New Stock Popup Spam
Joe Stewart, a security researcher for Secureworks, has been actively tracking the Storm Worm and its activities for quite some time now and has posted this image with a sample of the spam that users are receiving.
The scam promotes the stock symbol HPGI, which belongs to a company named Hemisphere Gold. This stock was actually the target of a pump-and-dump email spam run which started a couple of days ago.
You can track the spam volumes sent out for this particular stock here.
You can track the ups and downs of the stock price here.
So, now you're thinking "Well, now I'll know if my PC is infected with Storm. I can just run my virus scanner and it'll be removed! What a dumb move on the part of the Storm authors!" Unfortunately, this won't work. One of the elements of Storm is that it contains a rootkit component which embeds itself into Windows drivers that handle primary operating system functions. You can't just delete these files because then you will be removing system files that Windows needs to run.
There are applications that will look for and detect rootkits on your system, but it is unknown at this time whether those products have been updated to detect new Storm variants. Even if they detect this variant, Storm is very nimble and updates itself regularly. Just because a product can identify and remediate one variant doesn't mean it has caught them all.
Just as 2005 was the year of the Sober worm, 2007 will be known as the year of the Storm Worm (and likely well into 2008, until something even more dastardly than Storm comes along, which is a very scary concept!). This example is just more support for the theory that email is most certainly not the only threat vector anymore and that it is only a matter of time before the web passes email as the primary malware delivery vehicle.
