RealTime IT News

Storm Trojan Takes Social Measures

UPDATED: Web mail and message forums are the newest vehicle for the quickly spreading Storm Trojan, security researchers say. The latest attack injects a link to a malware site whenever infected users write online.

According to Symantec, Gmail, Yahoo Mail, Hotmail and AOL are among a number of vulnerable Web-based e-mail products. Message forums based on vBulletin and phpBB software are also at risk, said a spokeswoman.

Users are first infected by clicking on an e-mailed link, which downloads a malware rootkit able to watch network traffic, according to Dmitri Alperovitch, Secure Computing's principal researcher. The worm then inserts "Have you seen this link?" in messages posted on a variety of Web mail and online forums.

The link then infects more PCs, multiplying the malware's spread, the researcher told internetnews.com.

Both Microsoft and Yahoo are aware of the worm, spokespeople told internetnews.com. Microsoft said infected users can use Windows Live OneCare safety scanner to remove the worm.

Yahoo said it uses "multiple approaches, including enhanced technologies, to protect our users" when receiving mail. Google and AOL were not immediately available for comment.

"When it notices you posting to a bulletin board, it modifies your posting to include the spam text," Eric Chien, principal software engineer at Symantec, wrote in a blog.

The solution for companies is easy: Block employees from selecting the link, Gartner research analyst John Pescatore told internetnews.com.

The Trojan still infects outgoing instant messages for Gtalk, Yahoo Messenger, AIM and ICQ, according to Symantec.

It's worth pointing out that Storm is aimed right at the antivirus companies -- huge number of variants, constantly changing payloads and a low-and-slow approach to distribution, Yankee Group analyst Andrew Jaquith told internetnews.com.

"Yankee Group pronounced that 'Anti-Virus is Dead' in January, and this particular family of malware proves our point -- in spades."