Friday, August 31, 2007

Blogger and the "Storm Worm" virus

Michael has posted a link to a BBC article that describes how Google's Blogger site is being used by malicious hackers who are posting fake entries to some blogs.

Below is the advise given by Blogger. In short - beware of using the "Next Blog" feature in the search bar on the top of the page.

From Blogger
"The Storm Worm is a popular name used for a family of malware, properly classified as a Trojan, which has been plaguing the Internet for several months. It started with the widely circulated spam, about the Storms in Europe, which hit everybody's Inboxes earlier this year.

The spam email started out distributing the worm in attachments to the email, and later changed to delivering it from web sites linked in the spam. Symantec: New Storm Front Moving In tells us that the typical email would contain a link to a "secure" web site, and the linked web site would contain the instruction

Now, it is being distributed through Blogger, from blogs marketed to those surfing the Blogosphere through the "Next Blog" link.

It can be seen in a Blog*Spot splog farm, with blogs using intriguing titles like "Dying To Live", "Katrina Thanks", and "Rocking Consumption", and posts with titles like "this video rocks" and "not yet seen on MTV". The blog posts then link to a web site which will instruct you to download and execute "video.exe".

Alex Eckelberry of Sunbelt Software says, "This worm is vicious and nasty, and the spams are quite ubiquitous" and offers a blog post illustrating a typical Blog*Spot infection. Symantec Software describes the email problem as one of the largest identified surges in the last several months.

(Note): If you go "Next Blog" surfing, watch out for posts like what's illustrated in SunbeltBlog: Storm worm hits Blogger. Any blog, that you encounter through "Next Blog", suggesting a new video that requires you to download and execute any installation program, should be immediately suspect. Ditto any similar email.

We are currently trying to determine the exact nature of the blog posts offering the worm, and whether they are New blogs, created specifically for the purpose of distributing the worm, by the bad guys, Existing blogs, hijacked by the bad guys, stolen from the legit owner,
Existing blogs, with posts added by the worm, from a hacked computer used by the legit blog owner. The reality here affects how safe you are, from blogs published by your friends, and from blogs published by strangers. And it affects how safe your blogs are, should you surf "Next Blog".

Also worth asking is the question
Is the worm spreading through Blogger, or Blog*Spot? Remember, Blogger is not the same as Blog*Spot.

As Avert Labs advises
McAfee Avert Labs expects the spammers to continue using these types of tactics and it will be imperative that users are educated on how to avoid becoming a victim. "
__________________________________________________________________

Hope this helps!