Security vendors believe many home users to have been infected after a large-scale sustained Trojan attack that took place over the weekend.
The Trojan, named "Storm Worm" by antivirus vendor F-Secure, first started to spread on Friday as extreme storms engulfed Europe. The email claimed to include breaking news about the weather, in an attempt to get people to download an executable file.
Over the weekend there were six subsequent waves of the attack, with each email attempting to lure users into downloading an executable by promising a topical news story. There were emails which purported to carry news of an as-yet-unconfirmed missile test by the Chinese against one of its weather satellites, and emails reporting that Fidel Castro had died.
Each new wave of emails carried different versions of the Trojan, according to F-Secure. Each version also contained the capability to be updated, in an attempt to stay ahead of antivirus vendors.
"When they first came out, these files were pretty much undetectable by most antivirus programs," said Mikko Hypponen, director of antivirus research at F-Secure. "The bad guys are putting a lot of effort into it — they were putting out updates hour after hour."
As most businesses tend to strip executable files out of emails they receive, Hypponen said he expected that companies would not be overly affected by the attacks.
However, F-Secure said that hundreds of thousands of home-user computers could have been affected across the globe.
Once a user downloads the executable file, the code opens a backdoor in the machine which allows it to be remotely controlled, while installing a rootkit that hides the malicious program. The compromised machine becomes a zombie in a network called a botnet. Most botnets are currently controlled through a central server which, if found, can be taken down to destroy the botnet. However, this particular Trojan seeds a botnet that acts in a similar way to a peer-to-peer network, with no centralised control.
Each compromised machine connects to a subset of the entire botnet — around 30 to 35 other compromised machines, which act as hosts. While each of the infected hosts shares lists of other infected hosts, no one machine has a full list of the entire botnet; each only has a subset, making it difficult to gauge the true extent of the zombie network.
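To make the difference between the two designs concrete, here is a small simulation added for this article (it is not code from F-Secure or from the malware): a toy botnet with one control server next to one where every host knows only a handful of peers. The node count, the 32-peer figure and the random topology are constructed assumptions chosen to mirror the "30 to 35" peers described above; the point is how much survives a single takedown and how little one captured host's peer list reveals about the whole.

```python
import random
from collections import deque

# Constructed toy parameters (assumption): sized to echo the article's
# "30 to 35 peers per host" figure, not measured from any real botnet.
N_BOTS = 300
PEERS_PER_BOT = 32

def build_centralized(n):
    """Every bot talks only to node 0, the central command server."""
    return {i: ({0} if i else set(range(1, n))) for i in range(n)}

def build_p2p(n, peers=PEERS_PER_BOT, seed=1):
    """Each bot learns a random subset of peers; hosts swap lists, so links are two-way."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for j in rng.sample([k for k in range(n) if k != i], peers):
            adj[i].add(j)
            adj[j].add(i)
    return adj

def visible_size(adj, bot):
    """What a single captured host's peer list suggests about botnet size."""
    return len(adj[bot]) + 1

def reachable_from(adj, start, removed):
    """Bots still reachable from `start` once the `removed` nodes are taken down (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in seen and v not in removed:
                seen.add(v)
                queue.append(v)
    return seen

def largest_surviving_fraction(adj, removed):
    """Share of the botnet still in one connected piece after a takedown."""
    removed = set(removed)
    alive = set(adj) - removed
    best = 0
    while alive:
        comp = reachable_from(adj, next(iter(alive)), removed)
        best = max(best, len(comp))
        alive -= comp
    return best / len(adj)

if __name__ == "__main__":
    central, p2p = build_centralized(N_BOTS), build_p2p(N_BOTS)
    print("central, server down:", largest_surviving_fraction(central, {0}))
    print("p2p, one bot down:   ", largest_surviving_fraction(p2p, {0}))
    print("p2p, one host's view:", visible_size(p2p, 7), "of", N_BOTS)
```

Taking the central server offline fragments the first network into isolated bots, while removing any single node from the peer-to-peer network leaves the rest connected, and a single host's view of about 32 peers says almost nothing about the true total.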
This is not the first botnet to use these techniques. However, Hypponen called this type of botnet "a worrying development".
Antivirus vendor Sophos called Storm Worm the "first big attack of 2007", with code being spammed out from hundreds of countries. Graham Cluley, senior technology consultant for Sophos, said the company expected more attacks over the coming days, and that the botnet would most likely be hired out for spamming, adware propagation, or be sold to extortionists to launch distributed denial-of-service attacks.
The recent trend has been towards highly targeted attacks on individual institutions. Mail services vendor MessageLabs said that this current malicious campaign was "very aggressive", and said that the gang responsible was probably a new entrant to the scene, hoping to make its mark.
None of the anti-malware companies interviewed said they knew who was responsible for the attacks, or where they had been launched from.
Talkback
Just thinking out loud, there should be a way to stop these virus signatures from floating over the Internet. I think the world needs to find a more efficient tool to stop the virus at the traffic level, i.e. bad boys connect through ISPs, as well as infected / spammed devices resending through ISPs and over Internet links, so why not stop the virus at the ISP or link level so it won't flow and gets killed while trying to spread, "during the fact and not after the fact".
Yes, the standard internet user needs to be more aware of what they open in their email client, but sadly the technology used to deliver these viruses hasn't changed much in the past few years.
Aren't there some new ideas on how to put security steps in place to avoid widespread email viruses having such a high infection rate?
Of the number of emails sent per day, the % that contain spam or viruses, isn't this number going to reach a critical mass at some point in the future?
The problem is that people make decisions which have knock-on effects. We'll fix x by doing y. That's fine, except now the ISP has stopped y being used by the small number of people who actually need to use it.
Case in point - a while back there was an MSSQL attack, so dear old NTL decided to block the relevant port. The consequence was that I could no longer admin sites from home using ODBC and the tools I had developed to do the job.
NTL's reaction was it was for "the greater good" and you shouldn't be using your home account to do work anyway. Great!
What is lacking then is a solution that will automatically put in place steps to safeguard the average user, while giving those that require a greater level of access an opt-out (disable) option.
John, I agree that the "for the greater good" approach isn't ideal and could be considered somewhat archaic in today's "always-on" society. Rather than skipping around the problem, it needs to be tackled head on, enabling everyone to enjoy their online experience.
Because that would stop bad security behavior right at the source.
For example, stopping admin priv access over the Internet to well-known attack ports. Like ODBC.
It seems that more and more admin priv individuals don't have the first clue about Security 101. Likely because of "functionality needs" or whatever else poor excuse offered for bad security measurements. Hence the need to stop ill advised security practices as soon as possible. Hence the need to establish that at the ISP level. As close to the source (of the problem) as possible. For sure, the established industry has demonstrated over and over again that they can't (or won't) handle it.
The idea should be: if you can't do it securely then simply don't do it. I know this is far from easy. As the "use a condom" campaign has shown (for example, it only helps to protect you from a deadly disease), but still people do otherwise. As such I can understand why plenty of people still feel obstructed in their desires by basic IT security precaution measurements.
To overcome this problem only requires a bit more effort and a little education but nonetheless most people are too lazy, irresponsible enough or educated enough to even deal with it.
Perhaps the average IT education in general should focus more on basic IT fundamentals (like security) than on conceptual market-guided leads (like what's the most popular word processor currently).
Because too often, so far, the conceptual approach towards IT education has proven to be extremely ill advised on the most basic of IT fundamentals.
It's only whole generations we're talking about here. So I gather then that the most likely, wrong, response will be: if everyone else is doing it, why not us. Errr, because you actually make use of your brain? Or do you like repeating monkey trained behaviour?