is back, reports security firm Arbor Networks, and dressed to kill in its April Fools’ outfit.
Arbor Networks blogger Jose Nazario notes that Storm's latest variant began appearing sometime during March 31, greeting users with a simple “Doh!
April’s Fool. (sic)” message that hyperlinks to an IP address.
Users clicking the link are taken to a web page with a cute
picture and an automatic download, prompting them to run the download as soon
as it completes. If the user follows these directions, he or she will find his or her computer added to the decentralized Storm botnet, which security
analysts think contains anywhere from 20,000 to 10 million computers.
April Fools’ Day is only the latest such occasion to be
exploited by Storm, which in the past has sent out e-mail
messages with headlines like, “Saddam Hussein alive!” and “Fidel Castro dead.”
The original Storm variant earned
it namesake in January 2007, when it infected thousands of computers in the
United States and Europe with the headline “230 dead as storm batters Europe.” Six
more waves appeared within three days of the worm’s initial attack, and by
January 22 the Storm Worm was responsible
for 8% of virus infections around the world.
The worm’s author is still unknown, and its decentralized
structure leaves investigators little to target, let alone quantify: an October
2007 estimate that the Storm botnet is down to 20,000 computers was disputed by
security researcher Bruce Schneier, who noted that the botnet’s owner is
partitioning the network into discrete units, likely for their independent
Nazario warns users to look out for the following signs of