Another "Storm" Wave ...

AplusWebMaster

Follow up post/thread from http://forums.spybot.info/showthread.php?p=99490#post99490 ...

- http://isc.sans.org/diary.html?storyid=3063
Last Updated: 2007-06-28 23:33:56 UTC...

- http://preview.tinyurl.com/2g58ud
June 28, 2007 (Computerworld)...

- http://www.us-cert.gov/current/#new_storm_worm_variant_spreads
June 29, 2007

--------------------------------------

- http://asert.arbornetworks.com/2007/06/you-got-postcard-malware/
June 29, 2007 ~ "...Pretend you actually clicked the link. What would happen? You’d possibly get your machine recruited into the Peacomm spam botnet. This handy diagram* shows you what happens once you hit the website. There’s some obfuscated JavaScript on the page which builds a link to /123.htm, a malicious ANI file (MS07-017), and other exploits - QuickTime, WinZIP, and WebViewFolderIcon - all to cajole your computer into downloading files and launching them. There’s also a link to “/ecard.exe”, a downloader... If you actually get hit, your box will ping the web server (/aff/cntr.php) start to download the Peacomm components, like /aff/dir/sony.exe , /aff/dir/logi.exe, and /aff/dir/pdp.exe..."

(*Diagram shown at the URL above.)


:fear:
 
"...Variations:

Other subject lines used with this message include the following:

You've received a greeting card from a school-mate!
You've received a greeting ecard from a class mate!
You've received a greeting ecard from a neighbour!
You've received a greeting postcard from a partner!
You've received a greeting postcard from a worshipper!
You've received a postcard from a family member!
You've received a postcard from a neighbour!
You've received a postcard from a worshipper!
You've received an ecard from a colleague! ..."

- http://www.snopes.com/computer/virus/postcard.asp
Last updated: 1 July 2007

:fear:
 
Again:

Storm worm with 4th of July subject lines
- http://isc.sans.org/diary.html?storyid=3090
Last Updated: 2007-07-03 19:48:30 UTC ...(Version: 2) ~ "We've been receiving numerous mails from readers reporting new subject lines being featured by the Storm Worm. Below is a brief overview of those gathered so far...

Celebrate Your Independence
Independence Day At The Park
Fourth of July Party
American Pride, On The 4th
God Bless America
Happy B-Day USA
July 4th Family Day
Your Nations Birthday
July 4th B-B-Q Party
Happy 4th July
4th Of July Celebration
Fireworks on the 4th ."

:fear:
 
More:

- http://www.f-secure.com/weblog/archives/archive-072007.html#00001224
July 4, 2007 ~ "...Using an IP address and not a domain name is a pretty good sign that you shouldn't click on the link... They work exactly the same way as the other greeting cards and the ones we've seen have all been using IP addresses for the clickable link. Again, stay away from them... What's great is that the security community is actively trying to get these sites shut down but the bad guys just keep on changing the IP address in the new mails. In addition, they keep changing the files that are being downloaded..."

(Screenshots available at the URL above.)


.
 
FYI...

The ever morphing Storm
- http://isc.sans.org/diary.html?storyid=3117
Last Updated: 2007-07-09 03:01:00 UTC - "Readers have been reporting emails with subjects such as:
* Spyware Detected!
* Malware Alert!
* Virus Detected!
The Storm virus from the last week or so (greeting cards) has morphed into this new version. Nothing new, the texts have changed somewhat and the subject line is different. By and large it is still the same attempt to get people to download an exe file. Auscert* has put out an alert on this as there has been an increase of these messages in the region.
As per usual discourage users from blindly clicking links in emails. Educate them on your corporate AV and AS practices so they will know that the message is not legit and even if you do block all these messages maybe raise awareness with staff so they don't fall for these types of messages at home. Blocking downloads of exe files is also a good start..."

* http://www.auscert.org.au/render.html?it=7813

.
 
More...

Fake alert emails
- http://www.f-secure.com/weblog/archives/archive-072007.html#00001226
July 9, 2007 - "The same gang that has been sending out malicious links in e-mail messages appearing to be greeting cards or 4th of July greetings have now added a new look and feel to their e-mail. Now they might also look like malware, trojan, or spyware alerts from a Customer Support Center and the e-mail speaks about abnormal activity that has been seen from your IP address. All you supposedly have to do is to click on the link and run the file to fix it or else your account will get blocked. Needless to say the downloaded file is malicious. Again the file is downloaded using an IP address and not a DNS name but this time around they've tried to disguise themselves with a text hyperlink. We detect the downloaded file as Packed.Win32.Tibs.ab."
(Screenshot available at the URL above.)

New fake patch malicious code run
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=786
July 09, 2007

.
 
FYI...

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201200849
July 24, 2007 - "The Storm worm authors are waging a multi-pronged attack and generating the largest virus attack some researchers say they've seen in two years. "We are basically in the midst of an incredibly large attack," said Adam Swidler, a senior manager with security company Postini. "It's the most sustained attack that we've seen. There's been nine to 10 straight days of attack at this level." Swidler said in an interview with InformationWeek that the attack started a little more than a week ago, and Postini since then has recorded 200 million spam e-mails luring users to malicious Web sites. Before this attack, an average day sees about 1 million virus-laden e-mails, according to Postini. Last Thursday, however, the company tracked 42 million Storm-related messages in that day alone. As of Tuesday afternoon, Postini researchers were predicting they would see that day between 4 million and 6 million virus e-mails -- 99% of them associated with the Storm worm..."
> http://www.postini.com/stats/

:mad:
 
SPAM e-mails - bsaver.zip / funny.zip

FYI...

- http://www.f-secure.com/weblog/archives/archive-072007.html#00001236
July 27, 2007 - "On Wednesday* we blogged about major seeding of Trojan-Downloader.Win32.Agent.brk. This is now happening again... This time the e-mail attachment is named as bsaver.zip. E-mail subjects have also been revised. Below is a list of some examples we have witnessed so far:
Sunrise in your life
Life will be better
Good summer
Do it for pleasure
Life is good
Wanna be slim?
Good summer, dude
Two Telephone Calls And An Air
Be like me!
To be slim
Paradice in bed
The file is currently detected as Trojan-Downloader:W32/Agent.EXJ ..."

* http://www.f-secure.com/weblog/archives/archive-072007.html#00001234

(Screenshots available at the URLs above.)


:mad:
 
FYI...

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201202711
Aug 2, 2007 - "As the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a botnet of nearly 2 million computers -- researchers worry about the damage hackers could wreak if they unleash a denial-of-service attack with it. Between July 16 and Aug. 1, researchers at software security firm Postini have recorded 415 million spam e-mails luring users to malicious Web sites, according to Adam Swidler, a senior manager with Postini. Before the Storm worm began its attack, an average day sees about 1 million virus-laden e-mails crossing the Internet. On July 19, Postini recorded 48.6 million and on July 24, researchers tracked 46.2 million malicious messages -- more than 99% of them are from the Storm worm... Joe Stewart, a senior security researcher at SecureWorks, noted that the number of zombie computers that the Storm worm authors have amassed has skyrocketed in the past month. From the first of January to the end of May, the security company noted that there were 2,815 bots launching the attacks. By the end of July, that number had leapt to 1.7 million..."

:fear::mad:
 
FYI...

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201311245
Aug. 9, 2007 - "...Researchers at SecureWorks discovered late Wednesday that the Storm worm authors have taken their full attention off of e-mail-based attacks and have started creating malicious Web pages... Jackson said he spotted two malicious Web sites that have the Storm attack malware embedded in them. One site was set up specifically for malicious purposes, while the second is a legitimate site that attackers hacked into and infected. The legitimate site is a community forum for fans of Apple's Mac computers. Oddly enough, the malware doesn't affect the Mac - only Microsoft's Windows platform, and specifically the Internet Explorer browser..."

.
 
FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=792
August 14, 2007 - "...new Storm Trojan tactics being used within emails. The new emails are using the Subject: "Greeting Card Victim" and contain the following:
> Email Body:
Class-mate(enter name) has created Greeting card for you victim at christianet.com. To see your custom Greeting card, simply click on the following link: http:// <stripped>
Send a FREE greeting card from christianet.com whenever you want by visiting us at: This service is provided and hosted by christianet.com.
> End of Email Body
Just like previous attacks, the URLs point to a compromised machine that is hosting the BOT -and- an HTTP proxy. The same exploit code attempts to run the file without user intervention; however, the file name has changed to msdataaccess.exe..."

.
 
FYI...

- http://www.f-secure.com/weblog/archives/archive-082007.html#00001253
August 18, 2007 - "Last Wednesday we blogged* about the changing tactics being used by the Zhelatin / Storm Worm gang and their "eCard for you" -themed malware spam. The tactics are changing again. The malicious websites haven't changed; they still spread malicious msdataaccess.exe files. However, the emails no longer talk about ecards..."

* http://www.f-secure.com/weblog/archives/archive-082007.html#00001249


(Screenshots available at both URLs above.)


.
 
FYI...

New filename for Storm Trojan/Bot
- http://www.websense.com/securitylabs/blog/blog.php?BlogID=140
Aug 20 2007 - "The Storm Trojan / Bot continues to spread like wildfire. The latest version has a variety of subjects and email bodies but now uses the filename applet.exe.
> Email copy sample:
Greetings,
Here is your membership info for Downloader Heaven.
Member Number: 2259948423
Temorary Login: user6278
Temp Password ID: gr272
Please Change your login and change your Login Information.
Follow this link, or paste it in your browser: http: //...
Welcome,
Technical Services
Downloader Heaven..."

- http://isc.sans.org/diary.html?storyid=3298
Last Updated: 2007-08-21 ...(Version: 3) - "Looks like Storm moved to a new mutation. The e-mails are now inviting users to become members in various "clubs". Here is a sample I just got:
> Subject: Login Information
'Dear Member,
Are you ready to have fun at CoolPics.
Account Number: 73422529174753
Your Temp. Login ID: user3559
Temorary Password: jz438
Please Change your login and change your Login Information.
This link will allow you to securely change your login info: http: //...
Thank You,
New Member Technical Support
CoolPics...'
I have seen about a dozen different ones so far. They are all "confirmations" in this style to various web sites. The web page offers again an "applet.exe" for download. In short: We don't need to enumerate variants of the e-mail message. If you are brave and know what you are doing, download the applet.exe and try to reverse it (not easy typically). Thunderbird warned me that the link is a scam. (I think it does so for all numeric IP links). My copy of applet.exe was about 114 kB large. While many AV scanners detect it as "evil" based on heuristic signatures, some well known scanners don't (maybe Virustotal is running them without heuristic turned on, or they just don't do it)..."

.
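Several of the reports above point at the same cheap tell: the F-Secure post of July 4 ("Using an IP address and not a domain name is a pretty good sign that you shouldn't click"), the July 9 fake-alert post where the IP link was hidden behind a text hyperlink, and the ISC note above that Thunderbird flags all numeric-IP links. The script below is an added example written for this thread, not code from F-Secure, ISC or any other quoted source. It pulls the links out of a plain-text or HTML mail body and tags each one that uses a numeric IP as host, points straight at an .exe/.zip file (the ecard.exe / applet.exe / bsaver.zip pattern), or shows a visible URL whose host differs from the real href. The two sample messages and the 203.0.113.x address are constructed for the demo (documentation range, not a real host).

```python
"""Added example: flag e-mail links showing the lure traits this thread records:
a numeric IP instead of a hostname, a direct .exe/.zip download, and a visible
URL that differs from the real link target. Not code from any of the quoted sources."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r'https?://[^\s<>"\'()]+', re.IGNORECASE)
# Extensions of the payloads named in the thread (ecard.exe, applet.exe, bsaver.zip ...).
DOWNLOAD_EXTS = ('.exe', '.zip')


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for <a> elements and the text outside them."""

    def __init__(self):
        super().__init__()
        self.anchors = []       # (href, display text)
        self.outside = []       # text chunks not inside an anchor
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href')
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        else:
            self.outside.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.anchors.append((self._href, ''.join(self._text).strip()))
            self._href = None


def extract_links(body):
    """Return (url, display_text) pairs; display_text is None for bare URLs in plain text."""
    collector = _LinkCollector()
    collector.feed(body)
    collector.close()
    links = list(collector.anchors)
    for match in URL_RE.finditer(''.join(collector.outside)):
        links.append((match.group(0).rstrip('.,;:'), None))
    return links


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(url, display_text=None):
    """Return the list of warning tags for one link; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = parts.hostname or ''
    tags = []
    if _is_ip_literal(host):
        tags.append('numeric-ip-host')
    if parts.path.lower().endswith(DOWNLOAD_EXTS):
        tags.append('direct-download')
    if display_text:
        # The July 9 wave hid the IP link behind descriptive text; a visible URL
        # whose host is not the real target is the same trick in a stronger form.
        shown = URL_RE.search(display_text)
        if shown and (urlsplit(shown.group(0)).hostname or '') != host:
            tags.append('display-host-mismatch')
    return tags


def assess_message(body):
    """Assess every link in an e-mail body (plain text or HTML)."""
    return [(url, assess_link(url, text)) for url, text in extract_links(body)]


# Constructed samples; 203.0.113.0/24 is a documentation range, not a real host.
GREETING_CARD = (
    "You've received a postcard from a family member!\n"
    "To see it, visit http://203.0.113.7/ecard.exe now."
)
FAKE_ALERT = (
    '<p>Abnormal activity has been seen from your IP address. '
    '<a href="http://203.0.113.7/">http://support.example.com/fix</a> '
    'or your account will be blocked.</p>'
)

if __name__ == '__main__':
    for sample in (GREETING_CARD, FAKE_ALERT):
        for url, tags in assess_message(sample):
            print(url, tags or 'ok')
```

Run on the two samples it tags the greeting card link as numeric-ip-host plus direct-download, and the fake-alert link as numeric-ip-host plus display-host-mismatch; a normal link to a named host with no download extension comes back with no tags. The heuristic is deliberately the same one the quoted sources rely on, so it is a triage aid for a mail gateway or a user-awareness demo, not a substitute for blocking executable downloads at the perimeter as the ISC diary recommends.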
 
FYI...

Malicious Website/Code: Storm adds YouTube lures
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=799
August 25, 2007 - "The Storm Trojan / Bot continues to spread and is now using a YouTube video to lure users. The latest version has a variety of subjects and email bodies but now uses the filename video.exe.
Email subject example: Sheesh man what are you thinkin.
Upon connecting to the URL, which is referenced as a YouTube link but is actually a Storm IP, the same exploit code used in past attacks attempts to run. As in the past if users are not vulnerable they will get a page displayed that requests they run the code manually..."

(Screenshot available at the URL above.)

- http://www.websense.com/securitylabs/blog/blog.php?BlogID=141
"...Conclusion: The Storm attack is something we can expect more of in the future. It is an organized, sophisticated, well planned out and resilient attack that has infected millions of machines around the world. The techniques use a combination of attack vectors including; DNS, Web, P2P, encryption, and several evasion techniques. This not only highlights the need for deploying sophisticated counter measures to mitigate your company's risks, but also shows the need for more collaborative efforts across borders with law enforcement, ISPs, and other folks moving forward."

Also see: http://isc.sans.org/diary.html?storyid=3321
Last Updated: 2007-08-25 21:00:55 UTC ...(Version: 2)

.
 
FYI...

- http://www.theregister.com/2007/08/29/storm_hits_blogger/
29 August 2007 - "...By now, anyone who doesn't live under a rock is familiar with the spam messages bearing subjects such as "Dude what if your wife finds this" and "Sheesh man what are you thinkin" and including a link to a supposed YouTube video. Recipients foolish enough to click on the link are taken to an infected computer that tries to make their machine part of a botnet. Now Storm Worm, the malware responsible for those messages, has overrun Google-owned Blogger. According to one search, some 424 Blogger sites have been infected..."

.
 
FYI...

More Peacomm Tactic Changes
- http://atlas.arbor.net/briefs/index#-24164615
Severity: Elevated Severity
Published: Thursday, August 30, 2007 10:36
"This week has seen additional Peacomm malware lure changes. Emails have now been appearing that encourage users to view YouTube videos, download beta software, and to try out new software. All of these are methods that the Peacomm authors are using to attract new victims. At last count we have seen some estimates between 1 million and 10 million or more infected computers. This is a staggering number of infected machines and we are working with others to combat this problem.
Analysis: We have been monitoring the changes in the lure tactics of the Peacomm worm, and have seen them change more frequently as of late. We are not certain what the next change will be, but we anticipate it will happen soon."

.
 
FYI...

- http://www.f-secure.com/weblog/archives/archive-092007.html#00001272
September 6, 2007 - "A new round of storm worm attacks are playing on people's paranoia against being watched online. This time the lure leads users to a "TOR download" page, which is... surprise, surprise... fake... Clicking on the button in that webpage will download a malicious file called tor.exe into the system. This file is already detected as Email-Worm:W32/Zhelatin.IL. Do note that the real TOR application is hosted on http://tor.eff.org/. For those unfamiliar with it, it is a system designed to enable its users to communicate anonymously over the Internet."

(Screenshot available at the URL above.)

.
 
FYI...

Stormworm Tactics Change to Football Fungus
- http://www.disog.org/
September 08, 2007 - "...Starting about 13:50 GMT ...noticed the domains started rotating the IP's less frequently. Looking back at my logs I came up with this:
2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1
Now the index page is NFL related (and nicely done) which is sharing NFLTracker.exe (NFLTracker.exe - Infected: Trojan.Peed.III). It's not using any of the xor'd javascript or browser exploits. This page is strictly social engineering... Our guess is the domains will be changing soon, with football related names - or that there will be mass infection of football related sites with frames pointing to the peer pages."

(Screenshot available at the URL above.)

Per: http://isc.sans.org/diary.html?storyid=3361
----------------------------------------------------

Also: http://www.f-secure.com/weblog/archives/archive-092007.html#00001273
September 9, 2007 - "...To become infected you have to click on one of the links or on the picture (they all point to the same file – tracker.exe) and run the file. Still, this can change at any moment so don't click on any links you receive in these e-mails."

(More screenshots available at the F-Secure URL above.)

.
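The disog.org log quoted above shows the lure domain changing address every five to twenty-five minutes before finally pointing at 127.0.0.1. Reading that sort of log by eye works for a dozen lines; the script below, an added example for this thread and not disog.org's or ISC's code, parses the same line format (single observation, closed interval, or an open interval ending in NOW), skips the loopback entry, and reports how many distinct addresses and /16 blocks the name cycled through and how long each address served. The "fast-flux" thresholds (median dwell of 30 minutes or less, at least five addresses) are an assumption for the demo, and the sample log is constructed in the quoted format using documentation-range addresses rather than the real hosts listed above.

```python
"""Added example: parse a resolution log in the format quoted above and
summarise how quickly a domain rotates through IP addresses. Not code from disog.org."""
import ipaddress
import re
import statistics
from dataclasses import dataclass
from datetime import datetime

_TS = r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}'
LINE_RE = re.compile(
    rf'^(?P<start>{_TS}) \(GMT\)'
    rf'(?: - (?:(?P<end>{_TS}) \(GMT\)|(?P<now>NOW)))?'
    r': (?P<ip>[0-9A-Fa-f.:]+)$'
)


@dataclass
class Resolution:
    ip: str
    start: datetime
    end: datetime   # equal to start when the log shows a single observation


def _ts(text):
    return datetime.strptime(text, '%Y-%m-%d %H:%M')


def parse_log(text, now):
    """Turn log lines into Resolution records; an open 'NOW' interval ends at `now`."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f'unrecognised log line: {line!r}')
        ipaddress.ip_address(match['ip'])    # reject garbage before it reaches the stats
        start = _ts(match['start'])
        if match['now']:
            end = now
        elif match['end']:
            end = _ts(match['end'])
        else:
            end = start
        records.append(Resolution(match['ip'], start, end))
    return records


def summarise(records):
    """Rotation statistics over the non-loopback addresses in the log."""
    active = [r for r in records if not ipaddress.ip_address(r.ip).is_loopback]
    dwell = [(r.end - r.start).total_seconds() / 60 for r in active if r.end > r.start]
    return {
        'distinct_ips': len({r.ip for r in active}),
        # Distinct /16 blocks: a crude proxy for how spread out the hosts are.
        'distinct_slash16': len({ipaddress.ip_network(f'{r.ip}/16', strict=False)
                                 for r in active}),
        'median_dwell_minutes': statistics.median(dwell) if dwell else None,
        # The quoted log ends on 127.0.0.1, i.e. the name was pointed at localhost.
        'final_is_loopback': bool(records) and ipaddress.ip_address(records[-1].ip).is_loopback,
    }


def looks_fast_flux(summary, max_median_dwell=30, min_distinct_ips=5):
    """Assumed thresholds: many addresses, each serving for well under an hour."""
    median = summary['median_dwell_minutes']
    return (median is not None and median <= max_median_dwell
            and summary['distinct_ips'] >= min_distinct_ips)


# Constructed log in the quoted format; addresses are documentation ranges.
SAMPLE_LOG = """\
2007-09-08 13:49 (GMT): 192.0.2.10
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 198.51.100.23
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 203.0.113.77
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 192.0.2.200
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 198.51.100.5
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 203.0.113.9
2007-09-08 14:50 (GMT) - NOW: 127.0.0.1
"""
SAMPLE_NOW = datetime(2007, 9, 8, 15, 44)   # the moment the 'NOW' line was written


def analyse(text=SAMPLE_LOG, now=SAMPLE_NOW):
    return summarise(parse_log(text, now))


if __name__ == '__main__':
    result = analyse()
    print(result, 'fast-flux' if looks_fast_flux(result) else 'stable')
```

On the constructed log this reports six distinct addresses across three /16 blocks with a median dwell of nine minutes and a final loopback entry, which the assumed thresholds classify as fast-flux. Fed your own resolver logs in the same format it gives a quick way to notice when a domain has stopped rotating (the "less frequently" change disog.org noticed) or has been parked on localhost.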
 