Storm Hits Blogger

Careful whose blog you're reading these days: Researchers have discovered the Storm Trojan nestled in hundreds of blog sites in Google's Blogger network.

This Storm infection is not simple comment spam, where spammers post their junk messages and malware as blog comments. "These are blogs that post spam," says Alex Eckelberry, CEO of Sunbelt Software, who has been studying the posts. He says he hasn't seen any legitimate blogs bites being hacked and sprinkled with Storm, but he's still researching the trend.

Eckelberry, who first discovered Storm executable files on several blogger sites this week, says Storm is showing up on blogs that use the mail-2-blogger feature, where bloggers can post via email. Google does have a CAPTCHA defense in place to prevent this kind of infection, requiring some bloggers to manually enter their code in order to post their blogs.

"But these guys are somehow flying under the radar," Eckelberry says. "I have no idea how they are doing this."

One site he found that's laden with Storm as well as spam junk is http://www.visionbuzz.blogspot.com/, for instance. And a Google search for Storm's infamous keywords, including "dude what if you wife finds this" and "man your insane," comes up with hundreds of blog sites, he says.

Storm is often referred to as a worm, but it's technically a Trojan. It relies on social engineering, with a tempting message and link, and it's all about expanding spam and the underlying botnet behind it, notes Joe Stewart, senior security researcher for SecureWorks. Although it's less dangerous than a traditional worm, it ranks in the top five most prolific threats, he says.

"You're not in danger of identity theft -- it's really not all that dangerous to the person who's been infected... It's really more dangerous to the Internet architecture as a whole," he says.

The Trojan gives Storm's bot army the ability to launch powerful distributed denial of services attacks, Stewart says. "But that's not its only purpose. It's also to make money, [such as from] stock spam."

"It's very disturbing to have Storm executables being linked onto sites we can control. But blog sites that Storm is operating off of are hard to control," Eckelberry says. "We've been working with Google in getting this shut down, and Google has been very helpful."

Why are the bad guys starting to plant Storm executables in blogs? "It's all about the numbers," says Randy Abrams, director of technical education for Eset, an anti-malware vendor. "The more places you can get the links out to, the more uneducated users you will trick into clicking on them and then infecting themselves. This, in turn, expands the botnet, which increases the profitability of [the exploit]."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.