Storm makes house calls: New messages lead to bogus medical sites, evade filters

The notorious Storm worm botnet, which has mounted phishing attacks on major banks and spawned several waves of holiday-themed messages in recent weeks, is generating spam that directs recipients to bogus medical sites, Websense has warned.

A Websense Security Lab blog posting on Tuesday reported that new messages being generated by Storm's army of zombie computers contain links that point to the root of a bare IP address (for example, http://<IP address>/) rather than to a domain name, which enables the medical spam sites linked from the messages to evade spam filters that key on blacklisted domains.

The Websense blog posted samples of the new Storm messages, which are formatted with an IP address and a short random directory name, with subject lines including, “You won't spend too much for these meds!” A link contained in the message sends the recipient to a bogus professional-looking medical site called “Canadian Pharmacy, #1 Internet Online Drugstore.”
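The link pattern described above (a bare IP address as the host followed by one short, random-looking directory) is easy to flag on the mail gateway. The following is an added example, not code from the original article or from Websense; the message bodies and addresses are constructed samples, and the `short_random_dir` length bounds are an assumption chosen to match the described pattern.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed sample bodies (not real Storm messages) in the shape the
# article describes: a bare-IP host with a short random directory name.
SAMPLE_MESSAGES = [
    "You won't spend too much for these meds! http://192.0.2.45/xk3q",
    "Your statement is ready: https://www.example.com/account/statement",
    "Check this out http://203.0.113.9:8080/a9f2 today",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_bare_ip_host(host):
    """True when the URL host is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify_url(url):
    """Return the indicator names that apply to a single URL."""
    parts = urlsplit(url)
    indicators = []
    if parts.hostname and is_bare_ip_host(parts.hostname):
        indicators.append("ip_literal_host")
        segments = [s for s in parts.path.split("/") if s]
        # Assumed bounds: one alphanumeric directory of 3 to 8 characters.
        if len(segments) == 1 and 3 <= len(segments[0]) <= 8 and segments[0].isalnum():
            indicators.append("short_random_dir")
    return indicators


def scan_message(body):
    """Map each URL found in a message body to its indicators."""
    return {url: classify_url(url) for url in URL_RE.findall(body)}


def flagged_messages(messages):
    """Return the indexes of messages containing at least one IP-literal link."""
    return [i for i, body in enumerate(messages)
            if any("ip_literal_host" in ind for ind in scan_message(body).values())]
```

Domain-based blocklists never see these links, so a host check like this one is the filter that catches them; treat `short_random_dir` as a scoring signal rather than a hard block, since legitimate short paths on IP-literal hosts exist on internal networks.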

Earlier this month, the Storm worm trojan continued its holiday-themed onslaught – first seen in fake Christmas and New Year's messages – with a massive wave of “love” notes that attempt to deliver malicious code to a recipient's PC.

According to Sophos, the body of each love message directed the recipient to an IP address-based site hosted on the Storm botnet and laced with JavaScript code that attempts to hide the link to the malware binary from automated crawlers.

Researchers at Sophos said the Valentine-inspired attack metastasized this month to the point where it was making up almost eight percent of overall email traffic.

The Valentine-themed email blitz came on the heels of two phishing attacks on major international banks that are believed to have been mounted using the Storm botnet, the first such assault on the financial sector emanating from the Storm network, which many researchers believe originated in Russia.

The Fortinet Global Security Research team reported that the attackers first targeted Barclays bank, shut down their bogus Barclays phishing site once Fortinet detected it, and then mounted a new attack on Halifax Bank customers, according to Guillaume Lovet, Fortinet Threat Response Team manager.

See original article on scmagazineus.com
Copyright © SC Magazine, US edition
