'Storm' Spam Surges, Infections Climb

The "Storm worm" that blasted across the Internet late last week spread Monday as security companies repeated their warnings and raised alert levels to new highs.

Actually a Trojan downloader, the payload has been given a variety of names by antivirus vendors, including Peacomm (Symantec) and Troj/Dorf-Fam (Sophos). It arrives in widely spammed messages with several possible subject heads and as a number of differently named executable files.

Its nickname comes from one of the original spam subject heads: "230 dead as storm batters Europe."

After an initial spam blast early Friday that produced infections worldwide, the Trojan's impact fell sharply. Later spam runs, however, dumped more infected messages into in-boxes and duped an increasing number of users to launch the files and thus compromise their computers.

"This looks like a worm because of the volume of e-mail, even though it's a Trojan," says Dave Cole, the director of Symantec's security response team. "We're on spam run No. 4 now, with millions of messages having been sent so far."The large volume of infected messages spammed so far prompted Cole's company to up the threat rating to a "3" in its 1 through 5 scoring system. The last time Symantec classified a piece of malware as a "3" was in late 2005, says Cole.

"But we've also seen a number of changes [to it]," says Cole as he justified the more dire rating. The attacker "is changing the enticements, changing some of the evasion techniques, too, including encryption."

On the enticement front, the weekend's runs have been loaded onto e-mail messages with a wider variety of subject heads, including such fanciful lines as "Chinese missile shot down USA satellite," "Sadam Hussein alive!," and "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel."

"He's in a cat-and-mouse game. He's watching what we and other antivirus [companies] are doing and making adjustments," says Cole. The attacker's tactics include encrypting the peer-to-peer communication channel he's using to control the compromised PCs and rapidly modifying the packaging of the Trojan to evade detection and deletion.

As of Monday, the Trojan accounted for 8% of all infections globally. "That's not huge, but it's not small, either," says Cole.Other security companies, including Finland's F-Secure, reported Monday that they were seeing rootkit cloaking techniques in some variants. Rootkits can hide malware's files and actions from security software. Sophos, meanwhile, said that it had detected the Trojan-laden spam originating from computers in more than 80 countries.

"It's not terribly sophisticated technically," says Cole, "but it's increasingly bigger."

Security vendors have recommended that users update their antivirus signatures and, if they're using anti-spam software, that defense as well.