Thursday, March 1, 2007

Avoid "Fun Video" Links in Blogs, Forums

Dmitri Alperovitch, the principal research scientist over at Secure Computing, one of our OEM partners, suggests PC users should avoid clicking on "Fun Video" links in blogs or RSS feeds for the time being.

The Storm worm variant I blogged about yesterday is using both e-mail and Web sites to infect Windows-based PCs. On a machine it has compromised it installs itself as a rootkit, hooks the user's web traffic, and uses that position to spread: it injects itself into the comments that the infected reader leaves on blogs and forums.

What this means is that when that infected user next visits a blog or forum and writes a post or adds a comment, the Storm worm adds a line of its own to the submission. Right now the inserted line invites readers to watch a "fun video". Clicking the link takes the reader to a web site where the whole infection process starts again. Note that the comment itself is not the malware: it is a lure posted from a legitimate account, which is why it slips past the trust readers place in a blog's regulars.
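Because the lure arrives through a real user's own account, a blog or forum operator cannot rely on who posted it; the submission body itself has to be inspected. The following is an added example, not code from the original post or from Secure Computing or Authentium: a small content filter that extracts the links from a submitted comment and flags any submission that pairs a link with the "fun video" lure text. The sample comments and the 203.0.113.7 address are constructed for the demo; the lure pattern is deliberately a parameter, since the text of the lure can be expected to change.

```python
import re
from html.parser import HTMLParser

# Constructed sample submissions (not real captured comments). 203.0.113.7 is a
# documentation address used only as a stand-in for the lure site.
SAMPLE_COMMENTS = [
    "Great post, thanks for the writeup.",
    'Nice. By the way, check out this fun video: '
    '<a href="http://203.0.113.7/video.php">fun video</a>',
    "lol fun video http://example.test/watch?v=1",
    "Here is the link to the RFC: https://www.rfc-editor.org/rfc/rfc2616",
]

# Bare URLs pasted as text (stops at whitespace, angle brackets and quotes)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
# The current lure wording; treat this as a placeholder that will be updated
LURE_RE = re.compile(r'\bfun\s+video\b', re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collects href targets from <a> tags in the comment HTML."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def extract_links(comment):
    """Return every link in the comment, whether it is an <a href> or a bare URL."""
    parser = LinkExtractor()
    parser.feed(comment)
    links = set(parser.hrefs)
    links.update(URL_RE.findall(comment))
    return sorted(links)


def is_lure(comment, lure_re=LURE_RE):
    """A submission is suspicious when it carries a link AND the lure wording."""
    return bool(extract_links(comment)) and lure_re.search(comment) is not None


def triage(comments, lure_re=LURE_RE):
    """Return (comment, links) for each submission that should be held for review."""
    return [(c, extract_links(c)) for c in comments if is_lure(c, lure_re)]


if __name__ == "__main__":
    for comment, links in triage(SAMPLE_COMMENTS):
        print("HOLD:", comment[:60], "->", links)
```

Held submissions should be quarantined rather than silently dropped, since the account that posted them belongs to a reader whose machine is infected and who will need to be told.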

According to Secure Computing, the malware installed by the worm gives the criminal control of the PC, letting them use it to send spam, launch DDoS attacks, or run keyloggers that capture personal information.

They note that the worm is using server-based polymorphism (the distribution server repacks the code so that every download is a different file, even though it behaves the same) - technology that is designed to outwit antivirus engines that rely heavily on signatures, since a signature taken from one download never matches the next.
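To make the detection gap concrete, here is an added toy model, not the worm's code and not Authentium's engine. It assumes a simplified packer: a constant loader stub followed by a fresh random XOR key and the key-encoded body, so that every "download" has different bytes. A hash-signature engine trained on one download is then run against fresh downloads next to a heuristic engine that recognises the stub, unpacks the body the way the loader would, and looks for behaviour indicators. The payload text and indicator strings are constructed for the demo; real server-side polymorphism repacks or recompiles the binary and real heuristic engines emulate the code rather than applying a fixed XOR.

```python
import hashlib
import os

# Constructed stand-in for the malicious body; not real worm code.
PAYLOAD = b"CONNECT controller; START spam_engine; START ddos_agent; HOOK keyboard"

# Assumed toy packer layout: constant stub, 16-byte random key, XOR-encoded body.
STUB_MAGIC = b"XORLOADER1"
KEY_LEN = 16

# What a behaviour-based heuristic looks for after unpacking (constructed markers).
BEHAVIOUR_INDICATORS = (b"START spam_engine", b"START ddos_agent", b"HOOK keyboard")


def xor_bytes(data, key):
    """Repeating-key XOR; the same routine packs and unpacks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def serve_download(payload=PAYLOAD):
    """What the attacker's server hands out: same behaviour, different bytes each time."""
    key = os.urandom(KEY_LEN)
    return STUB_MAGIC + key + xor_bytes(payload, key)


def signature_scan(sample, known_hashes):
    """Hash-signature engine: only matches byte sequences it has already seen."""
    return hashlib.sha256(sample).hexdigest() in known_hashes


def heuristic_scan(sample):
    """Heuristic engine: recognise the loader stub, unpack as the loader would,
    then decide on what the decoded body does rather than on its raw bytes."""
    if not sample.startswith(STUB_MAGIC):
        return False
    key = sample[len(STUB_MAGIC):len(STUB_MAGIC) + KEY_LEN]
    body = xor_bytes(sample[len(STUB_MAGIC) + KEY_LEN:], key)
    # Require two independent indicators to keep the false-positive rate down
    return sum(ind in body for ind in BEHAVIOUR_INDICATORS) >= 2


def compare_engines(n_downloads=5):
    """Train a signature on the first download, then test both engines on fresh ones.
    Returns (signature_detections, heuristic_detections) out of n_downloads."""
    first = serve_download()
    known = {hashlib.sha256(first).hexdigest()}
    fresh = [serve_download() for _ in range(n_downloads)]
    sig = sum(signature_scan(s, known) for s in fresh)
    heur = sum(heuristic_scan(s) for s in fresh)
    return sig, heur


if __name__ == "__main__":
    sig, heur = compare_engines()
    print(f"signature engine caught {sig}/5, heuristic engine caught {heur}/5")
```

The signature engine scores zero on every fresh download because the hash changes with the key, while the heuristic engine scores five of five because the unpacked behaviour is unchanged. The same logic is why a vendor that only ships hashes of the first sample it sees is blind to the next thousand.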

Warning: Some antivirus vendors, including some of the big brands, are *not* detecting this variant of the Storm worm. Authentium antivirus *does* detect this variant of Storm - in fact, our malware analysis engine detected this variant, in the wild, the minute it appeared, using our advanced heuristics, which means all Authentium partners were protected at zero hour.

Note to users of non-heuristics-based antivirus programs: to avoid infection, don't click on any links that contain the words "fun video" for the time being. Or better yet, upgrade to an antivirus technology designed to catch this stuff out of the box.
