Storm Worm spams its bots with stock pop-up

By Dan Kaplan
Nov 15, 2007 10:09 AM
Machines infected with the Storm Worm, normally used to power the Storm botnet to deliver spam and malware-laced messages, became a self-spamming tool, experts said. The pop-up ad, which executes upon receiving a remote command, encourages users to buy stock in a thinly traded company called Hemisphere Gold Inc.

The company, whose ticker symbol is HPGI, is traded on the Pink Sheets, an over-the-counter electronic trading system.

"Normally, when Storm is sending out these stock pitches, it's overlooking the opportunity to force all of those infected users to see the message," Joe Stewart, senior security researcher at SecureWorks, told SCMagazineUS.com today.

It appears the pump-and-dump spam campaign worked. The stock jumped from under US$1-a-share Tuesday to more than US$1.20-a-share today, a 20 percent spike, with more than 145,000 shares changing hands.

This new technique follows other attempts, such as MP3 spam, to dupe unsuspecting users into purchasing penny stocks, which are highly volatile and whose value can increase rapidly with a relatively small trading volume.

"The Storm authors seem to like trying new things every few weeks," Stewart said. "It's kind of a try-and-see-what-works kind of thing -- try and reach as many people who might be willing to invest in these stocks."

But this new approach could backfire, as users may realise their machines are infected and rid them of the malware, Josh Corman, principal security strategist at IBM ISS, told SCMagazineUS.com today.

"You could argue it's a misstep," he said.

Corman said the Storm Worm is an "instantiation of a class of botnets" that is being used in attacks such as pump-and-dump campaigns to derive profits for its authors. It communicates through decentralised peer-to-peer networks, which makes it difficult to stop.

If the Storm Worm authors find a way to monetise other uses for the botnet, users may see an influx of DDoS attacks that could paralyse some organisations. Some businesses are preparing for such an incident by reassessing their disaster recovery capabilities, Corman said.

He also worries about a political motive: for example, Storm could impact the websites of presidential candidates, or be used to deliver spam that may sway voters' decisions, Corman said.

"These could dramatically impact who gets the presidential nomination for their party," he said.

So far, the attackers seem content with sending out emails that either attempt to infect more machines or trick users into buying stocks, Stewart said. Based on analysis he conducted today, he said the next campaign may use Geocities webpages to host a malicious executable.

Users should also be ready for a spam run on Thanksgiving, experts said. The Storm Worm virus likes to capitalise on major holidays or news events to create messages that appear legitimate.

Secure Computing Magazine
