Researchers: Worms not heading underground

During the past two years, security experts and software vendors have downplayed the threat of so-called worm viruses, but new evidence suggests that the attacks are still as dangerous, if not more so, than ever.

While the enormous mass-mailing worm viruses of years past -- such as the well-known MyDoom, Sobig, and Slammer attacks -- that were aimed at crippling IT infrastructure have all but disappeared, smaller outbreaks that aim to load financially-motivated malware onto end users' computers -- such as the recent Storm Worm -- will continue to menace the Internet, according to researchers.

Consensus opinion among security experts has been that as businesses and consumers improved their desktop security tools and computing habits, it became harder for malware writers to lure the same volumes of people with worms. This trend pushed the attackers away from creation of the self-propagating threats and further into financially-motivated crimeware, market watchers observed.

However, the continued spread and modification of Storm Worm, which first surfaced in mid-Jan. 2007, could illustrate an emerging breed of the attacks that is likely to trouble users in years to come.

On Feb. 27, workers at security software maker Secure Computing released details of a newly-emerging variant of Storm Worm that adds a Web-based social engineering component to the attack's more traditional e-mail and IM delivery models.

According to San Jose-based Secure, the new version of Storm Worm sits on an infected computer and waits for a user to post a message to a Webmail system or online bulletin board site, and then adds a link to those communications that sends anyone who clicks on the URL to a malware-laden Web page.

Threats that sit on the Storm-generated sites include variants of the attack itself, along with a range of crimeware programs aimed to steal sensitive personal or financial information.

Viruses like Storm, which can also be classified as a Trojan rootkit, reflect the manner in which attackers will leverage the time-honored worm platform to pass along their latest work, said Dmitri Alperovitch, principal research scientist at Secure.

"We're not discounting the threat from targeted financial attacks, but those tend to take a lot of work to pull off, as the attacker must do recon on the organization or user and put a good deal of effort into each target," Alperovitch said. "The payback on those attacks is probably greater, but these types of worms like the new variants of Storm can pay for themselves pretty quickly; there's little doubt we'll see more designed in this manner."

In addition to using the worm approach to distribute cutting-edge malware, the Storm variations have adopted a number of other characteristics typically associated with newer attacks. The threat code itself is being changed at a rapid pace to avoid detection by antivirus systems, according to the Secure researcher, and is using an ever-changing list of URLs and IP addresses to deliver its payload and fly under the radar.

The swiftly-changing profile of Storm Worm will make it hard for traditional security products to keep up with such threats, he said.