Friday, 7 September 2007

Storm Botnet

A new bot has been spotted in the wild: STORMBOT. I will try to collect a good deal of information about it here.

iSECURE:
We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.

THNX FS @ Ryan :
A new round of Storm Worm attacks is playing on people's paranoia against being watched online.

This time the lure leads users to a "TOR download" page, which is... surprise, surprise... fake.


Clicking on the button in that webpage will download a malicious file called tor.exe into the system. This file is already detected as Email-Worm:W32/Zhelatin.IL.

Do note that the real TOR application is hosted on http://tor.eff.org/. For those unfamiliar with it, it is a system designed to enable its users to communicate anonymously over the Internet.

THNX FS @ ryan:

Stormbot Hits Blogger:
Researchers have discovered the Storm Trojan nestled in hundreds of blog sites in Google's Blogger network, according to an article in Dark Reading. And this isn't simple comment spam, but actual blogs that post spam, and now, Storm executable files. A researcher who's been tracking the Storm-infested blog sites says he's working with Google to clean up this latest appearance of Storm.

Careful whose blog you're reading these days: Researchers have discovered the Storm Trojan nestled in hundreds of blog sites in Google's Blogger network.

This Storm infection is not simple comment spam, where spammers post their junk messages and malware as blog comments. "These are blogs that post spam," says Alex Eckelberry, CEO of Sunbelt Software, who has been studying the posts. He says he hasn't seen any legitimate blog sites being hacked and sprinkled with Storm, but he's still researching the trend.

Eckelberry, who first discovered Storm executable files on several blogger sites this week, says Storm is showing up on blogs that use the mail-2-blogger feature, where bloggers can post via email. Google does have a CAPTCHA defense in place to prevent this kind of infection, requiring some bloggers to manually enter their code in order to post their blogs.

"But these guys are somehow flying under the radar," Eckelberry says. "I have no idea how they are doing this."

One site he found that's laden with Storm as well as spam junk is http://www.visionbuzz.blogspot.com/, for instance. And a Google search for Storm's infamous keywords, including "dude what if you wife finds this" and "man your insane," comes up with hundreds of blog sites, he says.

Storm is often referred to as a worm, but it's technically a Trojan. It relies on social engineering, with a tempting message and link, and it's all about expanding spam and the underlying botnet behind it, notes Joe Stewart, senior security researcher for SecureWorks. Although it's less dangerous than a traditional worm, it ranks in the top five most prolific threats, he says.

"You're not in danger of identity theft -- it's really not all that dangerous to the person who's been infected... It's really more dangerous to the Internet architecture as a whole," he says.

The Trojan gives Storm's bot army the ability to launch powerful distributed denial-of-service attacks, Stewart says. "But that's not its only purpose. It's also to make money, [such as from] stock spam."

"It's very disturbing to have Storm executables being linked onto sites we can control. But blog sites that Storm is operating off of are hard to control," Eckelberry says. "We've been working with Google in getting this shut down, and Google has been very helpful."

Why are the bad guys starting to plant Storm executables in blogs? "It's all about the numbers," says Randy Abrams, director of technical education for Eset, an anti-malware vendor. "The more places you can get the links out to, the more uneducated users you will trick into clicking on them and then infecting themselves. This, in turn, expands the botnet, which increases the profitability of [the exploit]."

As soon as I find more info I'll post it here :)


