The 8-month old Storm Trojan horse may soon come full circle
and take up touting Hurricane Dean, the Category 5 storm that slammed into
Mexico yesterday, security researchers said.
Storm, also known as Peacomm, started life in January as
malware attached to messages that shilled fake news accounts of a massive
series of wind storms that struck Europe. One of the first Storm-bearing
messages dangled the subject head "230 dead as storm batters Europe"
to tempt users into launching the file. Recipients who clicked on the attached
executable were infected by the Trojan horse, which turned their systems into
spam-spewing zombies.
Symantec Corp. researchers are betting that
the malware's makers will try the same trick with Dean.
"We expect it to again come on the back of big news
items," said Alfred Huger, vice president of engineering at Symantec's
security response group.
Huger's prediction is based on analysis done by Hon Lau, a senior security response manager
at Symantec. Hon's take, spelled out in a posting to Symantec's blog yesterday,
is that Storm's creators are, if nothing else, very adept at crafting socially
engineered messages persuasive enough or tempting enough to get people to
launch files or click on links.
"In particular, they have a knack for latching on to
the latest newsworthy events and capitalizing on the public interest in
them," Hon said. "And if no newsworthy events are happening at the
time, then they will just make them up."
Although Storm, which Symantec calls Peacomm, is currently
being spread by a different campaign inviting users to join various
"clubs," ranging from cell phone ring-tone and photo groups to
wine-tasting and cooking clubs, Hon expects to see Dean-related messaging soon.
"As Dean lash[es] the areas around the Gulf of Mexico, don't be surprised
to get e-mails about damage or death caused in its wake," he said.
"[Storm's makers] tend to try to take advantage of the
newest news," agreed Huger, who also explained the likely motive. "I
expect that they have a better take-up rate when they use news." But other
than their social engineering skills, Storm's creators haven't impressed him
much, even though others have fingered the malware as the basis for building
large botnets that have unleashed record levels of spam, especially
pump-and-dump, stock-scam junk mail. "It's about average," Huger
said. "A little more sophisticated maybe, but it doesn't really stand
out."
The reason why Storm has attracted as much interest as it
has -- it's the most written-about piece of malware so far in 2007 -- is
simple, said Huger. Security researchers sometimes fixate on one worm or Trojan
horse or virus, perhaps because it's initially interesting. For whatever
reason, some of those researchers "dive right to the very bottom" of
the code, Huger added, a chore that's impossible to duplicate for every one of
the hundreds of new worms and Trojan horses released each month.
Where one researcher treads, others may soon follow. And
when lots of them pile on, said Huger, "all that research leads us to
believe that this is unique or different, when in fact it's not."