By Tom Espiner
Posted on ZDNet News: Jan 23, 2007 2:30:00 AM

Many home PC users may have been infected after a large-scale sustained Trojan horse attack that took place over the weekend, security vendors believe.

The Trojan horse, named "Storm worm" by antivirus vendor F-Secure, first started to spread on Friday as extreme storms engulfed Europe. The e-mail claimed to include breaking news about the weather, in an attempt to get people to download an executable file.

Over the weekend there were six subsequent waves of the attack, with each e-mail attempting to lure users into downloading an executable by promising a topical news story. There were e-mails that purported to carry news of an as-yet-unconfirmed missile test by the Chinese against one of its weather satellites, and e-mails reporting that Fidel Castro had died.

Each new wave of e-mails carried different versions of the Trojan horse, according to F-Secure. Each version also contained the capability to be updated, in an attempt to stay ahead of antivirus vendors.

"When they first came out, these files were pretty much undetectable by most antivirus programs," said Mikko Hypponen, director of antivirus research at F-Secure. "The bad guys are putting a lot of effort into it--they were putting out updates hour after hour."

As most businesses tend to strip executable files out of e-mails they receive, Hypponen said he expected that companies would not be overly affected by the attacks.
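The control Hypponen refers to, stripping executable attachments at the mail gateway, is the reason businesses fared better than home users. As an added illustration (not code from the article or from any vendor named in it), the following Python script inspects a constructed MIME message and flags attachments two ways: by file extension, which catches the obvious .exe lure, and by the 'MZ' header that every Windows executable carries, which catches an executable renamed to look like a video. The extension list, the message headers, the attachment names and the payload bytes are all assumptions made up for this example.

```python
import os
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions Windows runs directly on double-click (assumed, deliberately minimal list).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def is_pe_payload(data: bytes) -> bool:
    """Windows PE executables begin with the 'MZ' DOS header, whatever they are named."""
    return data[:2] == b"MZ"


def flagged_attachments(msg: Message) -> list:
    """Return (filename, reasons) for every attachment that should be stripped.

    Both checks run independently: the extension test catches the plain .exe lure,
    the content test catches an executable disguised as a media or document file.
    """
    flagged = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:  # inline body text, not an attachment
            continue
        ext = os.path.splitext(filename.lower())[1]
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXEC_EXTENSIONS:
            reasons.append("executable extension")
        if is_pe_payload(payload):
            reasons.append("PE header")
        if reasons:
            flagged.append((filename, reasons))
    return flagged


def strip_flagged(msg: Message) -> Message:
    """Rebuild the message without the flagged parts, as a gateway would deliver it."""
    bad = {name for name, _ in flagged_attachments(msg)}
    clean = MIMEMultipart()
    for header in ("From", "To", "Subject"):
        if msg[header]:
            clean[header] = msg[header]
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename() in bad:
            continue
        clean.attach(part)
    return clean


def delivered_attachment_names(msg: Message) -> list:
    """Filenames of the attachments that survive stripping."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample_message() -> Message:
    """Constructed lure message: addresses, subject, names and bytes are made up."""
    msg = MIMEMultipart()
    msg["From"] = "news@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Breaking weather news"
    msg.attach(MIMEText("Read the full story in the attachment."))
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed bytes carrying a PE-style header
    for name in ("news_story.exe", "storm_video.avi"):
        part = MIMEApplication(fake_pe, _subtype="octet-stream")
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    notes = MIMEText("plain text, nothing to run")
    notes.add_header("Content-Disposition", "attachment", filename="notes.txt")
    msg.attach(notes)
    return msg


if __name__ == "__main__":
    sample = build_sample_message()
    for name, why in flagged_attachments(sample):
        print(f"strip {name}: {', '.join(why)}")
    print("delivered:", delivered_attachment_names(strip_flagged(sample)))
```

The renamed `storm_video.avi` is the case worth noticing: an extension-only filter passes it, the header check does not, which is why a gateway should look at content as well as names.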

However, F-Secure said that hundreds of thousands of home computers could have been affected across the globe.

Once a user downloads the executable file, the code opens a backdoor in the machine, which allows it to be remotely controlled, while installing a rootkit that hides the malicious program. The compromised machine becomes a zombie in a network called a botnet. Most botnets are currently controlled through a central server, which--if found--can be taken down to destroy the botnet. However, this particular Trojan horse seeds a botnet that acts in a similar way to a peer-to-peer network, with no centralized control.

Each compromised machine connects to a subset of the entire botnet--around 30 to 35 other compromised machines, which act as hosts. While each of the infected hosts shares lists of other infected hosts, no one machine has a full list of the entire botnet--each has only a subset, making it difficult to gauge the true extent of the zombie network.
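The two paragraphs above make a structural claim: a botnet built on peer lists survives the loss of any one host, whereas a botnet behind a central server dies with that server, and no single infected host can tell you how big the network is. The Python model below is an added example, not code from the article or from any vendor it quotes; it constructs a toy peer-list botnet with the article's 30-peers-per-host figure alongside a centralized one, crawls each from a single known host the way a researcher sizing a botnet would, and repeats the crawl after one host is taken down. Host counts, the seed and the crawl starting point are assumptions.

```python
import random
from collections import deque


def build_p2p_botnet(n: int, peers_per_host: int, seed: int = 0) -> dict:
    """Each infected host knows only a random subset of the others (constructed model)."""
    rng = random.Random(seed)
    hosts = list(range(n))
    peer_lists = {}
    for h in hosts:
        others = [x for x in hosts if x != h]
        peer_lists[h] = set(rng.sample(others, peers_per_host))
    return peer_lists


def build_centralized_botnet(n: int) -> dict:
    """Host 0 is the command server that knows every bot; each bot knows only host 0."""
    peer_lists = {0: set(range(1, n))}
    for h in range(1, n):
        peer_lists[h] = {0}
    return peer_lists


def crawl(peer_lists: dict, start: int) -> set:
    """Breadth-first crawl: ask one known host for its peer list, then ask every
    newly learned peer in turn. Returns every host the crawler discovers."""
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for peer in peer_lists.get(host, ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def remove_host(peer_lists: dict, victim: int) -> dict:
    """Take one host offline and drop it from every remaining peer list."""
    return {h: {p for p in ps if p != victim}
            for h, ps in peer_lists.items() if h != victim}


def compare_takedown(n: int = 200, peers_per_host: int = 30, seed: int = 0) -> dict:
    """How much of each botnet a crawler can reach, before and after one host is removed."""
    p2p = build_p2p_botnet(n, peers_per_host, seed)
    star = build_centralized_botnet(n)
    probe = n - 1  # an arbitrary infected host we happen to know about
    return {
        "single_host_view": len(p2p[probe]),  # the subset any one host knows
        "p2p_reachable": len(crawl(p2p, probe)),
        "p2p_after_removing_one": len(crawl(remove_host(p2p, 0), probe)),
        "star_reachable": len(crawl(star, probe)),
        "star_after_removing_server": len(crawl(remove_host(star, 0), probe)),
    }


if __name__ == "__main__":
    for key, value in compare_takedown().items():
        print(f"{key}: {value}")
```

Two numbers carry the lesson: `single_host_view` stays at 30 however large the network is, so seizing one bot tells you almost nothing about its size, and `p2p_after_removing_one` drops by exactly one while `star_after_removing_server` collapses to the probe host alone. Sizing the peer-to-peer variant requires the full crawl, which is the "difficult to gauge" problem the article describes.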

This is not the first botnet to use these techniques. However, Hypponen called this type of botnet "a worrying development."

Antivirus vendor Sophos called Storm worm the "first big attack of 2007," with code being spammed out from hundreds of countries. Graham Cluley, senior technology consultant for Sophos, said the company expected more attacks over the coming days, and that the botnet would most likely be hired out for spamming, adware propagation, or be sold to extortionists to launch distributed denial-of-service attacks.

The recent trend has been toward highly targeted attacks on individual institutions. Mail services vendor MessageLabs said that this current malicious campaign was "very aggressive," and said that the gang responsible was probably a new entrant to the scene, hoping to make its mark.

None of the anti-malware companies interviewed said they knew who was responsible for the attacks, or where they had been launched from.

Tom Espiner of ZDNet UK reported from London.


Talkback
Once Again...
..this is an example of depending on people to open nasty attachments. Warnings should be on all new PCs about unsafe computing. It is pure ignorance; we have all heard about mal-ware. If you get a fly-by attack not your fault, if you open a strange attachment STUCK ON STUPID....
Posted by: ezbesthost1@... Posted on: 01/28/07