Storm Worm posing again as video codec

Perhaps it is because of all the attention 'Kraken' has been getting, but another malicious spam wave has begun. When it comes to convincing users to install something, we have to warn you about Storm Worm (again). It has started a new campaign to persuade users to install a video codec called 'Storm Codec' (yes, really!).

Today the Storm Botnet is spamming out links to its latest website inside love-themed emails. As is usual for Storm, the spam emails contain a short message and a link. Some subject lines are 'Just you and me', 'For you...Sweetheart!', 'My heart was stolen' and 'Only you'.

This latest website asks the user to download and run the 'Storm Codec'. Not surprisingly, the files StormCodec.exe and StormCodec8.exe, which are linked to by the image of a media player and the 'Download it' link, are in fact Storm variants. (Source: Marshal)
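As an added example (not code from the original post, from Marshal, or from Trend Micro), the following Python scoring routine turns the indicators quoted above into something a mail-gateway filter or a log-review script could run: the four lure subject lines, the "short message and a link" shape, and the two payload file names StormCodec.exe and StormCodec8.exe. The weights, the threshold, the sample messages and the example.invalid host are all assumptions constructed for this example; the extra point for a direct link to any .exe is a generalisation beyond the landing-page behaviour the post describes.

```python
import re

# Indicators lifted from the post: the subject lines of the love-themed
# spam and the two payload file names served by the lure site.
LURE_SUBJECTS = {
    "just you and me",
    "for you...sweetheart!",
    "my heart was stolen",
    "only you",
}
PAYLOAD_NAMES = {"stormcodec.exe", "stormcodec8.exe"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def score_message(subject, body, max_prose_words=25):
    """Score one email against the campaign's indicators.

    Returns (score, reasons). The weights and the prose-length cutoff are
    assumptions made for this example, not values from the post or a vendor.
    """
    score, reasons = 0, []

    if subject.strip().lower() in LURE_SUBJECTS:
        score += 2
        reasons.append("subject matches a known Storm lure")

    urls = URL_RE.findall(body)
    prose_words = [w for w in body.split() if not URL_RE.match(w)]
    if urls and len(prose_words) <= max_prose_words:
        # Storm spam is "a short message and a link"; a body that is little
        # more than a URL is the shape we are looking for.
        score += 1
        reasons.append("short body that is essentially just a link")

    for url in urls:
        filename = url.rstrip("/").rsplit("/", 1)[-1].split("?", 1)[0].lower()
        if filename in PAYLOAD_NAMES:
            score += 3
            reasons.append(f"link to known payload name {filename}")
        elif filename.endswith(".exe"):
            # Generalisation (assumption): the post describes a landing page
            # that links the .exe, but a direct executable link is suspicious.
            score += 1
            reasons.append("direct link to a Windows executable")

    return score, reasons


def flag_messages(messages, threshold=3):
    """Return (subject, score, reasons) for messages at or above threshold."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg["subject"], msg["body"])
        if score >= threshold:
            flagged.append((msg["subject"], score, reasons))
    return flagged


# Constructed sample messages (not real spam samples); example.invalid is a
# reserved name that never resolves.
SAMPLE_MESSAGES = [
    {"subject": "Just you and me",
     "body": "I made this for you\nhttp://example.invalid/index.html"},
    {"subject": "Only you",
     "body": "Watch it here: http://example.invalid/StormCodec.exe"},
    {"subject": "Re: Q2 budget review",
     "body": "Hi all, the revised figures are in the shared folder. Please "
             "check the travel line before Friday's meeting and let me know "
             "if anything looks wrong. Thanks, Dana"},
    {"subject": "Weekly report",
     "body": "Latest build: http://example.invalid/report.exe"},
]

if __name__ == "__main__":
    for subject, score, reasons in flag_messages(SAMPLE_MESSAGES):
        print(f"{score} {subject!r}: {'; '.join(reasons)}")
```

Run stand-alone it flags the first two sample messages and leaves the budget mail and the bare report.exe link below the threshold. The payload file names are the strongest single signal but also the cheapest for the gang to change, and the subject lines rotate with every campaign, so a filter like this is only a stop-gap until the antivirus signature (WORM_NUWAR.JQ in Trend Micro's naming) reaches the endpoints; the body-shape check is what keeps it useful for the next lure.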


Of course, the said "codec" is actually a NUWAR/Storm variant, which Trend Micro has detected as WORM_NUWAR.JQ since April 2.

If the social engineering tactic of using video codecs is familiar, it's because it is: ZLOB Trojans became infamous because of it, after all (see some detailed analysis here). Thus, the Storm gang's attempt to venture into the said codec "business" has our researchers speculating whether they are now in cahoots with the ZLOB authors, or whether they are trying to take over ZLOB's niche, much like they did with STRATION when the two first started battling it out in late 2006. Or maybe the gang is just trying to reaffirm to their competition that they're still the one to beat.

In the end, though, it's still the unsuspecting users who become collateral damage of all this brouhaha. Users are thus advised to be wary when visiting Web sites or blogs, especially those that require installation or execution of files. Video files, especially those posted online, almost always do not require video codecs anymore, lest the sites lose the much-coveted traffic to other sites (YouTube, anyone?). Come to think of it, if someone really loves a person that much, he or she won't have that person go through all the trouble of finding the appropriate codec, right? (Source: Trend Micro)

The funny thing is that when googling for some more information, I encountered a codec called Storm Codec 7.01.19 made by Storm. The file is a hefty 23 MB and the site claims that it is verified and virus-free. It's probably too big to upload to VirusTotal, but some of the virus scanners I have also claim it's clean. Maybe a freak coincidence? More experimentation to follow.

Anyway, most users won't know the difference between Storm Codec and some of the real codecs they need to play online media. So educate your peers.

1 comment:

kurt wismer said...

indeed - let's educate our peers to not play codec roulette in the first place