Spammers have been taking over unsuspecting computer users' machines for years in order to send out unwanted e-mail, but recently they have become even more aggressive. The SANS Institute (SysAdmin, Audit, Network, Security) recently reported that a large distributed denial-of-service (DDoS) attack has targeted several organizations that fight spam: Spamhaus, SURBL (Spam URI Realtime Blocklists), URIBL (Realtime URI Blacklist), and Rules Emporium (the host site for the open-source SpamAssassin program). As of this writing, Rules Emporium and URIBL are still under attack and are unreachable.
The attacks are similar to last year's DDoS assault on Blue Security (makers of the community-based antispam tool Blue Frog) and are believed to be using the same malware to do their nasty work. The malware in question is Storm, a Trojan distributed as an e-mail attachment. When a user opens the attachment and runs the Trojan, it attempts to link up with other infected hosts via peer-to-peer networking. Once a connection is made, it downloads a series of five second-stage executables that set up an SMTP relay, an e-mail address stealer, an e-mail virus spreader, a DDoS attack tool, and finally an updated copy of the Storm Worm dropper. The master component is run from a kernel rootkit driver that embeds itself into Windows' services.exe process.