Another "Storm" Wave ...

Add another domain:
- http://blogs.pcmag.com/securitywatch/2007/12/a_stormy_new_year.php
December 28, 2007 - "...Consider the following unsolicited e-mail:
From: ccs @ gotapco.com
Sent: Friday, December 28, 2007
To: Larry Seltzer
Subject: Happy 2008!
Wishes for the New 2008 Year
hxxp: // newyearwithlove .com
DON'T GO TO THAT DOMAIN! If you do, or to one of several others with similar names, you'll be redirected to an HTTP request for an EXE file pushing a trojan horse program. The domains are all registered with an unresponsive Russian registrar. Thirteen different name servers on different networks are listed as authoritative in order to make it harder to bring the domain down. Even more may be added, if necessary, to keep the domain up..."
-----------------------

- http://preview.tinyurl.com/yud8re
December 27, 2007 (Computerworld) - "...According to WHOIS look-ups, both the happycards2008.com and newyearcards2008.com domains were registered with a Russian domain registrar named RUcenter only yesterday; the listed contact for the two domains is a "Bill Gudzon" of Los Angeles, Calif., but the contact phone number gave only a constant busy signal. Since the newest Storm attack began on Monday with spam touting Christmas-themed strippers, the code has been repacked hundreds of times, a trick malware authors use to deceive signature-based antivirus software. Prevx, said Giuliani*, has already detected more than 400 variants of the version now in circulation."
* http://www.prevx.com/blog/74/Storm-Worm-third-round.html

:fear:
 
FYI...

Is a New Year's Storm a’brewin?
- http://preview.tinyurl.com/3apa67
December 31, 2007 10:40 AM (Symantec Security Response Weblog) - "...The Peacomm gang doesn’t seem content with their recent spam run and have launched a new one. Symantec is currently observing a spam run to celebrate New Years, 2008... Contained in the email is a URL to one of several possible Web sites. What is interesting is the number of recently registered domains involved in this spam run. It looks like another Clause family member- “Larry Clause”- has been very busy over the past few days, registering a number of domains with NIC.RU to aid the spam run. So far we have observed the following sites all involved in the spam run with most being registered to a Larry Clause:
• familypostcards2008.com
• freshcards2008.com
• happy2008toyou.com
• happycards2008.com
• happysantacards.com
• hellosanta2008.com
• hohoho2008.com
• newyearcards2008.com
• newyearwithlove.com
• parentscards.com
• postcards-2008.com
• Santapcards.com
• Santawishes2008.com
If clicked on, the user is presented with a plain page with the following text:
'Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run. Enjoy!'

Their use of fast flux hosting on botnets makes it very difficult to stop the hosting of this risk... be very cautious of opening greeting cards, especially from people you do not know. Always keep your antivirus software up-to-date and follow safe computing practices..."

:fear::buried:
 
Active Storm Worm Domains - Christmas, New Year’s Campaign

Updates...

- http://preview.tinyurl.com/2ueud4
January 2, 2008 (Arbornetworks) - "Based on a bunch of sources:
familypostcards2008.com
freshcards2008.com
happy2008toyou.com
happycards2008.com
happysantacards.com
hellosanta2008.com
hohoho2008.com
merrychristmasdude.com
newyearcards2008.com
newyearwithlove.com
parentscards.com
postcards-2008.com
santapcards.com
santawishes2008.com
uhavepostcard.com

All of these are worth blocking by DNS methods (become the local SOA, NXDOMAIN them) and looking for in your emails (look for a simple URL with those domain names near the end of a very short email)...
UPDATE: Added parentscards.com, which is now in use."
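Added example (my own, not Arbor's code): the two things the post recommends for this list, turned into a script. It renders the fifteen domains as a BIND response-policy zone that answers NXDOMAIN for each name and its subdomains (the zone name, serial and SOA values are assumptions; a local authoritative empty zone per domain, as the post phrases it, has the same effect), and it checks a mail body for URLs on those domains plus the shape the post describes, a very short message ending in a bare URL. The three sample messages are constructed, and the 40-word threshold is an assumed cut-off.

```python
"""Added example (not Arbor's code): act on the domain list above in two ways
the post suggests -- NXDOMAIN the names locally, and spot them in short mails."""
import re
from urllib.parse import urlsplit

# The fifteen domains exactly as listed in the post, case-folded.
STORM_DOMAINS = frozenset({
    "familypostcards2008.com", "freshcards2008.com", "happy2008toyou.com",
    "happycards2008.com", "happysantacards.com", "hellosanta2008.com",
    "hohoho2008.com", "merrychristmasdude.com", "newyearcards2008.com",
    "newyearwithlove.com", "parentscards.com", "postcards-2008.com",
    "santapcards.com", "santawishes2008.com", "uhavepostcard.com",
})


def build_rpz_zone(domains, zone_name="storm.rpz.local", serial=2008010201):
    """Render a BIND response-policy zone (RPZ) in which each listed domain and
    every subdomain of it answers NXDOMAIN ("CNAME ." is the RPZ NXDOMAIN
    action). Zone name, serial and SOA values are assumptions for the example."""
    lines = [
        f"$ORIGIN {zone_name}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{zone_name}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for name in sorted(domains):
        lines.append(f"{name} IN CNAME .")     # the apex itself -> NXDOMAIN
        lines.append(f"*.{name} IN CNAME .")   # www., mail., ... -> NXDOMAIN
    return "\n".join(lines) + "\n"


_URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")


def _host_of(url):
    """Hostname of a URL, lower-cased, with a scheme added for bare www. forms."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def matches_blocklist(host, domains=STORM_DOMAINS):
    """True when host is one of the listed domains or a subdomain of one
    (label-wise suffix match, so notnewyearwithlove.com does not match)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def classify_email(body, domains=STORM_DOMAINS, max_words=40):
    """Report blocklisted URLs in a mail body, plus the shape the post describes:
    a very short message whose last line is just a URL. The word limit is an
    assumed threshold; the shape alone is only a hint, the domain hit is the
    evidence."""
    urls = _URL_RE.findall(body)
    hits = [u for u in urls if matches_blocklist(_host_of(u), domains)]
    lines = body.strip().splitlines()
    last_line = lines[-1].strip() if lines else ""
    trailing_url = bool(urls) and _URL_RE.fullmatch(last_line) is not None
    return {
        "urls": urls,
        "blocklist_hits": hits,
        "short_with_trailing_url": len(body.split()) <= max_words and trailing_url,
    }


# Constructed sample messages (not real captures).
SAMPLE_STORM = "Wishes for the New 2008 Year\nhttp://newyearwithlove.com\n"
SAMPLE_SUBDOMAIN = "Happy holidays!\nhttp://www.Hohoho2008.com/\n"
SAMPLE_CLEAN = "Meeting notes are on the wiki, thanks.\nhttps://wiki.example.internal/notes/2008-01\n"

if __name__ == "__main__":
    print(build_rpz_zone(STORM_DOMAINS))
    for sample in (SAMPLE_STORM, SAMPLE_SUBDOMAIN, SAMPLE_CLEAN):
        print(classify_email(sample))
```

The clean sample deliberately has the same short-mail-with-trailing-URL shape as the Storm one: the shape is a triage hint, the domain match is what you act on, so the zone file and the blocklist check carry the weight and the shape flag only orders the queue.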
 
Storm Social-Engineering Manages a >200% Increase in Size

FYI...

- http://preview.tinyurl.com/3cj8m3
January 3, 2008 (TrendMicro blog) - "...The good folks over at the German HoneyNet Project* have some interesting statistics which indicate that, due to renewed efforts over the course of the Christmas and New Year’s holiday, the puppet masters controlling the Storm Botnet managed to increase the Storm Botnet size by more than 200%... given that the newest iterations of Storm include (and revolve around) a new promulgation of a rootkit component**, it can be somewhat difficult to ascertain specific detection numbers... Social engineering continues to be a major, major threat vector..."

* http://honeyblog.org/archives/156-Measuring-the-Success-Rate-of-Storm-Worm.html

** http://blog.trendmicro.com/storm-gets-new-toys-for-christmas/

:fear:
 
FYI...

Phishing from the Storm Botnet
- http://www.f-secure.com/weblog/archives/00001359.html
January 9, 2008 - "Last night there was a phishing run using the domain i-halifax.com. The IP address of the site was changing every second or so. The server i-halifax.com was an active fast flux site and was hosted within a botnet. Interestingly, when we picked out a random IP address from the list and resolved that address to other sites hosted in the past, we found something familiar: Hmm… hellosanta2008.com… postcards-2008.com? Sounds like Storm. So somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before. But we've been expecting something along these lines. From our end-of-year Data Security Wrap-up:
'October brought evidence of Storm variations using unique security keys. The unique keys will allow the botnet to be segmented allowing "space for rent". It looks as if the Storm gang is preparing to sell access to their botnet.'
This may be what's happening now."
(Screenshots available at the URL above.)

- http://www.fortiguardcenter.com/advisory/FGA-2008-02.html
2008.January.07 - "...As of writing, the phishing run is targeting Barclays customers. All of the emails have a similar body..., and display a typical social engineering speech directed towards users who have a moderate level of awareness. These users are ones who may have heard online banking is subject to some fraudulent computer attacks, but cannot identify one. Phishers often use this social engineering approach for 3 reasons:
1. A security check is a good pretext to ask people to log in to their account
2. The "fear factor" carried by a security check is a strong incentive for people to actually carry forward
3. Users may feel that since it is a security check, it cannot be an attack the email is referring to ..."
UPDATES: As of 16:00 January 7, 2008 the notified registrar appears to have taken action as the fraudulent Barclays domain in question (linked to by the phishing emails) no longer responds to queries. As of January 8, 2008 new emails emanating from the Storm botnet have been observed by the Fortinet Global Security Research Team which use the same social and domain engineering, however target a different bank: Halifax. This is a precursor that other banks may be targeted as well..."
(Screenshots available at the Fortinet URL above.)

- http://blog.trendmicro.com/a-new-storm-twist-phishing/
January 8, 2008 - "...several domains which were only registered yesterday “popped up” on our internal early warning systems overnight, and surprisingly enough, we started seeing these hosts serving up phishing pages (partial screenshot of Royal Bank of Scotland phish above) today. Another interesting aspect of this turn of events is that these hosts are part of the Storm fast-flux botnet, and we detected them while watching domain activity normally associated with suspected RBN (Russian Business Network) -associated activities. We can only suspect that perhaps a portion of the Storm botnet is being rented out to phishers..."

:fear:
 
Stormy Skies - Clearing?

Hmmm...

- http://asert.arbornetworks.com/2008/01/stormy-skies-clearing/
January 9th, 2008 - "Seems like NIC.RU has been cleaning house a bit. The recent Storm worm domains appear to have all been cleared up. This domain appears to be dead in both the whois records - it says the domain is locked - and DNS databases.

UPDATED: a short while after it was originally posted to note that -all- domains are dead, not just one or two."

:spider:
 
FYI...

Malicious Code: New Storm Tactic: Valentine's Day:heart:
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=838
January 15, 2008 - "Websense® Security Labs™ has received reports and confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Valentine's Day twist in its attempts to infect users with malicious code... As with previous Storm emails, various subjects and bodies will be used... 3 different email lures containing 3 different subject lines and message..."

- http://www.f-secure.com/weblog/archives/00001363.html
January 15, 2008 - "Yet another wave of the Storm worm is now being spammed widely and this time it's all about love. They were late for Christmas, just in time for New Year and really early for Valentine's. The filename being downloaded now is withlove.exe..."

- http://asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
January 15th, 2008 - "...inspection reveals it’s a pointer to a storm node...
Subject lines seen so far:
* A Toast My Love
* Your Love Has Opened
* Sending You My Love ..."

(Screenshots available at all URLs above.)

:fear:
 
Malicious Code: New Storm Tactic: Valentine's Day... (more)

FYI...

- http://isc.sans.org/diary.html?storyid=3855
Last Updated: 2008-01-16 10:26:18 UTC - "...The e-mails Storm is sending are the same as in the last couple of waves – a subject designed to catch your attention and a body with a URL consisting of only an IP address... only 4 anti-virus programs out of 32 on VirusTotal properly detected it, with virtually no coverage amongst the most popular anti-virus programs. These results are not completely correct since some AV programs are able to block Storm when the user tries to execute it, due to behavior analysis. That being said, it still shows that the server-side packing/obfuscation Storm uses works..."

:fear::heart:
 
FYI... (current "Subject" and attachment list - Storm e-mail SPAM list)

- http://preview.tinyurl.com/2r6gma
January 16, 2008 (Symantec Security Response Weblog) - "...The subjects and bodies we have seen so far include the following (many are recycled from the Storm worm's 2007 Valentine's Day campaign:heart:):

• A Dream is a Wish
• A Is For Attitude
• A Kiss So Gentle
• A Rose
• A Rose for My Love
• A Toast My Love
• Come Dance with Me
• Come Relax with Me
• Dream of You
• Eternal Love
• Eternity of Your Love
• Falling In Love with You
• For You....My Love
• Heavenly Love
• Hugging My Pillow
• I Love You Because
• I Love You Soo Much
• I Love You with All I Am
• I Would Dream
• If Loving You
• In Your Arms
• Inside My Heart
• Love Remains
• Memories of You|A Token of My Love
• Miracle of Love
• Our Love is Free
• Our Love Nest
• Our Love Will Last
• Pages from My Heart
• Path We Share
• Sending You All My Love
• Sending You My Love
• Sent with Love
• Special Romance
• Surrounded by Love
• The Dance of Love
• The Mood for Love
• The Time for Love
• When Love Comes Knocking
• When You Fall in Love
• Why I Love You
• Words in my Heart
• Wrapped in Your Arms
• You... In My Dreams
• Your Friend and Lover
• Your Love Has Opened
• You're my Dream

Attachment Name:
• withlove.exe
• with_love.exe ..."

:fear:
 
FYI...

New Storm tactic: Medical spam sites
- http://www.websense.com/securitylabs/blog/blog.php?BlogID=170
Jan 29 2008 - "...Storm worm has changed spamming tactics. Spam sent by infected hosts contains links of the format:
http ://(IP address)/(short random directory name)
These links redirect users to medical spam sites, but the links are still infected at the root level (e.g. http ://IP address/). The redirects help these medical spam sites attempt to evade spam filters..."

- http://blog.trendmicro.com/storm-now-serving-bad-medicine/
January 31, 2008

(Screenshot available at both URLs above.)

:fear:
 
FYI...

- http://www.marshal.com/pages/newsitem.asp?article=503&thesection=news
31 January 2008 – "...Storm is one of five botnets that we have been monitoring that we believe are responsible for approximately 75 per cent of all spam in circulation. One particular botnet which heavily promotes a certain brand of male enhancement pills accounts for nearly 30 per cent. This one bot has already exceeded Storm’s records and it has done it quietly without attracting too much attention. This might signal a new strategy by some of the spam crews to try and draw less attention to themselves through high profile email campaigns... It is also possible that the individuals behind the Storm botnet are responsible for one or more of these new botnets. These people are smart and one lesson they may have learned from Storm is to stay under the radar if they want to remain successful. There is a lot of crossover with the products being promoted by all five of these botnets. This could indicate some sort of connection between them...”

- http://preview.tinyurl.com/2zlwao
February 4, 2008 (Computerworld) - "...Mega-D has borrowed a few tricks from Storm, such as operating in Asian countries typified by high broadband penetration and poor use of anti-virus, using Trojans to dodge signature-based removal techniques and proliferating over peer-to-peer networks... Mega-D has targeted Facebook users with fake invites that download the Trojan using a phony Flash Player update. More than 70 percent of global spam is sent from the botnets Mega-D, Pushdo, HTML, One Word Sub and Storm..."

- http://www.marshal.com/trace/traceitem.asp?article=510
February 4, 2008

:fear::fear:
 
Eye on the botnets...

- http://www.darkreading.com/document.asp?doc_id=144919&print=true
FEBRUARY 4, 2008 - "A new peer-to-peer (P2P) botnet even more powerful and stealthy than the infamous Storm has begun infiltrating mostly U.S.-based large enterprises, educational institutions, and customers of major ISPs. The MayDay botnet can evade leading antivirus products, and so far has compromised thousands of hosts, according to Damballa, which says 96.5 percent of the infected machines are in the U.S., and about 2.5 percent in Canada. Damballa first hinted at this potential successor to Storm late last year... The botnet uses two forms of P2P communications to ensure it can talk to its bots, including the Internet Control Message Protocol (ICMP)... Damballa is not sure why AV engines aren't detecting MayDay's malware... The infection comes in the form of what appears to the victim to be an Adobe Reader executable, but is actually the malware...
As for Storm, researchers are now looking at whether another spam-spewing botnet, called Mega-D, is somehow related to Storm. Researchers from U.K.-based security vendor Marshal over the weekend blogged about Mega-D overshadowing Storm in spam delivery, with 32 percent of all spam they caught in their filters versus only 2 percent from Storm, which they say previously had accounted for 20 percent of the spam. Mega-D mostly spams male sexual enhancement drugs, according to Marshal...
So far, MayDay is mostly ordering its bots to send spam runs, he says. It also sends accounting information back to the command and control servers on the success of the spam runs, so it appears relatively businesslike. Meanwhile, Damballa is working on reverse-engineering the ICMP communications, which are encrypted, Cox says."

- http://asert.arbornetworks.com/2008/02/mega-d-spambot-follow-up/
February 5, 2008 - Mega-D Spambot Follow-up

- http://asert.arbornetworks.com/2008/02/secureworks-ozdokmega-d-trojan-analysis/
February 11, 2008 - "Enabled by some spam samples Marshal provided, Joe Stewart and the good folks @SecureWorks, with an assist from Team Cymru and my|NetWatchman, have identified the malware and botnet referred to as Mega-D. It turns out Mega-D is composed of bots from the little-known Ozdok malware family. Joe provides some analysis on scale and distribution of the botnet here*, as well as some detailed bits on behaviors of the Trojan itself..."
* http://www.secureworks.com/research/threats/ozdok/?threat=ozdok
February 11, 2008

:fear::spider:
 
FYI...

Storm Worm Valentine's Day Update
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080210
February 10, 2008 - "...Storm Worm has once again undergone another change as Valentine's Day is approaching. Fresh with 8 different rotating Valentine's Day images and a new executable named valentine.exe (may sound familiar), the Storm Worm may be gearing up for a new round of assaults on inboxes. It would appear that the domains are no longer serving up wildcard .gif files related to their stock spams. Instead we have eight .gif images ranging from 1.gif on up to 8.gif. After a few moments you'll be prompted to download the binary... a peek at the 8 images..."

- http://blog.trendmicro.com/storm-sure-loves-everybody/
February 11, 2008 - "...The spammed email messages are just plain text, but these contain links that lead to malicious Web sites displaying one of eight cute Valentine images..."

(Screenshots available at the URLs above.)

:fear:
 
FYI...

Stormworms spammy love notes
- http://isc.sans.org/diary.html?storyid=3979
Last Updated: 2008-02-12 22:42:30 UTC - "We received several reports of spam containing Subject lines such as: “Sweetest Things Aren’t Things!, Valentine’s Day, The Love Train” and other similar subject lines. These all included a URL that was just an IP address. Those URLs lead to binaries named valentine.exe. The MD5 on the binaries is changing rapidly, so AV detection based on MD5 or other hash values is not reliable. We submitted one version to VirusTotal. 12/31 of the AV engines there recognized it. Valentine.exe is a new version of the Storm worm... Jose Nazario of Arbornetworks has some additional information about this at:
http://asert.arbornetworks.com/2008/02/new-storm-valentines-day-campaign/ ..."
"...Poor AV detection (via VirusTotal), but humans can spot this a mile away."

:fear:
 
FYI...

Botnet wars?
- http://blog.trendmicro.com/rtkt_pushuac-rootkit-remover/
February 27, 2008 - "A malware removes rootkits? There has to be a catch here. Our recent analysis of RTKT_PUSHU.AC reveals that this component of WORM_NUWAR, TROJ_PUSHDO/TROJ_PANDEX malware families removes previously installed rootkits by other malware but then infects the system with its own rootkit components..."


:blink:
 
FYI...

Storm Reactivating
- http://www.f-secure.com/weblog/archives/00001392.html
March 3, 2008 - " We haven't seen new Storm sites since the spam run they did over Valentine's Day… until early this morning. Right now they are sending a wide variety of mails regarding ecards... Depending on what you do, you end up with either e-card.exe (clicking the picture), e-card.exe (clicking the link) or postcard.exe (waiting for a few seconds). The files are variable but they always do the same thing: infect your system with the latest Storm/Zhelatin variant..."
(Screenshots available at the F-secure URL above.)

- http://isc.sans.org/diary.html?storyid=4054
Last Updated: 2008-03-03 08:18:58 UTC - "...Well, Storm is back, and back to generic e-Card spam... some Subjects and Contents to watch for:

Subject:
Your ecard joke is waiting
You have an ecard
We have a ecard surprise
Someone Just sent you an ecard
Did you open your ecard yet
ecard waiting for you
Open your ecard
new ecard waiting
Now this is funny
online greeting waiting
sent you an ecard

Body:
laughing Funny Card
You have been sent a Funny Postcard
You have been sent the Funny Ecard
original Funny Card
Someone Sent you this Funny Ecard
your funny postcard
original Funny Postcard
sent a Funny Postcard
personal funny postcard
FunnyPostcard
laughing funny postcard

Watch your inbox, and let's hope the AV vendors jump on this quickly."

:fear:
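Added example (mine, not code from ISC, F-Secure or Websense): the ISC diary above gives the subject and body lures verbatim, and the earlier Websense and ISC posts describe the link as an IP address alone, optionally followed by a short random directory name. This script scores a message on both: it matches the lure phrases case-insensitively and flags any URL whose host is a literal IPv4 address, classing the path as root, short directory, or other. The sample messages are constructed (addresses from the RFC 5737 documentation ranges) and the verdict labels are this example's own.

```python
"""Added example (not ISC's or Websense's code): score a mail against the
e-card subject and body lures listed in the diary above, and flag URLs that
are nothing but an IP address, with or without the short random directory the
Websense post describes."""
import ipaddress
import re

# Lure phrases exactly as listed in the ISC diary, matched case-insensitively.
SUBJECT_LURES = [
    "Your ecard joke is waiting", "You have an ecard", "We have a ecard surprise",
    "Someone Just sent you an ecard", "Did you open your ecard yet",
    "ecard waiting for you", "Open your ecard", "new ecard waiting",
    "Now this is funny", "online greeting waiting", "sent you an ecard",
]
BODY_LURES = [
    "laughing Funny Card", "You have been sent a Funny Postcard",
    "You have been sent the Funny Ecard", "original Funny Card",
    "Someone Sent you this Funny Ecard", "your funny postcard",
    "original Funny Postcard", "sent a Funny Postcard",
    "personal funny postcard", "FunnyPostcard", "laughing funny postcard",
]

# http://<dotted quad>[:port][/path]; octet range is validated afterwards.
_IP_URL_RE = re.compile(r"(?i)https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/[^\s<>\"']*)?")
# "short random directory name": one path segment, letters/digits only, no extension.
_SHORT_DIR_RE = re.compile(r"/[A-Za-z0-9]{1,12}/?")


def bare_ip_urls(text):
    """Return (ip, kind) for every URL whose host is a literal IPv4 address.
    kind is 'root' for http://ip/ , 'short-dir' for http://ip/abc12 , else 'other'."""
    found = []
    for ip, path in _IP_URL_RE.findall(text):
        try:
            ipaddress.IPv4Address(ip)          # rejects octets above 255
        except ipaddress.AddressValueError:
            continue
        if path in ("", "/"):
            kind = "root"
        elif _SHORT_DIR_RE.fullmatch(path):
            kind = "short-dir"
        else:
            kind = "other"
        found.append((ip, kind))
    return found


def _lure_hits(text, lures):
    low = text.lower()
    return [phrase for phrase in lures if phrase.lower() in low]


def score_message(subject, body):
    """Combine the two signals. A lure plus a bare-IP link is the Storm shape;
    a bare-IP link alone is still worth a look (the medical-spam redirects
    used the same root-level hosts); a lure alone is weak. Verdict labels are
    this example's own."""
    subj_hits = _lure_hits(subject, SUBJECT_LURES)
    body_hits = _lure_hits(body, BODY_LURES)
    ip_urls = bare_ip_urls(body)
    if ip_urls and (subj_hits or body_hits):
        verdict = "storm"
    elif ip_urls:
        verdict = "bare-ip"
    elif subj_hits or body_hits:
        verdict = "lure-only"
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject_lures": subj_hits,
            "body_lures": body_hits, "ip_urls": ip_urls}


# Constructed samples; the addresses are RFC 5737 documentation ranges.
STORM_MSG = ("You have an ecard",
             "You have been sent a Funny Postcard\nhttp://192.0.2.17/\n")
REDIRECT_MSG = ("Your order", "details: http://198.51.100.9/zq7f")
PHOTO_MSG = ("Now this is funny",
             "See the photo at https://photos.example.net/album/42")

if __name__ == "__main__":
    for subject, body in (STORM_MSG, REDIRECT_MSG, PHOTO_MSG):
        print(subject, "->", score_message(subject, body))
```

The point of the third sample is that a lure phrase on its own ("Now this is funny" is an ordinary subject line) should not trigger anything; it is the bare-IP link that separates these runs from legitimate e-card mail, which is why the hash-based AV detection the diary complains about is the wrong layer and the mail gateway is the right one.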
 
April Fool Storm emails...

FYI...

- http://www.f-secure.com/weblog/archives/00001410.html
March 31, 2008 19:45 GMT - " A wave of April Fool's Day related Storm (e)mails have just been sent out. Similar to the other times, with a link that points to an IP address... if you receive one of these emails, don't click on the link."
(Screenshots available at the URL above.)

- http://isc.sans.org/diary.html?storyid=4222
Last Updated: 2008-03-31 21:00:07 UTC - "...Again, a varied list of subjects comes with this release:
All Fools' Day
Doh! All's Fool.
Doh! April's Fool.
Gotcha!
Gotcha! All Fool!
Gotcha! April Fool!
Happy All Fool's Day.
Happy All Fools Day!
Happy All Fools!
Happy April Fool's Day.
Happy April Fools Day!
Happy Fools Day!
I am a Fool for your Love
Join the Laugh-A-Lot!
Just You
One who is sportively imposed upon by others on the first day of April
Surprise!
Surprise! The joke's on you.
Today You Can Officially Act Foolish
Today's Joke!
...The download is a binary, also with varying names:
foolsday.exe
funny.exe
kickme.exe
...Virus coverage is poor with the samples we've captured, but we're working with the AV vendors to improve that..."

April Storm’s Day Campaign
- http://asert.arbornetworks.com/2008/03/april-storms-day-campaign
March 31, 2008 - "...here are the specifics for this variant:
* Peerlist: C:\WINDOWS\aromis.config
* Installs as: C:\WINDOWS\aromis.exe
* As always, listens on a random UDP port, makes a lot of outbound connections, allows itself to the firewall via “netsh firewall set” and via the registry, uses w32tm to update its clock, and so on."

:fear::spider::fear:
 