
Thread: Another "Storm" Wave ...

  1. #11
    Adviser Team AplusWebMaster
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    FYI...

    - http://www.informationweek.com/share...leID=201311245
    Aug. 9, 2007 - "...Researchers at SecureWorks discovered late Wednesday that the Storm worm authors have taken their full attention off of e-mail-based attacks and have started creating malicious Web pages... Jackson said he spotted two malicious Web sites that have the Storm attack malware embedded in them. One site was set up specifically for malicious purposes, while the second is a legitimate site that attackers hacked into and infected. The legitimate site is a community forum for fans of Apple's Mac computers. Oddly enough, the malware doesn't affect the Mac - only Microsoft's Windows platform, and specifically the Internet Explorer browser..."

    .
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #12
    Adviser Team AplusWebMaster

    FYI...

    - http://www.websense.com/securitylabs...hp?AlertID=792
    August 14, 2007 - "...new Storm Trojan tactics being used within emails. The new emails are using the Subject: "Greeting Card Victim" and contain the following:
    > Email Body:
    Class-mate(enter name) has created Greeting card for you victim at christianet.com. To see your custom Greeting card, simply click on the following link: http:// <stripped>
    Send a FREE greeting card from christianet.com whenever you want by visiting us at: This service is provided and hosted by christianet.com.
    > End of Email Body
    Just like previous attacks, the URLs point to a compromised machine that is hosting the BOT -and- an HTTP proxy. The same exploit code attempts to run the file without user intervention; however, the file name has changed to msdataaccess.exe..."


  3. #13
    Adviser Team AplusWebMaster

    FYI...

    - http://www.f-secure.com/weblog/archi....html#00001253
    August 18, 2007 - "Last Wednesday we blogged* about the changing tactics being used by the Zhelatin / Storm Worm gang and their "eCard for you" -themed malware spam. The tactics are changing again. The malicious websites haven't changed; they still spread malicious msdataaccess.exe files. However, the emails no longer talk about ecards..."

    * http://www.f-secure.com/weblog/archi....html#00001249


    (Screenshots available at both URLs above.)



  4. #14
    Adviser Team AplusWebMaster

    FYI...

    New filename for Storm Trojan/Bot
    - http://www.websense.com/securitylabs...php?BlogID=140
    Aug 20 2007 - "The Storm Trojan / Bot continues to spread like wildfire. The latest version has a variety of subjects and email bodies but now uses the filename applet.exe.
    > Email copy sample:
    Greetings,
    Here is your membership info for Downloader Heaven.
    Member Number: 2259948423
    Temorary Login: user6278
    Temp Password ID: gr272
    Please Change your login and change your Login Information.
    Follow this link, or paste it in your browser: http: //...
    Welcome,
    Technical Services
    Downloader Heaven..."

    - http://isc.sans.org/diary.html?storyid=3298
    Last Updated: 2007-08-21 ...(Version: 3) - "Looks like Storm moved to a new mutation. The e-mails are now inviting users to become members in various "clubs". Here is a sample I just got:
    > Subject: Login Information
    'Dear Member,
    Are you ready to have fun at CoolPics.
    Account Number: 73422529174753
    Your Temp. Login ID: user3559
    Temorary Password: jz438
    Please Change your login and change your Login Information.
    This link will allow you to securely change your login info: http: //...
    Thank You,
    New Member Technical Support
    CoolPics...'
    I have seen about a dozen different ones so far. They are all "confirmations" in this style to various web sites. The web page offers again an "applet.exe" for download. In short: We don't need to enumerate variants of the e-mail message. If you are brave and know what you are doing, download the applet.exe and try to reverse it (not easy typically). Thunderbird warned me that the link is a scam. (I think it does so for all numeric IP links). My copy of applet.exe was about 114 kB large. While many AV scanners detect it as "evil" based on heuristic signatures, some well known scanners don't (maybe Virustotal is running them without heuristic turned on, or they just don't do it)..."

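The two mail-side heuristics this post and the earlier ones keep returning to (links whose host is a bare numeric IP, which Thunderbird flags, and the short list of executable names Storm's lure pages served) can be turned into a simple triage check. This is an added example, not code from the forum or from any of the quoted sources; the sample messages and the RFC 5737 documentation address in them are constructed.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Executable names the Storm/Peacomm lure pages served, as quoted in this thread.
STORM_LURE_FILES = {
    "msdataaccess.exe", "applet.exe", "video.exe",
    "tor.exe", "nfltracker.exe", "tracker.exe", "arcadeworld.exe",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_bare_ip_host(host):
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def score_message(body):
    """Return (url, reasons) for every URL in the body that matches one of the
    lure heuristics described in the thread; an empty list means nothing matched."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")          # drop sentence punctuation glued to the link
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if is_bare_ip_host(host):
            reasons.append("numeric-ip-link")
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        if filename in STORM_LURE_FILES:
            reasons.append("known-lure-filename")
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample messages (not real spam); 192.0.2.10 is documentation space.
SAMPLE_CLUB_CONFIRMATION = """Dear Member,
Are you ready to have fun at CoolPics.
Account Number: 73422529174753
This link will allow you to securely change your login info: http://192.0.2.10/applet.exe
Thank You,
New Member Technical Support"""

SAMPLE_LEGIT = "Your order has shipped. Track it at https://example.com/orders/12345."

if __name__ == "__main__":
    for name, body in [("club", SAMPLE_CLUB_CONFIRMATION), ("legit", SAMPLE_LEGIT)]:
        print(name, score_message(body))
```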

  5. #15
    Adviser Team AplusWebMaster

    FYI...

    Malicious Website/Code: Storm adds YouTube lures
    - http://www.websense.com/securitylabs...hp?AlertID=799
    August 25, 2007 - "The Storm Trojan / Bot continues to spread and is now using a YouTube video to lure users. The latest version has a variety of subjects and email bodies but now uses the filename video.exe.
    Email subject example: Sheesh man what are you thinkin.
    Upon connecting to the URL, which is referenced as a YouTube link but is actually a Storm IP, the same exploit code used in past attacks attempts to run. As in the past if users are not vulnerable they will get a page displayed that requests they run the code manually..."

    (Screenshot available at the URL above.)

    - http://www.websense.com/securitylabs...php?BlogID=141
    "...Conclusion: The Storm attack is something we can expect more of in the future. It is an organized, sophisticated, well planned out and resilient attack that has infected millions of machines around the world. The techniques use a combination of attack vectors including DNS, Web, P2P, encryption, and several evasion techniques. This not only highlights the need for deploying sophisticated counter measures to mitigate your company's risks, but also shows the need for more collaborative efforts across borders with law enforcement, ISPs, and other folks moving forward."

    Also see: http://isc.sans.org/diary.html?storyid=3321
    Last Updated: 2007-08-25 21:00:55 UTC ...(Version: 2)


  6. #16
    Adviser Team AplusWebMaster

    FYI...

    - http://www.theregister.com/2007/08/2..._hits_blogger/
    29 August 2007 - "...By now, anyone who doesn't live under a rock is familiar with the spam messages bearing subjects such as "Dude what if your wife finds this" and "Sheesh man what are you thinkin" and including a link to a supposed YouTube video. Recipients foolish enough to click on the link are taken to an infected computer that tries to make their machine part of a botnet. Now Storm Worm, the malware responsible for those messages, has overrun Google-owned Blogger. According to one search, some 424 Blogger sites have been infected..."


  7. #17
    Adviser Team AplusWebMaster

    FYI...

    More Peacomm Tactic Changes
    - http://atlas.arbor.net/briefs/index#-24164615
    Severity: Elevated Severity
    Published: Thursday, August 30, 2007 10:36
    "This week has seen additional Peacomm malware lure changes. Emails have now been appearing that encourage users to view YouTube videos, download beta software, and to try out new software. All of these are methods that the Peacomm authors are using to attract new victims. At last count we have seen some estimates between 1 million and 10 million or more infected computers. This is a staggering number of infected machines and we are working with others to combat this problem.
    Analysis: We have been monitoring the changes in the lure tactics of the Peacomm worm, and have seen them change more frequently as of late. We are not certain what the next change will be, but we anticipate it will happen soon."


  8. #18
    Adviser Team AplusWebMaster

    FYI...

    - http://www.f-secure.com/weblog/archi....html#00001272
    September 6, 2007 - "A new round of storm worm attacks are playing on people's paranoia against being watched online. This time the lure leads users to a "TOR download" page, which is... surprise, surprise... fake... Clicking on the button in that webpage will download a malicious file called tor.exe into the system. This file is already detected as Email-Worm:W32/Zhelatin.IL. Do note that the real TOR application is hosted on http://tor.eff.org/. For those unfamiliar with it, it is a system designed to enable its users to communicate anonymously over the Internet."

    (Screenshot available at the URL above.)


  9. #19
    Adviser Team AplusWebMaster

    FYI...

    Stormworm Tactics Change to Football Fungus
    - http://www.disog.org/
    September 08, 2007 - "...Starting about 13:50 GMT ...noticed the domains started rotating the IPs less frequently. Looking back at my logs I came up with this:
    [timestamped IP rotation log omitted]
    Now the index page is NFL related (and nicely done) which is sharing NFLTracker.exe (NFLTracker.exe - Infected: Trojan.Peed.III). It's not using any of the xor'd javascript or browser exploits. This page is strictly social engineering... Our guess is the domains will be changing soon, with football related names - or that there will be mass infection of football related sites with frames pointing to the peer pages."

    (Screenshot available at the URL above.)

    Per: http://isc.sans.org/diary.html?storyid=3361
    ----------------------------------------------------

    Also: http://www.f-secure.com/weblog/archi....html#00001273
    September 9, 2007 - "...To become infected you have to click on one of the links or on the picture (they all point to the same file – tracker.exe) and run the file. Still, this can change at any moment so don't click on any links you receive in these e-mails."

    (More screenshots available at the F-Secure URL above.)

    Last edited by AplusWebMaster; 2007-09-10 at 16:02.

  10. #20
    Adviser Team AplusWebMaster

    FYI...

    - http://www.f-secure.com/weblog/archi....html#00001277
    September 16, 2007 - "The latest tactic from Storm Worm: e-mails with links to a fake gaming site... All the links from these pages point to ArcadeWorld.exe - detected by us now as Zhelatin.JP."

    (Screenshot available at the URL above.)


