
While Storm Worm was still active in April, posing as a video codec, and in March, playing on the April Fools' Day theme, it recently suffered a big setback in numbers.
The Storm worm botnet shrank in April to just five per cent of its original size, according to MessageLabs, which conducts a monthly analysis of malware trends.
New tools that remove Storm infections are responsible for the huge fall in Storm-infected machines, the net security firm says. By the end of April the Storm Worm botnet had about 100,000 compromised computers, compared with two million zombie machines in March. The decline is also evident in the 57 per cent slump in malware-laden emails the Storm botnet distributed in April.
While the Storm botnet shrank, analysis of web-based malware identified that 36.1 per cent of interceptions in April were new, up 25 per cent on March. MessageLabs also identified an average of 1,214 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware. This is an increase of 619 per day compared with the previous month.
In the week of the 30th anniversary of the first spam message, MessageLabs identified a new spamming technique being used to send authenticated spam email via Yahoo!'s SMTP servers. This spam attack accounts for one per cent of all spam intercepted in April and has been used to advertise services for Canadian Pharmacy, a well-known spam operation. By using the SMTP server and a DomainKeys Identified Mail (DKIM) authentication technique, the spammers can ensure that the email generated is more likely to get past conventional anti-spam filters. (Source: The Register)
One of the big reasons was the Malicious Software Removal Tool (MSRT), which Microsoft releases each month as a Microsoft Update patch and which is aimed at removing some well-known bot variants.
Microsoft Corp. today took credit for crushing the Storm botnet, saying that the malware search-and-destroy tool it distributes to Windows users disinfected so many bots that the hackers threw in the towel.
"They realized they were in our gun sights," said Jimmy Kuo, a principal architect with Microsoft's malware protection center, the group responsible for the Malicious Software Removal Tool (MSRT). Microsoft updates and automatically redistributes the software tool to Windows users each month on Patch Tuesday. (Source: Computerworld.com)
But they shouldn't have been too confident that the botherders were giving up. Since last weekend, it's been rearing its ugly head again. An analysis by threatexpert.com:
The new version of Storm that was first seen over the last weekend now sends a clear message that the Storm group is not ready to give up, in spite of recent reports that Microsoft has used the power of its auto-updates to roll out the Storm bot killer.
Being very similar to its predecessors, the new variant can be distinguished by its deployment method – and that is, the iframe injections.
An iframe with a link to a remote malicious script can be inserted into a blog post so that every reader of that post may have their browser attempting to execute that script.
In order to do nasty things on a client computer, the remote script needs to elevate its privileges. It attempts to do so by relying on buggy code that is already running inside the client's browser – the buggy (and therefore, vulnerable) ActiveX applets.
The obfuscated script that attempts to install Storm on the client machines targets 8 different ActiveX vulnerabilities.
...
Since last weekend, there were only 5 unique samples of the new Storm seen in the wild. As mentioned above, the new variant is almost identical to the previous builds. As seen in this report, the new Storm now uses filenames libor.exe and gogora.config.
VirusTotal results are low as usual (22%).
Read full analysis.
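As an added example (not code from this post or from threatexpert's analysis), here is a small defender-side scanner for the iframe injections described above: it walks a blog post's HTML and flags any iframe that loads from a host other than the blog's own and is hidden from the reader (zero size, display:none or visibility:hidden). The sample post and both hostnames in it are constructed placeholders, and the site host passed in is assumed to be the blog's own domain.

```python
# Added example, not code from the post or from threatexpert: a heuristic
# scanner for hidden, foreign-host iframes like the injections described above.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate embed and one hidden, injected iframe.
# Both hostnames are placeholders, not indicators from the post.
SAMPLE_POST = """
<p>Today's post about Patch Tuesday.</p>
<iframe src="https://blog.example.com/embed/v42" width="480" height="360"></iframe>
<iframe src="http://injected.example.net/x.php" width="0" height="0" style="display:none"></iframe>
"""

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _tiny(value):
    """True for a width/height of 0 or 1 pixel (with or without units)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1

def is_hidden(attrs):
    """True if the iframe would be invisible to the reader."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))

def find_suspicious_iframes(html, site_host):
    """Return the src of every hidden iframe loading from a host other than
    site_host; a relative src (no hostname) counts as the blog's own host."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or site_host).lower()
        if host != site_host.lower() and is_hidden(attrs):
            hits.append(src)
    return hits
```

Run it over exported post bodies or a page fetched from your own blog; a hit is a reason to inspect the post's stored HTML and the account or plugin that last edited it, not proof of compromise on its own.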