Storm worm linked to spate of DDoS attacks
Spammed malware attacking anti-spam sites, rival worm bases.
The fast-evolving malware spammed in waves since the new year, dubbed the 'Storm Worm' in the media thanks to the weather-related subject lines of many early versions of the emails used, has been linked to DDoS attacks on a variety of anti-spam sites, as well as sites hosting rival malware.

According to researcher Joe Stewart of SecureWorks, one of the components either carried in spam messages or downloaded by trojans spread by the Storm Worm campaign is a variant of W32/Nuwar. This mass-mailing worm was seen late in 2006, and got its name from the nuclear war warnings it used to spread via email, a tactic mirrored in the waves of bad news seen earlier this year. Stewart's research reveals that one of several components downloaded to infected machines attempted to carry out denial-of-service attacks on developers of anti-spam and anti-rootkit technology; spamming and rootkits are both techniques used by the worm. Attacks also took aim at sites hosting W32/Stration (aka Warezov), a rival spam worm, and this is thought to be indirectly behind attacks on SpamHaus a few weeks ago, after the Stration hosters redirected their heavy traffic to the SpamHaus domain.
The majority of these DDoS attacks took place in mid-January, and the DDoS functionality may no longer be in use by the latest versions of the malware, which continues to evolve as wave after wave of worms and downloaders are launched, each slightly tweaked to evade detection. Early use of bad-news subject lines in the spammed emails has given way to romantic messages, in time for Valentine's Day, celebrated later this week.
There is no evidence to link these attacks with the large DDoS launched against major DNS servers last week. Full details of Stewart's analysis can be found here.
12 February 2007

