Wednesday, August 29, 2007

The Storm Worm Hits Blogger

The Storm Worm is a popular name used for a family of malware, properly classified as a Trojan, which has been plaguing the Internet for several months. It started with the widely circulated spam, about the Storms in Europe, which hit everybody's Inboxes earlier this year.

The spam email started out distributing the worm in attachments to the email, and later changed to delivering it from web sites linked in the spam. Symantec: New Storm Front Moving In tells us that the typical email would contain a link to a "secure" web site, and the linked web site would contain the instruction
If you do not see the Secure Login Window, please install our Secure Login Applet.


Now, it is being distributed through Blogger, from blogs marketed to those surfing the Blogosphere through the "Next Blog" link.

It can be seen in a Blog*Spot splog farm, with blogs using intriguing titles like "Dying To Live", "Katrina Thanks", and "Rocking Consumption", and posts with titles like "this video rocks" and "not yet seen on MTV". The blog posts then link to a web site which will instruct you to download and execute "video.exe".

Alex Eckelberry of Sunbelt Software says
This worm is vicious and nasty, and the spams are quite ubiquitous.
and offers a blog post illustrating a typical Blog*Spot infection. Symantec Software describes the email problem as
one of the largest identified surges in the last several months.

This YouTube video by F-Secure is kind of dry, but it should give you an idea what a problem this attack is becoming.
»http://www.youtube.com/v/fm9ikZs5o38

>> (Note): If you go "Next Blog" surfing, watch out for posts like what's illustrated in SunbeltBlog: Storm worm hits Blogger. Any blog, that you encounter through "Next Blog", suggesting a new video that requires you to download and execute any installation program, should be immediately suspect. Ditto any similar email.

We are currently trying to determine the exact nature of the blog posts offering the worm, and whether they are
  1. New blogs, created specifically for the purpose of distributing the worm, by the bad guys,
  2. Existing blogs, hijacked by the bad guys, stolen from the legit owner,
  3. Existing blogs, with posts added by the worm, from a hacked computer used by the legit blog owner.
The reality here affects how safe you are, from blogs published by your friends, and from blogs published by strangers. And it affects how safe your blogs are, should you surf "Next Blog".

Also worth asking is the question
Is the worm spreading through Blogger, or Blog*Spot? Remember, Blogger is not the same as Blog*Spot.


As Avert Labs advises
McAfee Avert Labs expects the spammers to continue using these types of tactics and it will be imperative that users are educated on how to avoid becoming a victim.
So become educated, as that is the best way to protect yourself.

>> Forum thread links: bX-*00065

>> Copy this tag: bX-*00065

>> Top

2 comments:

Wholesome Blogger said...

can you make this more clear for newbies to internet and its jargon. I'm just now learning html. this sounds frightful.

Chuck said...

I will see what else I can write, to expand upon this. For your own sake, though, and not just to deal with this post, I advise you to learn to speak the language here. Please.

And it is indeed frightful. Over 1/3 of all blogs are crap like what I'm describing. Go "Next Blog" surfing, and see. But go only if you have a strong stomach, and are not easily upset.