The Real Motive Behind Stration

At a time when the antivirus and computer security industry is all agog over targeted trojan attacks, trojan downloaders and spyware, along comes a threat that is, on the surface, reminiscent of the mass-mailers that plagued cyberspace in previous years, such as BAGLE, NETSKY, MYDOOM and MYTOB. Just as we thought that mass-mailers were dying down, a new breed of mass-mailer has arrived, known as STRATION (aka WAREZOV, STRAT).


The first variant appeared in the latter days of the third quarter of 2006, specifically on August 16, 2006, and was given the detection name WORM_STRATION.A. After only two months, Trend Micro has received well over 150 variants; the most recent, WORM_STRAT.EQ, was detected on October 25, 2006 by Official Pattern Release 883.


At first, there was neither rhyme nor reason in the behavior of the STRATION worms. Yes, they exhibited features much like those of previous mass-mailers, but there were differences: bursts of spiked attacks, or continuous massive spamming in short time frames; the use of many different top-level domains by STRATION's downloader components as infection vectors, adding to the rising complexity of web threats; and, of course, the ultimate motive of the mass-mailer, which differs from that of previous worms, whose only purpose was to spread to as many computer systems as possible.


NOTE: This is a research and investigative work in progress, as the STRATION menace continues up to this very minute…