Storm Trojan gets second wind

An outbreak of spam 'confirmation' log-in emails is trying to con people into visiting a website infected with the Storm Trojan.

If the victim clicks on the link in the emails, which claim to have been sent from the technical support departments of legitimate organisations, the trojan will then attempt to download itself using vulnerabilities in the user's browser. In this case the file is called 'applet.exe'.

The infected PC can then be hijacked and used as part of a botnet to launch other criminal activities online.

Bradley Anstis, product management director for security company Marshal, said: "We are seeing significant volumes of 'confirmation spam' hitting inboxes. "

Storm first appeared in January 2007 and quickly proved successful in fooling people into using the links. Marshal said current emails are the latest attempt by the criminals behind this trojan, which has previously used current affairs headlines and over the summer, e-cards, to give the spam legitimacy.

"These criminals are clever and highly adaptive. This outbreak is the latest in a string of underhanded social engineering tactics used by the same individuals responsible for the Storm Trojan and designed to fool unsuspecting email users into infecting themselves and propagate this botnet," said Anstis.

According to the Marshal TRACE team, the latest spam uses text such as "for security purposes, please log in and change the temporary Login ID and Password".

The messages appear to come from the technical support departments of a range of organisations with names designed to generate the interest of the broad public, such as "Joke-A-Day" and "Web Players".

The links appear as an IP address rather than a more normal URL - eg http://213.161.89.20/. The current email link leads to a website with malicious code which may exploit vulnerabilities in your browser.

Previous examples of the headlines used by this team of criminals included, "Saddam Hussein alive!" and "Chinese missile shot down by USA aircraft".

Since then they have used the guise of greeting cards to infect computers with subjects ranging from the 4 July to thank you cards.

The 'confirmation spam' outbreak has been launched by the same group that launched the Hot Pictures spam campaign earlier in the week. Previously these spam campaigns, like the greeting card campaign, would last for weeks at a time.

"Now however, spammers are modifying or launching new spam campaigns almost daily," said Anstis. "Our advice to anyone who receives a message like this from a person they do not know, or have not heard from for a long time is to delete it without opening it. Certainly, don't click on the link in the message and don't click OK if it asks to download a file."