“Storm Worm” is the name that seems to have stuck for a massive malware attack that spread Thursday and Friday by teasing e-mail recipients to open infected messages supposedly about European wind storms.
The attackers use of the subject line “230 dead as storm batters Europe” was an effective way to lure careless computer users into opening mail infected with the Small.DAM Trojan. Fierce winds were battering Europe simultaneously with the release of the messages.
The Trojan was launched when users clicked on attachments to the messages that said “Full Clip.exe,” “Full Story.exe,” “Read More.exe” and “Video.exe.”
Different Variations
However, the perpetrators also sent similarly infected, but differently titled, messages to thousands of other inboxes. These messages titillated readers into clicking the attachments by suggesting they would see videos of U.S. Secretary of State Condoleeza Rice kicking German Chancellor Angela Merkel which, unlike the storm, did not actually happen.
Others offered information or video pertaining to “British Muslims Genocide,” “Naked teens attack home director” and “A killer at 11, he’s free at 21 and kill again!”
The interesting part of the attack was the creativity and timing, according to Graham Cluley, senior technology consultant for Sophos. “Everyone is concentrating on the storm angle of it, which is only one headline of course,” he said. “That was topical in Europe, where we’ve had some very, very bad weather. But another worthwhile thing to consider is the way they were trying to use humor to get people to open the mail as well.”
Many people enjoy reading jokes or weird news tidbits sent by e-mail, Cluley noted. “People who receive that and think they got a video attached to the e-mail might think, ‘That sounds funny. I might just click on it to have a look.’ This is taking advantage of the way people share jokes and videos. It’s not just the news aspect of it. There is all sorts of social engineering going on here.”
Topical Messages Enhance Effectiveness
The attack shows that hackers are staying abreast of world news. The European storm message was “created and launched literally as the storm raged,” according to Helsinki, Finland-based security company F-Secure.
The attack was powerful and widespread but, apparently, short-lived, F-Secure’s Chief Research Officer Mikko Hypponen told TechNewsWorld.
“This is over,” he added. “They stopped the attack. Whoever sent this isn’t doing it anymore. Looking at the rate of e-mails being sent, we believe they were targeting European users and it was a nine-hour window starting [Thursday] night and finishing at about 10 a.m. [Friday morning].”
The storm-related message was apparently meant to be awaiting users in the morning, according to Hypponen.
“The people woke up and saw news about a massive storm,” he explained. “They went to work and found an e-mail about the storm in their inboxes. Of course it’s going to work much better than the usual attack. They gained access to probably tens of thousands of computers in Europe.”
Zombie Network
The hackers, before the Thursday-through-Friday attack, had already gained control of thousands of PCs by prior malware infection, Hypponen noted. “They instructed those computers to do this 10-hour spam run. They had a very large [zombie] network. Now it’s much larger.”
The “huge attack” might have worked too well, in a sense, suggested Sophos’ Cluley. “The fact that this is making headlines actually works against the hackers” because so many people and antivirus companies are now aware of the incident, thanks to its creative and “colorful” nature.