
Thread: Another "Storm" Wave ...

  1. #61
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005, Location: USA, Posts: 6,881


    FYI...

    - http://blog.trendmicro.com/storm-now-on-video/
    April 8, 2008 - "...only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec. TrendLabs researchers discovered several sites that offer, what looks like, a YouTube-look-alike streaming video. The infection vector and messaging is actually still the same, that is, users are most likely to access this site via links on specially crafted, love-themed blogs. What is interesting this time is that on the said site, users are required to download the so-called Storm Codec in order to view the said video. Yes, you read that right: the codec is called Storm Codec... Is that blatant enough? Of course, the said “codec” is actually a NUWAR/Storm variant, which Trend Micro already detects as WORM_NUWAR.JQ... If the social engineering tactic of using video codecs is familiar, it’s because it is — ZLOB Trojans became infamous because of it... the Storm gang’s attempt to venture into the said codec “business” has our researchers speculating whether they are now in cahoots with the ZLOB authors, or that they are trying to take over ZLOB’s niche, much like they did with STRATION when the two first started battling it out late 2006..."

    (Screenshot available at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #62
    AplusWebMaster (Adviser Team)


    FYI...

    - http://preview.tinyurl.com/4swsc8
    May 5, 2008 (Symantec Security Response Weblog) - "No sooner had various agencies commented on the reduction of the size of the Storm network than we started seeing signs of another wave of malware in the offing. We are currently tracking some fast-flux domains related to Trojan.Peacomm (a.k.a. Storm). These domains were registered just a few days ago. Simply visiting the sites presents the user with a blank page; however, modifying the URLs to access a specific file runs a script which attempts to exploit several different vulnerabilities... The domains being tracked are not currently being linked to. This could mean that either the sites are still under development, or that the authors are planning to use a different technique to spread their creations. If the reason is the former, then a spam wave should be expected in the coming days and this upcoming Mother’s Day could be used as a lure... Only time will allow the method employed in this wave of attacks to be confirmed. This is definitely an interesting development in the story of the Storm worm. We urge users to keep their antivirus product signatures up to date. Although it is important to ensure that operating system patches are up-to-date, most of the vulnerabilities being targeted by this malware are related to third-party products*..."

    (More detail at the URL above.)

    * Test 3rd party software here: http://secunia.com/software_inspector/


  3. #63
    AplusWebMaster (Adviser Team)


    Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

    Storm Worm new activity...
    - http://ddanchev.blogspot.com/2008/05...orms-love.html
    May 20, 2008 - "The Storm Worm malware launched yet another spam campaign promoting links to malware serving hosts, in between a SQL injection related to Storm Worm. These are Storm Worm's latest domains where the infected hosts try to phone back :
    cadeaux-avenue .cn (active)
    polkerdesign .cn (active)
    tellicolakerealty .cn (active and SQL injected at vulnerable sites)
    Administrative Email for the three emails: glinson156 @ yahoo.com

    Related DNS servers for the latest campaign: ...

    Storm Worm related domains which are now down: ...
    One of the domains that is injected as an iFrame is using ns .likenewvideos .com as DNS server, whereas likenewvideos .com is currently suspended due to 'violating Spam Policy'. Precisely."


  4. #64
    AplusWebMaster (Adviser Team)


    FYI...

    New Storm tactic
    - http://sunbeltblog.blogspot.com/2008...rm-tactic.html
    June 02, 2008
    (Screenshot available at the Sunbelt blog URL above.)

    - http://isc.sans.org/diary.html?storyid=4516
    Last Updated: 2008-06-02 21:11:49 UTC - "New Stormworm download site... 122.118.131.58 is being spammed out with a message that states: 'Crazy in love with you'
    hxxp ://122 .118 .131 .58
    I checked that site and could only find an index.html, lr.gif and loveyou.exe. lr.gif is a gif file that says 'love riddles'. Index.html encourages visitors to run loveyou.exe by asking ‘Who is loving you? Do you want to know? Just click here and choose either “Open” or “Run”’. loveyou.exe is a version of Trojan.Peacom.D aka Stormworm. I recommend you block this IP address till it gets cleaned up."

    Look for your AV updates shortly...

    Last edited by AplusWebMaster; 2008-06-03 at 02:08.

  5. #65
    AplusWebMaster (Adviser Team)


    FYI...

    - http://blog.trendmicro.com/storm-med...-of-the-heart/
    June 3, 2008 - "...A new trickle of Storm-related spam has been seen, again hewing to themes of love and romance. Perhaps said authors believe this run will be a runaway success, since June is widely held as the most popular month for weddings?... email subjects read “Stand by my side,” “I want to be with you,” and “Lucky to have you”—simple statements dripping with sincerity, or so spammers hope, to get unsuspecting users hooked. The said subject lines differ from the one-liners that make up the message body, alongside malicious IP addresses that don’t bother to ask users to click on them. But if the curious do click on these, they are redirected... This is where they are then asked to “click here” and choose “Open” or “Run”—but not before they are made to read teasers hinting of secret admirers: “Who is loving you? Do you want to know?” And if they dare to find out, the “secret admirer” turns out to be a file named LOVEYOU.EXE, which Trend Micro detects as WORM_NUWAR.BC. Heart-related themes have been used time and again as spam baits. Because of its popularity, this is a theme that will probably last a lifetime, if users continue to fall for its schemes..."
    (Screenshots available at the URL above.)

    - http://www.f-secure.com/weblog/archives/00001452.html
    June 4, 2008 - "Despite reports of Storm being killed off, it's still very much alive... While the Storm botnet certainly isn't as big as it used to be, it's definitely one of the most persistent botnets we've ever seen… and we've not seen the last of it."

    Last edited by AplusWebMaster; 2008-06-04 at 15:20.

  6. #66
    AplusWebMaster (Adviser Team)

    New Storm Worm Variant Spreading

    FYI...

    New Storm Worm Variant Spreading
    - http://www.us-cert.gov/current/#new_...riant_spreads2
    June 19, 2008 - "US-CERT has received reports of new Storm Worm related activity. The latest activity is centered around messages related to the recent earthquake in China and the upcoming Olympic Games. This Trojan is spread via an unsolicited email message that contains a link to a malicious website. This website contains a video that when opened may run the executable file "beijing.exe" to infect the user's system with malicious code. Subject lines can change at any time, but the following subject lines are noted as being used:
    * The most powerful quake hits China
    * Countless victims of earthquake in China
    * Death toll in China is growing
    * Recent earthquake in china took a heavy toll
    * Recent china earthquake kills million
    * China is paralyzed by new earthquake
    * Death toll in China exceeds 1000000
    * A new powerful disaster in China
    * A new deadly catastrophe in China
    * 2008 Olympic Games are under the threat
    * China's most deadly earthquake ..."

    - http://www.f-secure.com/weblog/archives/00001457.html
    June 19, 2008
    (Screenshots available at the F-secure URL above.)

    - http://www.sophos.com/security/blog/2008/06/1500.html
    19 June 2008 - "...the .cn domains linked by the spam messages are likely part of a botnet. Each query to the nameservers for these domains returns a different IP address, indicating fast-flux behavior. The domains also serve webpages using the same web server seen in a number of botnet campaigns..."

    Last edited by AplusWebMaster; 2008-06-19 at 20:44. Reason: Added Sophos info and link...

  7. #67
    AplusWebMaster (Adviser Team)


    FYI...

    - http://www.f-secure.com/weblog/archives/00001459.html
    June 20, 2008 - "... big increase in emails going around with all sorts of interesting subjects... long list of different subjects - too long to list them all here so we've put them in a downloadable TXT file* instead. All mails contain a link to different compromised sites which all contain the same fake Porntube page. Once there the page shows an error message telling the user that they need to install a Video ActiveX component. The file that gets downloaded is a spam trojan that sends out lots of emails with links pointing back to the compromised sites... The list of compromised sites is pretty extensive as well, we've been able to identify 74 different sites so far whereof only a handful have been fixed... the file that gets downloaded, video.exe..."

    * http://www.f-secure.com/weblog/archi...w_subjects.txt


  8. #68
    AplusWebMaster (Adviser Team)

    Storm - Fast Flux and New Domains

    FYI...

    Fast Flux and New Domains for Storm
    - http://asert.arbornetworks.com/2008/...ins-for-storm/
    June 28, 2008 - "...some of our ATLAS fast flux data*... Storm Worm has begun using new fast flux domains... Storm has changed its tactics constantly in the past year and a half, and this “love theme” is nothing new. We’ll see how long this theme lasts.
    UPDATE 1 July 2008 - Here’s a full list of domains: ..."

    * http://atlas.arbor.net/summary/fastflux
    "Fastflux hosting is a technique where the nodes in a botnet are used as the endpoints in a website hosting scheme... Many different kinds of botnets use fastflux DNS techniques, for malware hosting, for illegal content hosting, for phishing site hosting, and other such activities. These hosts are likely to be infected with some form of malware..."

    Also see "Top Storm Domains":
    - http://www.trustedsource.org/en/threats/storm_tracker

    Last edited by AplusWebMaster; 2008-07-02 at 20:31. Reason: Added trustedsource.org info...
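The Sophos note in post #66 and the ATLAS description above both characterise fast flux the same way: repeated queries for one domain return ever-changing addresses with short TTLs. As an added illustration, not code from the posts or from any source quoted here, the heuristic below scores a sequence of answer sets for one domain and separates that pattern from ordinary round-robin or CDN answers; every address, TTL and name in it is constructed.

```python
"""Heuristic fast-flux scoring over repeated A-record lookups of one domain."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    """One answer set as seen by a single query (constructed, not captured)."""
    ttl: int
    ips: Tuple[str, ...]


def analyse(answers: List[DnsAnswer], max_ttl: int = 300,
            min_distinct: int = 5, min_networks: int = 3) -> Dict[str, object]:
    """Flag fast flux when TTLs are short AND the answers spread over many
    addresses in many different /16 networks. A CDN also rotates addresses,
    but typically within its own ranges, so the network count filters it."""
    distinct_ips = set()
    networks = set()
    ttls = []
    for answer in answers:
        ttls.append(answer.ttl)
        for ip in answer.ips:
            distinct_ips.add(ip)
            # Crude /16 bucket: first two dotted-quad octets (assumption: IPv4).
            networks.add(".".join(ip.split(".")[:2]))
    max_seen_ttl = max(ttls) if ttls else None
    low_ttl = max_seen_ttl is not None and max_seen_ttl <= max_ttl
    return {
        "distinct_ips": len(distinct_ips),
        "distinct_networks": len(networks),
        "max_ttl": max_seen_ttl,
        "fast_flux": low_ttl and len(distinct_ips) >= min_distinct
        and len(networks) >= min_networks,
    }


# Constructed lookups: a flux-style domain (new hosts, scattered networks, TTL 60).
FLUX_ANSWERS = [
    DnsAnswer(60, ("10.1.2.3", "172.16.4.5")),
    DnsAnswer(60, ("192.168.7.8", "10.55.9.1")),
    DnsAnswer(60, ("203.0.113.9", "198.51.100.4")),
    DnsAnswer(60, ("10.1.2.3", "192.0.2.77")),
]
# Constructed lookups: a CDN rotating six addresses inside one /16 (TTL 30).
CDN_ANSWERS = [
    DnsAnswer(30, ("203.0.113.1", "203.0.113.2")),
    DnsAnswer(30, ("203.0.113.3", "203.0.113.4")),
    DnsAnswer(30, ("203.0.113.5", "203.0.113.6")),
]
# Constructed lookups: a static host with a long TTL.
STATIC_ANSWERS = [DnsAnswer(3600, ("198.51.100.10",))] * 4

if __name__ == "__main__":
    for name, sample in (("flux", FLUX_ANSWERS), ("cdn", CDN_ANSWERS),
                         ("static", STATIC_ANSWERS)):
        print(name, analyse(sample))
```

Thresholds are deliberately conservative defaults; in practice they would be tuned against a baseline of known-good domains, and an ASN lookup would replace the /16 bucket.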

  9. #69
    AplusWebMaster (Adviser Team)

    Storm botnet ...Fireworks

    FYI...

    Storm Botnet ...Fireworks
    - http://isc.sans.org/diary.html?storyid=4669
    Last Updated: 2008-07-04 02:57:16 UTC - "I read about MX Logic's prediction this morning ( http://preview.tinyurl.com/5hlcxb ) that we should expect another wave of Storm Bot recruitment emails likely using the US Independence Day holiday as a lure. This group behind the Storm Botnet has always been conscious of timing and shortly after 5pm Eastern time I began to receive reports that a new wave had started. There's nothing very different about this one, it directs the user to click on a link that encourages the intended victim to download fireworks.exe. Gary Warner has a nice starter collection of Subjects, Bodies, and hosting IPs for those who need to set up blocks and filters available here:
    http://garwarner.blogspot.com/2008/0...on-on-4th.html
    I'm sure that the list will continue to grow. I'd recommend that you play it safe by blocking all attempts to download fireworks.exe at your perimeter..."

    - http://securitylabs.websense.com/con...erts/3131.aspx
    07.04.2008 (Screenshots...)

    Last edited by AplusWebMaster; 2008-07-04 at 22:11. Reason: Added Websense info...

  10. #70
    AplusWebMaster (Adviser Team)

    New Storm Worm Variant Spreading - July 9, 2008

    FYI...

    New Storm Worm Variant Spreading
    - http://www.us-cert.gov/current/#new_...ient_spreading
    July 9, 2008 - "US-CERT has received reports of new Storm Worm activity. The latest activity uses messages that refer to the conflict in the Middle East. This Trojan is spread via unsolicited email messages that contain a link to a malicious website. The website is noted as having the following malicious characteristics which may be used to infect the user's system with malicious code.
    * A video that, when opened, may run the executable file "iran_occupation.exe."
    * A banner ad that, when clicked, may run the executable file "form.exe."
    * A hidden iframe linked to "ind.php."
    Reports, including a posting by Sophos**, indicate that the following subject lines are being used. Please note that subject lines can change at any time..."

    ** http://www.sophos.com/security/blog/2008/07/1569.html
    9 July 2008

    - http://ddanchev.blogspot.com/2008/07...n-of-iran.html
    July 09, 2008

    Fake news on World War III
    - http://securitylabs.websense.com/con...erts/3132.aspx
    07.09.2008 (Screenshots...)

    Last edited by AplusWebMaster; 2008-07-09 at 22:06. Reason: Added Websense link...