[Infowarrior] - Storm Hits Blogger

Richard Forno rforno at infowarrior.org
Fri Aug 31 12:26:06 UTC 2007 

Storm Hits Blogger
The ubiquitous Storm Trojan has found a new home ­ on spam blog sites in
Google's Blogger network
http://www.darkreading.com/document.asp?doc_id=132793&WT.svl=news1_1

AUGUST 30, 2007 | 4:53 PM

By Kelly Jackson Higgins
Senior Editor, Dark Reading

Careful whose blog you're reading these days: Researchers have discovered
the Storm Trojan nestled in hundreds of blog sites in Google's Blogger
network.

This Storm infection is not simple comment spam, where spammers post their
junk messages and malware as blog comments. "These are blogs that post
spam," says Alex Eckelberry, CEO of Sunbelt Software, who has been studying
the posts. He says he hasn't seen any legitimate blogs bites being hacked
and sprinkled with Storm, but he's still researching the trend.

Eckelberry, who first discovered Storm executable files on several blogger
sites this week, says Storm is showing up on blogs that use the
mail-2-blogger feature, where bloggers can post via email. Google does have
a CAPTCHA defense in place to prevent this kind of infection, requiring some
bloggers to manually enter their code in order to post their blogs.

"But these guys are somehow flying under the radar," Eckelberry says. "I
have no idea how they are doing this."

One site he found that's laden with Storm as well as spam junk is
http://www.visionbuzz.blogspot.com/, for instance. And a Google search for
Storm's infamous keywords, including "dude what if you wife finds this" and
"man your insane," comes up with hundreds of blog sites, he says.

Storm is often referred to as a worm, but it's technically a Trojan. It
relies on social engineering, with a tempting message and link, and it's all
about expanding spam and the underlying botnet behind it, notes Joe Stewart,
senior security researcher for SecureWorks. Although it's less dangerous
than a traditional worm, it ranks in the top five most prolific threats, he
says.

"You're not in danger of identity theft -- it's really not all that
dangerous to the person who's been infected... It's really more dangerous to
the Internet architecture as a whole," he says.

The Trojan gives Storm's bot army the ability to launch powerful distributed
denial of services attacks, Stewart says. "But that's not its only purpose.
It's also to make money, [such as from] stock spam."

"It's very disturbing to have Storm executables being linked onto sites we
can control. But blog sites that Storm is operating off of are hard to
control," Eckelberry says. "We've been working with Google in getting this
shut down, and Google has been very helpful."

Why are the bad guys starting to plant Storm executables in blogs? "It's all
about the numbers," says Randy Abrams, director of technical education for
Eset, an anti-malware vendor. "The more places you can get the links out to,
the more uneducated users you will trick into clicking on them and then
infecting themselves. This, in turn, expands the botnet, which increases the
profitability of [the exploit]."

More information about the Infowarrior mailing list