Skype messages, blogs, forum entries and webmails lead to more malware variants.
Two major gangs of malware distributors have turned to new vectors for spreading their wares this week. While the makers of W32/Stration (aka Warezov) have been spamming Skype messages leading to copies of their latest variant, the 'Storm' series of trojan attacks has evolved a method of inserting links to its malware into forum and blog postings and webmails sent from infected machines.
The Skype attack involves a simple text message sent via Skype, urging recipients to check out a link. The messages appear to come from known contacts, because infected machines send the links to everyone in their Skype contact lists. The link leads to yet another variant of W32/Stration, but few infections have been reported so far, perhaps due in part to the suspicious nature of the message: aside from containing an unusual-looking URL, the sender closes the connection as soon as the message has been left.
A screenshot of a sample message can be seen on the F-Secure blog (linked from the original article).
The 'Storm worm' gang has also branched out into new territory, with a sophisticated piece of code that recognises when an online form is being submitted. Text uploads, including blog entries, forum messages and emails sent from web-based services such as MSN Hotmail, Yahoo! Mail and Google's Gmail, are intercepted as they are sent, and a message with a link posing as an interesting video file is appended to the user's own text. The links, of course, lead to copies of the malware, hoping for a new victim.
Responsible for the additions to mail and postings is a trojan downloaded as part of an infection by the 'Storm' series of trojans (aka Peacomm, BAI, Dorf, Small etc.). More detailed information can be found in a blog entry from Symantec's Eric Chien (linked from the original article).
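The form-injection behaviour described above leaves a recognisable trace in outgoing traffic: the user's text followed by an appended line carrying a lure and a link. The following is an added example, not code from the Virus Bulletin article or from any of the vendors it cites, of a proxy-side check that parses an outgoing URL-encoded form body and flags free-text fields whose last line looks like such an appended lure. The field names, lure vocabulary and sample URL are assumptions constructed for the example; the real Storm strings are not shown on this page.

```python
"""Added example: detect an appended link lure in outgoing web-form submissions.

Assumptions (not from the article): the form is sent as
application/x-www-form-urlencoded, free-text fields use common names such as
'message' or 'body', and the lure mentions a video. The sample posts below are
constructed for the example.
"""
import re
from urllib.parse import parse_qs

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumption: vocabulary a video-themed lure is likely to use.
LURE_WORDS = ("video", "clip", "watch", "check this out")


def trailing_lure(text):
    """Return the appended lure line if the field looks tampered with, else None.

    Heuristic: the last non-empty line (a) is not the only line, (b) contains a
    URL, and (c) mentions a video-style lure word. Requiring a separate trailing
    line avoids flagging a user who legitimately pastes a link into their own
    sentence.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        return None
    last = lines[-1]
    if URL_RE.search(last) and any(w in last.lower() for w in LURE_WORDS):
        return last
    return None


def scan_form_body(body, text_fields=("message", "body", "comment", "content")):
    """Return {field_name: lure_line} for every suspicious free-text field in a
    URL-encoded POST body. The field-name list is an assumption; a real proxy
    would learn the free-text fields per site.
    """
    fields = parse_qs(body, keep_blank_values=True)
    findings = {}
    for name, values in fields.items():
        if name not in text_fields:
            continue
        for value in values:
            lure = trailing_lure(value)
            if lure:
                findings[name] = lure
    return findings


# Constructed sample bodies: the same forum post, untouched and with a lure
# appended on a new line by an infected machine (example.invalid is a reserved
# test domain, not a real download site).
CLEAN_POST = "subject=Patch+Tuesday&message=Anyone+seen+the+new+bulletin%3F"
TAMPERED_POST = (
    "subject=Patch+Tuesday&message=Anyone+seen+the+new+bulletin%3F%0A"
    "LOL+check+this+video+http%3A%2F%2Fexample.invalid%2Fvideo.exe"
)

if __name__ == "__main__":
    print(scan_form_body(CLEAN_POST))     # {}
    print(scan_form_body(TAMPERED_POST))  # {'message': 'LOL check this video http://example.invalid/video.exe'}
```

The check is deliberately narrow: it only fires when the link sits on its own trailing line, which is what an injector that appends to a submitted field produces, so a user who writes one line that happens to contain a link is not flagged. Webmail services that submit the body in a differently named field, or as multipart or JSON, would need the field list and parsing adjusted.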
'Security firms regularly warn users about attachments and links sent by unknown sources,' said John Hawes, Technical Consultant at Virus Bulletin. 'Malware writers love finding ways around this, so users should be wary of executable content whatever the source, and should ensure they are running good quality, up-to-date security software to keep themselves safe from these nasties.'