject lines such as “230 dead as storm batters Europe”, “First nuclear act of terrorism!” and “hugo chavez dead” to lure users into opening the emails and downloading attached files with names like “full clip.exe” and “read more.exe”.

This technique, increasingly deployed by malware writers, is known as social engineering.

“We expect an escalation in spam post-Storm,” predicted Commtouch chief technology officer Amir Lev. “The malware is distributed to set up a network of infected zombie computers, which can then be used to launch massive spam campaigns.”

The Storm worm comprises a staggering number of distinct, low-volume variants, released from multiple sources both simultaneously and in quick succession at short time intervals, Commtouch said. The outbreak follows the trend that developed in 2006 with malware families such as Stration/Warezov, Feebs, Scanio, Tibs/Nuwar and others.

“In addition to using subject lines based on current events, this server-side polymorphic worm consists of thousands of distinct variants, ranging from just a few instances [copies of the same code in recurrent messages] to very high volumes of instances per variant,” said Haggai Carmon, Commtouch vice-president of products. “By distributing so many variants simultaneously, the malware distributors overwhelm signature-based antivirus engines, effectively guaranteeing that they will not block them.”

Commtouch said it identified and blocked over 5,000 distinct variants during the first four days of the Storm worm activity, and there were time periods during those days when the malware accounted for nearly 17pc of all global internet email traffic.

“Malware writers know they have limited time before an antivirus signature or heuristic will be created to block any mass-distributed malware, so they break the outbreak into thousands of variants and distribute in smaller numbers of instances to maximise infection,” Carmon explained. “Once antivirus engines battled to get a signature out within the first few hours of the outbreak; now the hard truth is that even these signatures are becoming ineffective at protecting against the first wave of each new variant. In the time it takes to write and distribute each new signature, thousands of newer variants are launched against which the signature does not protect.”
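To make the arithmetic behind Carmon's point concrete, the following is an added illustration (not Commtouch's code and not part of the original article) that simulates thousands of hash-distinct attachment variants and compares a hash-based signature list, which has only seen the first few, with a content-agnostic mail rule keyed on executable attachments and the lure subject lines quoted above. The variant payloads, the rule and the extension list are constructed assumptions for the demonstration.

```python
import hashlib

# Lure subject lines and attachment names are those quoted in the article;
# everything else below is constructed sample data.
LURE_SUBJECTS = {
    "230 dead as storm batters Europe",
    "First nuclear act of terrorism!",
    "hugo chavez dead",
}
LURE_ATTACHMENTS = ["full clip.exe", "read more.exe"]
# Assumed list of extensions Windows treats as directly executable.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com")


def make_variants(n):
    """Simulate server-side polymorphism: n payloads that differ by a few bytes,
    so each one has a different cryptographic hash (constructed, not real malware)."""
    return [b"STUB-PAYLOAD-" + str(i).encode() for i in range(n)]


def hash_blocklist(known_payloads):
    """A signature engine that knows only the hashes it has already seen."""
    return {hashlib.sha256(p).hexdigest() for p in known_payloads}


def blocked_by_hash(payload, blocklist):
    return hashlib.sha256(payload).hexdigest() in blocklist


def blocked_by_heuristic(subject, attachment_name):
    """Content-agnostic rule: an executable attachment arriving under a
    current-events lure subject is held, whatever bytes the file contains."""
    is_executable = attachment_name.lower().endswith(EXECUTABLE_EXTENSIONS)
    return is_executable and subject in LURE_SUBJECTS


def compare(n_variants, n_known):
    """Return (hash_hits, heuristic_hits, total) over n_variants messages when the
    signature engine has seen only the first n_known payloads of the outbreak."""
    variants = make_variants(n_variants)
    blocklist = hash_blocklist(variants[:n_known])
    subjects = sorted(LURE_SUBJECTS)
    hash_hits = heuristic_hits = 0
    for i, payload in enumerate(variants):
        subject = subjects[i % len(subjects)]
        attachment = LURE_ATTACHMENTS[i % len(LURE_ATTACHMENTS)]
        hash_hits += blocked_by_hash(payload, blocklist)
        heuristic_hits += blocked_by_heuristic(subject, attachment)
    return hash_hits, heuristic_hits, n_variants
```

With 5,000 variants and a signature list that has seen the first 50, the hash check stops 50 messages while the structural rule stops all 5,000; a benign message with a PDF attachment passes the rule untouched.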

By Niall Byrne