55K New Malicious Sites Blocked Last Month

MessageLabs: Latest StormWorm developments through worldwide botnet of 1.8M computers

NEW YORK and LONDON -- MessageLabs, the leading provider of messaging security and management services to businesses, today announced the results of its August MessageLabs Intelligence Report. The new data reveals the latest StormWorm developments, involving virtual postcards and YouTube video requests used to distribute the Trojan code, and the increase in new malicious websites appearing every day.

In recent weeks MessageLabs has observed a large increase in emails containing links to virtual postcards and YouTube video invites, including a significant outburst on August 15th which comprised 600,000 emails distributed in 24 hours. This is the latest development from the StormWorm botnet, now estimated to comprise 1.8 million computers worldwide.

Although the body text and subject line keep changing, the emails always consist of simple text or HTML including a single link to an IP address. That IP address refers to another infected machine within the botnet which subsequently redirects to a back-end server in an attempt to infect the victim with a copy of the StormWorm Trojan code. The back-end server automatically re-encodes the malware every thirty minutes to make signaturing difficult for traditional anti-virus vendors.
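
A detection heuristic for the lure format described above (a message whose only link points at a bare IP address), added here as an example and not MessageLabs' own filtering logic. The function names and the sample messages, which use documentation address ranges, are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_links(raw_message):
    """Return the distinct http(s) URLs in every text/* part of a message."""
    links = set()
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        body = part.get_payload(decode=True) or b""
        text = body.decode("utf-8", "replace")
        # The same URL in an href and in visible text counts once.
        links.update(u.rstrip(".,)") for u in URL_RE.findall(text))
    return sorted(links)

def host_is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:  # hostname, empty host, or malformed URL
        return False

def is_single_ip_link_lure(raw_message):
    """Flag messages whose only link points at a bare IP address."""
    links = extract_links(raw_message)
    return len(links) == 1 and host_is_ip_literal(links[0])

# Constructed samples; addresses come from the RFC 5737 documentation ranges.
TEXT_LURE = ("Subject: You have received a postcard\n\n"
             "A friend sent you a postcard. View it at http://192.0.2.10/\n")
HTML_LURE = ("Subject: Video invite\nContent-Type: text/html\n\n"
             '<html><body><a href="http://198.51.100.7/">Watch</a></body></html>\n')
BENIGN = ("Subject: Your postcard\n\n"
          "View it at http://www.example.com/card?id=1\n")

if __name__ == "__main__":
    for name, msg in [("text", TEXT_LURE), ("html", HTML_LURE), ("benign", BENIGN)]:
        print(name, is_single_ip_link_lure(msg))
```

Because the check keys on message structure rather than on subject or body wording, it is unaffected by the changing text the report describes; treat a hit as a signal for scoring or quarantine review rather than a verdict.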

Similar to the techniques adopted by other botnets like Warezov, the location of the command and control servers used to manipulate the botnet is safeguarded behind a rapidly changing DNS technique known as ‘fast-flux’, a similar method to the bullet-proof hosting schemes that spammers have often used in the past, making it difficult to locate and take down hosting sites and mail servers.

“The StormWorm trojan continues to be at the forefront of the threat landscape through its tactic of reinventing itself in different disguises,” said Mark Sunner, Chief Security Analyst.

“With such a commanding botnet now in force and no signs of it waning, vigilance needs to be increased and enforced on all unknown and also known web links and attachments.”

MessageLabs Ltd.
