“Storm worm” adds millions of computers to botnet

The "storm worm" has built a botnet of perhaps 10 million PCs using an …

The authors behind a specific strain of malware are trying every trick in the book to get users to succumb to their ill-meaning plans. You name it, they've used it: weather news, personal greetings, reports that Saddam Hussein is still alive, reports that Fidel Castro is dead, sexy women, YouTube, and even blogs. The group seems hellbent on creating the largest botnet to date, and they just might do it.

The "Zhelatin gang"—named after the trojan it installed—was responsible for what started out as the "storm worm." First spotted earlier this year, the spread of the "storm worm" started via e-mails purporting to provide information on some dangerous storms in Europe at the close of January. Users who fell for it were directed to a web site containing malicious code aimed at turning Windows PCs into spam bots.

It was a success, if you can call it that; Symantec security response director Dave Cole told InformationWeek in late January that the worm had accounted for 8 percent of global virus infections after a single weekend rampage.

Over time, e-mails containing links to the "storm worm" took on many forms, from supposed missile strikes to reports of genocide. Then last month security firm F-Secure noted that the Zhelatin team had switched gears and was focusing on greeting-card spam. The e-mails originally directed users to a web site that prompted the download of ecard.exe, but eventually morphed slightly so that the link pointed to a site that claimed the user needed to install "Microsoft Data Access" in order to view the card. Naturally, this download installed a trojan on the user's computer for the purpose of relaying spam.

And that's when the changes began to speed up. Zhelatin changed its game mid-week to suggestive e-mails from lonely females, which prompted end users to click a link to see what they could do if they "get lonely." Days later, however, security firm Sophos noted that the e-mails had changed once again, this time to spam claiming to contain a link to an awesome new video on YouTube. Same tactic, same virus.

The "Blogging" worm

But if promises of Kelly Clarkson's latest music video in e-mail weren't enough, the worm has now switched its focus to blogs. Unlike the typical "comment spam" that many of us have grown used to on our personal blogs, the worm is actually getting into people's Blogspot accounts and creating new blog posts with links to the trojan.

Security software firm Sunbelt Software speculates that the posts are being made through Blogspot's mail-to feature, where users can e-mail their blog entries to specific addresses in order to have them posted to their blogs. This theory seems to make the most sense, as the worm would just need to comb the user's local contact list and send itself out to everyone on the list, including Blogspot. Heise Security notes that not all of the links work: "they appear to be referencing dynamically assigned IP addresses of infected computers and these computers are at the time either offline or have already been assigned a different IP address."

We may never know whether the Zhelatin gang even meant for the worm to spread to blogs, but the group is probably happy that it did. Heise estimates that, as of early August, 1.7 million computers were infected worldwide as part of a massive botnet, and that number has surely escalated since then. Heise warns that this size could prove a very dangerous threat: "[A]lthough the network has so far been primarily used to send spam, it could also be used for DDoS attacks on businesses or even countries."

Just how many computers are part of the botnet is anyone's guess, but estimates from some security firms are reaching as high as 10 million. Just last June the FBI warned that it had discovered more than a million PCs in a botnet. This looks to be just the tip of the iceberg.