Storm Worm Attacks Take On New Disguises

Storm worm authors are trying a mix of new tricks to infect computers and build up their massive botnet.

Sharon Gaudin, Contributor

August 22, 2007


In an attempt to trick savvy users and evade anti-malware vendors, the Storm worm is mutating its attacks, trying to lure more victims into its massive botnet.

Researchers from various security companies have begun warning users that the Storm worm has been morphing quickly in the past several days. In recent months, the malware authors have mainly been focusing on infecting machines by sending out phony and malicious e-cards. Possibly concerned that the security community and users are catching on to that old game, they've changed tactics.

Dmitry Gryaznov, a researcher with McAfee's Avert Labs, reported in a blog entry over the weekend that the malware authors were putting aside some of their e-card schemes for the old trick of luring people to open an e-mail by promising them nude or pornographic pictures. Gryaznov pointed out that the e-mails tend to have blank subject lines.

Then the authors quickly changed tactics again -- this time sending out e-mails that either invite the user to join various clubs or talk about services, like online dating sites, that the user supposedly signed up for.

Johannes Ullrich, CTO of the Internet Storm Center, has been posting rolling advisories on the site's diary, warning users about the changing attacks. He noted the phony e-mails inviting people to join a club can look legitimate since they contain fake account numbers and temporary passwords and login IDs. "I have seen about a dozen different ones so far," wrote Ullrich. "They are all 'confirmations' in this style to various Web sites. The Web page offers again an 'applet.exe' for download."

And researchers at F-Secure reported that they have seen fake confirmation e-mails purporting to be from Internet dating services or MP3 download sites. They've seen subject lines that include phrases like Member Details, Membership Support, New Member Confirmation, and Poker World.

The Storm worm was first spotted this past January and has taken on many different attacks since then -- phony e-cards, e-mails about fraudulent patch information, e-mails about fake news items, and even a few Web sites with the malicious code embedded in them.

In the past several weeks, researchers from both Postini and SecureWorks have reported that the Storm worm authors are amassing a massive botnet, not only capable of sending out great amounts of spam but also capable of launching large-scale denial-of-service attacks.

And last week, REN-ISAC, a collaboration of higher-education security researchers, issued a warning to colleges and universities that the massive botnet is attacking computers that are trying to weed it out. The botnet is set up to launch a distributed denial-of-service attack against any computer that is scanning a network for vulnerabilities or malware.

With students returning to campus in the next few weeks, schools are expected to scan the servers on their network to find vulnerabilities and malware that the students are bringing back with them. When the scanner hits an infected computer that is part of the Storm botnet, the rest of the botnet directs a distributed denial-of-service attack back against the computer running the scan. The attacks can last more than a day, and can involve "very significant" traffic.
