

20 August 2007

Would You Like Some Porn With Your Storm?

Just like 2005 was the year of the Sober worm, 2007 will be known as the Year of the Storm.

Since late January we have seen Storm worm variants use social engineering lures such as news stories, current events, and e-cards to get unsuspecting victims to open attachments or click links, become infected, and join the Storm worm bot army.

The latest social engineering lure, which we started seeing on Saturday, is porn. Like the e-card lure, it uses a pull-based method of infection: the malware is not "pushed" to the user as an attachment; instead the email contains a link, and clicking it causes the user to "pull" the malware down.

The messages we have been seeing with this new variant include the following in either the subject line or the message body (this is only a partial list): "I need someone to please me. Check out my pictures", "Want me to show you what my room mate and I do when we get lonely at night", and "Taking these pictures made me so hot. I bet they will make you hot too" (I'll bet this post gets caught by a few spam filters :) ). This new variant currently accounts for about 1 in 6 virus-infected messages seen by the MX Logic Threat Operations Center in the last 24 hours.

So, why the move to "pull"-based malware instead of "push"-based? For one, it is more difficult for end users to submit samples of the malware. If the attachment is pushed to the end user, they have everything they need at their fingertips to submit it to the anti-virus vendors. Secondly, with the pull-based model users may not even know that they are going to a malicious web site: when they visit it, the site may display some kind of error message saying that it is not available (or something equally innocuous, so as not to arouse suspicion) while in the background the user's PC has just been infected. This model also lets the malware authors use a tactic known as "server-side polymorphism", where the way the malware is packed changes continually on a per-download basis, rendering traditional signature-based anti-virus engines ineffective. The copy of the malware that I download can have an entirely different signature from the copy someone else downloads, even if we clicked through to the site at the exact same time.
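The per-download repacking described above, as an added example that is not from the original post or from MX Logic: a toy XOR packer (an assumption standing in for whatever packer Storm's download servers used, which the post does not describe) re-keys a constructed, benign byte string on every simulated download. A whole-file hash signature built from one submitted sample then matches only that sample, while a signature on the unchanging unpacker stub, or a hash taken after unpacking, still catches every copy.

```python
"""Toy model of server-side polymorphism (added example, not MX Logic code).

Each simulated download re-packs the same payload under a fresh random XOR
key, so the file hash changes per request, while the payload inside and the
unpacking stub stay constant. Two defensive checks are compared against a
plain whole-file hash signature: signing the invariant stub, and hashing
after unpacking.
"""
import hashlib
import os

# Constructed, benign stand-in for the bot binary; no real malware here.
PAYLOAD = b"benign stand-in for the dropped bot executable"

# Fixed header that plays the role of the unpacker stub: it never changes,
# unlike the key and the packed body that follow it. (Assumed format.)
STUB_MAGIC = b"SSP1"
KEY_LEN = 16


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: packs and unpacks)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def serve_download(payload: bytes = PAYLOAD) -> bytes:
    """Simulate one HTTP download: same payload, fresh random key each time."""
    key = os.urandom(KEY_LEN)
    return STUB_MAGIC + key + xor_with_key(payload, key)


def unpack(blob: bytes) -> bytes:
    """Reverse serve_download(): read the key from the header, XOR the body."""
    if not blob.startswith(STUB_MAGIC):
        raise ValueError("not a packed blob")
    key = blob[len(STUB_MAGIC):len(STUB_MAGIC) + KEY_LEN]
    return xor_with_key(blob[len(STUB_MAGIC) + KEY_LEN:], key)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Three detection strategies -------------------------------------------------

def hash_signature_hit(blob: bytes, known_file_hashes: set) -> bool:
    """Classic whole-file hash signature: matches only the exact bytes seen before."""
    return sha256_hex(blob) in known_file_hashes


def stub_signature_hit(blob: bytes) -> bool:
    """Signature on the invariant unpacker stub, which polymorphism cannot vary."""
    return blob.startswith(STUB_MAGIC)


def unpacked_hash_hit(blob: bytes, known_payload_hashes: set) -> bool:
    """Unpack first (what an emulating/unpacking engine does), then hash."""
    try:
        return sha256_hex(unpack(blob)) in known_payload_hashes
    except ValueError:
        return False


def simulate(n_downloads: int = 5) -> dict:
    """Hand out n_downloads copies 'at the same time' and score each strategy.

    Both signature databases are built from the very first download only,
    mirroring a vendor that received a single submitted sample.
    """
    downloads = [serve_download() for _ in range(n_downloads)]
    file_hash_db = {sha256_hex(downloads[0])}
    payload_hash_db = {sha256_hex(unpack(downloads[0]))}
    return {
        "distinct_file_hashes": len({sha256_hex(d) for d in downloads}),
        "hash_signature_hits": sum(hash_signature_hit(d, file_hash_db) for d in downloads),
        "stub_signature_hits": sum(stub_signature_hit(d) for d in downloads),
        "unpacked_hash_hits": sum(unpacked_hash_hit(d, payload_hash_db) for d in downloads),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

With five downloads the whole-file hash signature scores one hit (the sample it was built from) against five distinct hashes, while the stub signature and the unpack-then-hash check score five each. The two winning checks are the two directions signature engines took against packers in practice: sign the part the attacker cannot change, or run the sample far enough to get the constant payload back before matching.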

We've been seeing more examples of pull-based malware over the last couple of months, mostly related to the Storm worm, though the BBB scam from a couple of months ago used this method as well. Pull-based infection gives malware authors much greater flexibility in staying one step ahead of the anti-virus engines, and we will continue to see it not only from Storm but from other worm authors who learn from Storm's successes as they look for new ways to get onto our PCs.

Posted by smasiello at 2:40 PM


© MX Logic, Inc.
All Rights Reserved.