Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

Another "Storm" Wave
AplusWebMaster
post Jun 29 2007, 06:08 AM
Post #1


AplusWebMaster
*****

Group: Authentic Member
Posts: 3,672
Joined: 30-December 03
From: USA
Member No.: 1,643
Operating System: WinXP



FYI...

- http://isc.sans.org/diary.html?storyid=3063
Last Updated: 2007-06-28 23:33:56 UTC ~ "...There is a new round of emails with malicious links that is making its way to the inbox of many folks. If you haven't gotten one yet, just give it time. Here is a quick summary of what we have found. The subject lines that we have gotten examples of have all been identical. You may have gotten something else.

"Subject: You've received a postcard from a family member!" ...

The ecard numbers in the URL above are variable across SPAM samples.
There are 3 exploits available and they are tried in order.

The first one is for QuickTime.
If that fails, a WinZip exploit is attempted.
If that fails, the "hail mary" is the WebViewFolderIcon exploit...

Here are a few more of the malware hosting servers they've relied on in recent months in addition to the HopOne and Softlayer host above:
27645 | 205.209.179.15 | 205.209.128.0/18 | US | arin | ASN-NA-MSG-01 - Managed Solutions Group, Inc
27595 | 216.255.189.214 | 216.255.176.0/20 | US | arin | INTERCAGE - InterCage, Inc
14361 | 66.148.74.7 | 66.148.64.0/19 | US | arin | HOPONE-DCA - HopOne Internet Corporation
36351 | 75.126.21.162 | 75.126.0.0/17 | US | arin | SOFTLAYER - SoftLayer Technologies Inc
36351 | 75.126.226.224 | 75.126.0.0/16 | US | arin | SOFTLAYER - SoftLayer Technologies Inc..."


This post has been edited by AplusWebMaster: Oct 12 2007, 07:25 PM
AplusWebMaster
post Jun 29 2007, 06:45 AM
Post #2


FYI...

- http://preview.tinyurl.com/2g58ud
June 28, 2007 (Computerworld) - "..."This is widespread, and leads the user to multiple IP addresses," said Shimon Gruper, vice president at Aladdin Knowledge Systems Inc., a security company known for its eSafe antivirus software. "There's not a single server, there are multiple exploits, [and the e-mail] has no attachments. This will be very difficult to detect." Two days ago, a Symantec honeypot captured a similar Web site-hosted attack that had an arsenal of exploits at its disposal. That attack, however, featured an unusual, if rudimentary, browser detector that sniffed out whether the target computer is running Microsoft's Internet Explorer (IE) or Mozilla Corp.'s Firefox. If the attack detects IE, it feeds the machine a Windows animated cursor exploit. If it finds Firefox, however, the sites spit out a QuickTime exploit."

- http://www.us-cert.gov/current/archive/200...variant_spreads
June 29, 2007

This post has been edited by AplusWebMaster: Oct 12 2007, 07:28 PM
AplusWebMaster
post Jun 30 2007, 05:41 PM
Post #3


FYI...

- http://asert.arbornetworks.com/2007/06/you...stcard-malware/
June 29, 2007 ~ "...Pretend you actually clicked the link. What would happen? You'd possibly get your machine recruited into the Peacomm spam botnet. This handy diagram* shows you what happens once you hit the website. There's some obfuscated JavaScript on the page which builds a link to /123.htm, a malicious ANI file (MS07-017), and other exploits - QuickTime, WinZIP, and WebViewFolderIcon - all to cajole your computer into downloading files and launching them. There's also a link to "/ecard.exe", a downloader... If you actually get hit, your box will ping the web server (/aff/cntr.php), start to download the Peacomm components, like /aff/dir/sony.exe, /aff/dir/logi.exe, and /aff/dir/pdp.exe..."


(*Diagram shown at the URL above.)


AplusWebMaster
post Jul 2 2007, 09:49 AM
Post #4


"...Variations:

Other subject lines used with this message include the following:

You've received a greeting card from a school-mate!
You've received a greeting ecard from a class mate!
You've received a greeting ecard from a neighbour!
You've received a greeting postcard from a partner!
You've received a greeting postcard from a worshipper!
You've received a postcard from a family member!
You've received a postcard from a neighbour!
You've received a postcard from a worshipper!
You've received an ecard from a colleague! ..."

- http://www.snopes.com/computer/virus/postcard.asp
Last updated: 1 July 2007

AplusWebMaster
post Jul 3 2007, 01:57 PM
Post #5


Again:

Storm worm with 4th of July subject lines
- http://isc.sans.org/diary.html?storyid=3090
Last Updated: 2007-07-03 19:48:30 UTC ...(Version: 2) ~ "We've been receiving numerous mails from readers reporting new subject lines being featured by the Storm Worm. Below is a brief overview of those gathered so far...

Celebrate Your Independence
Independence Day At The Park
Fourth of July Party
American Pride, On The 4th
God Bless America
Happy B-Day USA
July 4th Family Day
Your Nations Birthday
July 4th B-B-Q Party
Happy 4th July
4th Of July Celebration
Fireworks on the 4th."

AplusWebMaster
post Jul 4 2007, 09:41 AM
Post #6


More:

- http://www.f-secure.com/weblog/archives/ar...7.html#00001224
July 4, 2007 ~ "...Using an IP address and not a domain name is a pretty good sign that you shouldn't click on the link... They work exactly the same way as the other greeting cards and the ones we've seen have all been using IP addresses for the clickable link. Again, stay away from them... What's great is that the security community is actively trying to get these sites shut down but the bad guys just keep on changing the IP address in the new mails. In addition, they keep changing the files that are being downloaded..."

(Screenshots available at the URL above.)


AplusWebMaster
post Jul 9 2007, 05:08 AM
Post #7


FYI...

The ever morphing Storm
- http://isc.sans.org/diary.html?storyid=3117
Last Updated: 2007-07-09 03:01:00 UTC - "Readers have been reporting emails with subjects such as:
* Spyware Detected!
* Malware Alert!
* Virus Detected!
The Storm virus from the last week or so (greeting cards) has morphed into this new version. Nothing new, the text has changed somewhat and the subject line is different. By and large it is still the same attempt to get people to download an exe file. Auscert* has put out an alert on this as there has been an increase of these messages in the region.
As per usual, discourage users from blindly clicking links in emails. Educate them on your corporate AV and AS practices so they will know that the message is not legit, and even if you do block all these messages, maybe raise awareness with staff so they don't fall for these types of messages at home. Blocking downloads of exe files is also a good start..."

* http://www.auscert.org.au/render.html?it=7813

AplusWebMaster
post Jul 9 2007, 07:27 AM
Post #8


More...

Fake alert emails
- http://www.f-secure.com/weblog/archives/ar...7.html#00001226
July 9, 2007 - "The same gang that has been sending out malicious links in e-mail messages appearing to be greeting cards or 4th of July greetings has now added a new look and feel to their e-mail. Now they might also look like malware, trojan, or spyware alerts from a Customer Support Center and the e-mail speaks about abnormal activity that has been seen from your IP address. All you supposedly have to do is to click on the link and run the file to fix it or else your account will get blocked. Needless to say the downloaded file is malicious. Again the file is downloaded using an IP address and not a DNS name, but this time around they've tried to disguise themselves with a text hyperlink. We detect the downloaded file as Packed.Win32.Tibs.ab."
(Screenshot available at the URL above.)

New fake patch malicious code run
- http://www.websense.com/securitylabs/alert...php?AlertID=786
July 09, 2007

This post has been edited by AplusWebMaster: Jul 9 2007, 09:03 AM
AplusWebMaster
post Jul 25 2007, 02:55 PM
Post #9


FYI...

- http://www.informationweek.com/shared/prin...cleID=201200849
July 24, 2007 - "The Storm worm authors are waging a multi-pronged attack and generating the largest virus attack some researchers say they've seen in two years. "We are basically in the midst of an incredibly large attack," said Adam Swidler, a senior manager with security company Postini. "It's the most sustained attack that we've seen. There's been nine to 10 straight days of attack at this level." Swidler said in an interview with InformationWeek that the attack started a little more than a week ago, and Postini since then has recorded 200 million spam e-mails luring users to malicious Web sites. Before this attack, an average day sees about 1 million virus-laden e-mails, according to Postini. Last Thursday, however, the company tracked 42 million Storm-related messages in that day alone. As of Tuesday afternoon, Postini researchers were predicting they would see that day between 4 million and 6 million virus e-mails -- 99% of them associated with the Storm worm..."
> http://www.postini.com/stats/

AplusWebMaster
post Aug 3 2007, 06:57 AM
Post #10


FYI...

- http://www.informationweek.com/shared/prin...cleID=201202711
Aug 2, 2007 - "As the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a botnet of nearly 2 million computers -- researchers worry about the damage hackers could wreak if they unleash a denial-of-service attack with it. Between July 16 and Aug. 1, researchers at software security firm Postini have recorded 415 million spam e-mails luring users to malicious Web sites, according to Adam Swidler, a senior manager with Postini. Before the Storm worm began its attack, an average day sees about 1 million virus-laden e-mails crossing the Internet. On July 19, Postini recorded 48.6 million and on July 24, researchers tracked 46.2 million malicious messages -- more than 99% of them are from the Storm worm... Joe Stewart, a senior security researcher at SecureWorks, noted that the number of zombie computers that the Storm worm authors have amassed has skyrocketed in the past month. From the first of January to the end of May, the security company noted that there were 2,815 bots launching the attacks. By the end of July, that number had leapt to 1.7 million..."

AplusWebMaster
post Aug 10 2007, 06:24 AM
Post #11


FYI...

- http://www.informationweek.com/shared/prin...cleID=201311245
Aug. 9, 2007 - "...Researchers at SecureWorks discovered late Wednesday that the Storm worm authors have taken their full attention off of e-mail-based attacks and have started creating malicious Web pages... Jackson said he spotted two malicious Web sites that have the Storm attack malware embedded in them. One site was set up specifically for malicious purposes, while the second is a legitimate site that attackers hacked into and infected. The legitimate site is a community forum for fans of Apple's Mac computers. Oddly enough, the malware doesn't affect the Mac - only Microsoft's Windows platform, and specifically the Internet Explorer browser..."

AplusWebMaster
post Aug 14 2007, 01:01 PM
Post #12


FYI...

- http://www.websense.com/securitylabs/alert...php?AlertID=792
August 14, 2007 - "...new Storm Trojan tactics being used within emails. The new emails are using the Subject: "Greeting Card Victim" and contain the following:
> Email Body:
Class-mate(enter name) has created Greeting card for you victim at christianet.com. To see your custom Greeting card, simply click on the following link: http:// <stripped>
Send a FREE greeting card from christianet.com whenever you want by visiting us at: This service is provided and hosted by christianet.com.
> End of Email Body
Just like previous attacks, the URLs point to a compromised machine that is hosting the BOT -and- an HTTP proxy. The same exploit code attempts to run the file without user intervention; however, the file name has changed to msdataaccess.exe..."

AplusWebMaster
post Aug 18 2007, 11:34 AM
Post #13


FYI...

- http://www.f-secure.com/weblog/archives/ar...7.html#00001253
August 18, 2007 - "Last Wednesday we blogged* about the changing tactics being used by the Zhelatin / Storm Worm gang and their "eCard for you" -themed malware spam. The tactics are changing again. The malicious websites haven't changed; they still spread malicious msdataaccess.exe files. However, the emails no longer talk about ecards..."

* http://www.f-secure.com/weblog/archives/ar...7.html#00001249


(Screenshots available at both URLs above.)


AplusWebMaster
post Aug 21 2007, 06:08 AM
Post #14


FYI...

New filename for Storm Trojan/Bot
- http://www.websense.com/securitylabs/blog/....php?BlogID=140
Aug 20 2007 - "The Storm Trojan / Bot continues to spread like wildfire. The latest version has a variety of subjects and email bodies but now uses the filename applet.exe.
> Email copy sample:
Greetings,
Here is your membership info for Downloader Heaven.
Member Number: 2259948423
Temorary Login: user6278
Temp Password ID: gr272
Please Change your login and change your Login Information.
Follow this link, or paste it in your browser: http: //...
Welcome,
Technical Services
Downloader Heaven..."

- http://isc.sans.org/diary.html?storyid=3298
Last Updated: 2007-08-21 ...(Version: 3) - "Looks like Storm moved to a new mutation. The e-mails are now inviting users to become members in various "clubs". Here is a sample I just got:
> Subject: Login Information
'Dear Member,
Are you ready to have fun at CoolPics.
Account Number: 73422529174753
Your Temp. Login ID: user3559
Temorary Password: jz438
Please Change your login and change your Login Information.
This link will allow you to securely change your login info: http: //...
Thank You,
New Member Technical Support
CoolPics...'
I have seen about a dozen different ones so far. They are all "confirmations" in this style to various web sites. The web page offers again an "applet.exe" for download. In short: We don't need to enumerate variants of the e-mail message. If you are brave and know what you are doing, download the applet.exe and try to reverse it (not easy typically). Thunderbird warned me that the link is a scam. (I think it does so for all numeric IP links). My copy of applet.exe was about 114 kB large. While many AV scanners detect it as "evil" based on heuristic signatures, some well known scanners don't (maybe Virustotal is running them without heuristics turned on, or they just don't do it)..."

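The indicators these posts keep returning to (a fixed set of lure subject lines, a clickable link whose host is a bare IP address rather than a hostname, the hosting prefixes listed in the first post, and a link that goes straight to an .exe) can be turned into a simple mail-triage check. The following is an added example written for this page; it is not code from the thread or from any of the vendors quoted in it. The two sample messages are constructed, the indicator weights are an assumption chosen for illustration, and the only page data used are the subject lines and the ASN/prefix rows quoted above.

```python
"""Mail triage for the Storm/Peacomm lure messages described in this thread.

Added example for this page; not code from the thread or from any vendor
quoted in it. It flags the indicators the posts report:
  * a subject line matching a known lure subject,
  * a link whose host is a bare IPv4 address instead of a hostname,
  * that address falling inside one of the hosting prefixes quoted in post #1,
  * a link pointing straight at an .exe download.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lure subjects quoted in the thread (ISC, Snopes, Websense).
KNOWN_SUBJECTS = {
    "You've received a postcard from a family member!",
    "You've received a greeting card from a school-mate!",
    "Spyware Detected!",
    "Malware Alert!",
    "Virus Detected!",
    "Login Information",
    "Greeting Card Victim",
}

# Distinct hosting prefixes quoted in post #1, in its "ASN | IP | prefix | ..." layout.
HOSTING_RECORDS = """\
27645 | 205.209.179.15 | 205.209.128.0/18 | US | arin | ASN-NA-MSG-01 - Managed Solutions Group, Inc
27595 | 216.255.189.214 | 216.255.176.0/20 | US | arin | INTERCAGE - InterCage, Inc
14361 | 66.148.74.7 | 66.148.64.0/19 | US | arin | HOPONE-DCA - HopOne Internet Corporation
36351 | 75.126.21.162 | 75.126.0.0/17 | US | arin | SOFTLAYER - SoftLayer Technologies Inc
"""

# Weights are an assumption for this example, not anything the thread states.
WEIGHTS = {
    "known_subject": 2,
    "ip_literal_link": 3,
    "known_hosting_prefix": 4,
    "direct_exe_link": 3,
}

URL_RE = re.compile(r"https?://([^\s/<>\"']+)(/[^\s<>\"']*)?", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Finding:
    indicator: str
    detail: str


def parse_hosting_records(text: str) -> Dict[ipaddress.IPv4Network, Tuple[int, str]]:
    """Return {ip_network: (asn, netname)} parsed from the pipe-separated layout."""
    nets = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 6:
            continue  # blank or malformed row
        asn, _ip, prefix, _cc, _rir, name = fields[:6]
        nets[ipaddress.ip_network(prefix, strict=False)] = (int(asn), name)
    return nets


def triage_message(subject: str, body: str, hosting: Optional[dict] = None) -> List[Finding]:
    """Return the Findings for one message; an empty list means nothing matched."""
    if hosting is None:
        hosting = parse_hosting_records(HOSTING_RECORDS)
    findings = []
    if subject.strip() in KNOWN_SUBJECTS:
        findings.append(Finding("known_subject", subject.strip()))
    for match in URL_RE.finditer(body):
        host = match.group(1).split(":")[0]  # drop an explicit port, if any
        path = match.group(2) or ""
        if IPV4_RE.match(host):
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                addr = None  # e.g. an octet above 255: not a real address
            if addr is not None:
                findings.append(Finding("ip_literal_link", host))
                for net, (asn, name) in hosting.items():
                    if addr in net:
                        findings.append(Finding("known_hosting_prefix", f"AS{asn} {name} ({net})"))
        if path.lower().endswith(".exe"):
            findings.append(Finding("direct_exe_link", path))
    return findings


def score(findings: List[Finding]) -> int:
    """Sum the indicator weights; the caller chooses its own quarantine threshold."""
    return sum(WEIGHTS[f.indicator] for f in findings)


if __name__ == "__main__":
    # Constructed samples: one modelled on the lures in the thread, one ordinary mail.
    samples = [
        ("You've received a postcard from a family member!",
         "Hello friend! View your card: http://205.209.179.15/ecard.exe"),
        ("Lunch tomorrow?", "Menu is at http://www.example.com/menu.html"),
    ]
    for subj, body in samples:
        found = triage_message(subj, body)
        print(f"{subj!r}: score={score(found)}")
        for f in found:
            print(f"  {f.indicator}: {f.detail}")
```

The subject match is deliberately exact, since the posts show the gang rotating wording faster than any list can follow; the IP-literal and direct-.exe checks are the durable signals, which is why they carry more weight here than the subject does.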
AplusWebMaster
post Aug 25 2007, 03:27 PM
Post #15


FYI...

Malicious Website/Code: Storm adds YouTube lures
- http://www.websense.com/securitylabs/alert...php?AlertID=799
August 25, 2007 - "The Storm Trojan / Bot continues to spread and is now using a YouTube video to lure users. The latest version has a variety of subjects and email bodies but now uses the filename video.exe.
Email subject example: Sheesh man what are you thinkin.
Upon connecting to the URL, which is referenced as a YouTube link but is actually a Storm IP, the same exploit code used in past attacks attempts to run. As in the past if users are not vulnerable they will get a page displayed that requests they run the code manually..."

(Screenshot available at the URL above.)

- http://www.websense.com/securitylabs/blog/....php?BlogID=141
"...Conclusion: The Storm attack is something we can expect more of in the future. It is an organized, sophisticated, well planned out and resilient attack that has infected millions of machines around the world. The techniques use a combination of attack vectors including DNS, Web, P2P, encryption, and several evasion techniques. This not only highlights the need for deploying sophisticated counter measures to mitigate your company's risks, but also shows the need for more collaborative efforts across borders with law enforcement, ISPs, and other folks moving forward."

Also see: http://isc.sans.org/diary.html?storyid=3321
Last Updated: 2007-08-25 21:00:55 UTC ...(Version: 2)

This post has been edited by AplusWebMaster: Aug 25 2007, 03:45 PM
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy