The infamous Storm Worm, which we have watched infect many PCs in many different ways, is back yet again. This time the authors behind the new iterations of the worm have changed tactics, spreading it via hoax emails that try to get software installed on a PC.
The emails seem fairly easy to identify, sharing common characteristics such as the subject line:
The new emails bear subject headings such as "User info," "Membership support" and "Login information," and contain purported login credentials for sites that offer the gamut of services tailored to online music aficionados, cat lovers and poker players, according to this post by F-Secure.
Earlier in the year, and even as far back as last year, we heard many security companies, such as the anti-spam company Appriver, discuss how the Storm Worm was one that would stick around, mutating at various points and using many different tactics. That's quite common among worms today, but the level of coordination behind this one has caught the eye of many. In particular, the newer tactics this worm uses make it difficult for some programs to remove:
The binary morphs about every 30 minutes, making it particularly hard for antivirus programs to identify it as malware. Indeed, earlier on Tuesday, only 14 of 32 anti-virus programs detected a version of the applet Ullrich had downloaded.
Interestingly, the applet installed by this latest mutation has other tricks up its sleeve, such as refusing to run if it detects that it is on a virtualized host, for example inside a VMware session. As tactics like these emerge more often, the techniques used to combat them will need to evolve as well.