
Another "Storm" Wave


76 replies to this topic

#16 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 August 2007 - 07:35 AM

FYI...

- http://www.theregist...m_hits_blogger/
29 August 2007 - "...By now, anyone who doesn't live under a rock is familiar with the spam messages bearing subjects such as "Dude what if your wife finds this" and "Sheesh man what are you thinkin" and including a link to a supposed YouTube video. Recipients foolish enough to click on the link are taken to an infected computer that tries to make their machine part of a botnet. Now Storm Worm, the malware responsible for those messages, has overrun Google-owned Blogger. According to one search, some 424 Blogger sites have been infected..."

.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#17 AplusWebMaster


Posted 31 August 2007 - 09:00 AM

FYI...

More Peacomm Tactic Changes
- http://atlas.arbor.n...index#-24164615
Severity: Elevated Severity
Published: Thursday, August 30, 2007 10:36
"This week has seen additional Peacomm malware lure changes. Emails have now been appearing that encourage users to view YouTube videos, download beta software, and to try out new software. All of these are methods that the Peacomm authors are using to attract new victims. At last count we have seen some estimates between 1 million and 10 million or more infected computers. This is a staggering number of infected machines and we are working with others to combat this problem.
Analysis: We have been monitoring the changes in the lure tactics of the Peacomm worm, and have seen them change more frequently as of late. We are not certain what the next change will be, but we anticipate it will happen soon."



#18 AplusWebMaster


Posted 06 September 2007 - 02:08 PM

FYI...

- http://www.f-secure....7.html#00001272
September 6, 2007 - "A new round of storm worm attacks is playing on people's paranoia against being watched online. This time the lure leads users to a "TOR download" page, which is... surprise, surprise... fake... Clicking on the button in that webpage will download a malicious file called tor.exe into the system. This file is already detected as Email-Worm:W32/Zhelatin.IL. Do note that the real TOR application is hosted on http://tor.eff.org/. For those unfamiliar with it, it is a system designed to enable its users to communicate anonymously over the Internet."

(Screenshot available at the URL above.)



#19 AplusWebMaster


Posted 08 September 2007 - 04:09 PM

FYI...

Stormworm Tactics Change to Football Fungus
- http://www.disog.org/
September 08, 2007 - "...Starting about 13:50 GMT ...noticed the domains started rotating the IP's less frequently. Looking back at my logs I came up with this:
2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1
Now the index page is NFL related (and nicely done) which is sharing NFLTracker.exe (NFLTracker.exe - Infected: Trojan.Peed.III). It's not using any of the xor'd javascript or browser exploits. This page is strictly social engineering... Our guess is the domains will be changing soon, with football related names - or that there will be mass infection of football related sites with frames pointing to the peer pages."

(Screenshot available at the URL above.)

Per: http://isc.sans.org/...ml?storyid=3361
-------------------------------------------------------------------------

Also: http://www.f-secure....7.html#00001273
September 9, 2007 - "...To become infected you have to click on one of the links or on the picture (they all point to the same file – tracker.exe) and run the file. Still, this can change at any moment so don't click on any links you receive in these e-mails."

(More screenshots available at the F-Secure URL above.)


Edited by AplusWebMaster, 10 September 2007 - 07:03 AM.

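An added example, not code from the disog.org post or this thread, that parses the A-record rotation log quoted above and pulls out what a responder would want from it: how many distinct hosts the lure domain cycled through, how long each record was served, and the fact that the last entry points at loopback. The "fast flux like" thresholds are assumptions for triage, not published values.

```python
import ipaddress
import re
from datetime import datetime
from statistics import mean

# The A-record rotation log as posted (disog.org, 8 September 2007).
ROTATION_LOG = """\
2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \(GMT\)"
# Three forms appear: lone stamp, "start - end", and "start - NOW".
LINE_RE = re.compile(rf"^{TS}(?: - (?:{TS}|NOW))?: (\S+)$")


def parse_line(line):
    """Return (start, end, ip); end is None for a lone stamp or an open 'NOW' entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rotation entry: {line!r}")
    start = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
    end = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M") if m.group(2) else None
    return start, end, ipaddress.ip_address(m.group(3))


def analyze(log=ROTATION_LOG, min_hosts=5, max_mean_dwell_min=60):
    """Summarise the rotation. min_hosts / max_mean_dwell_min are assumed triage thresholds."""
    records = [parse_line(l) for l in log.splitlines() if l.strip()]
    public = {ip for _, _, ip in records if not (ip.is_private or ip.is_loopback)}
    # Dwell time is only known for records with both a start and an end stamp.
    dwell = [(end - start).total_seconds() / 60 for start, end, _ in records if end]
    first_octets = {str(ip).split(".")[0] for ip in public}  # crude address-space spread
    avg = mean(dwell) if dwell else None
    return {
        "distinct_public_hosts": len(public),
        "distinct_first_octets": len(first_octets),
        "closed_intervals": len(dwell),
        "mean_dwell_min": avg,
        # The final record resolves to 127/8: the domain no longer points at a real host.
        "now_loopback": any(ip.is_loopback for _, _, ip in records),
        "fast_flux_like": len(public) >= min_hosts
        and avg is not None
        and avg <= max_mean_dwell_min,
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```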


#20 AplusWebMaster


Posted 16 September 2007 - 09:11 AM

FYI...

- http://www.f-secure....7.html#00001277
September 16, 2007 - "The latest tactic from Storm Worm: e-mails with links to a fake gaming site... All the links from these pages point to ArcadeWorld.exe – detected by us now as Zhelatin.JP."

(Screenshot available at the URL above.)




#21 AplusWebMaster


Posted 24 September 2007 - 04:54 AM

FYI...

More cards...
- http://www.f-secure....7.html#00001280
September 24, 2007 - "There are a high number of reports for Trojan-Downloader.Win32.Banload.DRS today... This time the bad guys have once again returned to the (e-mail) attachment name of card.exe... The subject lines are recycled as well:
Hot pictures
Hot game
Here is it
You ask me about this game, Here is it
Something hot ..."

(Table shown at the URL above.)



#22 AplusWebMaster


Posted 25 September 2007 - 12:42 PM

FYI...

- http://asert.arborne...9/todays-radar/
September 21, 2007 - "...Storm Worm numbers after reading Storm Drain*, from the Microsoft Anti-Malware Engineering Team blog. Several people, myself included, had put size estimates in the millions of hosts. Microsoft’s numbers suggest far, far fewer, on the order of hundreds of thousands. People tell me they have seen a decrease in the number of DDoS attacks from Storm, and also I have seen a slowing of the email lures in the past week and a half. It looks like the MSRT is having an effect. Some people estimate half, some about 25%, but overall a real decrease..."
* http://blogs.technet...torm-drain.aspx



#23 AplusWebMaster


Posted 28 September 2007 - 01:23 PM

FYI...

Stormy Skies
- http://asert.arborne...9/stormy-skies/
September 27th, 2007 - "A couple of third-party reports on the Storm Worm (aka Peacomm, aka Nuwar, aka Tibs, aka Zheltin, aka CME-711).
1. The first is a detailed binary analysis of the malcode involved in the Storm Worm from Frank Boldewin. This is one of the only such analysis made public that I have seen; everyone else has theirs privately kept:
'It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all things that happens on this way, like: XOR + TEA decryption, TIBS unpacking, defeating Anti-Debugging code, files dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit-driver does.'
(From: http://www.reconstru..... nutshell.zip
[ZIP], by Frank Boldewin.)
2. Second up is a great timeline of the Storm Worm lures, specifically the ones to lure you to the website and get infected via malicious HTML (it the setSlice() vuln). Unfortunately it does not cover the spammed EXEs that appeared in the Winter of 2007, it just covers the “e-card” and beyond timeframe. It also doesn’t cover any changes in the website HTML or exploits. Still, this is the first such compendium of this data I’ve seen shared publicly. I made a smaller one on a private list one night, but without so much data or detail.
3. A third point of interest, and the research focus for this blog, is the structure of the spam runs themselves. The accepted notion is that the runs are distinct from one another based on their subject matter. For example, we consider “NFL” spam to be one instance of the Storm attack, and “ArcadeWorld” another, but we cannot by that alone make an assertion regarding their specific rate of occurrence and precise ordering. Our goal is to confirm the ordered relationship between subjects, and to use the resulting distribution and frequency data to build a volume-based chronology."
(From: http://www.websense.....php?BlogID=147 Websense Security Lab blog)



#24 AplusWebMaster


Posted 10 October 2007 - 07:51 AM

FYI...

YouTube feature exploited to send spam
- http://www.sophos.co...utube-spam.html
5 October 2007 - "...Spam emails seen by Sophos claim to come from the email address service @ youtube .com, and attempt to lure users into visiting dating websites or offering prizes of the recently released Halo 3 arcade game for the XBOX 360 console. By putting their spam message in the 'comments' section of the 'invite-a-friend' facility on YouTube, hackers have been able to hijack the website for the purposes of sending unsolicited email..."

- http://www.news.com/...g=st.util.print
Oct 10, 2007 - "...Spammers are taking advantage of the YouTube function that lets people invite friends to view videos that they have viewed or posted. The function allows someone to e-mail any address from an account. The scam on Google's video-sharing site is targeting Xbox owners, urging recipients to collect a prize version of the popular game Halo 3. Anstis said clicking on the link to "winhalo3" leads to a file containing a Storm trojan..."

:ph34r:



#25 AplusWebMaster


Posted 12 October 2007 - 05:58 AM

FYI...

Malicious Website/Code: New Storm tactic: Kitty Greeting Card
- http://www.websense....php?AlertID=807
October 11, 2007 - "Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks... This site poses as a free Ecard Web site. No exploit is on the site itself. However, when users click any of the URLs, they are prompted to download and run a file called "SuperLaugh.exe." This file contains the Storm payload code..."

(Screenshot available at the URL above.)

Also:
- http://www.f-secure....s/00001291.html
October 12, 2007

Edited by AplusWebMaster, 12 October 2007 - 06:04 AM.



#26 AplusWebMaster


Posted 16 October 2007 - 05:44 AM

FYI...

The Changing Storm
- http://www.securewor...changing-storm/
October 15, 2007 by Joe Stewart - "The latest Storm variants have a new twist. They now use a 40-byte key to encrypt their Overnet P2P traffic. This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities. If that’s the case, we might see a lot more of Storm in the future. The good news is, since we can now distinguish this new Storm traffic from “legitimate” (cough) Overnet P2P traffic, it makes it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow P2P traffic (i.e. not corporate networks, we hope!). Matt Jonkman over at Bleedingthreats.net has written some signatures* to detect Storm nodes on a network in a generic way. These signatures look for certain UDP packet sizes typical of Storm, occurring over a certain threshold. Since there’s no content matching, these could be prone to false positives in certain cases, so the usual caveats with bleeding-edge signatures apply.*"

* http://www.bleedingt...-storm-traffic/

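The size-plus-threshold idea Stewart describes, worked through as an added example over a constructed flow log; this is not the Bleeding Threats rule set, and the datagram sizes, threshold, window, and address values are placeholders chosen for the demo. The distinct-peer count is an extra field added here to help triage the false positives the post warns about.

```python
import re
from collections import defaultdict, deque

# ASSUMED placeholder values, not the published signature values: datagram sizes
# treated as "Storm-typical", and how many of them from one host within a window
# it takes to raise an alert.
SUSPECT_SIZES = {23, 61, 120}
THRESHOLD = 10
WINDOW_S = 60

# Constructed flow format: "<epoch> <src>:<port> <dst>:<port> <udp|tcp> <len>"
FLOW_RE = re.compile(r"^(\d+) (\S+?):(\d+) (\S+?):(\d+) (udp|tcp) (\d+)$")


def parse_flow(line):
    """Parse one flow line into a dict; return None for malformed input."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, _sp, dst, _dp, proto, size = m.groups()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto, "len": int(size)}


def find_storm_candidates(lines, sizes=SUSPECT_SIZES, threshold=THRESHOLD, window=WINDOW_S):
    """Return {src_host: (matching datagrams in window, distinct peers)} for hosts over threshold.

    Only protocol and datagram size are examined (no content match), which is exactly
    why the original post warns about false positives on networks that allow P2P.
    """
    flows = sorted((f for f in map(parse_flow, lines) if f), key=lambda f: f["ts"])
    recent = defaultdict(deque)  # src -> timestamps of matching datagrams, oldest first
    peers = defaultdict(set)     # src -> distinct destinations seen (P2P fans out widely)
    alerts = {}
    for f in flows:
        if f["proto"] != "udp" or f["len"] not in sizes:
            continue
        q = recent[f["src"]]
        q.append(f["ts"])
        peers[f["src"]].add(f["dst"])
        while q and f["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts[f["src"]] = (len(q), len(peers[f["src"]]))
    return alerts


def constructed_flows():
    """Constructed sample log (not capture data) covering the cases that matter."""
    base, lines = 1192450000, []
    for i in range(12):   # 10.0.0.5: 12 suspect-size UDP datagrams to 12 peers in 55 s -> alert
        lines.append(f"{base + 5 * i} 10.0.0.5:4000 203.0.113.{i + 1}:7871 udp {61 if i % 2 else 23}")
    for i in range(3):    # 10.0.0.9: only 3 matching datagrams -> below threshold
        lines.append(f"{base + 10 * i} 10.0.0.9:4000 198.51.100.{i + 1}:7871 udp 23")
    for i in range(20):   # 10.0.0.7: suspect sizes but TCP -> never counted
        lines.append(f"{base + i} 10.0.0.7:5000 198.51.100.50:80 tcp 61")
    for i in range(12):   # 10.0.0.11: 12 matching datagrams spread over 20 min -> no alert
        lines.append(f"{base + 100 * i} 10.0.0.11:4000 192.0.2.{i + 1}:7871 udp 120")
    lines.append("malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    for host, (hits, fanout) in find_storm_candidates(constructed_flows()).items():
        print(f"ALERT {host}: {hits} suspect-size UDP datagrams to {fanout} peers")
```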


#27 AplusWebMaster


Posted 17 October 2007 - 01:05 PM

FYI...

New Storm Tactic: Krackin Software
- http://www.websense....php?AlertID=808
October 17, 2007 - "Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks. For more details on the Storm attack, see ( http://www.websense.....php?BlogID=141 ).
This site poses as a new piece of software called "Krackin v1.2" and advertises:
* Easy to install
* Auto-Virus scanning
* Mobile Source Downloading
* IP Blocking to Prevent Tracking
* Unwanted User Blocking
Users with unpatched computers are automatically exploited. Users with patched computers are prompted to download and run a file called "kracking.exe". This file contains the Storm payload code..."

(Screenshot available at the URL above.)

More references - same stuff:
- http://www.disog.org...rty-krakin.html

- http://www.f-secure....s/00001296.html
October 17, 2007 - "...a mere visit to the site using an unpatched system will trigger an exploit to automatically download and execute a malicious file. Patched systems are protected but only if the users do not choose to download the file (with filename krackin.exe) and execute it themselves. The webpage is detected as Trojan-Downloader.JS.Agent.KD while the file is detected as Email-Worm.Win32.Zhelatin.KE. This is one network you wouldn't want to join, so make sure to keep your databases updated."

Edited by AplusWebMaster, 18 October 2007 - 06:36 AM.



#28 AplusWebMaster


Posted 25 October 2007 - 04:41 AM

FYI...

- http://www.networkwo...m-security.html
10/24/07 - "...Some who have managed to reverse engineer Storm in an effort to figure out how to thwart it have suffered DDoS attacks that have knocked them off the Internet for days... As researchers test their versions of Storm by connecting to Storm command-and-control servers, the servers seem to recognize these attempts as threatening. Then either the worm itself or the people behind it seem to knock them off the Internet by flooding them with traffic from Storm’s botnet..."

> http://www.theregist..._worm_backlash/

:ph34r: <_<

Edited by AplusWebMaster, 25 October 2007 - 12:48 PM.



#29 AplusWebMaster


Posted 31 October 2007 - 04:26 AM

FYI...

- http://www.websense....php?AlertID=814
October 30, 2007 - "Websense® Security Labs™ has confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Halloween twist in its attempts to infect users with malicious code. The first copies of the new emails began going out just before 9:00am PST on Tuesday, October 30th. As with previous Storm emails, various subjects and bodies will be used. Here is one example email:

Example Subject: Nothing is funnier this Halloween

Example Body:
Come watch the little skeleton dance.
http : // <URL Removed> /..."

(Screenshot available at the URL above.)

:ph34r:



#30 AplusWebMaster


Posted 31 October 2007 - 12:30 PM

FYI...

Warezov Domains on All Hallows Eve
- http://www.f-secure....s/00001306.html
October 31, 2007 - "Storm seems to have seized the Warezov gang's mojo. They just don't make as much noise as they once did... Using his "patented" data mining techniques, Toni turned up 2039 domains connected to the Warezov gang as of 12:00 today. Of those, 810 domains resolved as a fast flux*. 1229 do not currently resolve. They're dead. (Or are they undead?) These domains are used for both malware downloads and for pushing spam. The next step is to get them taken down. No small task that.

Download the Lists:
Domains — 2039 ( http://www.f-secure....zov_Domains.txt )
Fast Fluxes — 810 ( http://www.f-secure....ains_Online.txt )
Undead — 1229 ( http://www.f-secure....ins_Offline.txt ) ..."

* http://en.wikipedia.org/wiki/Fast_flux

