Storm Worm Uses YouTube Ruse

Spammers are distributing the Storm Trojan via e-mails purporting to be from friends and containing a false link to a YouTube video.

Security pros are warning that distributors of the Storm Trojan are now using a YouTube video to lure users.

Contained in e-mails with subject lines such as "sheesh man what are you thinking," the malicious link claims to go to a YouTube video but actually goes to a URL harboring exploit code.

"This is the first [YouTube] lure that the Storm folks are using but not the first that has used YouTube in the past," said Dan Hubbard, vice president of security research at San Diego-based Websense. "There are a variety of e-mail subjects and bodies but basically they request you to view a video."

Dave Marcus, security research and communications manager at McAfee, based in Santa Clara, Calif., advised people to use caution when clicking on links in e-mails. Clicking on the attachment associated with this particular attack will infect the victim's machine with the Nuwar worm, Marcus said.

"Malware writers continue to use social engineering tactics to infect a user's machine with a copy of Nuwar, this time latching on to the popularity of YouTube to lure people into clicking on the URL," he said. "We expect these spammers to continue to use these types of tactics and it will be imperative that users get educated on how to avoid becoming a victim."



A study released Aug. 27 by Websense found that 12 percent of responding IT managers working for SMBs (small and midsize businesses) had no way to enforce their businesses' Internet usage policies. The report surveyed 450 IT managers and employees within the United States.

The study also found that business-owned computers were left vulnerable to security threats for more than 21 days, on average, despite the daily updates promoted and offered by operating system and anti-virus vendors. Only 4 percent of SMB employees surveyed had daily security updates on their work PCs and 11 percent said the security software on their work PCs had never been updated.

The results are bad news for those concerned about the spread of the Storm Trojan and other malware. According to researchers at McAfee, users who fall for the latest Storm Trojan ruse are directed to a site containing an image that tags back to YouTube's logo.

In the background, an embedded, obfuscated JavaScript routine launches several browser and application exploits to infect the user's machine with a copy of W32/Nuwar. In addition, if a machine is fully patched, the malware author has a backup plan: wording on the Web page meant to entice users into manually downloading the virus.

Hubbard said the overall resources of the attackers, the planning and the resilience built into the infrastructure are why the Storm Trojan remains such an active attack.

"This is clearly planned out," he said.
