Storm worm variant blows against blogs and forums
The Storm worm has returned in a new guise. The worm, which managed to cause a global virus outbreak earlier in the year is now targeting users who blog or post to forums.
The new variant is propagating itself via links from blogs and forum posts directing users to a malicious website that downloads code onto a user’s machine which compromises the computer and turns it into part of a botnet.
Over the past twenty four hours, the virus has had computers post these malicious links on various websites, according to researchers at IT security company Secure Computing. Researchers warned that users should be on the lookout for links containing the text ‘Have you seen this?’ leading to a website with the words ‘fun video’ in them.
Clicking on the link will show a user a dialogue box asking them if they want to open an executable file. This file installs a rootkit on the user’s computer and then attempts to distribute itself to other computers.
The rootkit then monitors the user and when they visit a blog or forum site, it then inserts the text and malicious link into messages and blog comments the user has sent. The worm successfully propagates if other users see and click on these malicious links.
Experts said virus writers are becoming more and more sophisticated with new variations of viruses coming out everyday.
‘Given that this worm takes people who click on links in seemingly innocent blogs and bulletin boards to websites with malicious content, businesses should be strongly urged to protect themselves by blocking access to these types of websites to prevent ‘lunch time browsers’ from inadvertently downloading malicious content onto their PC,’ said Donal Casey, security consultant, Morse.
Casey said that if access to the most common blog and bulletin board websites can’t be blocked for business reasons then organisations need to use technology that can assess if a website contains malicious content and either remove the content before the page is displayed or block access to the entire website if it is detected.