New Storm Worm Outbreak Blasting The Internet
The latest variant is dangerous because it's encrypted to hide from antivirus programs and uses a hard-to-squash peer-to-peer network.
The virulent Storm worm that blasted its way across the Internet in January has reared its ugly head again.
A variant of the Storm worm hit hard in a widespread spam campaign on Thursday. The Internet Storm Center reported detecting at least 20,000 infections today. Patrick Martin, a senior product manager with the Security Response Team at Symantec, said they received several hundred reports of the malicious e-mail making the rounds.
"This is potentially a huge problem," said Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center. "It's basically impossible to shut this thing down.... And once a user is infected, it's very hard to get rid of it. They would probably have to reinstall their system."
The outbreak starts with a wide-ranging spam attack that is littering e-mail inboxes around the globe. The e-mail has subject lines like "Worm Alert," "Virus Alert," "Worm Activity Detected!" and "Dream of You." Some of the subject lines even use the word "love" or promise a patch for "new bug." Martin said the spam generator is changing the subject lines on a regular basis to throw off users and antivirus vendors.
Inside the e-mail is an image and an encrypted zip file. The image has the password needed to open the zip file.
Unlike the original Storm malware, which was hidden in an executable file, this one is hidden in the encrypted zip file. Ullrich explained in an interview that means it's much more difficult for antivirus software to detect the malicious code. If they can't detect it, they can't stop it.
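As an added illustration, not code from the article or from any of the researchers quoted, the following Python script shows the mail-gateway check this passage implies: even when a ZIP's contents cannot be scanned, the PKZIP encryption bit is visible in the archive's central directory, so a filter can flag messages that pair an image attachment with a password-protected ZIP. The sample message, the hand-built ZIP and all filenames are constructed for the example.

```python
import io
import struct
import zipfile
import zlib
from email import message_from_bytes
from email.message import EmailMessage

IMAGE_TYPES = {"image/gif", "image/png", "image/jpeg"}


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry sets the PKZIP encryption flag (bit 0 of the general-purpose flags)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def classify_message(raw: bytes) -> dict:
    """Walk a raw message's MIME parts and flag the image-plus-encrypted-zip lure pattern."""
    has_image, encrypted_zips = False, []
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, carries no payload of its own
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() in IMAGE_TYPES:
            has_image = True
        elif payload[:4] == b"PK\x03\x04" and zip_has_encrypted_entries(payload):
            encrypted_zips.append(part.get_filename() or "<unnamed>")
    return {"has_image": has_image, "encrypted_zips": encrypted_zips,
            "suspicious": has_image and bool(encrypted_zips)}


def build_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Hand-build a one-entry stored ZIP so the encryption flag can be set (zipfile cannot write it)."""
    flags, n, crc = (0x1 if encrypted else 0), len(payload), zlib.crc32(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0, crc, n, n, len(name), 0) + name + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0, crc, n, n, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_sample_message(encrypted: bool = True) -> bytes:
    """Constructed lookalike of the lure: a GIF plus a zip attachment; the 'payload' is zero bytes, not malware."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Worm Alert", "a@example.invalid", "b@example.invalid"
    msg.set_content("The password for the attached patch is in the picture.")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image", subtype="gif", filename="password.gif")
    msg.add_attachment(build_zip(b"patch.exe", b"\x00" * 24, encrypted), maintype="application", subtype="zip", filename="patch.zip")
    return bytes(msg)


if __name__ == "__main__":
    print(classify_message(build_sample_message()))
```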
If a user opens the file, the machine is infected with the malware, which then connects to a peer-to-peer network where it can upload data, including personal information from the infected computer, according to researchers at Postini. Postini noted that the new Storm variant drove Thursday's virus level to 60 times the average. The malware also can download additional malware onto the infected system.
The infected computer then becomes a zombie machine on a botnet, which can be used to send spam and launch other attacks. The malware also searches the computer's hard drive for e-mail addresses and replicates itself by sending e-mails to them.
The fact that infected computers connect through a peer-to-peer system and not to a standalone server or even a node makes it extremely hard to shut down, according to Ullrich.
"We traditionally can shut down the IRC server or whatever controls it," he explained. "But with this, there is no single server or node to shut down. To deal with this, you'd have to shut down those 20,000 infected hosts. We would have to walk up to every single one of them and pull the plug."
Ullrich added that it's frustrating that this type of attack, which depends on users opening an attachment from an unknown sender, still works ... and works so well. "It's user stupidity, and that's the thing there is no patch for."