Blogspot Blogs Help Spread Storm Worm Attacks

In an attack that showcases what cyber criminals have in store for Web 2.0 next year, the individual or group behind the Storm worm is distributing new versions of the malware with the help of hijacked and newly-created Google Blogspot blogs.

The Storm worm, one of 2007's most prolific e-mail-borne Trojan horse programs, has always come wrapped in holiday-themed messages or disguised as videos from some recent high-profile news event. The latest Storm versions -- predictably spammed out as Christmas and New Year's greeting cards - don't break with that tradition. It urging recipients to click on a link that then tries to install the Trojan through hook (unpatched Web browser vulnerabilities) or by crook (tricking the user into believing he or she needs to install some "video codec" to view the holiday message).

The twist with the new attacks is that someone has apparently planted the malicious Storm download links on hundreds of Google Blogspot pages (hat tip here to Steven Adair of the Shadowserver.org crew). A Google search for Blogspot blogs that contain links to the malicious Web sites -- "uhavepostcard.com" and "happycards2008.com" (do NOT visit these sites)-- shows plenty of Blogspot blogs that appear to be hosting links to the Storm download sites.

The image on the right shows a link to one of the Storm download sites embedded in a Blogspot blog called "Women's Writes Movement."

At least two of the Blogspot blogs turned up in that search belong to security experts who have been chronicling these latest Storm tactics (incidentally, both trace the source of the malware back to the infamous Russian Business Network).

Why bother with linking to the Storm download sites on Google blogs?

According to the curator of RBNExploit, the Storm worm author(s) can use the tainted Blogspot blogs as yet another way to redirect traffic to Storm download sites. The fake Blogspot links also may prove useful in helping the bad guys evade anti-spam defenses. Whatever the reason, if the Storm worm author(s) deem the use of Blogspot blogs to have helped their campaign, we will likely see more of this tactic in 2008.

Security Fix recently was made aware of another, unrelated way that criminals are using Blogspot blogs to redirect traffic toward malicious sites. Clicking on links anywhere on this Blogspot site -- which appears to be a strange mock-up of a Bank of America phishing e-mail - takes you to a nicely-done Bank of America phishing site that is still active as of this writing.

This particular phishing site uses what's known as a man-in-the-middle attack, so when you pass your logon credentials to the phishing site, it will actually log you in at the real Bank of America Web site while stealing your credentials.



Truth always rests with the minority, and the minority is always stronger than the majority, because the minority is generally formed by those who really have an opinion, while the strength of a majority is illusory, formed by the gangs who have no opinion—and who, therefore, in the next instant (when it is evident that the minority is the stronger) assume its opinion ... while Truth again reverts to a new minority.

Soren Kierkegaard (1813-1855), The Diary of Soren Kierkegaard, pt. 5, sct. 3, no. 128 (1850), ed. Peter Rohde (1960)

enhanced interrogation


On the lookout for hypocrisy