The so-called storm worm is not letting up, as the gang of cyberthieves behind the mass-spammed trojan attack created new variants over the weekend to elude anti-virus software.
"It’s been the busiest weekend we’ve had in several months or perhaps a year," Mikko Hypponen, chief research officer of Finnish anti-virus vendor F-Secure, told SCMagazine.com today. "We rarely see such large trojan spam runs anymore."
Security firm Commtouch reported today that it has tracked more than 5,000 variants of the malware, and that at its peak, the trojan was responsible for about 17 percent of email worldwide. Still, researchers said the levels of activity are nowhere near those of former worm attacks, like Mydoom and Bagel.
The large number of variants is limiting the effectiveness of anti-malware solutions, according to Commtouch.
"By distributing so many variants simultaneously, the malware distributors overwhelm signature-based anti-virus engines, effectively guaranteeing that they will not block them," said Haggai Carmon, Commtouch’s vice president of products.
The malware arrives as part of an email claming to contain a video attachment of a current news story. The attack began with subject and file names related to last Thursday’s European wind storms.
But over the weekend, headlines such as "Saddam Hussein alive!" and "Chinese missile shot down USA aircraft" publicized other bogus stories to attract a new round of victims. Hypponen said the virus-writers also included romantically themed subjects, such as "So in Love" and "A Special Kiss."
The attacks are mostly targeting home users, Hypponen said.
"Corporate networks filter .exe attachments at the gateway anyway, so why bother?" he said.
In addition, some new variants are using rootkit-like technology to prevent detection, Hypponen said.
"If it has a chance to execute, it’s going to be fairly hard to find it," he said.
The malware writers are using the attacks to build massive armies of botnets that will help launch even more spam, phishing and