Another "Storm" Wave ...

FYI...

More cards...
- http://www.f-secure.com/weblog/archives/archive-092007.html#00001280
September 24, 2007 - "There are a high number of reports for Trojan-Downloader.Win32.Banload.DRS today... This time the bad guys have once again returned to the (e-mail) attachment name of card.exe... The subject lines are recycled as well:
Hot pictures
Hot game
Here is it
You ask me about this game, Here is it
Something hot ..."

(Table shown at the URL above.)

.
 
FYI...

- http://asert.arbornetworks.com/2007/09/todays-radar/
September 21, 2007 - "...Storm Worm numbers after reading Storm Drain*, from the Microsoft Anti-Malware Engineering Team blog. Several people, myself included, had put size estimates in the millions of hosts. Microsoft’s numbers suggest far, far fewer, on the order of hundreds of thousands. People tell me they have seen a decrease in the number of DDoS attacks from Storm, and also I have seen a slowing of the email lures in the past week and a half. It looks like the MSRT is having an effect. Some people estimate half, some about 25%, but overall a real decrease..."
* http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx

.
 
FYI...

Stormy Skies
- http://asert.arbornetworks.com/2007/09/stormy-skies/
September 27th, 2007 - "A couple of third-party reports on the Storm Worm (aka Peacomm, aka Nuwar, aka Tibs, aka Zheltin, aka CME-711).
1. The first is a detailed binary analysis of the malcode involved in the Storm Worm from Frank Boldewin. This is one of the only such analyses made public that I have seen; everyone else has theirs privately kept:
'It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all things that happens on this way, like: XOR + TEA decryption, TIBS unpacking, defeating Anti-Debugging code, files dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit-driver does.'
(From: http://www.reconstructer.org/papers/Peacomm.C - Cracking the nutshell.zip
[ZIP], by Frank Boldewin.)
2. Second up is a great timeline of the Storm Worm lures, specifically the ones to lure you to the website and get infected via malicious HTML (i.e., the setSlice() vuln). Unfortunately it does not cover the spammed EXEs that appeared in the Winter of 2007, it just covers the “e-card” and beyond timeframe. It also doesn’t cover any changes in the website HTML or exploits. Still, this is the first such compendium of this data I’ve seen shared publicly. I made a smaller one on a private list one night, but without so much data or detail.
3. A third point of interest, and the research focus for this blog, is the structure of the spam runs themselves. The accepted notion is that the runs are distinct from one another based on their subject matter. For example, we consider “NFL” spam to be one instance of the Storm attack, and “ArcadeWorld” another, but we cannot by that alone make an assertion regarding their specific rate of occurrence and precise ordering. Our goal is to confirm the ordered relationship between subjects, and to use the resulting distribution and frequency data to build a volume-based chronology."
(From: http://www.websense.com/securitylabs/blog/blog.php?BlogID=147 Websense Security Lab blog)

.
 
FYI...

YouTube feature exploited to send spam
- http://www.sophos.com/pressoffice/news/articles/2007/10/youtube-spam.html
5 October 2007 - "...Spam emails seen by Sophos claim to come from the email address service @ youtube .com, and attempt to lure users into visiting dating websites or offering prizes of the recently released Halo 3 arcade game for the XBOX 360 console. By putting their spam message in the 'comments' section of the 'invite-a-friend' facility on YouTube, hackers have been able to hijack the website for the purposes of sending unsolicited email..."

- http://www.news.com/2102-7349_3-6212674.html?tag=st.util.print
Oct 10, 2007 - "...Spammers are taking advantage of the YouTube function that lets people invite friends to view videos that they have viewed or posted. The function allows someone to e-mail any address from an account. The scam on Google's video-sharing site is targeting Xbox owners, urging recipients to collect a prize version of the popular game Halo 3. Anstis said clicking on the link to "winhalo3" leads to a file containing a Storm trojan..."

:fear:
 
FYI...

Malicious Website/Code: New Storm tactic: Kitty Greeting Card
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=807
October 11, 2007 - "Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks... This site poses as a free Ecard Web site. No exploit is on the site itself. However, when users click any of the URLs, they are prompted to download and run a file called "SuperLaugh.exe". This file contains the Storm payload code..."

(Screenshot available at the URL above.)

Also:
- http://www.f-secure.com/weblog/archives/00001291.html
October 12, 2007

:fear:
 
FYI...

The Changing Storm
- http://www.secureworks.com/research/blog/index.php/2007/10/15/the-changing-storm/
October 15, 2007 by Joe Stewart - "The latest Storm variants have a new twist. They now use a 40-byte key to encrypt their Overnet P2P traffic. This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities. If that’s the case, we might see a lot more of Storm in the future. The good news is, since we can now distinguish this new Storm traffic from “legitimate” (cough) Overnet P2P traffic, it makes it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow P2P traffic (i.e. not corporate networks, we hope!). Matt Jonkman over at Bleedingthreats.net has written some signatures* to detect Storm nodes on a network in a generic way. These signatures look for certain UDP packet sizes typical of Storm, occurring over a certain threshold. Since there’s no content matching, these could be prone to false positives in certain cases, so the usual caveats with bleeding-edge signatures apply.*"

* http://www.bleedingthreats.net/index.php/2007/10/15/encrypted-storm-traffic/

.
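As an added example (not code from this thread and not the Bleedingthreats rules themselves), a threshold detector of the kind Stewart describes: it counts UDP packets of watched payload sizes per source host inside a time window and, as one way of trimming the false positives he warns about, additionally requires that they go to many distinct peers. The packet sizes, port, thresholds and sample traffic are constructed assumptions, not values from the real signatures.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (timestamp_s, src_ip, dst_ip, dst_port, udp_payload_len).
# The payload sizes and the port are placeholders, not the sizes or port from the real rules.
SAMPLE_PACKETS = []
for i in range(30):   # busy node: many small packets to many distinct peers
    SAMPLE_PACKETS.append((100 + i * 0.3, "10.0.0.5", f"198.51.100.{i + 1}", 7871, 21 if i % 2 else 28))
for i in range(5):    # quiet node: only a handful of matching sizes
    SAMPLE_PACKETS.append((100 + i * 2.0, "10.0.0.9", "203.0.113.7", 7871, 21))
for i in range(40):   # bulk transfer: large packets, never matching
    SAMPLE_PACKETS.append((100 + i * 0.1, "10.0.0.7", "203.0.113.9", 4444, 512))

SUSPECT_SIZES = {21, 28}  # watched payload sizes (assumed placeholder list)
THRESHOLD = 20            # matching packets per host per window before alerting (assumed)
WINDOW = 60.0             # window length in seconds
MIN_PEERS = 10            # distinct-peer requirement; an addition not in the original rules


def detect_udp_size_bursts(packets, suspect_sizes=SUSPECT_SIZES, threshold=THRESHOLD,
                           window=WINDOW, min_peers=MIN_PEERS):
    """Return {src_ip: first_alert_time} for hosts that send at least `threshold` UDP
    packets of a watched size, to at least `min_peers` distinct peers, within `window` s.
    Only sizes and counts are inspected, so a benign P2P client with similar packet
    sizes can still trip it; treat hits as leads to confirm, not verdicts."""
    recent = defaultdict(deque)   # src_ip -> (ts, dst_ip) of recent matching packets
    alerts = {}
    for ts, src, dst, _port, size in sorted(packets):
        if size not in suspect_sizes or src in alerts:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire packets that left the window
            q.popleft()
        if len(q) >= threshold and len({peer for _, peer in q}) >= min_peers:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for host, when in detect_udp_size_bursts(SAMPLE_PACKETS).items():
        print(f"{host}: Storm-like UDP size burst first seen at t={when:.1f}s")
```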
 
New Storm Tactic: Krackin Software

FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=808
October 17, 2007 - "Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks. For more details on the Storm attack, see ( http://www.websense.com/securitylabs/blog/blog.php?BlogID=141 ).
This site poses as a new piece of software called "Krackin v1.2" and advertises:
* Easy to install
* Auto-Virus scanning
* Mobile Source Downloading
* IP Blocking to Prevent Tracking
* Unwanted User Blocking
Users with unpatched computers are automatically exploited. Users with patched computers are prompted to download and run a file called "kracking.exe". This file contains the Storm payload code..."

(Screenshot available at the URL above.)

More references - same stuff:
- http://www.disog.org/2007/10/lets-get-this-party-krakin.html

- http://www.f-secure.com/weblog/archives/00001296.html
October 17, 2007 - "...a mere visit to the site using an unpatched system will trigger an exploit to automatically download and execute a malicious file. Patched systems are protected but only if the users do not choose to download the file (with filename krackin.exe) and execute it themselves. The webpage is detected as Trojan-Downloader.JS.Agent.KD while the file is detected as Email-Worm.Win32.Zhelatin.KE. This is one network you wouldn't want to join, so make sure to keep your databases updated."

.
 
FYI...

- http://www.networkworld.com/news/2007/102407-storm-worm-security.html
10/24/07 - "...Some who have managed to reverse engineer Storm in an effort to figure out how to thwart it have suffered DDoS attacks that have knocked them off the Internet for days... As researchers test their versions of Storm by connecting to Storm command-and-control servers, the servers seem to recognize these attempts as threatening. Then either the worm itself or the people behind it seem to knock them off the Internet by flooding them with traffic from Storm’s botnet..."

> http://www.theregister.com/2007/10/25/storm_worm_backlash/

:buried:
 
FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=814
October 30, 2007 - "Websense® Security Labs™ has confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Halloween twist in its attempts to infect users with malicious code. The first copies of the new emails began going out just before 9:00am PST on Tuesday, October 30th. As with previous Storm emails, various subjects and bodies will be used. Here is one example email:

Example Subject: Nothing is funnier this Halloween

Example Body:
Come watch the little skeleton dance.
http : // <URL Removed> /..."

(Screenshot available at the URL above.)

:fear:
 
FYI...

Warezov Domains on All Hallows Eve
- http://www.f-secure.com/weblog/archives/00001306.html
October 31, 2007 - "Storm seems to have seized the Warezov gang's mojo. They just don't make as much noise as they once did... Using his "patented" data mining techniques, Toni turned up 2039 domains connected to the Warezov gang as of 12:00 today. Of those, 810 domains resolved as a fast flux*. 1229 do not currently resolve. They're dead. (Or are they undead?) These domains are used for both malware downloads and for pushing spam. The next step is to get them taken down. No small task that.

Download the Lists:
Domains — 2039 ( http://www.f-secure.com/weblog/archives/Warezov_Domains.txt )
Fast Fluxes — 810 ( http://www.f-secure.com/weblog/archives/Warezov_Domains_Online.txt )
Undead — 1229 ( http://www.f-secure.com/weblog/archives/Warezov_Domains_Offline.txt ) ..."

* http://en.wikipedia.org/wiki/Fast_flux

:fear:
 
FYI...

Storm Worm Changes Course
- http://preview.tinyurl.com/2mvsqs
November 1, 2007 - (Symantec Security Response Weblog) - "The authors of the Storm worm (also known as Trojan.Peacomm) have shown an uncanny knack of changing or shedding key components of the threat in order to enhance its persistence and spread. This week saw the latest incarnation of the threat, Trojan.Peacomm.D, reveal itself as halloween.exe or sony.exe. What is most interesting about this latest variant of the Storm worm is that its authors have removed some key functionality that was present in the previous variant, Trojan.Peacomm.C. Specifically, the threat no longer:
1. infects other legitimate drivers on the system. Previous variants infected drivers such as Tcpip.sys and Kbdclass.sys. This was a stealth-like feature used by the threat to start early with the operating system and without loading points in the Windows Registry.
2. injects itself into legitimate processes like Explorer.exe and Services.exe.
Instead the threat now relies less on legitimate components on the operating system and has new proprietary components to do its dirty work. The driver associated with the latest variant, noskrnl.sys, works hand in hand with the user mode noskrnl.exe to provide the same stealth-like capabilities that involved more components, both illegitimate and legitimate, in the past... In terms of the latest variant, both holloween.exe and sony.exe are detected as Trojan.Packed.13 and the low level driver component, noskrnl.sys, is detected as Trojan.Peacomm.D*..."

* http://www.symantec.com/security_response/writeup.jsp?docid=2007-041222-3056-99

.
 
Are You Infected With Storm?

FYI...

Storm Worm Victims Get Stock Spam Pop-Up
- http://preview.tinyurl.com/3dlq5l
November 13, 2007 - Brian Krebs - "If you're a Windows user and today received a surprise pop-up advertisement urging you to invest in an obscure penny stock, it is highly likely that your computer is infected with the virulent Storm worm, a nasty intruder that currently resides on an estimated 200,000 PCs worldwide. Criminal groups that control the pool of Storm-infected computers have traditionally used those systems to pump out junk e-mail ads touting thinly traded penny stocks as part of an elaborate and ongoing series of "pump-and-dump" schemes. But today, according to security researchers, the Storm worm authors went a step further by causing a pop-up ad for a particular penny stock to be shown on all infected machines. Atlanta-based SecureWorks* tracked the latest Storm activity, which began earlier this morning..."

Are You Infected With Storm?
* http://preview.tinyurl.com/2jqgn3
November 13, 2007 by Joe Stewart - (Secureworks) - "If you saw the following browser window pop up on your desktop today for no apparent reason, you are..."
(Screenshot available at the SecureWorks URL above.)

:fear:
 
FYI...

Storm Brews Over Geocities
- http://blog.trendmicro.com/storm-brews-over-geocities/
November 15th, 2007 - "...There are limited reports that the Storm worm may be spamming emails with links to a Geocities site. This was seen in the monitoring of the spam templates being sent via Storm communications to its botnets... The links contained within the said messages point to various accounts created under the popular Yahoo!-managed Geocities site. However, what appears to be links to personal Web sites hosted on Geocities are actually URLs that redirect... user is coaxed into downloading an “iPix plug-in” (from http: // {BLOCKED}.{BLOCKED}.238.36/ iPIX-install.exe). Unfortunately, the iPix plug-in, which Trend Micro detects as TROJ_ZBOT.BJ, downloads more malicious files..."

:fear:
 
FYI...

- http://www.securitypark.co.uk/security_article.asp?articleid=260134&Categoryid=1
29/11/2007 - "A copycat spam gang has developed a botnet that is currently responsible for more than 20 per cent of all spam in circulation, according to Marshal’s threat research TRACE Team. The botnet now has the ability to distribute similar amounts of spam as the notorious Storm botnet. Marshal has touted the spammers responsible for this botnet the “Celebrity Spam Gang”, owing to their fondness for using celebrity names in their spam. The Celebrity Gang has been building up their botnet since August 2006. They have managed this by spamming out messages with malware attachments that commonly feature subject lines about nude celebrities like Angelina Jolie and Britney Spears but have also promised free games and Windows Security Updates..."
- http://www.marshal.com/trace/traceitem.asp?article=421

:fear:
 
Anticipated Storm-Bot Attack Begins

FYI...

Anticipated Storm-Bot Attack Begins
- http://isc.sans.org/diary.html?storyid=3778
Last Updated: 2007-12-24 03:41:39 UTC
"Overview and Blocking Information
Shortly after 0000 GMT 24-DEC-2007 reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a Christmas-themed stripshow directing victims to merrychristmasdude .com.

The message comes in with a number of subjects:
Subject: I love this Carol!
Subject: Santa Said, HO HO HO
Subject: Christmas Email
Subject: The Perfect Christmas
Subject: Find Some Christmas Tail
Subject: Time for a little Christmas Cheer

The body is something similar to:

do you have a min?
This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these...

hxxp: // merry christmasdude .com / ...
Recommend that you apply blocks on that domain (merrychristmasdude.com) for both outbound HTTP requests and incoming emails.

Under The Hood
The domain appears to be registered through nic.ru and hosted on a fast-flux network of at least 1000 nodes. Like previous Storm waves, the binary changes approximately every 15 minutes; supposedly updating the peer-list used by the P2P network that the bot-net uses for command and control."

More... screenshot available here:
- http://www.disog.org/2007/12/stormworm-is-back-have-merry-christmas.html

and another ref:
- http://asert.arbornetworks.com/2007/12/storm-is-back-dude/
----------

Updated:
- http://isc.sans.org/diary.html?storyid=3778
Last Updated: 2007-12-24 13:11:38 UTC ...(Version: 3)
"...nice and tidy analysis available at: http://holisticinfosec.blogspot.com/2007/12/storm-bot-stripshow-analysis.html
...There's nothing new or exciting here: SPAM component, headless P2P, seasonal social engineering, fast flux, and other pervasively annoying attributes. User awareness, as always, is your strongest defense. Cheers and happy holidays, except for you RBN a$$h0735."

- http://www.f-secure.com/weblog/archives/00001349.html
December 24, 2007 - "...The IP address of the site changes every second. We also already detect it earlier as Email-Worm.Win32.Zhelatin.pd ... Don't be naughty and go wandering to that domain. Please do not click on the "Download For Free Now" button as it will get you infected. Merry Christmas, y'all!"
(Screenshot available at the F-Secure URL above.)

:fear:
 
Happy New Years .... from the Storm Worm

FYI...

Happy New Years .... from the Storm Worm
- http://isc.sans.org/diary.html?storyid=3784
Last Updated: 2007-12-25 19:36:34 UTC ...(Version: 3) - "Now that Christmas is here, the Storm Worm is moving on to New Years.

Overview and Blocking Information
Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Years-themed e-card... The message comes in with a number of subjects and body-text. The one line message bodies are also being used as the subject lines.

Seen So Far:
A fresh new year
As the new year...
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It's the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year
Update 1:
Happy New Year to You!
Happy New Year to <email address>
Lots of greetings on the new year
New Year wishes for You...

>>> We recommend applying filter blocks on the domain (u have post card.com) for both incoming email and outbound web traffic.
Under The Hood
As with 'merry christmas dude.com', this domain appears to be registered through nic.ru. It also appears to be hosted on the same fast-flux network, now with at least 8000 nodes.
If you go to that web site, currently the malware file is 'happy2008.exe'. We will add more analysis details throughout the day as we get them.
Update... blog entry from the other day with information about the newest Storm Worm. His blog posting is available at http://holisticinfosec.blogspot.com/2007/12/new-years-storm-deja-vu.html ..."

- http://www.f-secure.com/weblog/archives/00001350.html
"Updated to add: On (Dec)26th we started seeing a new domain: happycards2008.com. The filename has morphed as well, to happy-2008.exe..."

:fear::devil:
 
Storm worm update - 12.27.2007

FYI...

- http://asert.arbornetworks.com/2007/12/storm-and-2008-new-campaign/
December 27, 2007 - "...The filenames were “happy2008.exe”, “happy-2008.exe”, and now “happynewyear.exe”... Again, fast flux DNS (TTLs set to 0 seconds, lots of IPs being cycled in there, nameservers also fast fluxing in the network), open resolver, etc... Be wary of random e-cards from people you’ve never heard of, stay updated with AV, don’t run as administrator, etc..."

- http://isc.sans.org/diary.html?storyid=3784
Last Updated: 2007-12-27 13:39:26 UTC ...(Version: 5)
"Update: ...shortly before 0700 GMT 27-DEC-2007, the Storm Worm has changed the domain name and the executable file name being used to spread yet again. The email messages now refer to the URL http: // new year cards 2008 . com (spaces added) and the file to be downloaded is 'happynewyear.exe'. As with the previous URLs and filename, we recommend applying filter blocks on the domain for both incoming email and outbound web traffic."

:fear:
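As an added example (not code from this thread or from any of the quoted sources), a scorer for the fast-flux traits these reports list, run over constructed DNS lookups: TTLs set to 0, many A records being cycled through, nameservers that flux too, and answers that differ from one lookup to the next. The domain names, addresses, thresholds and the use of nameserver addresses rather than names are assumptions made for the illustration.

```python
# Constructed lookups: (lookup_no, domain, rrtype, ttl_seconds, answers). Names and
# addresses are placeholders, not the domains or hosts named in the thread. For the
# "NS" rows the answers are taken to be the nameservers' addresses (an assumption).
LOOKUPS = []
for i in range(12):   # fluxing domain: TTL 0, fresh A and NS addresses on every lookup
    LOOKUPS.append((i, "card-lure.example", "A", 0,
                    (f"192.0.2.{2 * i + 1}", f"192.0.2.{2 * i + 2}", f"198.51.100.{i + 1}")))
    LOOKUPS.append((i, "card-lure.example", "NS", 0, (f"203.0.113.{i + 1}",)))
for i in range(12):   # ordinary domain: long TTLs, the same answers every time
    LOOKUPS.append((i, "stable.example", "A", 3600, ("192.0.2.250",)))
    LOOKUPS.append((i, "stable.example", "NS", 86400, ("192.0.2.251", "192.0.2.252")))


def fast_flux_score(lookups, domain, max_ttl=60, min_distinct_a=10, min_distinct_ns=3,
                    min_churn=0.5):
    """Score `domain` from 0 to 4 on the traits in the reports above: near-zero TTL,
    many distinct A records, nameservers that change too, and A answer sets that
    differ between consecutive lookups. Thresholds are assumed values for illustration;
    CDNs and round-robin load balancers can legitimately show one or two of them."""
    a_ips, ns_ips, ttls, a_sets = set(), set(), [], []
    for _no, name, rrtype, ttl, answers in sorted(lookups):
        if name != domain:
            continue
        if rrtype == "A":
            a_ips.update(answers)
            ttls.append(ttl)
            a_sets.append(frozenset(answers))
        elif rrtype == "NS":
            ns_ips.update(answers)
    reasons = []
    if ttls and max(ttls) <= max_ttl:
        reasons.append(f"A-record TTL never above {max_ttl}s (max seen {max(ttls)}s)")
    if len(a_ips) >= min_distinct_a:
        reasons.append(f"{len(a_ips)} distinct A records across {len(ttls)} lookups")
    if len(ns_ips) >= min_distinct_ns:
        reasons.append(f"{len(ns_ips)} distinct nameserver addresses (NS set is fluxing too)")
    changed = sum(1 for prev, cur in zip(a_sets, a_sets[1:]) if prev != cur)
    if len(a_sets) > 1 and changed / (len(a_sets) - 1) >= min_churn:
        reasons.append(f"A answer set changed on {changed} of {len(a_sets) - 1} consecutive lookups")
    return len(reasons), reasons


if __name__ == "__main__":
    for d in ("card-lure.example", "stable.example"):
        score, why = fast_flux_score(LOOKUPS, d)
        print(f"{d}: score {score}/4", *why, sep="\n  ")
```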
 
More...

Storm switches tactics third time, adds rootkit
- http://preview.tinyurl.com/yqt7q4
December 27, 2007 (Computerworld) - "...The file being shilled today is tagged to "happynewyear.exe." More important is the behind-the-scenes addition of a rootkit to the versions of Storm now being seeded to infected machines, said researchers. Both Marco Giuliani of Prevx* and an independent security researcher named Russ McRee have posted analyses of Storm's cloaking attempt. "[Storm now has] better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?)," said McRee on his HolisticInfoSec Web site**. "No more hanging out in the open, easily seen"..."

* http://www.prevx.com/blog/74/Storm-Worm-third-round.html

** http://holisticinfosec.blogspot.com/2007/12/holiday-storm-part-3.html

:fear::devil:
 