Security Watch

Keeping Track of patches and hacks in the IT security world.

New Storm Worm Spreading Via Blog Posts

A Storm worm variant using both e-mail and Web sites to infect Windows-based PCs is injecting itself into the responses people are leaving on blogs.

Dmitri Alperovitch, principal research scientist at Secure Computing, told eWEEK that the worm is injecting itself into the operating system as a rootkit and is capable of intercepting Web traffic.

When a user with an infected system visits a bulletin board or posts to a blog, the worm inserts a malware into his or her comments. The line asks readers to look at a fun video and contains a link leading to a Web site where the malware is waiting to reinfect more users.

The worm is taking over PCs, Secure Computing reports, giving the criminal control for multiple purposes: sending spam, launching DDoS attacks and running keyloggers.

Alperovitch said that Googling for the different domains from which the worm is working results in several hundred postings that already contain links to the malware. "Probably the population [of infected machines] is more extensive because not everybody posts," he said. Secure Computing is tracking six domains, all posted on the Estonian register, which has been associated with a large volume of malware in the past.

Also notable in this worm is that it's using server polymorphism—i.e., it contains self-modifying code that changes automatically every time it is downloaded. This worm form has been around "for ages," Alperovitch said, such as in the Bagle worm. Morphing worms are designed to avoid antivirus signature detection, and so far, Alperovitch said, it's working, as few major antivirus vendors have detected it.

To avoid infection, the advice is to refrain from clicking on the "fun video" link.

It's easy to find out if you're infected, Alperovitch said, simply by going to a Web board and posting a message. "If it's adding something to your post you didn't add, you know it's infected," he said.