The Nuwar gang are up to no good again. Over the last couple of weeks we’ve seen a dizzying flurry of malicious ecards, sexy emails, membership themes and YouTube bait from the authors of the Storm worm. The latest spam run calls for beta testers to try out a product in exchange for lifetime free updates. A sample mail is as follows:

What the unsuspecting user gets in return upon downloading and executing “setup.exe” is more than they had hoped for: a copy of the W32/Nuwar worm.
The newest spam run uses plain text instead of HTML-formatted emails, and the IP addresses listed appear to be re-used across different spam runs. If one browses to the root of the listed URL, http://75.70.[Removed].232, one ends up at a page showing a YouTube image (Nuwar’s spam theme over the weekend) requesting the user to manually download and execute “video.exe”. More alarmingly, a Google search for any of the subject lines used in the Nuwar YouTube spam run is turning up legitimate blog sites that appear to be infected with links pointing to a copy of the worm. More on this at SunBelt’s blog.
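A mail-filter heuristic for the two traits described above (a plain-text body whose links point at a bare IP address), as an added example that is not from the original post. The function name, the sample messages and the 192.0.2.10 documentation address are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def bare_ip_urls(raw_message):
    """Return (url, reasons) for each link in text/plain parts whose host is an IP literal."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/plain":
            continue  # this heuristic targets the plain-text run only
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;:)!?")  # drop sentence punctuation glued to the link
            try:
                parts = urlsplit(url)
                ipaddress.ip_address(parts.hostname or "")
            except ValueError:
                continue  # named host or malformed URL: not what we flag here
            reasons = ["ip-literal-host"]
            if parts.path.lower().endswith(".exe"):
                reasons.append("links-to-exe")
            findings.append((url, reasons))
    return findings

# Constructed sample: plain-text lure linking to an executable on a bare IP.
SAMPLE_SPAM = (
    "From: sender@example.com\n"
    "Subject: Beta testers wanted\n"
    "Content-Type: text/plain\n\n"
    "Download the beta: http://192.0.2.10/setup.exe\n"
    "More details at http://192.0.2.10.\n"
)

# Constructed sample: ordinary mail linking to a named host.
SAMPLE_HAM = (
    "From: vendor@example.com\n"
    "Subject: Release notes\n"
    "Content-Type: text/plain\n\n"
    "Installer: https://www.example.com/download/setup.exe\n"
)

if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(name, bare_ip_urls(raw))
```

A hit is a reason to quarantine or score the message, not proof of infection; legitimate mail occasionally links to IP literals too.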
Sadly the authors of Nuwar can afford to experiment at will, because if an experiment were to fail, the worst that can happen is that one of their spam runs would not be that successful. And these spammers get instant feedback on how successful a spam run was because people continue to click on the bait links. As a result of this user feedback they continue to develop more effective social engineering techniques and improve upon their creations.
Even if your computer is fully patched and running an up-to-date antivirus and firewall solution, it still does not stand a chance against social engineering when a user invites the threat in, especially since malware can be tweaked and tested until it stays undetected by an antivirus product. McAfee Avert Labs expects the spammers to continue using these types of tactics, and it will be imperative that users are educated on how to avoid becoming a victim.
Low-rights user accounts and Software Restriction Policy are a couple of other proactive countermeasures worth considering in the face of rapidly-morphing threats. The tools are there, people… evaluate them, and deploy them if practical.
mechBgon
Microsoft MVP, Windows Shell/User