The ongoing Storm Trojan attack that began Monday has morphed again, security researchers said Thursday, changing the malicious file’s name, shifting to new malware hosting servers, and adding a rootkit to cloak the bot code from anti-virus software.Spam messages attempting to dupe users into installing the bot-making Trojan now include links happycards2008.com or newyearcards2008.com, different URLs than in the second-wave attack that began Christmas Day. According to analysts at the SANS Institute’s Internet Storm Center (ISC) and U.K.-based Prevx Ltd., the name of the file users are asked to download has also changed from Tuesday’s “happy2008.exe.” The file being shilled today is tagged to “happynewyear.exe.”More important is the behind-the-scenes addition of a rootkit to the versions of Storm now being seeded to infected machines, said researchers. Both Marco Giuliani of Prevx and an independent security researcher named Russ McRee have posted analyses of Storm’s cloaking attempt.[Storm now has] better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?),” said McRee on his HolisticInfoSec Web site. “No more hanging out in the open, easily seen.” Fortunately, said Giuliani, the rootkit is relatively old, and thus detectable by at least some security software. Neither is the move by Storm’s makers to hide its components and operations from anti-virus programs a new thing: the Trojan began using rootkits months ago.Giuliani also wondered why the domains hosting the Trojan had not been taken down. “If the attack is currently known and security companies are updating their software, why are these fake domains still active?” he asked in a post to the Prevx company blog. “If servers behind [these] sites are constantly changing so that it would be impossible to shut them down, these servers are reached by four well-known domains. Why, after four days, hasn’t anyone successfully taken these domains down?” According to WHOIS look-ups, both the happycards2008.com and newyearcards2008.com domains were registered with a Russian domain registrar named RUcenter only yesterday; the listed contact for the two domain is a “Bill Gudzon” of Los Angeles, Calif., but the contact phone number gave only a constant busy signal.Since the newest Storm attack began on Monday with spam touting Christmas-themed strippers, the code has repacked hundreds of times, a trick malware authors use to deceive signature-based antivirus software. Prevx, said Giuliani, has already detected more than 400 variants of the version now in circulation. By Gregg Keizer, Computerworld (US online) Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe