Warning: The Storm still rages on

With new avenues for attack

Tags: malware, botnet, storm

By Tom Espiner

Published: 7 May 2008 08:30 BST

Security vendor Symantec has warned that the Storm worm, the malware which contributes to the Storm botnet, is continuing to evolve and now has two further possible avenues of attack.

A number of nascent Storm hosting domains using fast-flux techniques to mask their URLs have been identified by the security company, which issued a warning this week. Fast-flux service networks are networks of compromised computer systems with public DNS records that are constantly changing, making it more difficult to track and control criminal activities.

The security vendor claimed that these domains so far do not directly attempt to upload attack code. However, modifying the URL runs a script which attempts to exploit vulnerabilities in various applications, including AOL, Microsoft Internet Explorer, MySpace and RealNetworks RealPlayer.

The two possible avenues of attack are spam with links to the as-yet-unlinked-to fast-flux sites, or injecting malicious iFrame tags into legitimate websites, which would download malware onto users' machines, warned Symantec. However, no such spam has been reported, the security specialist claimed.

Symantec vulnerability researcher Vikram Thakur said in a blog post: "What's interesting about this is that we have yet to come across any spam that may result in people visiting these domains. This is very unusual. It is also interesting to note the move from simply using social-engineering techniques to spread malware to actually exploiting vulnerabilities. In the past, the Storm worm authors would directly link to malware on websites or within spam emails. The malware wouldn't check for any particular vulnerability before planting its seed."

Thakur noted that third-party applications rather than operating-system vulnerabilities were being targeted but that "only time will allow the method employed in this wave of attacks to be confirmed".

Some security vendors have reported that the influence of Storm is waning. Storm researcher Jon Stewart, director of malware research for security vendor SecureWorks, wrote on 8 April that the Storm botnet was "only a fraction of its former self and is rapidly becoming a minor player". However, Stewart noted that the botnet was still capable of sending more than three billion spams per day.

The Storm worm botnet, a network of compromised computers, has been estimated to control between one million and five million machines, which one researcher said makes it more powerful than IBM's Blue Gene/L supercomputer. The original Storm worm code, which appeared on 19 January 2007, derived its name from the fact that the first spam linking to the malware coincided with a severe winter storm in Europe.

Original article: Symantec: Evolved Storm worm attack brewing from ZDNet UK
