Storm Hits BloggerStorm Hits Blogger
The ubiquitous Storm Trojan has found a new home - on spam blog sites in Google's Blogger network
August 30, 2007
Careful whose blog you're reading these days: Researchers have discovered the Storm Trojan nestled in hundreds of blog sites in Google's Blogger network.
This Storm infection is not simple comment spam, where spammers post their junk messages and malware as blog comments. "These are blogs that post spam," says Alex Eckelberry, CEO of Sunbelt Software, who has been studying the posts. He says he hasn't seen any legitimate blogs bites being hacked and sprinkled with Storm, but he's still researching the trend.
Eckelberry, who first discovered Storm executable files on several blogger sites this week, says Storm is showing up on blogs that use the mail-2-blogger feature, where bloggers can post via email. Google does have a CAPTCHA defense in place to prevent this kind of infection, requiring some bloggers to manually enter their code in order to post their blogs.
"But these guys are somehow flying under the radar," Eckelberry says. "I have no idea how they are doing this."
One site he found that's laden with Storm as well as spam junk is http://www.visionbuzz.blogspot.com/, for instance. And a Google search for Storm's infamous keywords, including "dude what if you wife finds this" and "man your insane," comes up with hundreds of blog sites, he says.
Storm is often referred to as a worm, but it's technically a Trojan. It relies on social engineering, with a tempting message and link, and it's all about expanding spam and the underlying botnet behind it, notes Joe Stewart, senior security researcher for SecureWorks. Although it's less dangerous than a traditional worm, it ranks in the top five most prolific threats, he says.
"You're not in danger of identity theft -- it's really not all that dangerous to the person who's been infected... It's really more dangerous to the Internet architecture as a whole," he says.
The Trojan gives Storm's bot army the ability to launch powerful distributed denial of services attacks, Stewart says. "But that's not its only purpose. It's also to make money, [such as from] stock spam."
"It's very disturbing to have Storm executables being linked onto sites we can control. But blog sites that Storm is operating off of are hard to control," Eckelberry says. "We've been working with Google in getting this shut down, and Google has been very helpful."
Why are the bad guys starting to plant Storm executables in blogs? "It's all about the numbers," says Randy Abrams, director of technical education for Eset, an anti-malware vendor. "The more places you can get the links out to, the more uneducated users you will trick into clicking on them and then infecting themselves. This, in turn, expands the botnet, which increases the profitability of [the exploit]."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
Modernize your Security Operations with Human-Machine Intelligence
Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report
Business Buyers Guide to Password Managers