The group behind last week's massive Storm Trojan spam blast set up Windows users with a one-two punch by switching tactics in midrun, making the second stage's subject headings more believable, according to researchers.
"There was a very distinct transition point" between the two stages, said Adam Swidler, senior manager of solutions marketing at Postini. "It was a concerted effort to trick users."
The huge wave of worm-infected spam emails sent out starting early on Thursday had receded by about 9am GMT on Friday. "It petered out around then, and spam went back to its average daily and hourly rates," said Swidler. "We're still crunching the numbers, but it looks like three times that of the largest in the last 12 months, around 60 million [messages] total."
Although most of the attention was paid to the attack's second phase - when spammed messages arrived with subject headings such as ‘Worm Alert!’ and ‘Virus Activity Detected!’ - the assault began with less alarming mail marked ‘Our Love Nest’, ‘A Token of My Love’ and other romantic phrases.
The switch, speculated Swidler, was by design. "The first part was more love-related and created the illusion of a worm attack going on," he said. "They were able to control the mutation and do the switch so that there was a clear point where there were almost none of the 'love' messages. That played to the second phase."
In fact, love-labelled spam carrying variants of the Storm Trojan - which first appeared in January and got its nickname from subject heads touting news of damaging winter storms in Europe - was spotted by some security vendors last Wednesday. Trend Micro's malware blog noted a round of love-related spam hitting Japanese inboxes a day before the attack's second stage started.
Last week, Swidler called the two-part attack a "self-fulfilling prophecy" because of the attacker's skill at setting up recipients for the second stage, which played off fears of an actual infection to dupe users into running the attached executable file.
When the malware executes, it installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds the infected machine to a botnet of compromised computers. Storm Trojan can also self-propagate by rooting out email addresses from the PC and sending copies of itself to those people.
However, the newly-infected PCs are staying quiet - for the moment, said Swidler. "They haven't immediately launched an attack off these new bots," he said. "It looks like they're building out their inventory [of bots]." That, though, bodes ill for the future. "It's reasonable to assume that with these new bots, spam [volume] will only continue to climb," said Swidler.