New Attack Sites Push Storm Worm onto PCs

Just about a week ago, I wrote about the Storm Worm's swift spread, and how it may signal an upcoming change in tactics for the multi-function bot malware. At the time, I wrote that the only good thing about it was that the malware spread via e-mail, so if you were smart enough to exercise due caution with unexpected e-mails you'd be safe from the Storm Worm.

Sadly, that's no longer true.

I just heard from Don Jackson, a researcher at SecureWorks, who found that there are now attack Web sites that attempt to bust your browser and hit you with a Storm Worm drive-by-download. Jackson said he has found about a dozen such sites so far, but more may turn up as Google indexes the compromised sites, which will make it possible to discover them with a Web search.

The sites are primarily small, seemingly innocent sites such as hobby sites or community forums, he says. One compromised site hosted a forum for Macintosh users (it has since been cleaned). Jackson says he hasn't found a common vulnerability in the sites, so he can't yet tell just how the sites are being infected.

The poisoned sites so far launch an iFrame attack that contains a combination of exploits. Two go after older vulnerabilities in Internet Explorer (ADODBStream and WebFolderView) and one targets a Quicktime flaw, so make sure both those programs are up-to-date. Secunia recently released a useful free utility that helps identify out-of-date apps on your computer, and makes it relatively easy to get patches.

Also, you can expect the Storm Worm to continue to spread via e-mail, so be extra careful of unexpected e-mail attachments and links, as always. I'd guess that we may start to see e-mails that include links to these newly compromised Web sites.

Comments

Post a comment Post a comment

0 / 1000 max characters