Storm Trojans Raining On Internet
David Utter Staff Writer
2007-01-24
An outbreak of Trojans has been escalating since December, with security companies observing a lot of activity surrounding them.
The Storm Trojans hitting computers around the world bring mass mailing capabilities to the systems they hit. People behind these Storm Trojans want to create a botnet of spam engines, through which they can send their scams to millions of inboxes.
Several security companies have observed and commented on the behavior of the Storm attack. Symantec noted how the malware sends out image spam containing ads for penny stocks.
A second worm, the "Happy New Year" pest called Mixor, has been dropping the Trojan onto systems. Once in place, the Trojan can start downloading spam-generating components like engines, mail harvesters, and updaters so the malware creators can change what the Trojan distributes.
McAfee's Allysa Myers blogged how the mass seeding of dozens of new variants has been happening daily. She observed that the Trojans involved in this outbreak have been working together:
Another thing that's particularly notable, from a technical perspective, is that this collection of trojans is coordinating itself by way of a peer to peer network.
This is something we've been seeing malware authors playing with more and more lately, with this one arguably being the most successful. W32/Nugache and the "Phatbot" variant of W32/Gaobot both attempted coordinating by P2P through Gnutella cache servers, but they were very limited in the number of bots that could be in a given botnet.
Malware authors seem to understand that having any single point of failure means that at some point, they will in fact fail and have to rebuild their botnet. By having a "headless" botnet, they can self-heal more effectively.
The Trojans arrive by email in messages containing inflammatory subject lines to entice people to open them. When the "Happy New Year" worm was going out during the holidays, those subject lines reflected the time of year.
Now they pop into inboxes with subjects like "Fidel Castro dead" as the malware makers update their distributions.
System administrators who find activity on UDP ports 4000 or 7871 likely have one of these infestations on their Windows machines. Updated antivirus software from one's vendor of choice should remove these Storm Trojans from those systems.
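As an added illustration (not part of the original article), the port check above can be run over flow records to list internal hosts that exchange UDP traffic on ports 4000 or 7871 with several distinct outside peers, the pattern a peer-to-peer bot would produce. The CSV flow format, the 10.0.0.0/8 internal range, the sample records and the peer threshold are all assumptions made for this example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

STORM_UDP_PORTS = {4000, 7871}  # the two UDP ports named in the article
MIN_PEERS = 3                   # assumed threshold; tune for your network

# Constructed sample flow records (not real traffic): ts,src,sport,dst,dport,proto
SAMPLE_FLOWS = """\
2007-01-24T10:00:01,10.0.0.15,4000,198.51.100.7,4000,udp
2007-01-24T10:00:02,10.0.0.15,4000,203.0.113.9,4000,udp
2007-01-24T10:00:03,10.0.0.15,7871,192.0.2.44,7871,udp
2007-01-24T10:00:04,10.0.0.15,4000,198.51.100.7,4000,udp
2007-01-24T10:00:05,10.0.0.22,53124,192.0.2.53,53,udp
2007-01-24T10:00:06,10.0.0.30,4000,10.0.0.40,80,tcp
2007-01-24T10:00:07,10.0.0.31,1050,198.51.100.7,4000,udp
2007-01-24T10:00:08,203.0.113.9,4000,10.0.0.15,4000,udp
malformed line without enough fields
"""

def suspect_hosts(flow_text, internal_net="10.0.0.0/8", min_peers=MIN_PEERS):
    """Map each internal host to its outside peers seen on the Storm UDP ports."""
    net = ipaddress.ip_network(internal_net)
    peers = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 6:
            continue  # skip blank or malformed records
        _, src, sport, dst, dport, proto = row
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            sport, dport = int(sport), int(dport)
        except ValueError:
            continue  # unparsable address or port
        if proto.lower() != "udp" or not ({sport, dport} & STORM_UDP_PORTS):
            continue
        # Attribute the flow to whichever endpoint is internal, in either direction.
        if src_ip in net and dst_ip not in net:
            peers[src].add(dst)
        elif dst_ip in net and src_ip not in net:
            peers[dst].add(src)
    return {h: sorted(p) for h, p in peers.items() if len(p) >= min_peers}

if __name__ == "__main__":
    for host, seen in suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {len(seen)} outside peers on UDP 4000/7871 -> {seen}")
```

A single flow on one of these ports can be unrelated software, which is why the example counts distinct peers per host before reporting it.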
---
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.