The Storm Worm hit computers around the world last January with its attention-grabbing subject line “230 dead as storm batters Europe.” Yes, viruses and other malware attacking the masses are hardly worth my while these days. For one thing, I’ve had zero hits with Gmail’s no-executable-files-allowed policy. Second, I’ve been surfing the Internet long enough to tell if an email is suspicious, i.e., too good to be true or not. (Corollary: I’m not a guy.) But a recent strain of the Storm Worm takes it further. It’s this part that has me worried. Dmitri Alperovitch of Secure Computing warns that it’s taking over the blogosphere and the rest of the WWW:
If your computer is infected, the virus can add malicious text to any message you post to a blog or bulletin board. The text says, “Have you seen this?” and is followed by a URL containing the phrases “freepostcards” and “funvideo.”
“The new thing about this virus is the way it propagates. It’s basically filling up Web pages all over the Internet with links to the malware,” says Dmitri Alperovitch, principal research scientist for Secure Computing.
A Google search on Tuesday afternoon located 71 sites containing the link, including message boards hosted by the Salt Lake Tribune and a site about Australian pythons and snakes.
More statistics from a related story:
Secure Computing has seen evidence of the bogus posting on message forums, including one for Men’s Health, as well as “thousands of blog entries,” said Alperovitch.
Meanwhile, this is Symantec’s own heads-up on the matter:
A variety of bulletin boards are being spammed with the message to visit mailfreepostcards.com (don’t visit that domain!) for a fun video. However, when visiting that site, users are prompted to download an executable.
And we all know what an executable means, right? The breaking news is based on the press release by Secure Computing explaining how the worm works:
The worm installs a component on a user’s machine that analyzes all network traffic via a layered service provider (LSP) integration and dynamically modifies blog comments, discussion posts and webmail-based emails as they are being posted by the user to include a link to the malicious code, thereby propagating itself to other victims.
“And this threat is particularly insidious in that anti-virus detection doesn’t always work. This threat utilizes server polymorphism, which means that it is continuously being repackaged to make the binary appear different to signature-based anti-virus solutions.” With the executable file being changed continuously, it easily sneaks below the radar of the leading anti-virus programs, which are largely signature-based.
Alperovitch only advises against being too click-happy. Google and StopBadware have combined efforts to warn users against visiting shady sites and inform webmasters of malware on their websites, but the first of the two isn’t useful without seamless integration into the browser. Good thing Firefox and Google make a nice pair! How about blogging software—should developers add virus checking as well?
Where does one draw the line? As close as one has to. The important thing is to not be passive about it. Double-check forum messages and blog entries for irrelevant links appended to them first! You might be spreading the virus already.
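On the blogging-software question above, one check a developer could run on incoming comments is a screen for the appended text described in the reports. The sketch below is an added example, not code from Secure Computing, Symantec or any blog platform; the function names, the verdict labels, the 300-character tail window and the `.example` sample hosts are assumptions.

```python
import re

# Indicators quoted in the reports above: the lure phrase and two URL keywords.
LURE = re.compile(r"have\s+you\s+seen\s+this\s*\?", re.IGNORECASE)
URL_KEYWORDS = ("freepostcards", "funvideo")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

def suspicious_urls(text):
    """Return the URLs in text that contain one of the listed keywords."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")  # drop trailing punctuation
        if any(keyword in url.lower() for keyword in URL_KEYWORDS):
            hits.append(url)
    return hits

def check_post(text, tail_chars=300):
    """Return 'block', 'review' or 'ok' for a submitted comment or post.

    The injected text is added to what the user wrote, so the lure phrase
    is looked for in the last tail_chars characters (an assumed window size).
    """
    tail = text[-tail_chars:]
    lure = LURE.search(tail)
    if lure:
        after = tail[lure.end():]
        if suspicious_urls(after):
            return "block"    # lure phrase followed by a keyword URL
        if URL_RE.search(after):
            return "review"   # lure phrase followed by some other URL
    if suspicious_urls(text):
        return "review"       # keyword URL without the lure phrase
    return "ok"

# Constructed sample posts; the .example hosts are placeholders, not real IoCs.
SAMPLES = [
    "Great care sheet!\n\nHave you seen this? http://freepostcards.example/funvideo",
    "Have you seen this? I think the new enclosure looks great.",
    "My cousin hosts wedding clips at www.funvideo.example, worth a look.",
    "Have you seen this? http://www.example.org/post/1",
]

if __name__ == "__main__":
    for post in SAMPLES:
        print(check_post(post), "<-", post.replace("\n", " ")[:60])
```

It matches only the wording and keywords quoted above, so a changed lure text would pass through; treat it as one check among several.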