The “Zhelatin gang”—named after the trojan it installed—was responsible for what started out as the “storm worm.” First spotted earlier this year, the “storm worm” began spreading via e-mails purporting to provide information on some dangerous storms in Europe at the close of January.
But Zhelatin is no longer your typical worm beastie … The worm has now been modified to use an infected user’s own blog to spread itself.
It’s not just blogspam we’re talking about here; the little sucker actually writes a blog post to the victim’s blog all by its own bad little self, in order to lure your unsuspecting readers to an infection site. More from ARS Technica:
…the worm has now switched its focus to blogs. Unlike the typical “comment spam” that many of us have grown used to on our personal blogs, the worm is actually getting into people’s Blogspot accounts and creating new blog posts with links to the trojan.
This worm has been reported to find its way through multiple hardware e-mail filters and breeze past almost every AV engine at one time or another in its various iterations, only to be finally stopped by the workstation firewall (which you should already have set up on workstations and which, in theory, should be the last resort). Decent firewall software packages are usually able to stop the actual infected file from performing its processing.
The funny part about workstation firewalls catching the worm’s rogue processing is when users inevitably click “Yes” to allow the process and also check the “Do Not Ask Again” check box.
ARS Technica estimates that there could be as many as 10 million Zhelatin gang bots out there:
Just how many computers are part of the botnet is anyone’s guess, but estimates from some security firms are reaching as high as 10 million. Just last June the FBI warned that it had discovered more than a million PCs in a botnet. This looks to be just the tip of the iceberg.
IMHO, this is one of the most serious threats to the IT community in a number of years. 10 million bots can do a lot of damage in a lot of ways … in a hurry.
Check out this video showing 24 hours monitoring the initial infection:
* Graphic above from Computer Knowledge’s description of how a botnet works.
Video courtesy of F-Secure Security Labs YouTube account.