The group behind last week's massive Storm Trojan spam blast set up Windows users with a one-two punch by switching tactics in midrun, making the second stage's subject headings more believable, researchers said Monday.
"There was a very distinct transition point" between the two stages, said Adam Swidler, senior manager of solutions marketing at Postini Inc. "It was a concerted effort to trick users."
The huge wave of worm-infected spam e-mails sent out starting early Thursday had receded by about 2 a.m. Pacific Time Friday. "It petered out around then, and spam went back to its average daily and hourly rates," said Swidler. "We're still crunching the numbers, but it looks like three times that of the largest in the last 12 months, around 60 million [messages] total."
Although most of the attention was paid to the attack's second phase -- when spammed messages arrived with subject headings such as "Worm Alert!" and "Virus Activity Detected!" -- the assault began with less alarming mail marked "Our Love Nest," "A Token of My Love" and other romantic phrases.
The switch, speculated Swidler, was by design. "The first part was more love-related and created the illusion of a worm attack going on," he said. "They were able to control the mutation and do the switch so that there was a clear point where there were almost none of the 'love' messages. That played to the second phase."
In fact, love-labelled spam carrying variants of the Storm Trojan -- which first appeared in January and got its nickname from subject heads touting news of damaging winter storms in Europe -- was spotted by some security vendors last Wednesday. Trend Micro Inc.'s malware blog noted a round of love-related spam hitting Japanese in-boxes a day before the attack's second stage started.
Last week, Swidler called the two-part attack a "self-fulfilling prophecy" because of the attacker's skill at setting up recipients for the second stage, which played off fears of an actual infection to dupe users into running the attached executable file.
When the malware executes, it installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds the infected machine to a botnet of compromised computers. Storm Trojan can also self-propagate by rooting out e-mail addresses from the PC and sending copies of itself to those people.
However, the newly-infected PCs are staying quiet -- for the moment, said Swidler. "They haven't immediately launched an attack off these new bots," he said. "It looks like they're building out their inventory [of bots]." That, though, bodes ill for the future. "It's reasonable to assume that with these new bots, spam [volume] will only continue to climb," said Swidler.