A new variant of the "Storm" Trojan is injecting itself into blogs, web-based message forums and webmail as part of an effort to spread itself to an ever-widening net of PCs, according to a security researcher.
Dmitri Alperovitch, principal research scientist at Secure Computing, said that the Trojan – best known as the "Storm worm" but also pegged as "Peacomm" and half a dozen other names by anti-virus vendors – is using a novel approach to spread. "This is a really neat twist, through the web channel," said Alperovitch.
An initial infection is still carried out via email, which touts a link that when clicked downloads a number of malware components to a victimised machine. Once on a PC, however, the malicious code injects itself into the network stack as a rootkit and analyses all outbound web traffic.
"It has hooks for boards, email, and blogs," said Alperovitch. When a user on an infected PC posts a message to a forum or blog, or sends a message via popular web-based mail services such as Hotmail, Gmail, and Yahoo Mail, the Trojan adds text to the entry or message.
"It inserts 'Have you seen this link?' along with a link to what seems to be a video," Alperovitch said. Anyone clicking on the link will only find their system infected. "It’s not targeting particular sites. Instead, the code is generic enough to work on lots of sites." Secure Computing has seen evidence of the bogus posting on messages forums, including one for Men's Health, as well as "thousands of blog entries," said Alperovitch.
The Trojan has been making the rounds since January, when it first surfaced and was slapped with the "storm" name because it debuted with subject lines shilling news of damaging weather that rampaged across Europe. Since then, it has been collecting compromised PCs into a botnet of zombies that can be used for sending spam. Other malware downloaded to infected machines tries to steal passwords or uses the PC to launch distributed denial-of-service (DDoS) attacks.
"This looks like it's working," Alperovitch said, adding that users can protect themselves by not clicking on links.