New Storm Worm Variant Spreading
FYI...
New Storm Worm Variant Spreading
- http://www.us-cert.gov/current/#new_...riant_spreads2
June 19, 2008 - " US-CERT has received reports of new Storm Worm related activity. The latest activity is centered around messages related to the recent earthquake in China and the upcoming Olympic Games. This Trojan is spread via an unsolicited email message that contains a link to a malicious website. This website contains a video that when opened may run the executable file "beijing.exe" to infect the user's system with malicious code. Subject lines can change at any time, but the following subject lines are noted as being used:
* The most powerful quake hits China
* Countless victims of earthquake in China
* Death toll in China is growing
* Recent earthquake in china took a heavy toll
* Recent china earthquake kills million
* China is paralyzed by new earthquake
* Death toll in China exceeds 1000000
* A new powerful disaster in China
* A new deadly catastrophe in China
* 2008 Olympic Games are under the threat
* China's most deadly earthquake ..."
- http://www.f-secure.com/weblog/archives/00001457.html
June 19, 2008
(Screenshots available at the F-Secure URL above.)
- http://www.sophos.com/security/blog/2008/06/1500.html
19 June 2008 - "...the .cn domains linked by the spam messages are likely part of a botnet. Each query to the nameservers for these domains returns a different IP address, indicating fast-flux behavior. The domains also serve webpages using the same web server seen in a number of botnet campaigns..."
:fear::spider:
Storm - Fast Flux and New Domains
FYI...
Fast Flux and New Domains for Storm
- http://asert.arbornetworks.com/2008/...ins-for-storm/
June 28, 2008 - "...some of our ATLAS fast flux data*... Storm Worm has begun using new fast flux domains... Storm has changed its tactics constantly in the past year and a half, and this “love theme” is nothing new. We’ll see how long this theme lasts.
UPDATE 1 July 2008 - Here’s a full list of domains:
superlovelyric.com NS ns.verynicebank.com
bestlovelyric.com NS ns.verynicebank.com
makingloveworld.com NS ns.verynicebank.com
wholoveguide.com NS ns.verynicebank.com
gonelovelife.com NS ns.verynicebank.com
loveisknowlege.com NS ns.verynicebank.com
lovekingonline.com NS ns.verynicebank.com
lovemarkonline.com NS ns.verynicebank.com
makingadore.com NS ns.verynicebank.com
greatadore.com NS ns.verynicebank.com
loveoursite.com NS ns.verynicebank.com
musiconelove.com NS ns.verynicebank.com
knowholove.com NS ns.verynicebank.com
whoisknowlove.com NS ns.verynicebank.com
theplaylove.com NS ns.verynicebank.com
wantcherish.com NS ns.verynicebank.com
verynicebank.com NS ns.verynicebank.com
shelovehimtoo.com NS ns.verynicebank.com
makeloveforever.com NS ns.verynicebank.com
wholovedirect.com NS ns.verynicebank.com
grupogaleria.cn NS ns.verynicebank.com
activeware.cn NS ns.verynicebank.com
nationwide2u.cn NS ns.verynicebank.com ..."
* http://atlas.arbor.net/summary/fastflux
"Fastflux hosting is a technique where the nodes in a botnet are used as the endpoints in a website hosting scheme... Many different kinds of botnets use fastflux DNS techniques, for malware hosting, for illegal content hosting, for phishing site hosting, and other such activities. These hosts are likely to be infected with some form of malware..."
Also see "Top Storm Domains":
- http://www.trustedsource.org/en/threats/storm_tracker
:fear::spider::sad:
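Two checks that follow from the Sophos note above (a different IP on every query to the .cn domains) and the Arbor list (every domain delegating to ns.verynicebank.com), written as an added example in Python. This is not code from Arbor, Sophos or US-CERT. The NS records are a subset of the Arbor list; the DNS answers, the /16 grouping and the thresholds in is_fast_flux are constructed assumptions for illustration, not values reported in the posts.

```python
# Added example (not code from Arbor, Sophos or US-CERT): two checks a
# resolver-log or DNS-telemetry pipeline can apply to the domains above.
# 1) Does a domain delegate to the nameserver Arbor ties to Storm?
# 2) Do repeated answers for one name look like fast flux (tiny TTLs and
#    constantly changing A records spread across many networks)?
# All DNS answers below are constructed; the thresholds are assumptions.
from ipaddress import ip_network

# Nameserver common to every domain in the Arbor list.
STORM_NS = "ns.verynicebank.com"

# Subset of the Arbor list, in the "domain NS nameserver" form used in the post.
STORM_NS_RECORDS = """
superlovelyric.com NS ns.verynicebank.com
bestlovelyric.com NS ns.verynicebank.com
verynicebank.com NS ns.verynicebank.com
grupogaleria.cn NS ns.verynicebank.com
"""


def parse_ns_list(text):
    """Parse 'domain NS nameserver' lines into {domain: nameserver}."""
    ns_map = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "NS":
            ns_map[parts[0].lower().rstrip(".")] = parts[2].lower().rstrip(".")
    return ns_map


def shares_storm_ns(domain, ns_map, storm_ns=STORM_NS):
    """True if the domain delegates to the Storm-associated nameserver."""
    return ns_map.get(domain.lower().rstrip(".")) == storm_ns


# Constructed answers: each entry is (ttl_seconds, [A records]) from one query.
# The flux set never repeats an address and uses tiny TTLs; the static set is
# what a normally hosted site looks like.
FLUX_ANSWERS = [
    (0,  ["24.12.3.4", "71.200.5.6", "98.14.7.8", "190.33.9.10"]),
    (30, ["68.5.11.12", "76.99.13.14", "118.2.15.16", "201.45.17.18"]),
    (0,  ["24.12.19.20", "82.7.21.22", "99.100.23.24", "189.8.25.26"]),
    (10, ["59.3.27.28", "77.6.29.30", "121.9.31.32", "200.1.33.34"]),
]
STATIC_ANSWERS = [(86400, ["93.184.216.34"])] * 4


def flux_score(answers):
    """Summarise a series of answers for one name.

    churn = fraction of answers after the first that introduce at least one
    address not seen in any earlier answer.
    """
    seen = set()
    prefixes = set()
    new_answers = 0
    max_ttl = 0
    for i, (ttl, ips) in enumerate(answers):
        max_ttl = max(max_ttl, ttl)
        fresh = set(ips) - seen
        if i > 0 and fresh:
            new_answers += 1
        seen.update(ips)
        # Group by /16 as a cheap stand-in for "different network / ASN".
        prefixes.update(ip_network(f"{ip}/16", strict=False) for ip in ips)
    churn = new_answers / (len(answers) - 1) if len(answers) > 1 else 0.0
    return {
        "distinct_ips": len(seen),
        "distinct_prefixes": len(prefixes),
        "max_ttl": max_ttl,
        "churn": churn,
    }


def is_fast_flux(answers, max_ttl=300, min_distinct=10, min_prefixes=5, min_churn=0.5):
    """Assumed thresholds: short TTLs, many addresses, many networks, high churn."""
    s = flux_score(answers)
    return (s["max_ttl"] <= max_ttl and s["distinct_ips"] >= min_distinct
            and s["distinct_prefixes"] >= min_prefixes and s["churn"] >= min_churn)


if __name__ == "__main__":
    ns_map = parse_ns_list(STORM_NS_RECORDS)
    for d in ("superlovelyric.com", "example.com"):
        print(d, "storm NS" if shares_storm_ns(d, ns_map) else "other NS")
    print("flux:", flux_score(FLUX_ANSWERS), is_fast_flux(FLUX_ANSWERS))
    print("static:", flux_score(STATIC_ANSWERS), is_fast_flux(STATIC_ANSWERS))
```

The NS check is the cheap one: a single delegation to ns.verynicebank.com is enough to tag a name, whatever it resolves to today. The flux score needs several queries over time and is only a heuristic; a CDN also rotates addresses, but rarely with sub-minute TTLs, no repeats at all, and every answer in a different /16.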
Storm botnet ...Fireworks
FYI...
Storm Botnet ...Fireworks
- http://isc.sans.org/diary.html?storyid=4669
Last Updated: 2008-07-04 02:57:16 UTC - "I read about MX Logic's prediction this morning ( http://preview.tinyurl.com/5hlcxb ) that we should expect another wave of Storm Bot recruitment emails likely using the US Independence Day holiday as a lure. This group behind the Storm Botnet has always been conscious of timing and shortly after 5pm Eastern time I began to receive reports that a new wave had started. There's nothing very different about this one, it directs the user to click on a link that encourages the intended victim to download fireworks.exe. Gary Warner has a nice starter collection of Subjects, Bodies, and hosting IPs for those who need to set up blocks and filters available here:
http://garwarner.blogspot.com/2008/0...on-on-4th.html
I'm sure that the list will continue to grow. I'd recommend that you play it safe by blocking all attempts to download fireworks.exe at your perimeter..."
- http://securitylabs.websense.com/con...erts/3131.aspx
07.04.2008 (Screenshots...)
:fear:
New Storm Worm Variant Spreading - July 9, 2008
FYI...
New Storm Worm Variant Spreading
- http://www.us-cert.gov/current/#new_...ient_spreading
July 9, 2008 - "US-CERT has received reports of new Storm Worm activity. The latest activity uses messages that refer to the conflict in the Middle East. This Trojan is spread via unsolicited email messages that contain a link to a malicious website. The website is noted as having the following malicious characteristics which may be used to infect the user's system with malicious code.
* A video that, when opened, may run the executable file "iran_occupation.exe."
* A banner ad that, when clicked, may run the executable file "form.exe."
* A hidden iframe linked to "ind.php."
Reports, including a posting by Sophos**, indicate that the following subject lines are being used. Please note that subject lines can change at any time..."
** http://www.sophos.com/security/blog/2008/07/1569.html
9 July 2008
- http://ddanchev.blogspot.com/2008/07...n-of-iran.html
July 09, 2008
Fake news on World War III
- http://securitylabs.websense.com/con...erts/3132.aspx
07.09.2008 (Screenshots...)
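The SANS ISC post above recommends blocking downloads of fireworks.exe at the perimeter, and the US-CERT advisories in this thread name the other lure files (beijing.exe, iran_occupation.exe, form.exe, the ind.php iframe). Here is that check as an added example in Python, run over constructed Squid-format proxy log lines. It is not code from SANS ISC, US-CERT or the posters; the client addresses, download servers and timestamps in the sample are made up, and STORM_DOMAINS is only a subset of the Arbor list quoted earlier in the thread.

```python
# Added example (not code from SANS ISC, US-CERT or the posters): a perimeter
# check for the lure file names quoted in this thread, run over constructed
# Squid native-format access log lines. Hosts, clients and timestamps in the
# sample are made up; the Storm domains come from the Arbor list above.
from urllib.parse import urlsplit

# Executables named by US-CERT and SANS ISC in the posts above.
STORM_LURE_FILES = {"beijing.exe", "fireworks.exe", "iran_occupation.exe", "form.exe"}
# The hidden iframe target US-CERT mentions for the July 9 campaign.
STORM_LURE_PATHS = {"ind.php"}
# Subset of the domains from the Arbor post; in practice load the full list.
STORM_DOMAINS = {"superlovelyric.com", "verynicebank.com", "grupogaleria.cn"}

# Constructed Squid native-format access log: time elapsed client action/code
# bytes method URL ident hierarchy/peer type. Not real traffic.
SAMPLE_LOG = """\
1215200000.123 1200 10.0.0.5 TCP_MISS/200 98304 GET http://203.0.113.7/fireworks.exe - DIRECT/203.0.113.7 application/octet-stream
1215200001.456 45 10.0.0.9 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1215200002.789 800 10.0.0.5 TCP_MISS/200 12000 GET http://superlovelyric.com/ind.php - DIRECT/198.51.100.22 text/html
1215200003.012 900 10.0.0.12 TCP_MISS/200 98304 GET http://198.51.100.40/BEIJING.EXE?id=7 - DIRECT/198.51.100.40 application/octet-stream
"""


def classify_url(url, storm_domains=STORM_DOMAINS):
    """Return a block reason for a URL, or None if it matches no known indicator."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Match the listed domain itself and any subdomain of it.
    if any(host == d or host.endswith("." + d) for d in storm_domains):
        return "storm-domain"
    # Last path segment, compared case-insensitively (BEIJING.EXE == beijing.exe);
    # the query string is ignored so "?id=7" cannot hide the file name.
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name in STORM_LURE_FILES:
        return "lure-exe"
    if name in STORM_LURE_PATHS:
        return "lure-iframe"
    return None


def scan_log(text, storm_domains=STORM_DOMAINS):
    """Return a list of (client, url, reason) for every line that should have been blocked."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, url = fields[2], fields[6]
        reason = classify_url(url, storm_domains)
        if reason:
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"{reason:13} {client:10} {url}")
```

Matching on the file name alone is deliberately crude: the campaign can rename the executable at any time, so the domain and nameserver indicators from the earlier posts should be applied alongside it, and the log scan is equally useful after the fact to find clients that already fetched a lure.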