Blogspot Blogs Help Spread Storm Worm Attacks
In an attack that showcases what cyber criminals have in store for Web 2.0 next year, the individual or group behind the Storm worm is distributing new versions of the malware with the help of hijacked and newly-created Google Blogspot blogs.
The Storm worm, one of 2007's most prolific e-mail-borne Trojan horse programs, has always come wrapped in holiday-themed messages or disguised as videos from some recent high-profile news event. The latest Storm versions -- predictably spammed out as Christmas and New Year's greeting cards - don't break with that tradition. It urging recipients to click on a link that then tries to install the Trojan through hook (unpatched Web browser vulnerabilities) or by crook (tricking the user into believing he or she needs to install some "video codec" to view the holiday message).
The twist with the new attacks is that someone has apparently planted the malicious Storm download links on hundreds of Google Blogspot pages (hat tip here to Steven Adair of the Shadowserver.org crew). A Google search for Blogspot blogs that contain links to the malicious Web sites -- "uhavepostcard.com" and "happycards2008.com" (do NOT visit these sites)-- shows plenty of Blogspot blogs that appear to be hosting links to the Storm download sites.
The image on the right shows a link to one of the Storm download sites embedded in a Blogspot blog called "Women's Writes Movement."
At least two of the Blogspot blogs turned up in that search belong to security experts who have been chronicling these latest Storm tactics (incidentally, both trace the source of the malware back to the infamous Russian Business Network).
Why bother with linking to the Storm download sites on Google blogs?
According to the curator of RBNExploit, the Storm worm author(s) can use the tainted Blogspot blogs as yet another way to redirect traffic to Storm download sites. The fake Blogspot links also may prove useful in helping the bad guys evade anti-spam defenses. Whatever the reason, if the Storm worm author(s) deem the use of Blogspot blogs to have helped their campaign, we will likely see more of this tactic in 2008.
Security Fix recently was made aware of another, unrelated way that criminals are using Blogspot blogs to redirect traffic toward malicious sites. Clicking on links anywhere on this Blogspot site -- which appears to be a strange mock-up of a Bank of America phishing e-mail - takes you to a nicely-done Bank of America phishing site that is still active as of this writing.
This particular phishing site uses what's known as a man-in-the-middle attack, so when you pass your logon credentials to the phishing site, it will actually log you in at the real Bank of America Web site while stealing your credentials.
Update, 1:49 a.m. ET, Dec. 29: Anti-virus maker McAfee's security blog warns that a number of Google blogs are being used as the staging grounds for a separate spate of malware attacks. According to McAfee, the fake blogs turn up when people search for news on the assassination of former Pakistani Prime Minister Benazir Bhutto. The blogs claim to host video footage of the assassination, but visitors are asked to install a special video "codec" in order to view the movies. Those who agree will have their browsers whisked away to a slew of sites that try to install spyware.
These video codecs are almost always a malware trap, so don't fall for them. A good rule of thumb is -- if you didn't go looking for it, don't install it. And of course, standard Storm worm advice: Avoid clicking on links (or images) in e-mails that you were not expecting.
Posted by: email@example.com | December 27, 2007 10:47 PM | Report abuse
Posted by: TJ | December 27, 2007 11:50 PM | Report abuse
Posted by: Wilbrod | December 28, 2007 1:51 PM | Report abuse
Posted by: Bk | December 28, 2007 2:27 PM | Report abuse
Posted by: Ken L | December 28, 2007 4:07 PM | Report abuse
Posted by: t_joe | December 28, 2007 9:00 PM | Report abuse
Posted by: Anon | December 29, 2007 12:50 AM | Report abuse
Posted by: Bk | December 29, 2007 1:43 AM | Report abuse
Posted by: doc_chari | December 29, 2007 11:19 AM | Report abuse
Posted by: TeMerc | December 31, 2007 3:43 AM | Report abuse
Posted by: ella | January 2, 2008 12:47 PM | Report abuse
Posted by: VIEWSTEXTDEVE | January 25, 2008 11:38 AM | Report abuse
Posted by: flashsense | February 22, 2008 6:37 AM | Report abuse
Posted by: stvsonchek | April 2, 2008 4:53 AM | Report abuse
The comments to this entry are closed.