Another "Storm" Wave


76 replies to this topic

#31 AplusWebMaster


Posted 02 November 2007 - 01:37 AM

FYI...

Storm Worm Changes Course
- http://preview.tinyurl.com/2mvsqs
November 1, 2007 - (Symantec Security Response Weblog) - "The authors of the Storm worm (also known as Trojan.Peacomm) have shown an uncanny knack of changing or shedding key components of the threat in order to enhance its persistence and spread. This week saw the latest incarnation of the threat, Trojan.Peacomm.D, reveal itself as halloween.exe or sony.exe. What is most interesting about this latest variant of the Storm worm is that its authors have removed some key functionality that was present in the previous variant, Trojan.Peacomm.C. Specifically, the threat no longer:
1. infects other legitimate drivers on the system. Previous variants infected drivers such as Tcpip.sys and Kbdclass.sys. This was a stealth-like feature used by the threat to start early with the operating system and without loading points in the Windows Registry.
2. injects itself into legitimate processes like Explorer.exe and Services.exe.
Instead the threat now relies less on legitimate components of the operating system and has new proprietary components to do its dirty work. The driver associated with the latest variant, noskrnl.sys, works hand in hand with the user mode noskrnl.exe to provide the same stealth-like capabilities that involved more components, both illegitimate and legitimate, in the past... In terms of the latest variant, both halloween.exe and sony.exe are detected as Trojan.Packed.13 and the low level driver component, noskrnl.sys, is detected as Trojan.Peacomm.D*..."

* http://www.symantec....-041222-3056-99

.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#32 AplusWebMaster


Posted 14 November 2007 - 05:00 PM

FYI...

Storm Worm Victims Get Stock Spam Pop-Up
- http://preview.tinyurl.com/3dlq5l
November 13, 2007 - Brian Krebs - "If you're a Windows user and today received a surprise pop-up advertisement urging you to invest in an obscure penny stock, it is highly likely that your computer is infected with the virulent Storm worm, a nasty intruder that currently resides on an estimated 200,000 PCs worldwide. Criminal groups that control the pool of Storm-infected computers have traditionally used those systems to pump out junk e-mail ads touting thinly traded penny stocks as part of an elaborate and ongoing series of "pump-and-dump" schemes. But today, according to security researchers, the Storm worm authors went a step further by causing a pop-up ad for a particular penny stock to be shown on all infected machines. Atlanta-based SecureWorks* tracked the latest Storm activity, which began earlier this morning..."

Are You Infected With Storm?
* http://preview.tinyurl.com/2jqgn3
November 13, 2007 by Joe Stewart - (Secureworks) - "If you saw the following browser window pop up on your desktop today for no apparent reason, you are..."
(Screenshot available at the SecureWorks URL above.)

.



#33 AplusWebMaster


Posted 15 November 2007 - 09:42 AM

FYI...

Storm Brews Over Geocities
- http://blog.trendmic...over-geocities/
November 15th, 2007 - "...There are limited reports that the Storm worm may be spamming emails with links to a Geocities site. This was seen in the monitoring of the spam templates being sent via Storm communications to its botnets... The links contained within the said messages point to various accounts created under the popular Yahoo!-managed Geocities site. However, what appears to be links to personal Web sites hosted on Geocities are actually URLs that redirect... user is coaxed into downloading an “iPix plug-in” (from http: // {BLOCKED}.{BLOCKED}.238.36/ iPIX-install.exe). Unfortunately, the iPix plug-in, which Trend Micro detects as TROJ_ZBOT.BJ, downloads more malicious files..."

:ph34r:



#34 AplusWebMaster


Posted 29 November 2007 - 07:36 AM

FYI...

- http://www.securityp...mp;Categoryid=1
29/11/2007 - "A copycat spam gang has developed a botnet that is currently responsible for more than 20 per cent of all spam in circulation, according to Marshal’s threat research TRACE Team. The botnet now has the ability to distribute similar amounts of spam as the notorious Storm botnet. Marshal has touted the spammers responsible for this botnet the “Celebrity Spam Gang”, owing to their fondness for using celebrity names in their spam. The Celebrity Gang has been building up their botnet since August 2006. They have managed this by spamming out messages with malware attachments that commonly feature subject lines about nude celebrities like Angelina Jolie and Britney Spears but have also promised free games and Windows Security Updates..."
- http://www.marshal.c...asp?article=421

:ph34r:



#35 AplusWebMaster


Posted 24 December 2007 - 04:46 AM

FYI...

Anticipated Storm-Bot Attack Begins
- http://isc.sans.org/...ml?storyid=3778
Last Updated: 2007-12-24 03:41:39 UTC
"Overview and Blocking Information
Shortly after 0000 GMT 24-DEC-2007 reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a Christmas-themed stripshow directing victims to merrychristmasdude .com.

The message comes in with a number of subjects:
Subject: I love this Carol!
Subject: Santa Said, HO HO HO
Subject: Christmas Email
Subject: The Perfect Christmas
Subject: Find Some Christmas Tail
Subject: Time for a little Christmas Cheer

The body is something similar to:

do you have a min?
This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these...

hxxp: // merry christmasdude .com / ...
Recommend that you apply blocks on that domain (merrychristmasdude.com) for both outbound HTTP requests and incoming emails.

Under The Hood
The domain appears to be registered through nic.ru and hosted on a fast-flux network of at least 1000 nodes. Like previous Storm waves, the binary changes approximately every 15 minutes; supposedly updating the peer-list used by the P2P network that the bot-net uses for command and control."

More info here: http://forums.whatth...ude_t86641.html

:ph34r:

Edited by AplusWebMaster, 24 December 2007 - 04:55 AM.



#36 AplusWebMaster


Posted 24 December 2007 - 12:52 PM

Updated:

- http://isc.sans.org/...ml?storyid=3778
Last Updated: 2007-12-24 13:11:38 UTC ...(Version: 3)
"...nice and tidy analysis available at: http://holisticinfos...w-analysis.html
...There's nothing new or exciting here: SPAM component, headless P2P, seasonal social engineering, fast flux, and other pervasively annoying attributes. User awareness, as always, is your strongest defense. Cheers and happy holidays, except for you RBN a$$h0735."

- http://www.f-secure....s/00001349.html
December 24, 2007 - "...The IP address of the site changes every second. We also already detect it earlier as Email-Worm.Win32.Zhelatin.pd ... Don't be naughty and go wandering to that domain. Please do not click on the "Download For Free Now" button as it will get you infected. Merry Christmas, y'all!"
(Screenshot available at the F-secure URL above.)

.

Edited by AplusWebMaster, 24 December 2007 - 01:16 PM.



#37 AplusWebMaster


Posted 26 December 2007 - 06:00 AM

FYI...

Happy New Years .... from the Storm Worm
- http://isc.sans.org/...ml?storyid=3784
Last Updated: 2007-12-25 19:36:34 UTC ...(Version: 3) - "Now that Christmas is here, the Storm Worm is moving on to New Years.

Overview and Blocking Information
Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Years-themed e-card... The message comes in with a number of subjects and body-text. The one line message bodies are also being used as the subject lines.

Seen So Far:
A fresh new year
As the new year...
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It's the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year
Update 1:
Happy New Year to You!
Happy New Year to <email address>
Lots of greetings on the new year
New Year wishes for You...

>>> We recommend applying filter blocks on the domain (u have post card.com) for both incoming email and outbound web traffic.
Under The Hood
As with 'merry christmas dude.com', this domain appears to be registered through nic.ru. It also appears to be hosted on the same fast-flux network, now with at least 8000 nodes.
If you go to that web site, currently the malware file is 'happy2008.exe'. We will add more analysis details throughout the day as we get them.
Update... blog entry from the other day with information about the newest Storm Worm. His blog posting is available at http://holisticinfos...rm-deja-vu.html ..."

- http://www.f-secure....s/00001350.html
"Updated to add: On (Dec)26th we started seeing a new domain: happycards2008.com. The filename has morphed as well, to happy-2008.exe..."

:rant2: :ph34r:

Edited by AplusWebMaster, 26 December 2007 - 04:28 PM.



#38 AplusWebMaster


Posted 27 December 2007 - 08:10 AM

FYI...

- http://asert.arborne...8-new-campaign/
December 27, 2007 - "...The filenames were “happy2008.exe”, “happy-2008.exe”, and now “happynewyear.exe”... Again, fast flux DNS (TTLs set to 0 seconds, lots of IPs being cycled in there, nameservers also fast fluxing in the network), open resolver, etc... Be wary of random e-cards from people you’ve never heard of, stay updated with AV, don’t run as administrator, etc..."

- http://isc.sans.org/...ml?storyid=3784
Last Updated: 2007-12-27 13:39:26 UTC ...(Version: 5)
"Update: ...shortly before 0700 GMT 27-DEC-2007, the Storm Worm has changed the domain name and the executable file name being used to spread yet again. The email messages now refer to the URL http: // new year cards 2008 . com (spaces added) and the file to be downloaded is 'happynewyear.exe'. As with the previous URLs and filename, we recommend applying filter blocks on the domain for both incoming email and outbound web traffic."

:ph34r:

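The posts above describe the hosting side of these waves: TTLs set to 0, an answer set that changes almost every time the name is resolved, and a large pool of addresses (F-Secure saw the IP change every second). The following is an added example, not code from the forum or from the Arbor or F-Secure posts, showing how a defender can turn those three traits into a simple fast-flux score over repeated lookups of one name; the lookup data is constructed from TEST-NET addresses and the thresholds are assumptions.

```python
from ipaddress import ip_network
from typing import List, NamedTuple


class Lookup(NamedTuple):
    """One A-record answer for the same name: the TTL and the IPs returned."""
    ttl: int
    ips: List[str]


def fast_flux_indicators(lookups, max_ttl=60, min_distinct_ips=10, min_churn=0.5):
    """Score a sequence of repeated lookups of one name.

    The three traits the posts describe: near-zero TTLs, a large pool of
    addresses cycled through the answer, and a different answer almost every
    time you ask.  Thresholds are assumed defaults, tune them to your data.
    Returns the measured values plus a verdict.
    """
    if len(lookups) < 2:
        raise ValueError("need at least two lookups to measure churn")
    distinct = set()
    for lk in lookups:
        distinct.update(lk.ips)
    # Churn: fraction of consecutive lookups whose answer set differed.
    changes = sum(1 for a, b in zip(lookups, lookups[1:])
                  if set(a.ips) != set(b.ips))
    churn = changes / (len(lookups) - 1)
    min_ttl = min(lk.ttl for lk in lookups)
    # Rough spread measure: how many /24 networks the pool covers.
    nets = {str(ip_network(f"{ip}/24", strict=False)) for ip in distinct}
    verdict = (min_ttl <= max_ttl
               and len(distinct) >= min_distinct_ips
               and churn >= min_churn)
    return {
        "min_ttl": min_ttl,
        "distinct_ips": len(distinct),
        "networks_24": len(nets),
        "churn": round(churn, 2),
        "fast_flux": verdict,
    }


# Constructed sample data (TEST-NET addresses, not real infrastructure).
_POOL = ([f"192.0.2.{i}" for i in range(1, 11)]
         + [f"198.51.100.{i}" for i in range(1, 11)]
         + [f"203.0.113.{i}" for i in range(1, 11)])


def flux_sample():
    """Ten queries a few seconds apart: TTL 0, five IPs each, window slides every time."""
    return [Lookup(ttl=0, ips=_POOL[k * 3:k * 3 + 5]) for k in range(10)]


def stable_sample():
    """A normally hosted name: hour-long TTL, the same two addresses every time."""
    return [Lookup(ttl=3600, ips=["192.0.2.1", "192.0.2.2"]) for _ in range(10)]


if __name__ == "__main__":
    for name, sample in (("flux", flux_sample()), ("stable", stable_sample())):
        print(name, fast_flux_indicators(sample))
```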


#39 AplusWebMaster


Posted 27 December 2007 - 01:28 PM

More...

Storm switches tactics third time, adds rootkit
- http://preview.tinyurl.com/yqt7q4
December 27, 2007 (Computerworld) - "...The file being shilled today is tagged to "happynewyear.exe." More important is the behind-the-scenes addition of a rootkit to the versions of Storm now being seeded to infected machines, said researchers. Both Marco Giuliani of Prevx and an independent security researcher named Russ McRee have posted analyses of Storm's cloaking attempt. "[Storm now has] better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?)," said McRee on his HolisticInfoSec Web site*. "No more hanging out in the open, easily seen"..."
* http://holisticinfos...orm-part-3.html

:ph34r: :ph34r: :ph34r:



#40 AplusWebMaster


Posted 28 December 2007 - 02:13 PM

Add another domain:
- http://blogs.pcmag.c...my_new_year.php
December 28, 2007 - "...Consider the following unsolicited e-mail:
From: ccs@gotapco.com
Sent: Friday, December 28, 2007
To: Larry Seltzer
Subject: Happy 2008!
Wishes for the New 2008 Year
hxxp: // newyearwithlove .com
DON'T GO TO THAT DOMAIN! If you do, or to one of several others with similar names, you'll be redirected to an HTTP request for an EXE file pushing a trojan horse program. The domains are all registered with an unresponsive Russian registrar. Thirteen different name servers on different networks are listed as authoritative in order to make it harder to bring the domain down. Even more may be added, if necessary, to keep the domain up..."
-------------------

- http://preview.tinyurl.com/yud8re
December 27, 2007 (Computerworld) - "...According to WHOIS look-ups, both the happycards2008.com and newyearcards2008.com domains were registered with a Russian domain registrar named RUcenter only yesterday; the listed contact for the two domains is a "Bill Gudzon" of Los Angeles, Calif., but the contact phone number gave only a constant busy signal. Since the newest Storm attack began on Monday with spam touting Christmas-themed strippers, the code has repacked hundreds of times, a trick malware authors use to deceive signature-based antivirus software. Prevx, said Giuliani*, has already detected more than 400 variants of the version now in circulation."
* http://www.prevx.com...hird-round.html

:ph34r:

Edited by AplusWebMaster, 28 December 2007 - 04:38 PM.



#41 AplusWebMaster


Posted 31 December 2007 - 03:48 PM

FYI...

Is a New Year's Storm a’brewin?
- http://preview.tinyurl.com/3apa67
December 31, 2007 10:40 AM (Symantec Security Response Weblog) - "...The Peacomm gang doesn’t seem content with their recent spam run and have launched a new one. Symantec is currently observing a spam run to celebrate New Years, 2008... Contained in the email is a URL to one of several possible Web sites. What is interesting is the number of recently registered domains involved in this spam run. It looks like another Clause family member- “Larry Clause”- has been very busy over the past few days, registering a number of domains with NIC.RU to aid the spam run. So far we have observed the following sites all involved in the spam run with most being registered to a Larry Clause:
• familypostcards2008.com
• freshcards2008.com
• happy2008toyou.com
• happycards2008.com
• happysantacards.com
• hellosanta2008.com
• hohoho2008.com
• newyearcards2008.com
• newyearwithlove.com
• parentscards.com
• postcards-2008.com
• Santapcards.com
• Santawishes2008.com
If clicked on the user is presented with a plain page with the following text:
'Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run. Enjoy!'

Their use of fast flux hosting on botnets makes it very difficult to stop the hosting of this risk... be very cautious of opening greeting cards, especially from people you do not know. Always keep your antivirus software up-to-date and follow safe computing practices..."

:angry: :ph34r:



#42 AplusWebMaster


Posted 03 January 2008 - 10:20 AM

Updates...

Active Storm Worm Domains - Christmas, New Year’s Campaign
- http://preview.tinyurl.com/2ueud4
January 2, 2008 (Arbornetworks) - "Based on a bunch of sources:
familypostcards2008.com
freshcards2008.com
happy2008toyou.com
happycards2008.com
happysantacards.com
hellosanta2008.com
hohoho2008.com
merrychristmasdude.com
newyearcards2008.com
newyearwithlove.com
parentscards.com
postcards-2008.com
santapcards.com
santawishes2008.com
uhavepostcard.com

All of these are worth blocking by DNS methods (become the local SOA, NXDOMAIN them) and looking for in your emails (look for a simple URL with those domain names near the end of a very short email)...
UPDATE: Added parentscards.com, which is now in use."

.

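The Arbor post above gives two concrete controls: answer NXDOMAIN for the campaign domains at the local resolver, and look in mail for a bare URL on one of those domains near the end of a very short message. The block below is an added example, not code from the forum or from Arbor, that implements both: a mail-shape check built on the domain list quoted in that post, and a generator for BIND response-policy-zone (RPZ) records, where `CNAME .` is the NXDOMAIN action. The sample messages are constructed (the first reuses the lure body quoted in the 24 December post), and the 400-character "very short" threshold is an assumption.

```python
import re
from urllib.parse import urlparse

# Domain list as quoted from the Arbor Networks post of January 2, 2008.
STORM_DOMAINS = frozenset({
    "familypostcards2008.com", "freshcards2008.com", "happy2008toyou.com",
    "happycards2008.com", "happysantacards.com", "hellosanta2008.com",
    "hohoho2008.com", "merrychristmasdude.com", "newyearcards2008.com",
    "newyearwithlove.com", "parentscards.com", "postcards-2008.com",
    "santapcards.com", "santawishes2008.com", "uhavepostcard.com",
})

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def blocked_domain(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Never test the bare TLD, so the loop stops one label short.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in STORM_DOMAINS:
            return candidate
    return None


def classify_email(body, max_chars=400):
    """Shape check from the post: short message, listed domain, URL at the end.

    Returns (verdict, domain).  A listed domain inside a longer message, or
    not at the end, is reported as 'suspicious-domain' rather than a lure,
    because advisories and replies legitimately quote such URLs.
    """
    urls = URL_RE.findall(body)
    if not urls:
        return ("clean", None)
    last_url = urls[-1]
    dom = blocked_domain(urlparse(last_url).hostname or "")
    if dom is None:
        return ("clean", None)
    stripped = body.strip()
    tail = stripped[-(len(last_url) + 20):]   # URL within ~20 chars of the end
    if len(stripped) <= max_chars and last_url in tail:
        return ("storm-lure", dom)
    return ("suspicious-domain", dom)


def rpz_records(domains=STORM_DOMAINS):
    """BIND RPZ lines: 'CNAME .' returns NXDOMAIN; the wildcard covers any host."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d}\tCNAME\t.")
        lines.append(f"*.{d}\tCNAME\t.")
    return lines


# Constructed sample messages.
LURE_XMAS = ("do you have a min?\nThis Christmas, we want to show you something "
             "you will really enjoy. Forget all the stress for two min and feast "
             "your eyes on these...\nhttp://merrychristmasdude.com/\n")
LURE_SUB = "Happy New Year to you!\nhttp://www.uhavepostcard.com/happy2008.exe"
ADVISORY = ("Heads up team, we are seeing lure mail pointing at "
            "http://hohoho2008.com/ today. Please block it at the proxy and "
            "report any clicks to the helpdesk. Thanks.")
BENIGN = ("Hi all, the updated onboarding guide is at "
          "https://www.example.com/docs/onboarding - please read section 3 "
          "before Friday's meeting.")

if __name__ == "__main__":
    for label, msg in (("xmas", LURE_XMAS), ("sub", LURE_SUB),
                       ("advisory", ADVISORY), ("benign", BENIGN)):
        print(label, classify_email(msg))
    print("\n".join(rpz_records()))
```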


#43 AplusWebMaster


Posted 04 January 2008 - 07:55 AM

FYI...

Storm Social-Engineering Manages a >200% Increase in Size
- http://preview.tinyurl.com/3cj8m3
January 3, 2008 (TrendMicro blog) - "...The good folks over at the German HoneyNet Project* have some interesting statistics which indicate that, due to renewed efforts over the course of the Christmas and New Year’s holiday, the puppet masters controlling the Storm Botnet managed to increase the Storm Botnet size by more than 200%... given that the newest iterations of Storm include (and revolve around) a new promulgation of a rootkit component**, it can be somewhat difficult to ascertain specific detection numbers... Social engineering continues to be a major, major threat vector..."

* http://honeyblog.org...Storm-Worm.html

** http://blog.trendmic...-for-christmas/

:ph34r:



#44 AplusWebMaster


Posted 09 January 2008 - 07:01 AM

FYI...

Phishing from the Storm Botnet
- http://www.f-secure....s/00001359.html
January 9, 2008 - "Last night there was a phishing run using the domain i-halifax.com. The IP address of the site was changing every second or so. The server i-halifax.com was an active fast flux site and was hosted within a botnet. Interestingly, when we picked out a random IP address from the list and resolved that address to other sites hosted in the past, we found something familiar: Hmm… hellosanta2008.com… postcards-2008.com? Sounds like Storm. So somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before. But we've been expecting something along these lines. From our end-of-year Data Security Wrap-up:
'October brought evidence of Storm variations using unique security keys. The unique keys will allow the botnet to be segmented allowing "space for rent". It looks as if the Storm gang is preparing to sell access to their botnet.'
This may be what's happening now."
(Screenshots available at the URL above.)

- http://www.fortiguar...GA-2008-02.html
2008.January.07 - "...As of writing, the phishing run is targeting Barclays customers. All of the emails have a similar body..., and display a typical social engineering speech directed towards users who have a moderate level of awareness. These users are ones who may have heard online banking is subject to some fraudulent computer attacks, but cannot identify one. Phishers often use this social engineering approach for 3 reasons:
1. A security check is a good pretext to ask people to log in to their account
2. The "fear factor" carried by a security check is a strong incentive for people to actually carry forward
3. Users may feel that since it is a security check, it cannot be an attack the email is referring to ..."
UPDATES: As of 16:00 January 7, 2008 the notified registrar appears to have taken action as the fraudulent Barclays domain in question (linked to by the phishing emails) no longer responds to queries. As of January 8, 2008 new emails emanating from the Storm botnet have been observed by the Fortinet Global Security Research Team which use the same social and domain engineering, however target a different bank: Halifax. This is a precursor that other banks may be targeted as well..."
(Screenshots available at the Fortinet URL above.)

- http://blog.trendmic...twist-phishing/
January 8, 2008 - "...several domains which were only registered yesterday “popped up” on our internal early warning systems overnight, and surprisingly enough, we started seeing these hosts serving up phishing pages (partial screenshot of Royal Bank of Scotland phish above) today. Another interesting aspect of this turn of events is that these hosts are part of the Storm fast-flux botnet, and we detected them while watching domain activity normally associated with suspected RBN (Russian Business Network) -associated activities. We can only suspect that perhaps a portion of the Storm botnet is being rented out to phishers..."

:ph34r:

Edited by AplusWebMaster, 10 January 2008 - 05:08 AM.



#45 AplusWebMaster


Posted 09 January 2008 - 03:37 PM

Hmmm...

Stormy Skies - Clearing?
- http://asert.arborne...skies-clearing/
January 9th, 2008 - "Seems like NIC.RU has been cleaning house a bit. The recent Storm worm domains appear to have all been cleared up. This domain appears to be dead in both the whois records - it says the domain is locked - and DNS databases.

UPDATED: a short while after it was originally posted to note that -all- domains are dead, not just one or two."

?
