Spam-spitting Storm virus, a year old, is as tricky as ever

SAN FRANCISCO -- One of the nastiest — and most persistent — sources of spam just turned a year old.

Since it touched down in e-mail inboxes, the Storm virus has infected at least 1 million PCs worldwide and is responsible for billions of spam messages. Since July, e-mail management company Postini alone has blocked nearly 1.5 billion copies of Storm. (Before Storm hit, Postini blocked about 1 million tainted e-mail messages a day.)

And anti-spam experts expect even more rumblings during the holidays. They predict Storm — which is spread largely through virus-infected PCs — will set record volumes by the end of the year, including up to 500 million messages during the holiday season.

"There does not seem to be any let-up in sight," says Adam Swidler, a senior manager at Postini, a subsidiary of Google goog. "Storm is perfectly capable of virtually unlimited mutations."

The chameleon-like Storm surfaced in November 2006 as Nuwar, an e-mail attachment purporting to be a news story about an imminent nuclear war between the United States and Russia. What it contained was a computer virus that turned the victim's PC into a machine controlled by others, spitting out penny-stock-fraud spam.

By December 2006, the attachment morphed into a New Year's greeting, with the same malicious payload.

In January, it had a new name, Storm, and a new disguise: an e-card with a link to a tainted website containing a story about a deadly weather catastrophe.

None of its techniques, taken alone, have been particularly innovative. But its various mutations and morphing techniques always seem to be one step ahead of anti-virus vendors, who can't update spam filters fast enough to block new infections.

Storm's e-mail subject headers have ranged from faux stories about Russian and Chinese missile attacks to electronic love letters, the NFL, and videos from Beyoncé and Foo Fighters. All were fakes, digital teases to trick victims into clicking on tainted Web links.

In addition to employing ever-changing e-mail subject headers, Storm's purveyors in September began planting invisible infections on hobby websites and community forums, including a forum for Apple Macintosh users. Merely browsing to one of these seemingly innocuous websites infected the visitor's PC.

"It's a vivid illustration of how run-of-the-mill crooks are taking yesterday's scams and leveraging them forward using e-mail and sophisticated malicious hacking tools," says Patrick Peterson, vice president of technology at security firm IronPort Systems, a division of Cisco Systems csco.