
Another "Storm" Wave


75 replies to this topic

#1 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,564 posts

Posted 29 June 2007 - 07:05 AM

FYI...

- http://isc.sans.org/...ml?storyid=3063
Last Updated: 2007-06-28 23:33:56 UTC ~ "...There is a new round of emails with malicious links that is making its way to the inbox of many folks. If you haven't gotten one yet, just give it time. Here is a quick summary of what we have found. The subject lines that we have gotten examples of have all been identical. You may have gotten something else.

"Subject: You've received a postcard from a family member!" ...

The ecard numbers in the URL above are variable across SPAM samples.
There are 3 exploits available and they are tried in order.

The first one is for QuickTime.
If that fails a Winzip exploit is attempted
If that fails, the "hail mary" is the WebViewFolderIcon exploit...

Here are a few more of the malware hosting servers they've relied on in recent months in addition to the HopOne and Softlayer host above: [ASN/IP list omitted]..."


:eek:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#2 AplusWebMaster


Posted 29 June 2007 - 07:49 AM

FYI...

- http://preview.tinyurl.com/2g58ud
June 28, 2007 (Computerworld) - "..."This is widespread, and leads the user to multiple IP addresses," said Shimon Gruper, vice president at Aladdin Knowledge Systems Inc., a security company known for its eSafe antivirus software. "There's not a single server, there are multiple exploits, [and the e-mail] has no attachments. This will be very difficult to detect." Two days ago, a Symantec honeypot captured a similar Web site-hosted attack that had an arsenal of exploits at its disposal. That attack, however, featured an unusual, if rudimentary, browser detector that sniffed out whether the target computer is running Microsoft's Internet Explorer (IE) or Mozilla Corp.'s Firefox. If the attack detects IE, it feeds the machine a Windows animated cursor exploit. If it finds Firefox, however, the sites spit out a QuickTime exploit."

- http://www.us-cert.g...variant_spreads
June 29, 2007

:eek: :eek:

Edited by apluswebmaster, 29 June 2007 - 01:24 PM.



#3 AplusWebMaster


Posted 30 June 2007 - 06:40 PM

FYI...

- http://asert.arborne...stcard-malware/
June 29, 2007 ~ "...Pretend you actually clicked the link. What would happen? You'd possibly get your machine recruited into the Peacomm spam botnet. This handy diagram* shows you what happens once you hit the website. There's some obfuscated JavaScript on the page which builds a link to /123.htm, a malicious ANI file (MS07-017), and other exploits - QuickTime, WinZIP, and WebViewFolderIcon - all to cajole your computer into downloading files and launching them. There's also a link to "/ecard.exe", a downloader... If you actually get hit, your box will ping the web server (/aff/cntr.php) and start to download the Peacomm components, like /aff/dir/sony.exe, /aff/dir/logi.exe, and /aff/dir/pdp.exe..."


(*Diagram shown at the URL above.)


.



#4 AplusWebMaster


Posted 02 July 2007 - 10:49 AM

"...Variations:

Other subject lines used with this message include the following:

You've received a greeting card from a school-mate!
You've received a greeting ecard from a class mate!
You've received a greeting ecard from a neighbour!
You've received a greeting postcard from a partner!
You've received a greeting postcard from a worshipper!
You've received a postcard from a family member!
You've received a postcard from a neighbour!
You've received a postcard from a worshipper!
You've received an ecard from a colleague! ..."

- http://www.snopes.co...us/postcard.asp
Last updated: 1 July 2007

:eek:



#5 AplusWebMaster


Posted 03 July 2007 - 02:56 PM

Again:

Storm worm with 4th of July subject lines
- http://isc.sans.org/...ml?storyid=3090
Last Updated: 2007-07-03 19:48:30 UTC ...(Version: 2) ~ "We've been receiving numerous mails from readers reporting new subject lines being featured by the Storm Worm. Below is a brief overview of those gathered so far...

Celebrate Your Independence
Independence Day At The Park
Fourth of July Party
American Pride, On The 4th
God Bless America
Happy B-Day USA
July 4th Family Day
Your Nations Birthday
July 4th B-B-Q Party
Happy 4th July
4th Of July Celebration
Fireworks on the 4th ."

:eek:



#6 AplusWebMaster


Posted 04 July 2007 - 10:35 AM

More:

- http://www.f-secure....7.html#00001224
July 4, 2007 ~ "...Using an IP address and not a domain name is a pretty good sign that you shouldn't click on the link... They work exactly the same way as the other greeting cards and the ones we've seen have all been using IP addresses for the clickable link. Again, stay away from them... What's great is that the security community is actively trying to get these sites shut down but the bad guys just keep on changing the IP address in the new mails. In addition, they keep changing the files that are being downloaded..."

(Screenshots available at the URL above.)


.



#7 AplusWebMaster


Posted 09 July 2007 - 06:06 AM

FYI...

The ever morphing Storm
- http://isc.sans.org/...ml?storyid=3117
Last Updated: 2007-07-09 03:01:00 UTC - "Readers have been reporting emails with subjects such as:
* Spyware Detected!
* Malware Alert!
* Virus Detected!
The Storm virus from the last week or so (greeting cards) has morphed into this new version. Nothing new, the texts have changed somewhat and the subject line is different. By and large it is still the same attempt to get people to download an exe file. Auscert* has put out an alert on this as there has been an increase of these messages in the region.
As per usual discourage users from blindly clicking links in emails. Educate them on your corporate AV and AS practices so they will know that the message is not legit and even if you do block all these messages maybe raise awareness with staff so they don't fall for these types of messages at home. Blocking downloads of exe files is also a good start..."
* http://www.auscert.o...er.html?it=7813

New fake patch malicious code run
- http://www.websense....php?AlertID=786
July 09, 2007

.

Edited by apluswebmaster, 09 July 2007 - 09:59 AM.



#8 AplusWebMaster


Posted 09 July 2007 - 08:24 AM

More...

Fake alert emails
- http://www.f-secure....7.html#00001226
July 9, 2007 - "The same gang that has been sending out malicious links in e-mail messages appearing to be greeting cards or 4th of July greetings has now added a new look and feel to their e-mail. Now they might also look like malware, trojan, or spyware alerts from a Customer Support Center and the e-mail speaks about abnormal activity that has been seen from your IP address. All you supposedly have to do is to click on the link and run the file to fix it or else your account will get blocked. Needless to say the downloaded file is malicious. Again the file is downloaded using an IP address and not a DNS name but this time around they've tried to disguise themselves with a text hyperlink. We detect the downloaded file as Packed.Win32.Tibs.ab."

(Screenshot available at the URL above.)


.



#9 AplusWebMaster


Posted 25 July 2007 - 03:51 PM

FYI...

- http://www.informati...cleID=201200849
July 24, 2007 - "The Storm worm authors are waging a multi-pronged attack and generating the largest virus attack some researchers say they've seen in two years. "We are basically in the midst of an incredibly large attack," said Adam Swidler, a senior manager with security company Postini. "It's the most sustained attack that we've seen. There's been nine to 10 straight days of attack at this level." Swidler said in an interview with InformationWeek that the attack started a little more than a week ago, and Postini since then has recorded 200 million spam e-mails luring users to malicious Web sites. Before this attack, an average day sees about 1 million virus-laden e-mails, according to Postini. Last Thursday, however, the company tracked 42 million Storm-related messages in that day alone. As of Tuesday afternoon, Postini researchers were predicting they would see that day between 4 million and 6 million virus e-mails -- 99% of them associated with the Storm worm..."
> http://www.postini.com/stats/

:shock:



#10 AplusWebMaster


Posted 03 August 2007 - 07:53 AM

FYI...

- http://www.informati...cleID=201202711
Aug 2, 2007 - "As the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a botnet of nearly 2 million computers -- researchers worry about the damage hackers could wreak if they unleash a denial-of-service attack with it. Between July 16 and Aug. 1, researchers at software security firm Postini have recorded 415 million spam e-mails luring users to malicious Web sites, according to Adam Swidler, a senior manager with Postini. Before the Storm worm began its attack, an average day sees about 1 million virus-laden e-mails crossing the Internet. On July 19, Postini recorded 48.6 million and on July 24, researchers tracked 46.2 million malicious messages -- more than 99% of them are from the Storm worm... Joe Stewart, a senior security researcher at SecureWorks, noted that the number of zombie computers that the Storm worm authors have amassed has skyrocketed in the past month. From the first of January to the end of May, the security company noted that there were 2,815 bots launching the attacks. By the end of July, that number had leapt to 1.7 million..."

:eek:



#11 AplusWebMaster


Posted 10 August 2007 - 07:19 AM

FYI...

- http://www.informati...cleID=201311245
Aug. 9, 2007 - "...Researchers at SecureWorks discovered late Wednesday that the Storm worm authors have taken their full attention off of e-mail-based attacks and have started creating malicious Web pages... Jackson said he spotted two malicious Web sites that have the Storm attack malware embedded in them. One site was set up specifically for malicious purposes, while the second is a legitimate site that attackers hacked into and infected. The legitimate site is a community forum for fans of Apple's Mac computers. Oddly enough, the malware doesn't affect the Mac - only Microsoft's Windows platform, and specifically the Internet Explorer browser..."

.



#12 AplusWebMaster


Posted 14 August 2007 - 01:54 PM

FYI...

- http://www.websense....php?AlertID=792
August 14, 2007 - "...new Storm Trojan tactics being used within emails. The new emails are using the Subject: "Greeting Card Victim" and contain the following:
> Email Body:
Class-mate(enter name) has created Greeting card for you victim at christianet.com. To see your custom Greeting card, simply click on the following link: http:// <stripped>
Send a FREE greeting card from christianet.com whenever you want by visiting us at: This service is provided and hosted by christianet.com.
> End of Email Body
Just like previous attacks, the URLs point to a compromised machine that is hosting the BOT -and- an HTTP proxy. The same exploit code attempts to run the file without user intervention; however, the file name has changed to msdataaccess.exe..."

.



#13 AplusWebMaster


Posted 18 August 2007 - 12:33 PM

FYI...

- http://www.f-secure....7.html#00001253
August 18, 2007 - "Last Wednesday we blogged* about the changing tactics being used by the Zhelatin / Storm Worm gang and their "eCard for you" -themed malware spam. The tactics are changing again. The malicious websites haven't changed; they still spread malicious msdataaccess.exe files. However, the emails no longer talk about ecards..."

* http://www.f-secure....7.html#00001249


(Screenshots available at both URLs above.)


.



#14 AplusWebMaster


Posted 21 August 2007 - 07:04 AM

FYI...

New filename for Storm Trojan/Bot
- http://www.websense.....php?BlogID=140
Aug 20 2007 - "The Storm Trojan / Bot continues to spread like wildfire. The latest version has a variety of subjects and email bodies but now uses the filename applet.exe.
> Email copy sample:
Greetings,
Here is your membership info for Downloader Heaven.
Member Number: 2259948423
Temorary Login: user6278
Temp Password ID: gr272
Please Change your login and change your Login Information.
Follow this link, or paste it in your browser: http: //...
Welcome,
Technical Services
Downloader Heaven..."

- http://isc.sans.org/...ml?storyid=3298
Last Updated: 2007-08-21 ...(Version: 3) - "Looks like Storm moved to a new mutation. The e-mails are now inviting users to become members in various "clubs". Here is a sample I just got:
> Subject: Login Information
'Dear Member,
Are you ready to have fun at CoolPics.
Account Number: 73422529174753
Your Temp. Login ID: user3559
Temorary Password: jz438
Please Change your login and change your Login Information.
This link will allow you to securely change your login info: http: //...
Thank You,
New Member Technical Support
CoolPics...'
I have seen about a dozen different ones so far. They are all "confirmations" in this style to various web sites. The web page offers again an "applet.exe" for download. In short: We don't need to enumerate variants of the e-mail message. If you are brave and know what you are doing, download the applet.exe and try to reverse it (not easy typically). Thunderbird warned me that the link is a scam. (I think it does so for all numeric IP links). My copy of applet.exe was about 114 kB large. While many AV scanners detect it as "evil" based on heuristic signatures, some well known scanners don't (maybe Virustotal is running them without heuristics turned on, or they just don't do it)..."

.

Edited by apluswebmaster, 21 August 2007 - 07:06 AM.

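F-Secure's point in post #6 (a bare IP address in the link is a warning sign) and the SANS remark in post #14 (Thunderbird flags numeric-IP links as scams) can be turned into a simple mail-gateway check. The Python below is an added example written for this thread, not code from any of the quoted sources or vendors; the sample messages and the 203.0.113.0/24 addresses are constructed, while the lure subject lines are the ones quoted earlier in the thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# http(s) URLs in a plain-text body: run until whitespace, an angle bracket or a quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Subject lines quoted earlier in this thread (SANS, Websense, F-Secure reports).
STORM_LURE_SUBJECTS = [
    "You've received a postcard from a family member!",
    "You've received a greeting card from a school-mate!",
    "Spyware Detected!",
    "Malware Alert!",
    "Virus Detected!",
    "Greeting Card Victim",
    "Login Information",
    "Sheesh man what are you thinkin",
]


def host_is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 literal instead of a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_ip_links(body):
    """Return (url, host) for every link in the body whose host is a numeric IP.

    The Storm lures discussed in this thread linked straight to an infected
    machine's IP address, so a bare-IP link in unsolicited mail is a strong signal.
    """
    hits = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:!?)")   # drop trailing sentence punctuation
        host = urlsplit(url).hostname            # strips userinfo, port and path
        if host and host_is_ip_literal(host):
            hits.append((url, host))
    return hits


def classify_mail(subject, body, lure_subjects=STORM_LURE_SUBJECTS):
    """'block' when a numeric-IP link and a known lure subject coincide,
    'flag' when only one of the two signals is present, else 'pass'."""
    ip_links = find_ip_links(body)
    lure = any(s.lower() in subject.lower() for s in lure_subjects)
    if ip_links and lure:
        return "block"
    if ip_links or lure:
        return "flag"
    return "pass"


# Constructed sample messages (not real spam) in the style quoted in this thread.
SAMPLE_MAILS = [
    ("You've received a postcard from a family member!",
     "Hello! Your family member has sent you an ecard. View it here: http://203.0.113.45/?e2bb7f"),
    ("Login Information",
     "Dear Member, change your login at http://user@203.0.113.9:8080/login.htm now."),
    ("Meeting notes",
     "Minutes are at https://intranet.example.com/notes/2007-06-29."),
    ("Sheesh man what are you thinkin",
     "Check the video at http://www.example.com/watch?v=abc"),
]


def triage(mails=SAMPLE_MAILS):
    """Classify each (subject, body) pair; returns (subject, verdict, ip_hosts) triples."""
    results = []
    for subject, body in mails:
        hosts = [host for _, host in find_ip_links(body)]
        results.append((subject, classify_mail(subject, body), hosts))
    return results


if __name__ == "__main__":
    for subject, verdict, hosts in triage():
        print(f"{verdict:5}  {subject!r}  ip-hosts={hosts}")
```

A hostname that merely looks numeric (for example a decimal or hex-encoded address) is not caught by `ipaddress.ip_address`, so a production rule should also treat any all-digit label sequence as suspicious.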


#15 AplusWebMaster


Posted 25 August 2007 - 04:24 PM

FYI...

Malicious Website/Code: Storm adds YouTube lures
- http://www.websense....php?AlertID=799
August 25, 2007 - "The Storm Trojan / Bot continues to spread and is now using a YouTube video to lure users. The latest version has a variety of subjects and email bodies but now uses the filename video.exe.
Email subject example: Sheesh man what are you thinkin.
Upon connecting to the URL, which is referenced as a YouTube link but is actually a Storm IP, the same exploit code used in past attacks attempts to run. As in the past if users are not vulnerable they will get a page displayed that requests they run the code manually..."

(Screenshot available at the URL above.)

- http://www.websense.....php?BlogID=141
"...Conclusion: The Storm attack is something we can expect more of in the future. It is an organized, sophisticated, well planned out and resilient attack that has infected millions of machines around the world. The techniques use a combination of attack vectors including DNS, Web, P2P, encryption, and several evasion techniques. This not only highlights the need for deploying sophisticated counter measures to mitigate your company's risks, but also shows the need for more collaborative efforts across borders with law enforcement, ISPs, and other folks moving forward."

Also see: http://isc.sans.org/...ml?storyid=3321
Last Updated: 2007-08-25 21:00:55 UTC ...(Version: 2)

.

Edited by apluswebmaster, 25 August 2007 - 04:43 PM.



#16 AplusWebMaster


Posted 30 August 2007 - 08:32 AM

FYI...

- http://www.theregist...m_hits_blogger/
29 August 2007 - "...By now, anyone who doesn't live under a rock is familiar with the spam messages bearing subjects such as "Dude what if your wife finds this" and "Sheesh man what are you thinkin" and including a link to a supposed YouTube video. Recipients foolish enough to click on the link are taken to an infected computer that tries to make their machine part of a botnet. Now Storm Worm, the malware responsible for those messages, has overrun Google-owned Blogger. According to one search, some 424 Blogger sites have been infected..."

.



#17 AplusWebMaster


Posted 31 August 2007 - 09:57 AM

FYI...

More Peacomm Tactic Changes
- http://atlas.arbor.n...index#-24164615
Severity: Elevated Severity
Published: Thursday, August 30, 2007 10:36
"This week has seen additional Peacomm malware lure changes. Emails have now been appearing that encourage users to view YouTube videos, download beta software, and to try out new software. All of these are methods that the Peacomm authors are using to attract new victims. At last count we have seen some estimates between 1 million and 10 million or more infected computers. This is a staggering number of infected machines and we are working with others to combat this problem.
Analysis: We have been monitoring the changes in the lure tactics of the Peacomm worm, and have seen them change more frequently as of late. We are not certain what the next change will be, but we anticipate it will happen soon."

.



#18 AplusWebMaster


Posted 06 September 2007 - 03:03 PM

FYI...

- http://www.f-secure....7.html#00001272
September 6, 2007 - "A new round of storm worm attacks is playing on people's paranoia against being watched online. This time the lure leads users to a "TOR download" page, which is... surprise, surprise... fake... Clicking on the button in that webpage will download a malicious file called tor.exe into the system. This file is already detected as Email-Worm:W32/Zhelatin.IL. Do note that the real TOR application is hosted on http://tor.eff.org/. For those unfamiliar with it, it is a system designed to enable its users to communicate anonymously over the Internet."

(Screenshot available at the URL above.)

.



#19 AplusWebMaster


Posted 08 September 2007 - 05:08 PM

FYI...

Stormworm Tactics Change to Football Fungus
- http://www.disog.org/
September 08, 2007 - "...Starting about 13:50 GMT ...noticed the domains started rotating the IPs less frequently. Looking back at my logs I came up with this:
[rotation log of timestamps and IP addresses omitted; the final entry pointed the domain at 127.0.0.1]
Now the index page is NFL related (and nicely done) which is sharing NFLTracker.exe (NFLTracker.exe - Infected: Trojan.Peed.III). It's not using any of the xor'd javascript or browser exploits. This page is strictly social engineering... Our guess is the domains will be changing soon, with football related names - or that there will be mass infection of football related sites with frames pointing to the peer pages."

(Screenshot available at the URL above.)

Per: http://isc.sans.org/...ml?storyid=3361
=================================

Also: http://www.f-secure....7.html#00001273
September 9, 2007 - "...To become infected you have to click on one of the links or on the picture (they all point to the same file – tracker.exe) and run the file. Still, this can change at any moment so don't click on any links you receive in these e-mails."

(More screenshots available at the F-Secure URL above.)

.

Edited by apluswebmaster, 10 September 2007 - 07:59 AM.

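The disog.org log in post #19 is a fast-flux trace: one domain, a new IP every few minutes, then the record parked on 127.0.0.1. The Python below is an added example for this thread, not code from disog.org or any other quoted source; it reads a constructed resolver log in the same shape (TEST-NET addresses stand in for the real 2007 hosts) and derives the rotation statistics a defender would use to decide whether a domain is fluxing.

```python
from datetime import datetime
import ipaddress
from statistics import median


def parse_observations(lines):
    """Parse 'YYYY-MM-DD HH:MM IP' lines (a constructed resolver-log format) into
    a time-sorted list of (datetime, ip) tuples; blank and '#' lines are skipped."""
    obs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, clock, ip = line.split()
        obs.append((datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M"), ip))
    return sorted(obs)


def rotation_runs(obs):
    """Collapse consecutive sightings of the same IP into (ip, first_seen, last_seen)."""
    runs = []
    for ts, ip in obs:
        if runs and runs[-1][0] == ip:
            runs[-1] = (ip, runs[-1][1], ts)
        else:
            runs.append((ip, ts, ts))
    return runs


def analyse_domain(obs, min_distinct=5, max_median_dwell_min=30):
    """Summarise how one domain's A record rotated over the observation period.

    Dwell time is measured from one run's first sighting to the next run's first
    sighting. Many distinct IPs with short dwells is the fast-flux pattern; a
    loopback/unspecified address at the end is the 'switched off' pattern seen
    in the disog.org log quoted above. Thresholds are assumed, not from the page.
    """
    runs = rotation_runs(obs)
    dwell_min = [(runs[i + 1][1] - runs[i][1]).total_seconds() / 60
                 for i in range(len(runs) - 1)]
    distinct = {ip for ip, _, _ in runs}
    unroutable = sorted(ip for ip in distinct
                        if ipaddress.ip_address(ip).is_loopback
                        or ipaddress.ip_address(ip).is_unspecified)
    med = median(dwell_min) if dwell_min else None
    return {
        "distinct_ips": len(distinct),
        "rotations": len(runs) - 1,
        "median_dwell_minutes": med,
        "unroutable_ips": unroutable,
        "last_ip": runs[-1][0] if runs else None,
        "fast_flux": bool(len(distinct) >= min_distinct
                          and med is not None and med <= max_median_dwell_min),
    }


# Constructed observations (TEST-NET addresses, not the real 2007 hosts), shaped
# like the rotation log in the disog.org post: a new IP every few minutes, then
# the record parked on 127.0.0.1.
SAMPLE_LOG = """
2007-09-08 13:49 203.0.113.171
2007-09-08 13:55 203.0.113.171
2007-09-08 13:58 198.51.100.196
2007-09-08 14:04 192.0.2.87
2007-09-08 14:15 192.0.2.87
2007-09-08 14:21 203.0.113.167
2007-09-08 14:31 198.51.100.116
2007-09-08 14:50 192.0.2.16
2007-09-08 15:10 192.0.2.16
2007-09-08 15:17 203.0.113.128
2007-09-08 15:44 127.0.0.1
""".splitlines()


def sample_verdict():
    """Run the analysis over the constructed log."""
    return analyse_domain(parse_observations(SAMPLE_LOG))


if __name__ == "__main__":
    for key, value in sample_verdict().items():
        print(f"{key:22} {value}")
```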


#20 AplusWebMaster


Posted 16 September 2007 - 10:07 AM

FYI...

- http://www.f-secure....7.html#00001277
September 16, 2007 - "The latest tactic from Storm Worm: e-mails with links to a fake gaming site... All the links from these pages point to ArcadeWorld.exe – detected by us now as Zhelatin.JP."

(Screenshot available at the URL above.)


.



#21 AplusWebMaster


Posted 24 September 2007 - 05:48 AM

FYI...

More cards...
- http://www.f-secure....7.html#00001280
September 24, 2007 - "There are a high number of reports for Trojan-Downloader.Win32.Banload.DRS today... This time the bad guys have once again returned to the (e-mail) attachment name of card.exe... The subject lines are recycled as well:
Hot pictures
Hot game
Here is it
You ask me about this game, Here is it
Something hot ..."

(Table shown at the URL above.)

.



#22 AplusWebMaster


Posted 25 September 2007 - 01:36 PM

FYI...

- http://asert.arborne...9/todays-radar/
September 21, 2007 - "...Storm Worm numbers after reading Storm Drain*, from the Microsoft Anti-Malware Engineering Team blog. Several people, myself included, had put size estimates in the millions of hosts. Microsoft’s numbers suggest far, far fewer, on the order of hundreds of thousands. People tell me they have seen a decrease in the number of DDoS attacks from Storm, and also I have seen a slowing of the email lures in the past week and a half. It looks like the MSRT is having an effect. Some people estimate half, some about 25%, but overall a real decrease..."
* http://blogs.technet...torm-drain.aspx

.



#23 AplusWebMaster


Posted 28 September 2007 - 02:17 PM

FYI...

Stormy Skies
- http://asert.arborne...9/stormy-skies/
September 27th, 2007 - "A couple of third-party reports on the Storm Worm (aka Peacomm, aka Nuwar, aka Tibs, aka Zheltin, aka CME-711).
1. The first is a detailed binary analysis of the malcode involved in the Storm Worm from Frank Boldewin. This is one of the only such analyses made public that I have seen; everyone else has theirs privately kept:
'It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all things that happens on this way, like: XOR + TEA decryption, TIBS unpacking, defeating Anti-Debugging code, files dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit-driver does.'
(From: http://www.reconstru..... nutshell.zip
[ZIP], by Frank Boldewin.)
2. Second up is a great timeline of the Storm Worm lures, specifically the ones to lure you to the website and get infected via malicious HTML (it the setSlice() vuln). Unfortunately it does not cover the spammed EXEs that appeared in the Winter of 2007, it just covers the “e-card” and beyond timeframe. It also doesn’t cover any changes in the website HTML or exploits. Still, this is the first such compendium of this data I’ve seen shared publicly. I made a smaller one on a private list one night, but without so much data or detail.
3. A third point of interest, and the research focus for this blog, is the structure of the spam runs themselves. The accepted notion is that the runs are distinct from one another based on their subject matter. For example, we consider “NFL” spam to be one instance of the Storm attack, and “ArcadeWorld” another, but we cannot by that alone make an assertion regarding their specific rate of occurrence and precise ordering. Our goal is to confirm the ordered relationship between subjects, and to use the resulting distribution and frequency data to build a volume-based chronology."
(From: http://www.websense.....php?BlogID=147 Websense Security Lab blog)

.



#24 AplusWebMaster


Posted 10 October 2007 - 08:47 AM

FYI...

YouTube feature exploited to send spam
- http://www.sophos.co...utube-spam.html
5 October 2007 - "...Spam emails seen by Sophos claim to come from the email address service @ youtube .com, and attempt to lure users into visiting dating websites or offering prizes of the recently released Halo 3 arcade game for the XBOX 360 console. By putting their spam message in the 'comments' section of the 'invite-a-friend' facility on YouTube, hackers have been able to hijack the website for the purposes of sending unsolicited email..."

- http://www.news.com/...g=st.util.print
Oct 10, 2007 - "...Spammers are taking advantage of the YouTube function that lets people invite friends to view videos that they have viewed or posted. The function allows someone to e-mail any address from an account. The scam on Google's video-sharing site is targeting Xbox owners, urging recipients to collect a prize version of the popular game Halo 3. Anstis said clicking on the link to "winhalo3" leads to a file containing a Storm trojan..."

:ph34r:



#25 AplusWebMaster


Posted 12 October 2007 - 06:57 AM

FYI...

Malicious Website/Code: New Storm tactic: Kitty Greeting Card
- http://www.websense....php?AlertID=807
October 11, 2007 - "Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks... This site poses as a free Ecard Web site. No exploit is on the site itself. However, when users click any of the URLs, they are prompted to download and run a file called "SuperLaugh.exe ." This file contains the Storm payload code..."

(Screenshot available at the URL above.)

Also:
- http://www.f-secure....s/00001291.html
October 12, 2007

Edited by apluswebmaster, 12 October 2007 - 07:04 AM.



#26 AplusWebMaster


Posted 16 October 2007 - 06:43 AM

FYI...

The Changing Storm
- http://www.securewor...changing-storm/
October 15, 2007 by Joe Stewart - "The latest Storm variants have a new twist. They now use a 40-byte key to encrypt their Overnet P2P traffic. This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities. If that’s the case, we might see a lot more of Storm in the future. The good news is, since we can now distinguish this new Storm traffic from “legitimate” (cough) Overnet P2P traffic, it makes it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow P2P traffic (i.e. not corporate networks, we hope!). Matt Jonkman over at Bleedingthreats.net has written some signatures* to detect Storm nodes on a network in a generic way. These signatures look for certain UDP packet sizes typical of Storm, occurring over a certain threshold. Since there’s no content matching, these could be prone to false positives in certain cases, so the usual caveats with bleeding-edge signatures apply.*"

* http://www.bleedingt...-storm-traffic/

.

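The size-and-threshold approach the SecureWorks note describes, as an added example that is not code from the post, from SecureWorks or from Bleeding Threats: it tallies UDP datagrams of suspect payload sizes per source over a sliding window and alerts only when a source passes the threshold while talking to many distinct peers, which is the guard that keeps a single busy legitimate UDP client from firing. The size set, window, threshold and peer count are assumed placeholders (the Bleeding Threats signature values are not reproduced), and the flow records are constructed.

```python
"""Threshold detector for Storm-style Overnet UDP traffic (added example; not the
Bleeding Threats signatures).  Sizes, window, threshold and peer count below are
ASSUMED placeholders to tune from your own captures."""
from collections import defaultdict
from dataclasses import dataclass

SUSPECT_UDP_SIZES = {31, 44, 52}  # ASSUMPTION: placeholder payload sizes
WINDOW_SECONDS = 60
THRESHOLD = 20            # suspect datagrams from one source inside one window
MIN_DISTINCT_PEERS = 10   # P2P bootstrap fans out; one peer is a false-positive risk


@dataclass
class Flow:
    ts: float     # epoch seconds
    src: str
    dst: str
    dport: int
    udp_len: int  # UDP payload bytes


def parse_flow_line(line):
    """Parse a constructed 'ts src dst dport udp_len' record (whitespace separated)."""
    ts, src, dst, dport, udp_len = line.split()
    return Flow(float(ts), src, dst, int(dport), int(udp_len))


def detect_storm_nodes(flows, sizes=SUSPECT_UDP_SIZES, window=WINDOW_SECONDS,
                       threshold=THRESHOLD, min_peers=MIN_DISTINCT_PEERS):
    """Return {src: (count, distinct_peers)} for sources that sent at least
    `threshold` suspect-size datagrams inside any `window`-second span to at
    least `min_peers` distinct destinations.  The peer guard is what keeps a
    single chatty legitimate UDP client (VoIP, a busy resolver) from firing;
    there is no content match, so this is a triage signal, not proof."""
    by_src = defaultdict(list)
    for f in flows:
        if f.udp_len in sizes:
            by_src[f.src].append(f)
    alerts = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda f: f.ts)
        lo = 0
        for hi in range(len(pkts)):          # sliding window over timestamps
            while pkts[hi].ts - pkts[lo].ts > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                peers = {f.dst for f in pkts[lo:hi + 1]}
                if len(peers) >= min_peers:
                    alerts[src] = (count, len(peers))
                    break
    return alerts


def sample_flows():
    """Constructed records, not a real capture."""
    lines = []
    for i in range(30):   # infected host: suspect sizes to many peers within a minute
        lines.append(f"{1000 + i} 10.0.0.5 192.0.2.{i + 1} {20000 + i} {31 if i % 2 else 44}")
    for i in range(25):   # legitimate host: same sizes, but only to one resolver
        lines.append(f"{1000 + i} 10.0.0.9 10.0.0.53 53 44")
    for i in range(5):    # low-volume host: under threshold
        lines.append(f"{1000 + i * 20} 10.0.0.7 198.51.100.{i + 1} 4444 52")
    return [parse_flow_line(l) for l in lines]


if __name__ == "__main__":
    for src, (n, peers) in detect_storm_nodes(sample_flows()).items():
        print(f"ALERT {src}: {n} suspect-size datagrams to {peers} peers")
```

Dropping `min_peers` to 1 makes the resolver client fire as well, which is the false-positive class the note warns about; the peer spread is the cheapest extra signal when you have no payload to match on.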


#27 TeMerc

    Countermeasures Team Leader

  • Ambassador
  • PipPipPipPipPip
  • 1,025 posts

Posted 16 October 2007 - 10:22 PM

This is gonna get ugly....fast.

The encryption is trivial and isn't the only new thing found in this variant. It seems to have some new techniques for propagation. Firstly, it is able to scan the file system and drop an executable into any folder with at least one .exe file. Secondly, the worm is able to harvest email addresses from the file system and send spam to those addresses. Lastly, it is able to search for .htm, .html, and .php files and inject malicious IFRAME code into them. We believe that this part of the worm is still under development due to the buggy nature of the code we are seeing. The IFRAME tag isn't hard coded. We suspect this information must be coming from the P2P C&C.

We were able to use our favorite search engine to look for one of the known tags within the IFRAME and we saw some sites that were already infected. These sites each lead us to a fast-flux domain of the Storm worm. Considering how much this worm has evolved and where it is at currently, I think it's time for us to escalate this worm to hurricane category.

Symantec Security Response Blog
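A scanner for the file-injection behaviour described in the quoted Symantec text, as an added example that is not code from the post or from Symantec. Because the post says the injected IFRAME tag is not hard-coded, the scanner does not look for one specific tag; it walks the same .htm/.html/.php extensions the worm targets and flags iframes that are hidden (zero or one pixel, `display:none`, `visibility:hidden`) or that load a host outside an assumed `ALLOWED_HOSTS` set. The sample pages are constructed.

```python
"""Scanner for injected IFRAME tags in .htm/.html/.php files (added example, not
Symantec's or the post's code).  The injected tag is not hard-coded per the post,
so this flags iframes that are hidden or that point off-site; ALLOWED_HOSTS and
the sample pages are constructed."""
import os
import re
import tempfile
from urllib.parse import urlparse

WEB_EXTENSIONS = {".htm", ".html", ".php"}
ALLOWED_HOSTS = {"www.example.com", "example.com"}  # ASSUMPTION: the site's own hosts

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(tag):
    """Attribute name -> value for one start tag (quoted or bare values)."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag)}


def _tiny(value):
    value = value.strip().lower().rstrip("px")
    try:
        return float(value) <= 1
    except ValueError:
        return False


def is_hidden(attrs):
    """0/1-pixel frames or CSS that hides them: nobody hides a legitimate iframe."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_tiny(attrs.get("width", "")) or _tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def suspicious_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return [(tag, reason)] for iframes that are hidden or load an off-site host."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        attrs = parse_attrs(tag)
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if host and host not in allowed_hosts:
            reasons.append(f"off-site host {host}")
        if reasons:
            findings.append((tag, ", ".join(reasons)))
    return findings


def scan_tree(root, allowed_hosts=ALLOWED_HOSTS):
    """Walk `root`; return {relative path: findings} for web files with suspicious
    iframes.  Other extensions are skipped, matching the worm's own target set."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = suspicious_iframes(fh.read(), allowed_hosts)
            if findings:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return results


def build_sample_site():
    """Constructed site in a temp dir: a clean page, an injected page, and a
    non-web file with the same injection (must be ignored).  Returns the root."""
    root = tempfile.mkdtemp(prefix="iframe_scan_")
    clean = '<html><body><iframe src="http://www.example.com/widget" width="300"></iframe></body></html>'
    injected = ('<html><body><p>hello</p><iframe src="http://203.0.113.7/" '
                'width=0 height=0 style="display: none"></iframe></body></html>')
    os.makedirs(os.path.join(root, "sub"))
    for rel, content in (("index.html", clean), ("sub/page.php", injected), ("notes.txt", injected)):
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, findings in scan_tree(build_sample_site()).items():
        for tag, reason in findings:
            print(f"{path}: {reason}: {tag}")
```

Run it against a copy of the document root taken from backup as well as the live one; a diff between the two finding sets tells you what was injected after the backup date, which is usually the question the site owner actually asks.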

#28 TeMerc


Posted 17 October 2007 - 01:32 PM

The storm update has finally come, with the most recent page offering the latest in peer to peer sharing technology.
The page advertises a p2p application called Krakin, which, among other things is said to be:

Easy to install, prevents tracking, has blogs and chat platforms, and video mail.

The download link points to krakin.exe, which is a p2p client - a p2p botnet client. The page isn't lacking the MPACK javascript either. I expect this page will stick around a while. It looks very professional. I expect the blogger spam will pick up with this run.

DSOG Blog w\Screen Shot

#29 AplusWebMaster

Posted 17 October 2007 - 01:58 PM

More references, same stuff:

New Storm Tactic: Krackin Software
- http://www.websense....php?AlertID=808
October 17, 2007

(Screenshot available at the URL above.)

- http://www.f-secure....s/00001296.html
October 17, 2007 - "...a mere visit to the site using an unpatched system will trigger an exploit to automatically download and execute a malicious file. Patched systems are protected but only if the users do not choose to download the file (with filename krackin.exe) and execute it themselves. The webpage is detected as Trojan-Downloader.JS.Agent.KD while the file is detected as Email-Worm.Win32.Zhelatin.KE. This is one network you wouldn't want to join, so make sure to keep your databases updated."

Edited by apluswebmaster, 18 October 2007 - 07:36 AM.



#30 AplusWebMaster

Posted 25 October 2007 - 05:38 AM

FYI...

- http://www.networkwo...m-security.html
10/24/07 - "...Some who have managed to reverse engineer Storm in an effort to figure out how to thwart it have suffered DDoS attacks that have knocked them off the Internet for days... As researchers test their versions of Storm by connecting to Storm command-and-control servers, the servers seem to recognize these attempts as threatening. Then either the worm itself or the people behind it seem to knock them off the Internet by flooding them with traffic from Storm’s botnet..."

> http://www.theregist..._worm_backlash/

:ph34r: :eek:

Edited by apluswebmaster, 25 October 2007 - 01:46 PM.



#31 AplusWebMaster

Posted 31 October 2007 - 05:23 AM

FYI...

- http://www.websense....php?AlertID=814
October 30, 2007 - "Websense® Security Labs™ has confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Halloween twist in its attempts to infect users with malicious code. The first copies of the new emails began going out just before 9:00am PST on Tuesday, October 30th. As with previous Storm emails, various subjects and bodies will be used. Here is one example email:

Example Subject: Nothing is funnier this Halloween

Example Body:
Come watch the little skeleton dance.
http : // <URL Removed> /..."

(Screenshot available at the URL above.)

:ph34r:



#32 AplusWebMaster

Posted 31 October 2007 - 01:31 PM

FYI...

Warezov Domains on All Hallows Eve
- http://www.f-secure....s/00001306.html
October 31, 2007 - "Storm seems to have seized the Warezov gang's mojo. They just don't make as much noise as they once did... Using his "patented" data mining techniques, Toni turned up 2039 domains connected to the Warezov gang as of 12:00 today. Of those, 810 domains resolved as a fast flux*. 1229 do not currently resolve. They're dead. (Or are they undead?) These domains are used for both malware downloads and for pushing spam. The next step is to get them taken down. No small task that.

Download the Lists:
Domains — 2039 ( http://www.f-secure....zov_Domains.txt )
Fast Fluxes — 810 ( http://www.f-secure....ains_Online.txt )
Undead — 1229 ( http://www.f-secure....ins_Offline.txt ) ..."

* http://en.wikipedia.org/wiki/Fast_flux

.



#33 AplusWebMaster

Posted 02 November 2007 - 02:33 AM

FYI...

Storm Worm Changes Course
- http://preview.tinyurl.com/2mvsqs
November 1, 2007 - (Symantec Security Response Weblog) - "The authors of the Storm worm (also known as Trojan.Peacomm) have shown an uncanny knack of changing or shedding key components of the threat in order to enhance its persistence and spread. This week saw the latest incarnation of the threat, Trojan.Peacomm.D, reveal itself as halloween.exe or sony.exe. What is most interesting about this latest variant of the Storm worm is that its authors have removed some key functionality that was present in the previous variant, Trojan.Peacomm.C. Specifically, the threat no longer:
1. infects other legitimate drivers on the system. Previous variants infected drivers such as Tcpip.sys and Kbdclass.sys. This was a stealth-like feature used by the threat to start early with the operating system and without loading points in the Windows Registry.
2. injects itself into legitimate processes like Explorer.exe and Services.exe.
Instead the threat now relies less on legitimate components on the operating system and has new proprietary components to do its dirty work. The driver associated with the latest variant, noskrnl.sys, works hand in hand with the user mode noskrnl.exe to provide the same stealth-like capabilities that involved more components, both illegitimate and legitimate, in the past... In terms of the latest variant, both halloween.exe and sony.exe are detected as Trojan.Packed.13 and the low level driver component, noskrnl.sys, is detected as Trojan.Peacomm.D*..."

* http://www.symantec....-041222-3056-99

.



#34 AplusWebMaster

Posted 14 November 2007 - 05:59 PM

FYI...

Storm Worm Victims Get Stock Spam Pop-Up
- http://preview.tinyurl.com/3dlq5l
November 13, 2007 - Brian Krebs - "If you're a Windows user and today received a surprise pop-up advertisement urging you to invest in an obscure penny stock, it is highly likely that your computer is infected with the virulent Storm worm, a nasty intruder that currently resides on an estimated 200,000 PCs worldwide. Criminal groups that control the pool of Storm-infected computers have traditionally used those systems to pump out junk e-mail ads touting thinly traded penny stocks as part of an elaborate and ongoing series of "pump-and-dump" schemes. But today, according to security researchers, the Storm worm authors went a step further by causing a pop-up ad for a particular penny stock to be shown on all infected machines. Atlanta-based SecureWorks* tracked the latest Storm activity, which began earlier this morning..."

Are You Infected With Storm?
* http://preview.tinyurl.com/2jqgn3
November 13, 2007 by Joe Stewart - (Secureworks) - "If you saw the following browser window pop up on your desktop today for no apparent reason, you are..."
(Screenshot available at the SecureWorks URL above.)

.



#35 AplusWebMaster

Posted 15 November 2007 - 10:44 AM

FYI...

Storm Brews Over Geocities
- http://blog.trendmic...over-geocities/
November 15th, 2007 - "...There are limited reports that the Storm worm may be spamming emails with links to a Geocities site. This was seen in the monitoring of the spam templates being sent via Storm communications to its botnets... The links contained within the said messages point to various accounts created under the popular Yahoo!-managed Geocities site. However, what appears to be links to personal Web sites hosted on Geocities are actually URLs that redirect... user is coaxed into downloading an “iPix plug-in” (from http: // {BLOCKED}.{BLOCKED}.238.36/ iPIX-install.exe). Unfortunately, the iPix plug-in, which Trend Micro detects as TROJ_ZBOT.BJ, downloads more malicious files..."

:ph34r:



#36 AplusWebMaster

Posted 29 November 2007 - 08:33 AM

FYI...

- http://www.securityp...mp;Categoryid=1
29/11/2007 - "A copycat spam gang has developed a botnet that is currently responsible for more than 20 per cent of all spam in circulation, according to Marshal’s threat research TRACE Team. The botnet now has the ability to distribute similar amounts of spam as the notorious Storm botnet. Marshal has touted the spammers responsible for this botnet the “Celebrity Spam Gang”, owing to their fondness for using celebrity names in their spam. The Celebrity Gang has been building up their botnet since August 2006. They have managed this by spamming out messages with malware attachments that commonly feature subject lines about nude celebrities like Angelina Jolie and Britney Spears but have also promised free games and Windows Security Updates..."
- http://www.marshal.c...asp?article=421

:evilgrin:



#37 AplusWebMaster

Posted 24 December 2007 - 05:41 AM

FYI...

Anticipated Storm-Bot Attack Begins
- http://isc.sans.org/...ml?storyid=3778
Last Updated: 2007-12-24 03:41:39 UTC
"Overview and Blocking Information
Shortly after 0000 GMT 24-DEC-2007 reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a Christmas-themed stripshow directing victims to merrychristmasdude .com.

The message comes in with a number of subjects:
Subject: I love this Carol!
Subject: Santa Said, HO HO HO
Subject: Christmas Email
Subject: The Perfect Christmas
Subject: Find Some Christmas Tail
Subject: Time for a little Christmas Cheer

The body is something similar to:

do you have a min?
This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these...

hxxp: // merry christmasdude .com / ...
Recommend that you apply blocks on that domain (merrychristmasdude.com) for both outbound HTTP requests and incoming emails.

Under The Hood
The domain appears to be registered through nic.ru and hosted on a fast-flux network of at least 1000 nodes. Like previous Storm waves, the binary changes approximately every 15 minutes; supposedly updating the peer-list used by the P2P network that the bot-net uses for command and control."

More... screenshot available here:
- http://www.disog.org...-christmas.html

and another ref:
- http://asert.arborne...m-is-back-dude/

:evilgrin:

Edited by apluswebmaster, 24 December 2007 - 05:54 AM.



#38 AplusWebMaster

Posted 24 December 2007 - 01:51 PM

Updated:

- http://isc.sans.org/...ml?storyid=3778
Last Updated: 2007-12-24 13:11:38 UTC ...(Version: 3)
"...nice and tidy analysis available at: http://holisticinfos...w-analysis.html
...There's nothing new or exciting here: SPAM component, headless P2P, seasonal social engineering, fast flux, and other pervasively annoying attributes. User awareness, as always, is your strongest defense. Cheers and happy holidays, except for you RBN a$$h0735."

- http://www.f-secure....s/00001349.html
December 24, 2007 - "...The IP address of the site changes every second. We also already detect it earlier as Email-Worm.Win32.Zhelatin.pd ...Don't be naughty and go wandering to that domain. Please do not click on the "Download For Free Now" button as it will get you infected. Merry Christmas, y'all!"
(Screenshot available at the F-secure URL above.)

.

Edited by apluswebmaster, 24 December 2007 - 02:14 PM.



#39 AplusWebMaster

Posted 26 December 2007 - 06:59 AM

FYI...

Happy New Years .... from the Storm Worm
- http://isc.sans.org/...ml?storyid=3784
Last Updated: 2007-12-25 19:36:34 UTC ...(Version: 3) - "Now that Christmas is here, the Storm Worm is moving on to New Years.

Overview and Blocking Information
Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Years-themed e-card... The message comes in with a number of subjects and body-text. The one line message bodies are also being used as the subject lines.

Seen So Far:
A fresh new year
As the new year...
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It's the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year
Update 1:
Happy New Year to You!
Happy New Year to <email address>
Lots of greetings on the new year
New Year wishes for You...

>>> We recommend applying filters blocks on the domain (u have post card.com) for both incoming email and outbound web traffic.
Under The Hood
As with 'merry christmas dude.com', this domain appears to be registered through nic.ru. It also appears to be hosted on the same fast-flux network, now with at least 8000 nodes.
If you go to that web site, currently the malware file is 'happy2008.exe'. We will add more analysis details throughout the day as we get them.
Update... blog entry from the other day with information about the newest Storm Worm. His blog posting is available at http://holisticinfos...rm-deja-vu.html ..."

:grrr: :ph34r:



#40 AplusWebMaster

Posted 26 December 2007 - 05:37 PM

FYI...

- http://isc.sans.org/...ml?storyid=3784
Last Updated: 2007-12-26 18:16:43 UTC ...(Version: 4)
"Update...
Shortly before 1500 GMT 26-DEC-2007, the Storm Worm has changed the domain name and the executable file name being used to spread. The email messages now refer to the URL http: // happy cards 2008 . com (spaces added) and the file to be downloaded is 'happy-2008.exe'."

:evilgrin:



#41 AplusWebMaster

Posted 27 December 2007 - 09:11 AM

FYI...

- http://asert.arborne...8-new-campaign/
December 27, 2007 - "...The filenames were “happy2008.exe”, “happy-2008.exe”, and now “happynewyear.exe”... Again, fast flux DNS (TTLs set to 0 seconds, lots of IPs being cycled in there, nameservers also fast fluxing in the network), open resolver, etc... Be wary of random e-cards from people you’ve never heard of, stay updated with AV, don’t run as administrator, etc..."

- http://isc.sans.org/...ml?storyid=3784
Last Updated: 2007-12-27 13:39:26 UTC ...(Version: 5)
"Update: ...shortly before 0700 GMT 27-DEC-2007, the Storm Worm has changed the domain name and the executable file name being used to spread yet again. The email messages now refer to the URL http: // new year cards 2008 . com (spaces added) and the file to be downloaded is 'happynewyear.exe'. As with the previous URLs and filename, we recommend applying filters blocks on the domain for both incoming email and outbound web traffic."

:ph34r:



#42 AplusWebMaster

Posted 27 December 2007 - 02:27 PM

More...

Storm switches tactics third time, adds rootkit
- http://preview.tinyurl.com/yqt7q4
December 27, 2007 (Computerworld) - "...The file being shilled today is tagged to "happynewyear.exe." More important is the behind-the-scenes addition of a rootkit to the versions of Storm now being seeded to infected machines, said researchers. Both Marco Giuliani of Prevx and an independent security researcher named Russ McRee have posted analyses of Storm's cloaking attempt. [Storm now has] better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?)," said McRee on his HolisticInfoSec Web site*. "No more hanging out in the open, easily seen"..."
* http://holisticinfos...orm-part-3.html

:ph34r:



#43 AplusWebMaster

Posted 28 December 2007 - 03:12 PM

Add another domain:
- http://blogs.pcmag.c...my_new_year.php
December 28, 2007 - "...Consider the following unsolicited e-mail:
From: ccs@gotapco.com
Sent: Friday, December 28, 2007
To: Larry Seltzer
Subject: Happy 2008!
Wishes for the New 2008 Year
hxxp: // newyearwithlove .com
DON'T GO TO THAT DOMAIN! If you do, or to one of several others with similar names, you'll be redirected to an HTTP request for an EXE file pushing a trojan horse program. The domains are all registered with an unresponsive Russian registrar. Thirteen different name servers on different networks are listed as authoritative in order to make it harder to bring the domain down. Even more may be added, if necessary, to keep the domain up..."
---------------------------

- http://preview.tinyurl.com/yud8re
December 27, 2007 (Computerworld) - "...According to WHOIS look-ups, both the happycards2008.com and newyearcards2008.com domains were registered with a Russian domain registrar named RUcenter only yesterday; the listed contact for the two domains is a "Bill Gudzon" of Los Angeles, Calif., but the contact phone number gave only a constant busy signal. Since the newest Storm attack began on Monday with spam touting Christmas-themed strippers, the code has repacked hundreds of times, a trick malware authors use to deceive signature-based antivirus software. Prevx, said Giuliani*, has already detected more than 400 variants of the version now in circulation."
* http://www.prevx.com...hird-round.html

:ph34r:

Edited by apluswebmaster, 28 December 2007 - 05:41 PM.



#44 AplusWebMaster

Posted 31 December 2007 - 04:48 PM

FYI...

Is a New Year's Storm a’brewin?
- http://preview.tinyurl.com/3apa67
December 31, 2007 10:40 AM (Symantec Security Response Weblog) - "...The Peacomm gang doesn’t seem content with their recent spam run and have launched a new one. Symantec is currently observing a spam run to celebrate New Years, 2008... Contained in the email is a URL to one of several possible Web sites. What is interesting is the number of recently registered domains involved in this spam run. It looks like another Clause family member- “Larry Clause”- has been very busy over the past few days, registering a number of domains with NIC.RU to aid the spam run. So far we have observed the following sites all involved in the spam run with most being registered to a Larry Clause:
• familypostcards2008.com
• freshcards2008.com
• happy2008toyou.com
• happycards2008.com
• happysantacards.com
• hellosanta2008.com
• hohoho2008.com
• newyearcards2008.com
• newyearwithlove.com
• parentscards.com
• postcards-2008.com
• Santapcards.com
• Santawishes2008.com
If clicked on the user is presented with a plain page with the following text:
'Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run. Enjoy!'

Their use of fast flux hosting on botnets makes it very difficult to stop the hosting of this risk... be very cautious of opening greeting cards, especially from people you do not know. Always keep your antivirus software up-to-date and follow safe computing practices..."

:evilgrin:



#45 AplusWebMaster

Posted 03 January 2008 - 11:18 AM

Updates...

Active Storm Worm Domains - Christmas, New Year’s Campaign
- http://preview.tinyurl.com/2ueud4
January 2, 2008 (Arbornetworks) - "Based on a bunch of sources:
familypostcards2008.com
freshcards2008.com
happy2008toyou.com
happycards2008.com
happysantacards.com
hellosanta2008.com
hohoho2008.com
merrychristmasdude.com
newyearcards2008.com
newyearwithlove.com
parentscards.com
postcards-2008.com
santapcards.com
santawishes2008.com
uhavepostcard.com

All of these are worth blocking by DNS methods (become the local SOA, NXDOMAIN them) and looking for in your emails (look for a simple URL with those domain names near the end of a very short email)...
UPDATE: Added parentscards.com, which is now in use."

.



#46 AplusWebMaster

Posted 04 January 2008 - 08:54 AM

FYI...

Storm Social-Engineering Manages a >200% Increase in Size
- http://preview.tinyurl.com/3cj8m3
January 3, 2008 (TrendMicro blog) - "...The good folks over at the German HoneyNet Project* have some interesting statistics which indicate that, due to renewed efforts over the course of the Christmas and New Year’s holiday, the puppet masters controlling the Storm Botnet managed to increase the Storm Botnet size by more than 200%... given that the newest iterations of Storm includes (and revolves around) a new promulgation of a rootkit component**, it can be somewhat difficult to ascertain specific detection numbers... Social engineering continues to be a major, major threat vector..."

* http://honeyblog.org...Storm-Worm.html

** http://blog.trendmic...-for-christmas/

:ph34r:



#47 AplusWebMaster

Posted 09 January 2008 - 04:33 PM

FYI...

Phishing from the Storm Botnet
- http://www.f-secure....s/00001359.html
January 9, 2008 - "Last night there was a phishing run using the domain i-halifax.com. The IP address of the site was changing every second or so. The server i-halifax.com was an active fast flux site and was hosted within a botnet. Interestingly, when we picked out a random IP address from the list and resolved that address to other sites hosted in the past, we found something familiar: Hmm… hellosanta2008.com… postcards-2008.com? Sounds like Storm. So somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before. But we've been expecting something along these lines. From our end-of-year Data Security Wrap-up:
'October brought evidence of Storm variations using unique security keys. The unique keys will allow the botnet to be segmented allowing "space for rent". It looks as if the Storm gang is preparing to sell access to their botnet.'
This may be what's happening now."
(Screenshots available at the URL above.)

- http://www.fortiguar...GA-2008-02.html
2008.January.07 - "...As of writing, the phishing run is targeting Barclays customers. All of the emails have a similar body..., and display a typical social engineering speech directed towards users who have a moderate level of awareness. These users are ones who may have heard online banking is subject to some fraudulent computer attacks, but cannot identify one. Phishers often use this social engineering approach for 3 reasons:
1. A security check is a good pretext to ask people to log in to their account
2. The "fear factor" carried by a security check is a strong incentive for people to actually carry forward
3. Users may feel that since it is a security check, it cannot be an attack the email is referring to ..."
UPDATES: As of 16:00 January 7, 2008 the notified registrar appears to have taken action as the fraudulent Barclays domain in question (linked to by the phishing emails) no longer responds to queries. As of January 8, 2008 new emails emanating from the Storm botnet have been observed by the Fortinet Global Security Research Team which use the same social and domain engineering, however target a different bank: Halifax. This is a precursor that other banks may be targeted as well..."
(Screenshots available at the Fortinet URL above.)

- http://blog.trendmic...twist-phishing/
January 8, 2008 - "...several domains which were only registered yesterday “popped up” on our internal early warning systems overnight, and surprisingly enough, we started seeing these hosts serving up phishing pages (partial screenshot of Royal Bank of Scotland phish above) today. Another interesting aspect of this turn of events is that these hosts are part of the Storm fast-flux botnet, and we detected them while watching domain activity normally associated with suspected RBN (Russian Business Network) -associated activities. We can only suspect that perhaps a portion of the Storm botnet is being rented out to phishers..."

-----------------------

Hmmm... (later in the day)
Stormy Skies - Clearing?
- http://asert.arborne...skies-clearing/
January 9th, 2008 - "Seems like NIC.RU has been cleaning house a bit. The recent Storm worm domains appear to have all been cleared up. This domain appears to be dead in both the whois records - it says the domain is locked - and DNS databases.

UPDATED: a short while after it was originally posted to note that -all- domains are dead, not just one or two."

?

Edited by apluswebmaster, 10 January 2008 - 06:07 AM.

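The two analysis steps quoted in post #41 (Arbor: TTL 0, many IPs cycled across networks) and post #47 (F-Secure: take one IP from the flux pool and see what else it has hosted), as an added example that is not code from the posts or from Arbor, F-Secure, Trend Micro or Symantec. It scores each domain on distinct IPs, distinct /16 prefixes and lowest TTL, then pivots through shared IPs to find domains that sit on the same bots as a known Storm domain. The thresholds are assumed starting values, /16 prefixes stand in for ASN spread because no routing data is embedded, and the observations are constructed: the domain names are ones quoted in the posts, the addresses and TTLs are made up.

```python
"""Fast-flux scoring and shared-IP pivot over stored DNS observations (added
example; not Arbor's, F-Secure's or Symantec's code).  Thresholds are ASSUMED
starting values; /16 prefixes stand in for ASN spread because no routing data is
embedded.  Observations are constructed: names from the posts, addresses made up."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

FLUX_MIN_IPS = 5        # ASSUMPTION
FLUX_MAX_TTL = 300      # ASSUMPTION: Arbor saw TTL 0; CDNs commonly use tens of seconds
FLUX_MIN_PREFIXES = 3   # ASSUMPTION


@dataclass(frozen=True)
class Obs:
    ts: int
    qname: str
    rdata: str   # A record
    ttl: int


def parse_obs(line):
    """'ts qname rdata ttl', whitespace separated, as a passive-DNS dump might be written."""
    ts, qname, rdata, ttl = line.split()
    return Obs(int(ts), qname.lower().rstrip("."), rdata, int(ttl))


def prefix16(ip):
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def flux_profile(observations):
    """Per-domain: distinct IPs, distinct /16s, lowest TTL seen."""
    prof = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for o in observations:
        p = prof[o.qname]
        p["ips"].add(o.rdata)
        p["prefixes"].add(prefix16(o.rdata))
        p["min_ttl"] = o.ttl if p["min_ttl"] is None else min(p["min_ttl"], o.ttl)
    return prof


def is_fast_flux(p, min_ips=FLUX_MIN_IPS, max_ttl=FLUX_MAX_TTL, min_prefixes=FLUX_MIN_PREFIXES):
    """All three must hold.  A CDN also has many IPs and low TTLs but in a few
    prefixes of its own; a bulk host has many IPs in one block.  Spread across
    unrelated networks is what separates answers coming from infected home PCs."""
    return (len(p["ips"]) >= min_ips and p["min_ttl"] <= max_ttl
            and len(p["prefixes"]) >= min_prefixes)


def fast_flux_domains(observations):
    return sorted(d for d, p in flux_profile(observations).items() if is_fast_flux(p))


def pivot_on_shared_ips(observations, known_bad):
    """Domains answered with an IP also seen for a known-bad domain -> sorted shared IPs.
    This is the F-Secure step (take one flux IP, see what else it hosted) done
    over stored observations instead of live lookups."""
    ip_to_domains = defaultdict(set)
    for o in observations:
        ip_to_domains[o.rdata].add(o.qname)
    bad = {d.lower().rstrip(".") for d in known_bad}
    hits = defaultdict(set)
    for ip, domains in ip_to_domains.items():
        if domains & bad:
            for d in domains - bad:
                hits[d].add(ip)
    return {d: sorted(ips) for d, ips in hits.items()}


def sample_observations():
    """Constructed records.  Domain names are ones quoted in the posts above;
    addresses come from documentation/shared ranges and TTLs are invented."""
    lines = [
        "1 hellosanta2008.com 192.0.2.10 0",      # e-card domain cycling through bots
        "2 hellosanta2008.com 198.51.100.20 0",
        "3 hellosanta2008.com 203.0.113.30 0",
        "4 hellosanta2008.com 100.64.1.40 0",
        "5 hellosanta2008.com 100.64.2.50 0",
        "6 hellosanta2008.com 192.0.2.11 0",
        "7 i-halifax.com 203.0.113.30 0",         # phish page later seen on two of the same bots
        "8 i-halifax.com 100.64.1.40 0",
        "9 i-halifax.com 198.51.100.99 0",
        "10 static.example.net 198.51.100.5 86400",   # ordinary single-host site
    ]
    lines += [f"{11 + i} www.example.com 192.0.2.{100 + i} 20" for i in range(6)]  # CDN-like
    return [parse_obs(l) for l in lines]


if __name__ == "__main__":
    obs = sample_observations()
    print("fast-flux:", fast_flux_domains(obs))
    print("sharing IPs with hellosanta2008.com:", pivot_on_shared_ips(obs, ["hellosanta2008.com"]))
```

Note that with these thresholds the phishing host is not scored as fast-flux on its own (only three answers were seen), which is exactly why the pivot matters: a freshly registered domain rarely has enough observations to score, but it inherits the reputation of the bots it shares.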


#48 AplusWebMaster

Posted 15 January 2008 - 10:41 PM

FYI...

Malicious Code: New Storm Tactic: Valentine's Day
- http://www.websense....php?AlertID=838
January 15, 2008 - "Websense® Security Labs™ has received reports and confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Valentine's Day twist in its attempts to infect users with malicious code... As with previous Storm emails, various subjects and bodies will be used... 3 different email lures containing 3 different subject lines and message..."

- http://www.f-secure....s/00001363.html
January 15, 2008 - "Yet another wave of the Storm worm is now being spammed widely and this time it's all about love. They were late for Christmas, just in time for New Year and really early for Valentine's. The filename being downloaded now is withlove.exe..."

- http://asert.arborne...ines-day-theme/
January 15th, 2008 - "...inspection reveals it’s a pointer to a storm node...
Subject lines seen so far:
* A Toast My Love
* Your Love Has Opened
* Sending You My Love ..."

(Screenshots available at all URLs above.)

:ph34r:

Edited by apluswebmaster, 16 January 2008 - 06:34 AM.



#49 AplusWebMaster

  • SWI Friend
  • 10,564 posts

Posted 16 January 2008 - 06:32 AM

FYI...

- http://isc.sans.org/...ml?storyid=3855
Last Updated: 2008-01-16 10:26:18 UTC - "...The e-mails Storm is sending are the same as in the last couple of waves – a subject designed to catch your attention and a body with a URL consisting of only an IP address... only 4 anti-virus programs out of 32 on VirusTotal properly detected it, with virtually no coverage amongst the most popular anti-virus programs. These results are not completely correct since some AV programs are able to block Storm when the user tries to execute it, due to behavior analysis. That being said, it still shows that the server-side packing/obfuscation Storm uses works..."

:ph34r:



#50 AplusWebMaster

  • SWI Friend
  • 10,564 posts

Posted 16 January 2008 - 12:38 PM

FYI... (current "Subject" and attachment list - Storm e-mail SPAM list)

- http://preview.tinyurl.com/2r6gma
January 16, 2008 (Symantec Security Response Weblog) - "...The subjects and bodies we have seen so far include the following (many are recycled from the Storm worm's 2007 Valentine's Day campaign):

• A Dream is a Wish
• A Is For Attitude
• A Kiss So Gentle
• A Rose
• A Rose for My Love
• A Toast My Love
• Come Dance with Me
• Come Relax with Me
• Dream of You
• Eternal Love
• Eternity of Your Love
• Falling In Love with You
• For You....My Love
• Heavenly Love
• Hugging My Pillow
• I Love You Because
• I Love You Soo Much
• I Love You with All I Am
• I Would Dream
• If Loving You
• In Your Arms
• Inside My Heart
• Love Remains
• Memories of You|A Token of My Love
• Miracle of Love
• Our Love is Free
• Our Love Nest
• Our Love Will Last
• Pages from My Heart
• Path We Share
• Sending You All My Love
• Sending You My Love
• Sent with Love
• Special Romance
• Surrounded by Love
• The Dance of Love
• The Mood for Love
• The Time for Love
• When Love Comes Knocking
• When You Fall in Love
• Why I Love You
• Words in my Heart
• Wrapped in Your Arms
• You... In My Dreams
• Your Friend and Lover
• Your Love Has Opened
• You're my Dream

Attachment Name:
• withlove.exe
• with_love.exe ..."

:evilgrin:

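The three posts above describe the indicators a mail gateway can key on for this wave: the recycled Valentine subject lines and the withlove.exe / with_love.exe attachment names from the Symantec list, and the ISC observation that the message body carries a link consisting of only an IP address. The script below is an added example for this thread, not code from any of the quoted sources. It parses an RFC 822 message with Python's standard email library, checks it against those indicators and returns a verdict. The sample messages and the 198.51.100.x / 192.0.2.x addresses are constructed for the demo (documentation ranges), not captures from the campaign. The "review"/"block" thresholds are an assumption: a love-themed subject on its own is treated as too weak to act on, a bare-IP link or a known attachment name on its own is flagged for review, and the two together are blocked.

```python
"""Triage e-mails against the January 2008 Storm "Valentine" lure pattern.

Added example for this thread (not code from Symantec, ISC or F-Secure).
Indicators are taken from the posts quoted above; all sample messages
and IP addresses here are constructed for the demo.
"""
import re
from email import message_from_string
from email.message import Message

# Subject lines listed in the Symantec post (case-folded for matching).
STORM_SUBJECTS = {
    "A Dream is a Wish", "A Is For Attitude", "A Kiss So Gentle", "A Rose",
    "A Rose for My Love", "A Toast My Love", "Come Dance with Me",
    "Come Relax with Me", "Dream of You", "Eternal Love",
    "Eternity of Your Love", "Falling In Love with You", "For You....My Love",
    "Heavenly Love", "Hugging My Pillow", "I Love You Because",
    "I Love You Soo Much", "I Love You with All I Am", "I Would Dream",
    "If Loving You", "In Your Arms", "Inside My Heart", "Love Remains",
    "Memories of You", "A Token of My Love", "Miracle of Love",
    "Our Love is Free", "Our Love Nest", "Our Love Will Last",
    "Pages from My Heart", "Path We Share", "Sending You All My Love",
    "Sending You My Love", "Sent with Love", "Special Romance",
    "Surrounded by Love", "The Dance of Love", "The Mood for Love",
    "The Time for Love", "When Love Comes Knocking", "When You Fall in Love",
    "Why I Love You", "Words in my Heart", "Wrapped in Your Arms",
    "You... In My Dreams", "Your Friend and Lover", "Your Love Has Opened",
    "You're my Dream",
}
_SUBJECTS_CF = {s.casefold() for s in STORM_SUBJECTS}

# Attachment names reported for this wave.
STORM_ATTACHMENTS = {"withlove.exe", "with_love.exe"}

# A link whose host is a dotted-quad IP address (optional port and path),
# the "URL consisting of only an IP address" pattern ISC describes.
BARE_IP_URL = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/[^\s<>\"]*)?", re.I)


def _body_text(msg: Message) -> str:
    """Join the text/plain parts of a message, skipping attached files."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself if not multipart
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True)
            if payload is not None:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def _attachment_names(msg: Message) -> set:
    """Case-folded filenames of every part that carries one."""
    return {p.get_filename().casefold() for p in msg.walk() if p.get_filename()}


def triage(raw_message: str) -> dict:
    """Score one raw message and return the matched indicators and a verdict.

    'block'  : bare-IP link or known attachment together with a known subject
    'review' : bare-IP link or known attachment alone
    'pass'   : nothing, or only a subject-line match (assumed thresholds)
    """
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().casefold()
    ip_hosts = BARE_IP_URL.findall(_body_text(msg))
    attachments = _attachment_names(msg) & STORM_ATTACHMENTS

    hits = []
    if subject in _SUBJECTS_CF:
        hits.append("known Storm subject line")
    if ip_hosts:
        hits.append("link to bare IP address in body")
    if attachments:
        hits.append("known Storm attachment name")

    strong = bool(ip_hosts or attachments)
    if strong and subject in _SUBJECTS_CF:
        verdict = "block"
    elif strong:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "hits": hits,
            "ip_hosts": ip_hosts, "attachments": sorted(attachments)}


# Constructed samples: a lure with a bare-IP link, a lure carrying the
# attachment, and an ordinary message with a hostname link.
SAMPLE_STORM = (
    "From: card@example.net\r\nSubject: Your Love Has Opened\r\n"
    "Content-Type: text/plain\r\n\r\nhttp://198.51.100.23/\r\n"
)
SAMPLE_WITH_ATTACHMENT = (
    "Subject: A Toast My Love\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nOpen the card to see it.\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="withlove.exe"\r\n'
    'Content-Disposition: attachment; filename="withlove.exe"\r\n\r\n'
    "MZ...\r\n--b1--\r\n"
)
SAMPLE_BENIGN = (
    "Subject: Agenda for Thursday\r\nContent-Type: text/plain\r\n\r\n"
    "Slides are at https://intranet.example.com/agenda\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_STORM, SAMPLE_WITH_ATTACHMENT, SAMPLE_BENIGN):
        print(triage(sample))
```

Because the subject list is long and will change from wave to wave, it belongs in a data file on a real gateway; the bare-IP-link check is the durable part of the rule, since it catches the next lure regardless of theme.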




