Anti-virus vendors missed the fact that the most massive worm attack in months has a secondary payload that has sent millions of pharmaceutical spam messages, a security intelligence company revealed Tuesday.
The Stration worm, aka Warezov, has been topic number one for anti-virus firms for almost three months, but until recently they hadn't figured out that the malware kicks into second gear about six hours after it's installed. Then, said Reston, Va.-based VeriSign iDefense, it begins sending massive amounts of spam touting Viagra, Xanax, and Propecia prescription medicines.
"Lots of AV vendors have been saying that Stration doesn't have a payload," said Mike La Pilla, an iDefense analyst. "But it does. It just takes six hours. Then it contacts a different domain, downloads a spamming Trojan, and starts sending mail."
If a user launches the file attached to the original e-mail, a small Trojan downloader executes, searches out the domain of a remote server, and downloads the Stration/Warezov worm. Stration, in turn, then replicates by grabbing e-mail addresses off the compromised system. Only later does it seek out a second domain for the spam bot.
Stration's been pegged by many analysts as the malware behind a recent explosion in spam rates, and in the number of bots detected on the Internet. IDefense's analysis, La Pilla said, backs that up.