
Blogspot Blogs Help Spread Storm Worm Attacks

In an attack that showcases what cyber criminals have in store for Web 2.0 next year, the individual or group behind the Storm worm is distributing new versions of the malware with the help of hijacked and newly-created Google Blogspot blogs.

The Storm worm, one of 2007's most prolific e-mail-borne Trojan horse programs, has always come wrapped in holiday-themed messages or disguised as videos from some recent high-profile news event. The latest Storm versions -- predictably spammed out as Christmas and New Year's greeting cards -- don't break with that tradition. They urge recipients to click on a link that then tries to install the Trojan by hook (unpatched Web browser vulnerabilities) or by crook (tricking the user into believing he or she needs to install some "video codec" to view the holiday message).

The twist with the new attacks is that someone has apparently planted the malicious Storm download links on hundreds of Google Blogspot pages (hat tip here to Steven Adair of the Shadowserver.org crew). A Google search for Blogspot blogs that contain links to the malicious Web sites -- "uhavepostcard.com" and "happycards2008.com" (do NOT visit these sites) -- shows plenty of Blogspot blogs that appear to be hosting links to the Storm download sites.

The image on the right shows a link to one of the Storm download sites embedded in a Blogspot blog called "Women's Writes Movement."

At least two of the Blogspot blogs turned up in that search belong to security experts who have been chronicling these latest Storm tactics (incidentally, both trace the source of the malware back to the infamous Russian Business Network).

Why bother with linking to the Storm download sites on Google blogs?

According to the curator of RBNExploit, the Storm worm author(s) can use the tainted Blogspot blogs as yet another way to redirect traffic to Storm download sites. The fake Blogspot links also may prove useful in helping the bad guys evade anti-spam defenses. Whatever the reason, if the Storm worm author(s) deem the use of Blogspot blogs to have helped their campaign, we will likely see more of this tactic in 2008.

Security Fix recently was made aware of another, unrelated way that criminals are using Blogspot blogs to redirect traffic toward malicious sites. Clicking on links anywhere on this Blogspot site -- which appears to be a strange mock-up of a Bank of America phishing e-mail -- takes you to a nicely-done Bank of America phishing site that is still active as of this writing.

This particular phishing site uses what's known as a man-in-the-middle attack, so when you pass your logon credentials to the phishing site, it will actually log you in at the real Bank of America Web site while stealing your credentials.

Update, 1:49 a.m. ET, Dec. 29: Anti-virus maker McAfee's security blog warns that a number of Google blogs are being used as the staging grounds for a separate spate of malware attacks. According to McAfee, the fake blogs turn up when people search for news on the assassination of former Pakistani Prime Minister Benazir Bhutto. The blogs claim to host video footage of the assassination, but visitors are asked to install a special video "codec" in order to view the movies. Those who agree will have their browsers whisked away to a slew of sites that try to install spyware.

These video codecs are almost always a malware trap, so don't fall for them. A good rule of thumb is -- if you didn't go looking for it, don't install it. And of course, standard Storm worm advice: Avoid clicking on links (or images) in e-mails that you were not expecting.

By Brian Krebs  |  December 27, 2007; 8:38 PM ET
Categories:  Latest Warnings  

Comments

Brian & Rob --

Thank you for a past years worth of excellent work in helping to keep all of us informed.

Merry Xmas & Happy New Year

Happy Hanukkah & Merry Kwanzaa

________________ & ______________

Bruce

Posted by: brucerealtor@gmail.com | December 27, 2007 10:47 PM | Report abuse

How are they able to plant the links on the blog sites? Via flaws in the blogging software?

For home users, a good way to defend against this is via a blocking hosts file. See http://www.mvps.org/winhelp2002/hosts.htm

While the current hosts file does not include the current Storm Worm domains listed in the article, they can be easily added.

This issue is also a good example of how a layered defense can help protect your system. Don't just rely on one layer like Antivirus. Also patch ALL your software as the exploits commonly use flaws to do their work.

But most importantly, use a limited user account since these exploits attempt to write to places such an account does not have write access to and thus could be thwarted.

Posted by: TJ | December 27, 2007 11:50 PM | Report abuse
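TJ's suggestion above is a blocking hosts file with the Storm domains from the article added to it. As an added example (not the commenter's code and not from the MVPS file), this Python script does that bookkeeping: it parses an existing hosts file, appends `0.0.0.0` entries for the two domains the article names, and skips anything already present, so it can be re-run safely. The sample hosts file content is constructed; the only real values are the two domain names from the article.

```python
# Added example, not from the article or its commenters: maintain a blocking
# hosts file that maps known Storm download domains to the unroutable address
# 0.0.0.0, so a browser that follows one of the spammed links never connects.
from typing import Iterable, List, Set

# The two Storm download domains named in the article. This is an input list;
# the code does not discover domains on its own.
STORM_DOMAINS = ["uhavepostcard.com", "happycards2008.com"]

# Constructed sample of an existing hosts file (one Storm domain already blocked).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 uhavepostcard.com   # already present
"""

BLOCK_ADDRESS = "0.0.0.0"  # convention used by this example for "blocked"


def blocked_hosts(hosts_text: str) -> Set[str]:
    """Return the set of host names currently mapped to BLOCK_ADDRESS."""
    blocked: Set[str] = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == BLOCK_ADDRESS:
            blocked.update(h.lower() for h in parts[1:])
    return blocked


def add_block_entries(hosts_text: str, domains: Iterable[str]) -> str:
    """Append BLOCK_ADDRESS entries for domains not yet blocked; idempotent."""
    already = blocked_hosts(hosts_text)
    out = hosts_text
    if out and not out.endswith("\n"):
        out += "\n"
    new_lines: List[str] = []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if d and d not in already:
            new_lines.append(f"{BLOCK_ADDRESS} {d}")
            already.add(d)  # guard against duplicates within the input list
    if new_lines:
        out += "\n".join(new_lines) + "\n"
    return out


def is_blocked(hosts_text: str, hostname: str) -> bool:
    """True if the exact hostname is mapped to BLOCK_ADDRESS in hosts_text."""
    return hostname.lower().rstrip(".") in blocked_hosts(hosts_text)


if __name__ == "__main__":
    updated = add_block_entries(SAMPLE_HOSTS, STORM_DOMAINS)
    print(updated)
```

Note the limitation TJ's layered-defense point implies: a hosts file matches exact host names only, so a link to a different subdomain or a raw IP address bypasses it. It is one layer, not a substitute for patching and a limited user account.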

I have a blogspot blog. How can I search to see whether my blog may have been hijacked? Please let me know how you typed the search -- you just searched for the worm file name?

Posted by: Wilbrod | December 28, 2007 1:51 PM | Report abuse

@Wilbrod -- You should be extremely careful not to visit any of the sites turned up in this search. That said, you can find them doing an "Advanced Search" on Google: Just type: site:blogspot.com + "happycards2008.com"

substitute the happycards2008.com bit for the other Storm download sites, such as uhavepostcard.com and a few others, and you'll see most of the blogspot blogs I found.

Posted by: Bk | December 28, 2007 2:27 PM | Report abuse
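The Google search Brian describes finds Blogspot pages that mention the Storm download domains. A blog owner can do the same check locally against a saved copy of their own pages, which also covers the holiday e-mail links the article describes. The following Python script is an added example, not code from the article or its commenters: it extracts link and embed URLs from HTML with the standard-library parser and flags any whose host is, or sits under, a blocklisted domain. The blocklist holds the two domains named in the article; the sample page and its URL paths are constructed for the example.

```python
# Added example, not from the article: scan HTML for links whose host matches
# a blocklist of known Storm download domains (exact host or any subdomain).
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Domains named in the article. Any other entry would be an assumption.
STORM_DOMAINS = {"uhavepostcard.com", "happycards2008.com"}

# Constructed sample blog page. Paths are placeholders, not real Storm URLs.
SAMPLE_HTML = """<html><body>
<p>Season's greetings! <a href="http://happycards2008.com/card">View your card</a></p>
<p><a href="https://www.example.org/about">About this blog</a></p>
<img src="http://cdn.uhavepostcard.com/banner.gif">
<a href="http://happycards2008.com.example.net/">different domain, must not match</a>
<a href="/archive/2007">relative link, no host</a>
</body></html>"""

# Attributes that cause a fetch when the page renders; enough for this example.
URL_ATTRS = {"a": "href", "img": "src", "script": "src", "iframe": "src"}


class LinkCollector(HTMLParser):
    """Collect every URL found in the attributes listed in URL_ATTRS."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def host_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (label boundary)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_bad_links(html: str, blocklist) -> List[Tuple[str, str]]:
    """Return (url, matched_domain) for each URL whose host is blocklisted."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    hits: List[Tuple[str, str]] = []
    for url in collector.urls:
        host = urlsplit(url).hostname  # None for relative or scheme-less links
        if not host:
            continue
        for domain in sorted(blocklist):
            if host_matches(host, domain):
                hits.append((url, domain))
                break
    return hits


if __name__ == "__main__":
    for url, domain in find_bad_links(SAMPLE_HTML, STORM_DOMAINS):
        print(f"FLAG {url}  (matches {domain})")
```

The match is done on the parsed host, not by substring search over the page text, which is why the look-alike host in the sample is not flagged while the `cdn.` subdomain is. A plain text search, like the Google query, would also hit pages that merely discuss the domains, as Brian notes in his follow-up comment below.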

I'm sure you've already done this, but just in case:

please pass the information along to Google's security team so that they can take action.

Posted by: Ken L | December 28, 2007 4:07 PM | Report abuse

Thanks very much, Brian, for this past year's worth of informative blog posts. Best wishes for the new year!

Posted by: t_joe | December 28, 2007 9:00 PM | Report abuse

Google's security website is here:
http://googleonlinesecurity.blogspot.com/

Google is too busy cracking down on paid links to clean up the storm worm content in the search results, and in the blogspot blogs.

Do a google blog search for any content you have written on a blog. There will be 5-20+ results for the same text from spam blogs. Click on any of the spam blog results (not recommended due to trojans and viruses), and you will see 2 or 3 google ads on the page.

If google was serious about the "integrity of its search index", or about the security of its products, then they would have undergone a major campaign to combat these problems on search results and spam blogs. As it is, it is going on a few years and they have said almost nothing, and their efforts to date have been woefully inadequate.

Posted by: Anon | December 29, 2007 12:50 AM | Report abuse

Thanks to all who left kind words in the comments above. Much appreciated.

I should clarify, since apparently this piece was misinterpreted in another story that cites Security Fix: The two Blogspot blogs I mention and link to above that belonged to security researchers did NOT contain the malicious Storm download links per se. Rather, those two sites showed up in the Google search for potentially infected Blogspot sites because they were trying to explain how the attack worked and in so doing mentioned the name of the malicious executable file that I searched for (a la the instructions I gave above in the comment response to Wilbrod.)

I hope that clears things up, and my apologies if that was unclear.

Posted by: Bk | December 29, 2007 1:43 AM | Report abuse

That's the reason I don't use Google Search. They don't care about security.

Posted by: doc_chari | December 29, 2007 11:19 AM | Report abuse

I'd like to make aware to others that it isn't just the Storm worm being spread but regular old malware as well. I have a write up about it here:
http://temerc.com/phpBB2/viewtopic.php?t=4121&highlight=

I'm trying to get some attention\action taken by Google. But it seems all anyone is interested in is the 'big name' stuff.

Posted by: TeMerc | December 31, 2007 3:43 AM | Report abuse

Will this affect any of us with Mac OS operating systems? Just curious.

Posted by: ella | January 2, 2008 12:47 PM | Report abuse

Hello!
Nice site ;)
Bye

Posted by: VIEWSTEXTDEVE | January 25, 2008 11:38 AM | Report abuse

Have you seen the new script that shows Google ads in Flash?
That script is on http://flashsense.blogspot.com

Posted by: flashsense | February 22, 2008 6:37 AM | Report abuse



© 2010 The Washington Post Company