
Thread: Another "Storm" Wave ...

  1. #51
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881


    FYI...

    New Storm tactic: Medical spam sites
    - http://www.websense.com/securitylabs...php?BlogID=170
    Jan 29 2008 - "...Storm worm has changed spamming tactics. Spam sent by infected hosts contain links of the format:
    http ://(IP address)/(short random directory name)
    These links redirect users to medical spam sites, but the links are still infected at the root level (e.g. http ://IP address/). The redirects help these medical spam sites attempt to evade spam filters..."

    - http://blog.trendmicro.com/storm-now...-bad-medicine/
    January 31, 2008

    (Screenshot available at both URLs above.)

    Last edited by AplusWebMaster; 2008-02-01 at 12:53.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #52
    AplusWebMaster

    FYI...

    - http://www.marshal.com/pages/newsite...hesection=news
    31 January 2008 – "...Storm is one of five botnets that we have been monitoring that we believe are responsible for approximately 75 per cent of all spam in circulation. One particular botnet which heavily promotes a certain brand of male enhancement pills accounts for nearly 30 per cent. This one bot has already exceeded Storm’s records and it has done it quietly without attracting too much attention. This might signal a new strategy by some of the spam crews to try and draw less attention to themselves through high profile email campaigns... It is also possible that the individuals behind the Storm botnet are responsible for one or more of these new botnets. These people are smart and one lesson they may have learned from Storm is to stay under the radar if they want to remain successful. There is a lot of crossover with the products being promoted by all five of these botnets. This could indicate some sort of connection between them..."

    - http://preview.tinyurl.com/2zlwao
    February 4, 2008 (Computerworld) - "...Mega-D has borrowed a few tricks from Storm, such as operating in Asian countries typified by high broadband penetration and poor use of anti-virus, using Trojans to dodge signature-based removal techniques and proliferating over peer-to-peer networks... Mega-D has targeted Facebook users with fake invites that download the Trojan using a phony Flash Player update. More than 70 percent of global spam is sent from botnets Mega-D, Pushdo, HTML, One Word Sub and Storm..."

    - http://www.marshal.com/trace/traceitem.asp?article=510
    February 4, 2008

    Last edited by AplusWebMaster; 2008-02-04 at 15:36.

  3. #53
    AplusWebMaster

    Eye on the botnets...

    - http://www.darkreading.com/document....919&print=true
    FEBRUARY 4, 2008 - "A new peer-to-peer (P2P) botnet even more powerful and stealthy than the infamous Storm has begun infiltrating mostly U.S.-based large enterprises, educational institutions, and customers of major ISPs. The MayDay botnet can evade leading antivirus products, and so far has compromised thousands of hosts, according to Damballa, which says 96.5 percent of the infected machines are in the U.S., and about 2.5 percent in Canada. Damballa first hinted of this potential successor to Storm late last year... The botnet uses two forms of P2P communications to ensure it can talk to its bots, including the Internet Control Message Protocol (ICMP)... Damballa is not sure why AV engines aren't detecting MayDay's malware... The infection comes in the form of what appears to the victim to be an Adobe Reader executable, but is actually the malware...
    As for Storm, researchers are now looking at whether another spam-spewing botnet, called Mega-D, is somehow related to Storm. Researchers from U.K.-based security vendor Marshal over the weekend blogged about Mega-D overshadowing Storm in spam delivery, with 32 percent of all spam they caught in their filters versus only 2 percent from Storm, which they say previously had accounted for 20 percent of the spam. Mega-D mostly spams male sexual enhancement drugs, according to Marshal...
    So far, MayDay is mostly ordering its bots to send spam runs, he says. It also sends accounting information back to the command and control servers on the success of the spam runs, so it appears relatively businesslike. Meanwhile, Damballa is working on reverse-engineering the ICMP communications, which are encrypted, Cox says."

    - http://asert.arbornetworks.com/2008/...bot-follow-up/
    February 5, 2008 - Mega-D Spambot Follow-up

    - http://asert.arbornetworks.com/2008/...ojan-analysis/
    February 11, 2008 - "Enabled by some spam samples Marshal provided, Joe Stewart and the good folks @SecureWorks, with an assist from Team Cymru and my|NetWatchman, have identified the malware and botnet referred to as Mega-D. It turns out Mega-D is composed of bots from the little-known Ozdok malware family. Joe provides some analysis on scale and distribution of the botnet here*, as well as some detailed bits on behaviors of the Trojan itself..."
    * http://www.secureworks.com/research/.../?threat=ozdok
    February 11, 2008

    Last edited by AplusWebMaster; 2008-02-14 at 04:26.

  4. #54
    AplusWebMaster

    FYI...

    Storm Worm's Family Tree
    - http://blog.washingtonpost.com/secur...ly_tree_1.html
    February 7, 2008
    (Detailed study on the history of "Storm", 'way too many links to post here. Good job Brian!)


  5. #55
    AplusWebMaster

    FYI...

    Storm Worm Valentine's Day Update
    - http://www.shadowserver.org/wiki/pmw...endar.20080210
    February 10, 2008 - "...Storm Worm has once again undergone another change as Valentine's Day is approaching. Fresh with 8 different rotating Valentine's Day images and a new executable named valentine.exe (may sound familiar), the Storm Worm may be gearing up for a new round of assaults on inboxes. It would appear that the domains are no longer serving up wildcard .gif files related to their stock spams. Instead we have eight .gif images ranging from 1.gif on up to 8.gif. After a few moments you'll be prompted to download the binary... a peek at the 8 images..."

    - http://blog.trendmicro.com/storm-sure-loves-everybody/
    February 11, 2008 - "...The spammed email messages are just plain text, but these contain links that lead to malicious Web sites displaying one of eight cute Valentine images..."

    (Screenshots available at the URLs above.)

    Last edited by AplusWebMaster; 2008-02-11 at 19:21.

  6. #56
    AplusWebMaster

    FYI...

    Stormworms spammy love notes
    - http://isc.sans.org/diary.html?storyid=3979
    Last Updated: 2008-02-12 22:42:30 UTC - "We received several reports of spam containing Subject lines such as: “Sweetest Things Aren’t Things!, Valentine’s Day, The Love Train” and other similar subject lines. These all included a URL that was just an IP address. Those URLs lead to binaries named valentine.exe. The MD5 on the binaries is changing rapidly so AV detection based on MD5 or other hash values is not reliable. We submitted one version to virustotal. 12/31 of the av engines there recognized it. Valentine.exe is a new version of storm worm... Jose Nazario of Arbornetworks has some additional information about this at:
    http://asert.arbornetworks.com/2008/...-day-campaign/ ..."
    "...Poor AV detection (via VirusTotal), but humans can spot this a mile away."

    Last edited by AplusWebMaster; 2008-02-13 at 00:10.

  7. #57
    AplusWebMaster

    FYI...

    Botnet wars?
    - http://blog.trendmicro.com/rtkt_push...otkit-remover/
    February 27, 2008 - "A malware removes rootkits? There has to be a catch here. Our recent analysis of RTKT_PUSHU.AC reveals that this component of WORM_NUWAR, TROJ_PUSHDO/TROJ_PANDEX malware families removes previously installed rootkits by other malware but then infects the system with its own rootkit components..."

  8. #58
    AplusWebMaster

    FYI...

    Storm Reactivating
    - http://www.f-secure.com/weblog/archives/00001392.html
    March 3, 2008 - "We haven't seen new Storm sites since the spam run they did over Valentine's Day… until early this morning. Right now they are sending a wide variety of mails regarding ecards... Depending on what you do, you end up with either e-card.exe (clicking the picture), e-card.exe (clicking the link) or postcard.exe (waiting for a few seconds). The files are variable but they always do the same thing: infect your system with the latest Storm/Zhelatin variant..."
    (Screenshots available at the F-Secure URL above.)

    - http://isc.sans.org/diary.html?storyid=4054
    Last Updated: 2008-03-03 08:18:58 UTC - "...Well, Storm is back, and back to generic e-Card spam... some Subjects and Contents to watch for:

    Subject:
    Your ecard joke is waiting
    You have an ecard
    We have a ecard surprise
    Someone Just sent you an ecard
    Did you open your ecard yet
    ecard waiting for you
    Open your ecard
    new ecard waiting
    Now this is funny
    online greeting waiting
    sent you an ecard

    Body:
    laughing Funny Card
    You have been sent a Funny Postcard
    You have been sent the Funny Ecard
    original Funny Card
    Someone Sent you this Funny Ecard
    your funny postcard
    original Funny Postcard
    sent a Funny Postcard
    personal funny postcard
    FunnyPostcard
    laughing funny postcard

    Watch your inbox, and let's hope the AV vendors jump on this quickly."

    Last edited by AplusWebMaster; 2008-03-03 at 14:38.
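    The link shapes quoted in this thread so far (a bare-IP URL with a short random directory in post #51, an IP-only URL leading to valentine.exe in post #56, and the ecard lures above, which end in e-card.exe or postcard.exe) share one cheap tell: the host part of the link is a literal IP address, not a name. The ISC diary in post #56 also notes that the binaries' MD5s change too fast for hash-based AV to keep up, so a gateway check that keys on the link shape plus the lure text is the more durable one. The Python below is an added example written for this page, not code from ISC, Websense, F-Secure or any other source quoted here. The sample messages are constructed, 203.0.113.7 is from the RFC 5737 documentation range (not a real Storm host), and the lure lists are the ISC subjects and body phrases quoted in this post; the check itself is not tied to the ecard wording, so a later run only needs its own lure set swapped in.

```python
import re
from email import message_from_string
from email.message import Message
from ipaddress import ip_address
from urllib.parse import urlparse

# Lure strings copied from the ISC diary quoted in this post; matched case-insensitively.
STORM_SUBJECTS = {
    "your ecard joke is waiting", "you have an ecard", "we have a ecard surprise",
    "someone just sent you an ecard", "did you open your ecard yet",
    "ecard waiting for you", "open your ecard", "new ecard waiting",
    "now this is funny", "online greeting waiting", "sent you an ecard",
}
STORM_BODY_PHRASES = {"funny card", "funny postcard", "funny ecard", "funnypostcard"}
# Binary names quoted in this thread (ISC/Shadowserver: valentine.exe; F-Secure: e-card.exe, postcard.exe).
STORM_BINARY_NAMES = {"valentine.exe", "e-card.exe", "postcard.exe"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (not real captures). 203.0.113.7 is an RFC 5737 documentation address.
SAMPLE_SPAM = """\
From: ecards@example.net
To: victim@example.com
Subject: Someone Just sent you an ecard

You have been sent a Funny Postcard
http://203.0.113.7/e-card.exe
"""

SAMPLE_BENIGN = """\
From: colleague@example.com
To: victim@example.com
Subject: Meeting notes

Notes from today are at https://intranet.example.com/notes/2008-03-03.html
"""


def extract_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload is not None:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def is_bare_ip_url(url: str) -> bool:
    """True when the URL's host is a literal IPv4/IPv6 address rather than a hostname."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def triage(raw_message: str) -> list:
    """Return the indicator tags found in one RFC 822 message (empty list = nothing seen)."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    body = extract_text(msg)
    tags = []
    if subject in STORM_SUBJECTS:
        tags.append("subject:storm-lure")
    lower_body = body.lower()
    for phrase in sorted(STORM_BODY_PHRASES):
        if phrase in lower_body:
            tags.append("body:storm-lure:" + phrase)
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)")  # drop trailing punctuation the regex swallowed
        if is_bare_ip_url(url):
            tags.append("url:bare-ip:" + url)
        leaf = urlparse(url).path.rsplit("/", 1)[-1].lower()
        if leaf in STORM_BINARY_NAMES:
            tags.append("url:storm-binary:" + leaf)
    return tags


def verdict(tags: list) -> str:
    """Bare-IP link together with a lure or known binary name is enough to quarantine."""
    has_ip = any(t.startswith("url:bare-ip:") for t in tags)
    has_lure = any(t.startswith(("subject:", "body:", "url:storm-binary:")) for t in tags)
    if has_ip and has_lure:
        return "quarantine"
    return "review" if (has_ip or has_lure) else "pass"


if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("benign", SAMPLE_BENIGN)):
        tags = triage(raw)
        print(name, verdict(tags), tags)
```

    A bare-IP link on its own only earns "review": internal tools do sometimes mail raw IP links. It is the combination with the lure text or one of the known binary names that makes the verdict firm, and neither half depends on the sample's hash.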

  9. #59
    AplusWebMaster

    April Fool Storm emails...

    FYI...

    - http://www.f-secure.com/weblog/archives/00001410.html
    March 31, 2008 19:45 GMT - "A wave of April Fool's Day related Storm (e)mails have just been sent out. Similar to the other times with a link that points to an IP address... if you receive one of these emails, don't click on the link."
    (Screenshots available at the URL above.)

    - http://isc.sans.org/diary.html?storyid=4222
    Last Updated: 2008-03-31 21:00:07 UTC - "...Again a varied list of subjects comes with this release:
    All Fools' Day
    Doh! All's Fool.
    Doh! April's Fool.
    Gotcha!
    Gotcha! All Fool!
    Gotcha! April Fool!
    Happy All Fool's Day.
    Happy All Fools Day!
    Happy All Fools!
    Happy April Fool's Day.
    Happy April Fools Day!
    Happy Fools Day!
    I am a Fool for your Love
    Join the Laugh-A-Lot!
    Just You
    One who is sportively imposed upon by others on the first day of April
    Surprise!
    Surprise! The joke's on you.
    Today You Can Officially Act Foolish
    Today's Joke!
    ...The download is a binary, also with varying names:
    foolsday.exe
    funny.exe
    kickme.exe
    ...Virus coverage is poor with the samples we've captured, but we're working with the AV vendors to improve that..."

    April Storm’s Day Campaign
    - http://asert.arbornetworks.com/2008/...s-day-campaign
    March 31, 2008 - "...here are the specifics for this variant:
    * Peerlist: C:\WINDOWS\aromis.config
    * Installs as: C:\WINDOWS\aromis.exe
    * As always, listens on a random UDP port, makes a lot of outbound connections, allows itself to the firewall via “netsh firewall set” and via the registry, uses w32tm to update its clock, and so on."

    Last edited by AplusWebMaster; 2008-04-01 at 17:51. Reason: More info... Arbor Networks...
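    The Arbor indicators just above (aromis.exe and aromis.config directly under C:\WINDOWS, a firewall exception added with "netsh firewall set", a random UDP listener) translate straight into a host triage. On Windows XP SP2 the allowed-program exceptions that "netsh firewall set allowedprogram" creates are stored as values under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, with value data of the form <path>:<scope>:Enabled:<display name>. The Python below is an added example, not Arbor's or this thread's code: it parses that list, flags enabled exceptions for a program sitting directly in the Windows directory or carrying the Arbor-reported name, and checks for the two files. SAMPLE_ENTRIES are constructed; the live registry read uses winreg and so only runs on Windows, and the key layout is an assumption about the XP-era firewall (Vista and later keep firewall rules elsewhere).

```python
import ntpath
import os
import sys

WINDIR = r"C:\WINDOWS"
# File indicators quoted from the Arbor post above.
STORM_FILES = [r"C:\WINDOWS\aromis.exe", r"C:\WINDOWS\aromis.config"]
STORM_NAMES = {"aromis.exe"}

# XP SP2 location of the "allowed programs" list that "netsh firewall set allowedprogram"
# writes to (assumed layout, see the lead-in).
FIREWALL_LIST_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed sample of (value name, value data) pairs as they appear under that key.
SAMPLE_ENTRIES = [
    (r"C:\Program Files\Messenger\msmsgs.exe",
     r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"),
    (r"C:\WINDOWS\aromis.exe",
     r"C:\WINDOWS\aromis.exe:*:Enabled:aromis"),
    (r"C:\WINDOWS\system32\sessmgr.exe",
     r"C:\WINDOWS\system32\sessmgr.exe:*:Disabled:Remote Assistance"),
]


def parse_entry(data: str):
    """Split '<path>:<scope>:<state>:<name>' from the right; the path itself contains 'C:'."""
    path, scope, state, name = data.rsplit(":", 3)
    return path, scope, state, name


def suspicious_entries(entries):
    """Return [(path, [reasons])] for enabled exceptions that fit the Storm pattern."""
    findings = []
    for _value_name, data in entries:
        try:
            path, _scope, state, _name = parse_entry(data)
        except ValueError:
            continue  # not in the four-field layout; skip rather than guess
        if state.lower() != "enabled":
            continue
        parent, leaf = ntpath.split(path)
        reasons = []
        if parent.lower() == WINDIR.lower():
            reasons.append("program lives directly in the Windows directory")
        if leaf.lower() in STORM_NAMES:
            reasons.append("file name matches the Arbor indicator")
        if reasons:
            findings.append((path, reasons))
    return findings


def present_files(paths=STORM_FILES):
    """Which of the indicator files exist on this host."""
    return [p for p in paths if os.path.exists(p)]


def read_live_entries():
    """Enumerate the exception list from the registry; Windows only."""
    import winreg  # ImportError on other platforms
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FIREWALL_LIST_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            entries.append((name, data))
            index += 1
    return entries


if __name__ == "__main__":
    entries = read_live_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for path, reasons in suspicious_entries(entries):
        print("firewall exception:", path, "->", "; ".join(reasons))
    for p in present_files():
        print("indicator file present:", p)
```

    The "directly in the Windows directory" rule is the one that outlives the file name: the name changes per variant (the thread already shows aromis.exe, valentine.exe, e-card.exe), but a firewall exception for an executable dropped in the root of %WINDIR% is unusual for legitimate software and is worth a look on its own.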

  10. #60
    AplusWebMaster
    Last edited by AplusWebMaster; 2008-04-08 at 15:19.
