
Thread: Another "Storm" Wave ...

  1. #1 AplusWebMaster (Adviser Team, USA)

    Another "Storm" Wave ...

    Follow-up post/thread from http://forums.spybot.info/showthread...9490#post99490 ...

    - http://isc.sans.org/diary.html?storyid=3063
    Last Updated: 2007-06-28 23:33:56 UTC...

    - http://preview.tinyurl.com/2g58ud
    June 28, 2007 (Computerworld)...

    - http://www.us-cert.gov/current/#new_...ariant_spreads
    June 29, 2007

    --------------------------------------

    - http://asert.arbornetworks.com/2007/...tcard-malware/
    June 29, 2007 ~ "...Pretend you actually clicked the link. What would happen? You’d possibly get your machine recruited into the Peacomm spam botnet. This handy diagram* shows you what happens once you hit the website. There’s some obfuscated JavaScript on the page which builds a link to /123.htm, a malicious ANI file (MS07-017), and other exploits - QuickTime, WinZIP, and WebViewFolderIcon - all to cajole your computer into downloading files and launching them. There’s also a link to “/ecard.exe”, a downloader... If you actually get hit, your box will ping the web server (/aff/cntr.php) start to download the Peacomm components, like /aff/dir/sony.exe , /aff/dir/logi.exe, and /aff/dir/pdp.exe..."

    (*Diagram shown at the URL above.)


    Last edited by AplusWebMaster; 2007-07-01 at 02:52.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2 AplusWebMaster (Adviser Team, USA)

    "...Variations:

    Other subject lines used with this message include the following:

    You've received a greeting card from a school-mate!
    You've received a greeting ecard from a class mate!
    You've received a greeting ecard from a neighbour!
    You've received a greeting postcard from a partner!
    You've received a greeting postcard from a worshipper!
    You've received a postcard from a family member!
    You've received a postcard from a neighbour!
    You've received a postcard from a worshipper!
    You've received an ecard from a colleague! ..."

    - http://www.snopes.com/computer/virus/postcard.asp
    Last updated: 1 July 2007


  3. #3 AplusWebMaster (Adviser Team, USA)

    Again:

    Storm worm with 4th of July subject lines
    - http://isc.sans.org/diary.html?storyid=3090
    Last Updated: 2007-07-03 19:48:30 UTC ...(Version: 2) ~ "We've been receiving numerous mails from readers reporting new subject lines being featured by the Storm Worm. Below is a brief overview of those gathered so far...

    Celebrate Your Independence
    Independence Day At The Park
    Fourth of July Party
    American Pride, On The 4th
    God Bless America
    Happy B-Day USA
    July 4th Family Day
    Your Nations Birthday
    July 4th B-B-Q Party
    Happy 4th July
    4th Of July Celebration
    Fireworks on the 4th."


  4. #4 AplusWebMaster (Adviser Team, USA)

    More:

    - http://www.f-secure.com/weblog/archi....html#00001224
    July 4, 2007 ~ "...Using an IP address and not a domain name is a pretty good sign that you shouldn't click on the link... They work exactly the same way as the other greeting cards and the ones we've seen have all been using IP addresses for the clickable link. Again, stay away from them... What's great is that the security community is actively trying to get these sites shut down but the bad guys just keep on changing the IP address in the new mails. In addition, they keep changing the files that are being downloaded..."

    (Screenshots available at the URL above.)



  5. #5 AplusWebMaster (Adviser Team, USA)

    FYI...

    The ever morphing Storm
    - http://isc.sans.org/diary.html?storyid=3117
    Last Updated: 2007-07-09 03:01:00 UTC - "Readers have been reporting emails with subjects such as:
    * Spyware Detected!
    * Malware Alert!
    * Virus Detected!
    The Storm virus from the last week or so (greeting cards) has morphed into this new version. Nothing new, the texts have changed somewhat and the subject line is different. By and large it is still the same attempt to get people to download an exe file. Auscert* has put out an alert on this as there has been an increase of these messages in the region.
    As per usual, discourage users from blindly clicking links in emails. Educate them on your corporate AV and AS practices so they will know that the message is not legit, and even if you do block all these messages, maybe raise awareness with staff so they don't fall for these types of messages at home. Blocking downloads of exe files is also a good start..."

    * http://www.auscert.org.au/render.html?it=7813


  6. #6 AplusWebMaster (Adviser Team, USA)

    More...

    Fake alert emails
    - http://www.f-secure.com/weblog/archi....html#00001226
    July 9, 2007 - "The same gang that has been sending out malicious links in e-mail messages appearing to be greeting cards or 4th of July greetings has now added a new look and feel to their e-mail. Now they might also look like malware, trojan, or spyware alerts from a Customer Support Center, and the e-mail speaks about abnormal activity that has been seen from your IP address. All you supposedly have to do is to click on the link and run the file to fix it or else your account will get blocked. Needless to say the downloaded file is malicious. Again the file is downloaded using an IP address and not a DNS name, but this time around they've tried to disguise themselves with a text hyperlink. We detect the downloaded file as Packed.Win32.Tibs.ab."
    (Screenshot available at the URL above.)

    New fake patch malicious code run
    - http://www.websense.com/securitylabs...hp?AlertID=786
    July 09, 2007

    Last edited by AplusWebMaster; 2007-07-09 at 18:04.
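    The three signs called out in posts #4, #5 and #6 (a clickable link whose host is a bare IP address rather than a domain name, a link that fetches an .exe, and a text hyperlink whose visible URL does not match where it really points) can be turned into simple mail-gateway triage rules, together with a match against the subject lines quoted earlier in the thread. The script below is an added example, not code from this thread or from any of the sources quoted in it; the message bodies, the 192.0.2.x / 198.51.100.x addresses and the example.com names are constructed sample data, and the heuristic names are assumptions of this example.

```python
"""Triage heuristics for the Storm-wave lures described in this thread (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# A subset of the subject lines quoted in the thread (Snopes, SANS ISC, F-Secure), lowercased.
KNOWN_SUBJECTS = {
    "you've received a postcard from a neighbour!",
    "you've received an ecard from a colleague!",
    "fourth of july party",
    "happy 4th july",
    "spyware detected!",
    "malware alert!",
    "virus detected!",
}

# Constructed sample messages; addresses are documentation ranges, not real Storm hosts.
SAMPLE_MESSAGES = [
    {"subject": "You've received a postcard from a neighbour!",
     "body": '<p>Click <a href="http://192.0.2.10/?id=1234">here</a> to view it.</p>'},
    {"subject": "Spyware Detected!",
     "body": '<p>Abnormal activity from your IP. Fix it: '
             '<a href="http://198.51.100.7/fix.exe">http://support.example.com/</a></p>'},
    {"subject": "Quarterly report",
     "body": '<p>See <a href="https://intranet.example.com/report">the report</a>.</p>'},
]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address (F-Secure's sign)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def host_of(url):
    """Hostname of a URL; also accepts bare 'host/path' text without a scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def analyse_message(subject, html_body):
    """Return the set of heuristic names that fire for one message."""
    reasons = set()
    if subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.add("known-subject")
    extractor = LinkExtractor()
    extractor.feed(html_body)
    for href, text in extractor.links:
        href_host = host_of(href)
        if is_ip_literal(href_host):
            reasons.add("ip-literal-link")
        if urlparse(href).path.lower().endswith(".exe"):
            reasons.add("exe-download")
        # Visible text that itself looks like a URL but names a different host than the href
        looks_like_url = "." in text and " " not in text
        if looks_like_url and host_of(text) and host_of(text) != href_host:
            reasons.add("mismatched-link-text")
    return reasons


def triage(messages):
    """Run every sample through the heuristics; returns [(subject, sorted reasons), ...]."""
    return [(m["subject"], sorted(analyse_message(m["subject"], m["body"]))) for m in messages]


if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES):
        verdict = "SUSPICIOUS" if reasons else "clean"
        print(f"{verdict:10} {subject!r}: {', '.join(reasons) or '-'}")
```

    Each rule is weak on its own (plenty of legitimate intranet mail links to raw addresses), which is why the function returns the full set of reasons rather than a verdict: a gateway policy can quarantine on the combination (IP-literal host plus .exe path, or a known subject plus any link finding) and merely log single hits. Note that the subject list has to be refreshed as the wave changes, exactly as posts #2, #3 and #5 show it doing over a ten-day span.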

  7. #7 AplusWebMaster (Adviser Team, USA)

    FYI...

    - http://www.informationweek.com/share...leID=201200849
    July 24, 2007 - "The Storm worm authors are waging a multi-pronged attack and generating the largest virus attack some researchers say they've seen in two years. "We are basically in the midst of an incredibly large attack," said Adam Swidler, a senior manager with security company Postini. "It's the most sustained attack that we've seen. There's been nine to 10 straight days of attack at this level." Swidler said in an interview with InformationWeek that the attack started a little more than a week ago, and Postini since then has recorded 200 million spam e-mails luring users to malicious Web sites. Before this attack, an average day sees about 1 million virus-laden e-mails, according to Postini. Last Thursday, however, the company tracked 42 million Storm-related messages in that day alone. As of Tuesday afternoon, Postini researchers were predicting they would see that day between 4 million and 6 million virus e-mails -- 99% of them associated with the Storm worm..."
    > http://www.postini.com/stats/


  8. #8 AplusWebMaster (Adviser Team, USA)

    SPAM e-mails - bsaver.zip / funny.zip

    FYI...

    - http://www.f-secure.com/weblog/archi....html#00001236
    July 27, 2007 - "On Wednesday* we blogged about major seeding of Trojan-Downloader.Win32.Agent.brk. This is now happening again... This time the e-mail attachment is named as bsaver.zip. E-mail subjects have also been revised. Below is a list of some examples we have witnessed so far:
    Sunrise in your life
    Life will be better
    Good summer
    Do it for pleasure
    Life is good
    Wanna be slim?
    Good summer, dude
    Two Telephone Calls And An Air
    Be like me!
    To be slim
    Paradice in bed
    The file is currently detected as Trojan-Downloader:W32/Agent.EXJ ..."

    * http://www.f-secure.com/weblog/archi....html#00001234

    (Screenshots available at the URLs above.)



  9. #9 AplusWebMaster (Adviser Team, USA)

    FYI...

    - http://www.informationweek.com/share...leID=201202711
    Aug 2, 2007 - "As the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a botnet of nearly 2 million computers -- researchers worry about the damage hackers could wreak if they unleash a denial-of-service attack with it. Between July 16 and Aug. 1, researchers at software security firm Postini have recorded 415 million spam e-mails luring users to malicious Web sites, according to Adam Swidler, a senior manager with Postini. Before the Storm worm began its attack, an average day saw about 1 million virus-laden e-mails crossing the Internet. On July 19, Postini recorded 48.6 million and on July 24, researchers tracked 46.2 million malicious messages -- more than 99% of them from the Storm worm... Joe Stewart, a senior security researcher at SecureWorks, noted that the number of zombie computers that the Storm worm authors have amassed has skyrocketed in the past month. From the first of January to the end of May, the security company noted that there were 2,815 bots launching the attacks. By the end of July, that number had leapt to 1.7 million..."


  10. #10 siljaline (Former Microsoft MVP (RIP), Montréal, Canada)

    Thanks for the invaluable info, Jack

    Silj
