Storm Worm Victims Get Stock Spam Pop-Up
If you're a Windows user and today received a surprise pop-up advertisement urging you to invest in an obscure penny stock, it is highly likely that your computer is infected with the virulent Storm worm, a nasty intruder that currently resides on an estimated 200,000 PCs worldwide.
Criminal groups that control the pool of Storm-infected computers have traditionally used those systems to pump out junk e-mail ads touting thinly traded penny stocks as part of an elaborate and ongoing series of "pump-and-dump" schemes. But today, according to security researchers, the Storm worm authors went a step further by causing a pop-up ad for a particular penny stock to be shown on all infected machines.
Atlanta-based SecureWorks tracked the latest Storm activity, which began earlier this morning. The pop-up, shown in the image to the right, touts a microcap stock for Hemisphere Gold Inc. [HPGI.PK] as a "strong buy." Joe Stewart, a senior security researcher at SecureWorks who has closely tracked Storm since its inception in January, said this is the same stock that Storm-infected machines advertised in a traditional spam run that began Monday evening.
For those readers who received this pop-up, the news only gets worse: Detecting and removing a Storm infestation can be exceedingly difficult, as it is programmed to regularly mutate its digital make-up. Part of Storm's sneakiness stems from the fact that it ships with what's known as a "rootkit," a set of computer instructions designed to hide the malicious files and system processes that carry out most of the worm's activities. It does this essentially by inserting those components into legitimate Windows processes and drivers -- such as "tcpip.sys," the driver that handles core Internet networking functions on Windows systems.
"By injecting itself into regular Windows processes and hijacking Windows drivers, Storm doesn't give you much to grab onto there," Stewart said. "Most people are going to have to depend on their anti-virus vendor to eventually get updated to detect whichever Storm variant is on their machine, or pay an expert to find it on their machine and remove it."
Predictably, anyone who was foolish enough to snap up shares of the Storm-touted stock -- HPGI.PK -- lost money in trading. The company's share price fell 15 cents today, from $1.15 per share to $1.00. A noticeable and uncharacteristic uptick in trading volume on this stock is evident over the past week, possibly indicating that groups allied with the Storm worm authors were taking a position in advance of this spam campaign.
I put a call into Hemisphere Gold and am awaiting a response. I'll update this post if the company issues a comment or responds to my query.