Beware of new variations of Storm Worm Trojan email threats
On July 1, 2007, I wrote a blog article titled "Warning; Trojan in Email Link: You've received a greeting postcard from a family member!" For well over a month my various email accounts were inundated with a constant daily flow of these postcard scams. There is now an entirely new variation of these threats in circulation worldwide. If you somehow don't know what this is about (what rock have you been hiding under?), read the next paragraph. If you already understand the basic nature of this threat, you can skip to my extended comments.
Since sometime in June of this year a Trojan Horse threat called the "Storm Worm" has been circulating across the Internet, infecting millions of Windows PCs along its path. At first the subject and message body text referred to ecards or (greeting) postcards supposedly sent to you by a "Friend," "Worshipper," "Class-Mate," or "Mate." They all provided a link (with a numeric IP address in the URL) to a website where you could supposedly view your card, which would remain available for "the next 30 days." If you have been on the Internet for any length of time you are probably aware that links to legitimate websites are almost always written with a domain name, not a bare numeric address. Seeing a numeric link should set off alarm bells! The people who fell for it would have to be total newcomers to the Internet, not in the habit of checking a link's destination in their email client's status bar before clicking, or users of browser-based email that does not reveal where a link leads. Or the recipient may have been a young child who wasn't aware of the danger of such links and was excited to think they had received a greeting card.
Anybody who was tricked into clicking the link was taken to a web page hosted on a compromised "zombie" computer on a home or business broadband connection, located at the numeric IP in the link. That computer is already infected with the Storm Worm, has had a small web server installed on it, and is hosting a single web page. That page contains JavaScript redirection code plus a plain text link to a copy of the Worm that has been placed on the same computer. Visitors who arrive with JavaScript disabled see the link, and the text urges them to click it to see their ecard or message. Visitors who arrive with JavaScript enabled, as most do, are silently sent by the script to yet another website, where an image of a fake greeting card, or text about it, is displayed. What the victim didn't know is that while they were looking at the fake ecard a hidden download was taking place that infected their computer with the Storm Worm. The newly infected computer then becomes both a host of a similar redirection web page and a sender of spam emails, and the spam advertising its hostile page is, in turn, sent out through other compromised computers elsewhere in the world.
Judging by the millions of infected computers hosting these hostile web pages and sending out spam links, a lot of folks have not been practicing "safe hex" (safe computing). They have not kept their Windows computers thoroughly updated and patched, and they are not running up-to-date security software (both definitions and program updates). Read the tips in my extended comments about securing your PCs against this and other modern threats.
The new variation of the Storm Worm email messages.
From August 13 onward the subjects and body text have been changing, to the point that they no longer mention ecards or postcards at all. Now the subjects might read "Tech Department," "New Membership Confirmation," "Membership Support," or any of many random enticing phrases. The new message bodies jibe with the subject, as their predecessors did, although the amount of text seems to have shrunk. In fact, I have reported a few of these to SpamCop that contained only the word "click." There is one thing that every one of these Storm Worm scam messages has in common so far: each contains a hyperlink whose destination starts with http and then a numeric IP address instead of a website name. At first the URLs carried a question mark and a query string, while they were pretending to lead to postcards or ecards, but that pretense has now been discarded. The current flavor of the hostile URL looks like this deactivated, imaginary example: ht*p://192.168.103.20/ (192.168.x.x is a private address range, which is exactly why it is safe to use here; a real lure points at a public address).
If that were a real address and you pasted it into an IP Whois lookup at DomainTools or DnsStuff, you would find that it belonged to a customer of a major broadband Internet Service Provider. I have seen IP addresses belonging to RoadRunner, ATT/SBC/Prodigy DSL customers, Charter and Comcast cable Internet home and business computers, and many computers around the world. Just about any Windows computer, on any ISP, could become a zombie victim unless every available Windows Update has been applied and every practical security measure has been put in place. These folks don't know that their PCs are members of a zombie botnet owned by the criminals behind the Storm Worm, that they are sending out spam emails themselves, and that they are actually hosting a hostile web page containing the code that leads to the infection sources.
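The numeric-host tell described above is easy to check by machine. What follows is an added example, not code from the original article: a small Python script that pulls hyperlinks out of a message body and flags any whose host is an IP address rather than a domain name. It goes slightly beyond the lures described here by also recognising the undotted decimal and hexadecimal spellings of an address (such as http://3232261908/), which browsers of this era resolved to the same host and which a spammer could use to dodge a naive "four dotted numbers" check. The sample messages, the 192.168.103.20 address from the example above and the TEST-NET address 192.0.2.45 are constructed for the example and do not point at real infected machines.

```python
"""Flag email hyperlinks whose host is a bare IP address.

Added example, not code from the original article. The sample messages
below are constructed; their addresses are private or documentation
ranges, not real infected hosts.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Loose matcher for http/https links in plain-text mail bodies.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Undotted numeric hosts browsers also accepted: a plain decimal integer
# (http://3232261908/) or a 0x-prefixed hexadecimal one (http://0xC0A86714/).
UNDOTTED_RE = re.compile(r"^(?:0x[0-9a-f]+|[0-9]+)$", re.IGNORECASE)


def literal_ip(host):
    """Return an ipaddress object if host is an IP literal, else None.

    Handles dotted IPv4, IPv6 (urlsplit has already stripped the brackets)
    and the undotted decimal/hex forms. Octal and partial dotted forms
    such as 192.168.26388 are deliberately left out to keep this short.
    """
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if UNDOTTED_RE.match(host):
        value = int(host, 16) if host.lower().startswith("0x") else int(host, 10)
        if value < 2 ** 32:
            return ipaddress.IPv4Address(value)
    return None


def find_suspicious_links(message_text):
    """Return one record per link whose host is an IP literal.

    Each record gives the URL as written, the address in normal dotted
    form, whether it is publicly routable (the real Storm lures pointed
    at broadband customers' public addresses) and whether the URL carried
    a query string, as the earlier ecard lures did and the later one-word
    "click" lures do not.
    """
    hits = []
    for url in URL_RE.findall(message_text):
        url = url.rstrip(".,;:)")          # trailing punctuation swept up by the regex
        try:
            parts = urlsplit(url)
        except ValueError:                 # malformed bracketed host, etc.
            continue
        ip = literal_ip(parts.hostname or "")
        if ip is None:
            continue
        hits.append({
            "url": url,
            "ip": str(ip),
            "public": ip.is_global,
            "has_query": bool(parts.query),
        })
    return hits


def triage(message_text):
    """'suspect' if any link in the message points at an IP literal, else 'clean'."""
    return "suspect" if find_suspicious_links(message_text) else "clean"


# Constructed samples (not real Storm Worm messages).
SAMPLE_CLICK = "Subject: Membership Support\n\nclick http://192.168.103.20/\n"
SAMPLE_ECARD = ("Subject: You've received a greeting postcard from a Class-Mate!\n\n"
                "View it within the next 30 days at http://192.0.2.45/?a7c3e1\n")
SAMPLE_OBFUSCATED = "Tech Department: confirm at http://0xC0A86714/ or http://3232261908/\n"
SAMPLE_LEGIT = "Your order shipped. Track it at https://www.example.com/track?id=55021.\n"

if __name__ == "__main__":
    for name, text in [("click", SAMPLE_CLICK), ("ecard", SAMPLE_ECARD),
                       ("obfuscated", SAMPLE_OBFUSCATED), ("legit", SAMPLE_LEGIT)]:
        print(f"{name:10s} {triage(text):7s} {find_suspicious_links(text)}")
```

A bare IP in a link is a strong signal but not proof on its own; some internal tools and test servers use them legitimately, so this is best treated as one scoring input for a spam filter rather than an automatic delete rule. Note also that a purely numeric hostname can never be a valid DNS name (top-level labels are not all digits), which is why the undotted case can be flagged without worrying about false positives.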
What you can do to protect your PC from the Storm Worm.
The first step in protecting your Windows personal or business computers from Internet worms and Trojan Horse threats is to obtain every available Critical update and patch issued through Windows Update or Microsoft Update. Many of you have already turned on Automatic Updates, so you receive them on or shortly after the day Microsoft pushes them out, Patch Tuesday (the second Tuesday of every month). Of course, this assumes that you are all good Netizens running legitimate, activated and validated copies of Windows 2000 with SP4, Windows XP with SP2, Windows Vista, or Windows Server 2003. If you are not using legitimate Windows software you may not receive all of the available updates. You are part of the problem and should do the right thing: purchase a valid license, install and validate it, then get all the updates and patches available for your computer.
Second, put a NAT router between the broadband modem and all of your computers. Because your computers sit on private addresses behind the router's single public IP (the one assigned by your ISP), unsolicited inbound connections from the Internet have nowhere to go and are dropped, which shields you from direct attacks on TCP/IP ports. Keep in mind what it does not do: a NAT router cannot stop an infection that you invite in yourself by clicking a link in a spam email, since that is an outbound connection your own browser initiated, so it complements the other steps here rather than replacing them. See my article about Networking for more information.
Third, stop sharing pirated files with strangers over peer-to-peer file sharing networks! Many of the personal computers of other file sharers are infected, and downloaded files are one of the ways infections spread.
Fourth, be sure you are using legitimate, up-to-date, active security software that watches for, scans for and, if found, removes viruses, Trojans, rootkits, keyloggers, spyware, adware, backdoors, etc. There are links all over my blog to various free and commercial anti-virus and anti-spyware products.
Fifth, install a software firewall to monitor and challenge incoming and outgoing connection attempts. Approve the programs you expect to use the network, such as your browsers, auto-updaters, FTP programs and email clients, but watch for unexpected popup warnings about unfamiliar program files trying to connect to numeric IPs when nothing you just did explains it. If your firewall warns that a program you have never heard of is trying to establish an outgoing connection on some port, and you didn't just install or update anything, it may well be a piece of malware trying to "phone home." A firewall prompt is only as good as your answer to it: clicking "Allow" just to make the popup go away defeats the purpose.
Sixth, if you are using Windows 2000 or XP you should not be running as an "Administrator" in the account you use for daily browsing. Most current malware needs full Administrator privileges to install itself into the operating system (to write to the Windows and Program Files folders, install drivers or services, or change machine-wide registry settings), so running with fewer rights means a great deal of it simply fails to install. To set this up, go to Control Panel > "User Accounts (and Passwords)" and create a new, password-protected account that has Computer Administrator privileges, log off your original account, and log into the new one. From there, open Control Panel > User Accounts, locate your original account and click Change Account Type. Change your regular account from "(Computer) Administrator" to "Users" or "Limited User" (Windows 2000 or XP Home), or "Power Users" on Windows 2000 or XP Professional. Log off the Administrator account and log back into your regular account, which will now have reduced, safer user privileges. One caveat: the Power Users group is not a real security boundary, because its members can still install programs and services and can elevate themselves to Administrator; choose "Users" wherever your software lets you, and use the Administrator account only for installing and updating software. I have written these articles about how to use lower user privileges to protect your computer:
* Limited User Privileges Protect Against Malware Infections
* Limited User Privileges Protect PCs From Adware, Rootkits, Spyware and Viruses
* Windows 2000 and XP User Account Privileges Explained
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.