Network World
Tuesday, February 9, 2010
DNSstuff.com
Get information about your IP
IP Information
50+ On-demand DNS and network tools
NetworkWorld.com > Security >

'Storm' Trojan horse taps into YouTube fever

By Gregg Keizer, Computerworld, 08/27/07

Hackers bent on spreading the Storm Trojan horse have changed tactics again and are now trying to dupe users into clicking on links posing as YouTube videos, security vendors warn.

Other stories on this topic
Australian airports to deploy body scanning technology 2/9/2010
Google teaming up with the NSA: should you be worried? 2/6/2010
EPIC files FOIA request over reported Google, NSA partnership 2/4/2010
Powered by Inform

Why a social networking strategy is needed
02/09/10
When I'm not being a journalist and leaping wide clauses in a single bound or moving faster than a speeding cursor, I adopt my alternate persona: Mark Gibbs, mild-mannered consultant. Well, perhaps not so mild-mannered.

Victoria to tip in $3M to spy on bushfires
02/09/10
Victoria’s troubled bushfire alert system may be bolstered with a fleet of fire-detection cameras after a $3 million government trial announced today is completed.

The 12 most popular newsletters of all time
02/09/10
This week will be the final week of the Network Architecture newsletter as penned by me. Before we say goodbye in Thursday's issue, I'd like to take a fond look back at the biggest hits.

Storm, a.k.a. Peacomm and Nuwar, is now spreading via e-mail that includes a link that appears to be to a YouTube video, said Johannes Ullrich, chief research officer at the SANS Institute, on the Internet Storm Center's blog this weekend. "The link looks like a link to YouTube, but actually points to a 'numeric' URL like old Storm variants," said Ullrich.

Enterprise 2.0 Applications - Block or Not?: Download now

Placing the mouse cursor atop the bogus YouTube link will show a numeric IP address rather than the expected www.youtube.com, a good indicator of a scam attempt.

Recipients who click on the link see a message that claims the video is loading in the background, said Vinoo Thomas, a researcher at McAfee Inc.'s Avert Labs. Actually, said Thomas, "an embedded obfuscated JavaScript routine attempts a cocktail of browser and application exploits." If any of those exploits are successful, Storm gets dropped on the PC.

Over the weekend, Roger Thompson, a researcher at Exploit Prevention Labs Inc., identified the multistrike exploit package as "Q406 Rollup," a collection that has made the rounds since late last year. Similar to other hacker kits such as Mpack, Q406 includes a dozen or more exploits.

Storm's markers have become well-known for their skill at adapting their pitches to get users to open attached files or click on e-mailed links. Last week, a Symantec Corp. researcher said the group was "very adept" at creating persuasive messages. "They have a knack for latching on to the latest newsworthy events and capitalizing on the public interest in them," said Hon Lu. "And if no newsworthy events are happening at the time, then they will just make them up."

The Storm Trojan horse reportedly behind the summer's plague of malicious greeting card spam, and the machines it has infected -- by some accounts a massive botnet -- served as the launching pad for a huge wave of pump-and-dump stock scam spam earlier this month.


For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.

React: Give us your thoughts on the issues here.
Start a public discussion with other Network World users on this article (scroll up to send this article to a colleague).
Log In | Register for an account (Why you should)

Note: Register to have your user name appear; otherwise your comment will show up as "Anonymous."

*Anonymous comments will only appear once they are approved by the moderator.

Copyright 2008 Network World Inc.