The ongoing Storm Trojan attack that began Monday has morphed again, security researchers said today, changing the malicious file’s name, shifting to new malware hosting servers, and adding a rootkit to cloak the bot code from anti-virus software.
Spam messages attempting to dupe users into installing the bot-making Trojan now include links happycards2008.com or newyearcards2008.com, different URLs than in the second-wave attack that began Christmas Day. According to analysts at the SANS Institute’s Internet Storm Center (ISC) and U.K.-based Prevx Ltd., the name of the file users are asked to download has also changed from Tuesday’s “happy2008.exe.” The file being shilled today is tagged to “happynewyear.exe.”
More important is the behind-the-scenes addition of a rootkit to the versions of Storm now being seeded to infected machines, said researchers. Both Marco Giuliani of Prevx and an independent security researcher named Russ McRee have posted analyses of Storm’s cloaking attempt.
Storm, Trojan, Rootkit, Spam, Spamming, Malware, Antivirus, Anti-virus