Jan 3, 2011 14:55 GMT

While analyzing a recent spam campaign, security researchers found what seems to be a new version of the Storm or Waledac botnets.

Storm was one of the first and most successful botnets of all time. At its peak, in 2007, it was composed of millions of infected computers and could take entire countries off the Internet.

Microsoft scored a major hit against Storm after adding detection for it to its monthly Malicious Software Removal Tool (MSRT).

The botnet slowly faded away and was replaced by Waledac, a trojan that displays much of the same functionality and characteristics. This is why Waledac is considered by some to be Storm version 2.

According to the Shadowserver Foundation, a volunteer organization that tracks and fights botnets, a recent junk email campaign distributed links that led to a new Waledac or Storm variant.

The emails come with a subject announcing a holiday e-card, while the message body directs users to a link to view the alleged greeting.

These links lead to HTML pages hosted on compromised websites, which in turn execute a meta redirect towards one of multiple domain names controlled by the attackers.

The domains are using fast flux hosting, meaning that they resolve to many constantly changing IP addresses, which makes them hard to shut down.
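A defender-side triage helper for the redirect chain described above, added for this article and not part of it or of Shadowserver's analysis: it pulls meta-refresh destinations out of an HTML page and applies a simple fast-flux heuristic to DNS A records. The sample HTML, the domain names, the DNS data and the thresholds are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class MetaRefreshFinder(HTMLParser):
    """Collect (delay_seconds, target_url) pairs from <meta http-equiv="refresh"> tags."""
    def __init__(self):
        super().__init__()
        self.redirects = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        delay, _, target = a.get("content", "").partition(";")
        target = target.strip()
        if target.lower().startswith("url="):
            target = target[4:].strip().strip("'\"")
        try:
            self.redirects.append((float(delay.strip() or "0"), target))
        except ValueError:
            pass  # malformed delay value: not a usable redirect

def extract_meta_redirects(html):
    finder = MetaRefreshFinder()
    finder.feed(html)
    return finder.redirects

def looks_fast_flux(a_records, min_ips=5, max_ttl=300, min_prefixes=3):
    """Heuristic (assumed thresholds): many distinct IPs, short TTLs, spread over several /16s."""
    ips = {ip for ip, _ in a_records}
    prefixes = {".".join(ip.split(".")[:2]) for ip in ips}
    return (len(ips) >= min_ips and len(prefixes) >= min_prefixes
            and all(ttl <= max_ttl for _, ttl in a_records))

def triage(html, dns):
    """For each meta redirect, report the destination host and whether its DNS looks fast-flux.
    dns maps hostname -> list of (ip, ttl) A records; here it is constructed, not live data."""
    findings = []
    for delay, url in extract_meta_redirects(html):
        host = urlparse(url).hostname or ""
        findings.append({"delay": delay, "host": host,
                         "fast_flux": looks_fast_flux(dns.get(host, []))})
    return findings

# Constructed sample: HTML as a compromised site might serve it, plus made-up DNS answers.
SAMPLE_HTML = '<html><head><meta http-equiv="refresh" content="0; url=http://ecard-greeting.example/view.php"></head><body>Loading...</body></html>'
SAMPLE_DNS = {"ecard-greeting.example": [("198.51.100.7", 180), ("203.0.113.22", 180),
              ("192.0.2.15", 120), ("198.51.100.99", 180), ("203.0.113.200", 60)]}
```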

The landing pages on these domains display a message reading "Can't view the greeting? Download Flash Player!"

If the visitor doesn't click on the link to download the alleged Flash Player installer within five seconds, they are redirected to a secondary page which serves several exploits for outdated software installed on their computer.

If they do click on the link, a file called install_flash_player.exe is downloaded. If executed, this file opens an Internet Explorer connection to the same exploit page. In both scenarios, successful exploitation downloads the new Storm variant.

"We have not done any analysis to see if there are actually any pieces of the code that were directly taken or updated from the Storm Worm or Waledac code. However, whether or not the code is the same [...], this appears to be the next generation of Storm Worm and Waledac," Steven Adair of the Shadowserver Foundation writes.