Spam Security

Massive Spam Shot of "Storm Trojan" 260

jcatcw writes "Postini has already counted nearly 5 million copies of the spam in the last 24 hours, and calculated that the run currently accounts for 87% of all malware being spread through email. 'Expect this to grow much larger,' a Postini spokesman said; 'It should top out at 60 million messages within the next 24 hours.' It's the largest attack in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. The spam carries a ZIP file attachment posing as a patch with subjects such as Worm Alert!, Worm Detected, Spyware Detected!, or Virus Activity Detected."
  • maybe the problem... (Score:2, Interesting)

    by darkvizier ( 703808 ) on Friday April 13, 2007 @12:24PM (#18719795)

    ...is that malware has better installation instructions than any of our other software. When people see documentation, it's like a dream come true!

    Ah... disillusionment. :-)

  • Mail server filters (Score:3, Interesting)

    by TheBracket ( 307388 ) on Friday April 13, 2007 @12:24PM (#18719813) Homepage
    We have a set of filters in place that scan every incoming message (for viruses, spam, etc.). It looks like in the last 24 hours or so we've blocked a few thousand of these. They seem to be coming from all over the place, with a variety of subject lines. We block any IP that sends us malicious messages more than twice in an hour (the block stays up for 24 hours, I think), so the 2-3,000 we've blocked could be a drop in the ocean - or may not be. That's still a lot more than we get for most incidents like this.
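
The blocking policy described in the comment above (more than two malicious messages from one IP within an hour, then a 24-hour block), as an added example that is not part of the original comment or the poster's filter code. The class, function and constant names and the sample events are assumptions constructed here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)      # look-back period for counting offences
THRESHOLD = 2                    # "more than twice": block on the third hit
BLOCK_FOR = timedelta(hours=24)  # block lifetime from the comment


class SenderBlocklist:
    def __init__(self):
        self._hits = defaultdict(deque)  # ip -> times of malicious messages
        self._blocked_until = {}         # ip -> block expiry time

    def is_blocked(self, ip, now):
        expiry = self._blocked_until.get(ip)
        if expiry is not None and now >= expiry:
            del self._blocked_until[ip]  # block has aged out
            return False
        return expiry is not None

    def handle(self, ip, now, malicious):
        """Return 'rejected', 'accepted', 'dropped' or 'blocked'."""
        if self.is_blocked(ip, now):
            return "rejected"            # refused before any scanning
        if not malicious:
            return "accepted"
        hits = self._hits[ip]
        hits.append(now)
        while now - hits[0] > WINDOW:    # forget hits older than one hour
            hits.popleft()
        if len(hits) > THRESHOLD:
            self._blocked_until[ip] = now + BLOCK_FOR
            del self._hits[ip]
            return "blocked"
        return "dropped"                 # message discarded, sender not blocked


def replay(events):
    bl = SenderBlocklist()
    return [bl.handle(ip, ts, mal) for ts, ip, mal in events]


T0 = datetime(2007, 4, 13, 9, 0)
SAMPLE = [  # constructed events; addresses from documentation ranges
    (T0, "192.0.2.10", True),
    (T0 + timedelta(minutes=10), "192.0.2.10", True),
    (T0 + timedelta(minutes=20), "198.51.100.7", True),
    (T0 + timedelta(minutes=30), "192.0.2.10", True),   # third hit in an hour
    (T0 + timedelta(minutes=40), "192.0.2.10", False),  # arrives while blocked
    (T0 + timedelta(hours=25), "192.0.2.10", False),    # block has expired
]
```

Because the run arrives from many distinct addresses, a per-IP threshold like this only stops repeat senders; the content scan still has to catch each sender's first messages.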
  • by MindStalker ( 22827 ) <mindstalker@[ ]il.com ['gma' in gap]> on Friday April 13, 2007 @12:48PM (#18720175) Journal
    You could make the argument that as viruses have been around for a long time MS had a reason from the start to build it right.

    Let's say there were no laws governing seat belts. And theoretically after seat belts were already in wide use among the new.. flying cars that a few people drove. Fly Systems finally invents the flying cars for the average Joe. It really takes off and now almost everyone has a Fly System car, but Fly Systems REFUSES to sell cars with seat belts, despite a market demand. Sure you can buy add-in seat belts but they never work just right.. Would Fly Systems be partially liable?? I don't know but it's an interesting legal question.
  • Inoculation (Score:2, Interesting)

    by dremel ( 304553 ) on Friday April 13, 2007 @12:50PM (#18720213) Homepage

    A good campaign of email virus inoculation should do the trick. Start a series of spam which looks exactly like a virus, but just puts up a "If this were a virus, you'd have just infected yourself!" message, thus training users to just not open it!

    Possibly add a link or button (perhaps labeled "Click Me!") which puts up a follow-up message for the especially thick user: "For heaven's sake, you're just making it worse. Quit clicking these things!"

  • by gvc ( 167165 ) on Friday April 13, 2007 @01:24PM (#18720775)
    If the CEAS Live Challenge [slashdot.org] had occurred over the last 24 hours, participants would've had to deal with several copies of this virus. Note how it morphed from news headlines to greeting card lines over the course of the day.

    USA Missle Strike: Iran War just have started attach="News.exe"
    Israel Just Have Started World War III attach="Video.exe"
    Missle Strike: The USA kills more then 10000 Iranian citizens attach="Click Here.exe"
    USA Missle Strike: Iran War just have started attach="News.exe"
    USA Just Have Started World War III attach="Read More.exe"
    Iran Just Have Started World War III attach="Movie.exe"
    Missle Strike: The USA kills more then 10000 Iranian citizens attach="Click Me.exe"
    Missle Strike: The USA kills more then 10000 Iranian citizens attach="Video.exe"
    USA Just Have Started World War III attach="News.exe"
    I Love You Because attach="flash postcard.exe"
    You're In My Thoughts attach="postcard.exe"
    You're In My Thoughts attach="flash postcard.exe"
    Love Remains attach="Love Card.exe"
    Inside My Heart attach="greeting card.exe"
    A Kiss So Gentle attach="Postcard.exe"
  • Re:Nope (Score:3, Interesting)

    by TFGeditor ( 737839 ) on Friday April 13, 2007 @01:31PM (#18720887) Homepage
    "I'm not seeing any statistically significant increase in either what's being blocked or what's being accepted by any of the MTA's I manage. Also, Trend Micro's spam stats don't show any major jump in activity either."

    I hope you are right, because I have had an epiphany and am now one of those who decry the "clueless users/lusers" responsible for letting their machines become infected and recruited into botnets.

    I used to have sympathy for them, but as botnets proliferate and my mail servers get pounded even harder by spam et al, that sentiment is becoming harder to conjure up.

    I am on the verge of joining the "computer users should be licensed" ranks.

    [sigh]

  • by gvc ( 167165 ) on Friday April 13, 2007 @01:45PM (#18721165)

    Who said it's Windows malware?
    Um, the payload is a .exe file. [symantec.com]

    I thought I'd be a smart-ass and show you that it didn't run on Linux. But, damn! I have Wine installed.

    ./News.exe Could not stat /mnt/cdrom (No such file or directory), ignoring drive D:
    err:win32:PE_fixup_imports No implementation for lz32.dll.2(LZCloseFile) imported from F:\News.exe, setting to 0xdeadbeef
    wine: Unhandled exception, starting debugger...
  • Re:computer IQ test? (Score:2, Interesting)

    by parkrrrr ( 30782 ) on Friday April 13, 2007 @02:30PM (#18722037)
    31.

    You didn't specify a base.
  • Re:Nope (Score:5, Interesting)

    by Ilgaz ( 86384 ) on Friday April 13, 2007 @06:12PM (#18725525) Homepage
    I choose to report my spam instead of ignoring it, so believe it or not, I saw a single Canadian IP spamming (sending that worm) to 3 different mailboxes which have nothing to do with each other. I even added to the spamcop.net report the comment "Please take care of this IP" and added the Kaspersky virus ID. Guess what happened in return? A kind "thank you we took care of it" from the Canadian ISP? No, 2 more spams from the same IP! :)

    I have checked the senderbase.org entry and it says like 3500% volume increase over 1 day from that IP!

    Still, as an old timer I feel uncomfortable posting the IP on the web whether it is spammer/worm infected or not. I mean that worm really took off, perhaps the owner of the botnet finally accepted the price offered by the mob, mafia, whatever using it. Yet again, no worries, Clam detects it even without opening that password protected zipped junk.
