
Another "Storm" Wave


76 replies to this topic

#46 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 15 January 2008 - 09:43 PM

FYI...

Malicious Code: New Storm Tactic: Valentine's Day
- http://www.websense....php?AlertID=838
January 15, 2008 - "Websense® Security Labs™ has received reports and confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Valentine's Day twist in its attempts to infect users with malicious code... As with previous Storm emails, various subjects and bodies will be used... 3 different email lures containing 3 different subject lines and message..."

- http://www.f-secure....s/00001363.html
January 15, 2008 - "Yet another wave of the Storm worm is now being spammed widely and this time it's all about love. They were late for Christmas, just in time for new year and really early for Valentine. The filename being downloaded now is withlove.exe..."

- http://asert.arborne...ines-day-theme/
January 15th, 2008 - "...inspection reveals it’s a pointer to a storm node...
Subject lines seen so far:
* A Toast My Love
* Your Love Has Opened
* Sending You My Love ..."

(Screenshots available at all URLs above.)

:ph34r:

Edited by AplusWebMaster, 15 January 2008 - 11:43 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#47 AplusWebMaster


Posted 16 January 2008 - 05:33 AM

FYI...

- http://isc.sans.org/...ml?storyid=3855
Last Updated: 2008-01-16 10:26:18 UTC - "...The e-mails Storm is sending are the same as in the last couple of waves – a subject designed to catch your attention and the body with a URL consisting of only an IP address... only 4 anti-virus programs out of 32 on VirusTotal properly detected it with virtually no coverage amongst the most popular anti-virus programs. These results are not completely correct since some AV programs are able to block Storm when the user tries to execute it, due to behavior analysis. That being said, it still shows that the server side packing/obfuscation Storm uses works..."

:ph34r:



#48 AplusWebMaster


Posted 16 January 2008 - 11:41 AM

FYI... (current "Subject" and attachment list - Storm e-mail SPAM list)

- http://preview.tinyurl.com/2r6gma
January 16, 2008 (Symantec Security Response Weblog) - "...The subjects and bodies we have seen so far include the following (many are recycled from the Storm worm's 2007 Valentine's Day campaign):

• A Dream is a Wish
• A Is For Attitude
• A Kiss So Gentle
• A Rose
• A Rose for My Love
• A Toast My Love
• Come Dance with Me
• Come Relax with Me
• Dream of You
• Eternal Love
• Eternity of Your Love
• Falling In Love with You
• For You....My Love
• Heavenly Love
• Hugging My Pillow
• I Love You Because
• I Love You Soo Much
• I Love You with All I Am
• I Would Dream
• If Loving You
• In Your Arms
• Inside My Heart
• Love Remains
• Memories of You|A Token of My Love
• Miracle of Love
• Our Love is Free
• Our Love Nest
• Our Love Will Last
• Pages from My Heart
• Path We Share
• Sending You All My Love
• Sending You My Love
• Sent with Love
• Special Romance
• Surrounded by Love
• The Dance of Love
• The Mood for Love
• The Time for Love
• When Love Comes Knocking
• When You Fall in Love
• Why I Love You
• Words in my Heart
• Wrapped in Your Arms
• You... In My Dreams
• Your Friend and Lover
• Your Love Has Opened
• You're my Dream

Attachment Name:
• withlove.exe
• with_love.exe ..."

:ph34r:



#49 AplusWebMaster


Posted 18 January 2008 - 08:56 AM

Interesting site - "Storm Tracker":

> http://www.trustedso...o=storm_tracker
Daily New Web Proxy IPs
Most Active Storm Web Proxy IPs
Top Storm Domains
Newly Activated Storm Web Proxy IPs
Recently Seen Storm Web Proxy IPs
Geolocation of Storm Web Proxy IPs

.



#50 AplusWebMaster


Posted 30 January 2008 - 04:16 AM

FYI...

New Storm tactic: Medical spam sites
- http://www.websense.....php?BlogID=170
Jan 29 2008 - "... the Storm worm has changed spamming tactics. Spam sent by infected hosts contains links of the format:
http ://(IP address)/(short random directory name)
These links redirect users to medical spam sites, but the links are still infected at the root level (e.g. http ://IP address/). The redirects help these medical spam sites attempt to evade spam filters..."

- http://blog.trendmic...g-bad-medicine/
January 31, 2008

(Screenshot available at both URLs above.)

:ph34r:

Edited by AplusWebMaster, 01 February 2008 - 05:50 AM.



#51 AplusWebMaster


Posted 04 February 2008 - 07:38 AM

FYI...

- http://www.marshal.c...thesection=news
31 January 2008 – "...Storm is one of five botnets that we have been monitoring that we believe are responsible for approximately 75 per cent of all spam in circulation. One particular botnet which heavily promotes a certain brand of male enhancement pills accounts for nearly 30 per cent. This one bot has already exceeded Storm’s records and it has done it quietly without attracting too much attention. This might signal a new strategy by some of the spam crews to try and draw less attention to themselves through high profile email campaigns... It is also possible that the individuals behind the Storm botnet are responsible for one or more of these new botnets. These people are smart and one lesson they may have learned from Storm is to stay under the radar if they want to remain successful. There is a lot of crossover with the products being promoted by all five of these botnets. This could indicate some sort of connection between them...”

- http://preview.tinyurl.com/2zlwao
February 4, 2008 (Computerworld) - "...Mega-D has borrowed a few tricks from Storm, such as operating in Asian countries typified by high broadband penetration and poor use of anti-virus, using Trojans to dodge signature-based removal techniques and proliferating over peer-to-peer networks... Mega-D has targeted Facebook users with fake invites that download the Trojan using a phony Flash Player update. More than 70 percent of global spam is sent from botnets Mega-D, Pushdo, HTML, One Word Sub and Storm..."

- http://www.marshal.c...asp?article=510
February 4, 2008

- http://asert.arborne...rojan-analysis/
February 11, 2008 - "Enabled by some spam samples Marshal provided, Joe Stewart and the good folks @SecureWorks, with an assist from Team Cymru and my|NetWatchman, have identified the malware and botnet referred to as Mega-D. It turns out Mega-D is composed of bots from the little-known Ozdok malware family. Joe provides some analysis on scale and distribution of the botnet here*, as well as some detailed bits on behaviors of the Trojan itself..."
* http://www.securewor...k/?threat=ozdok
February 11, 2008

:ph34r: :ph34r:

Edited by AplusWebMaster, 13 February 2008 - 09:23 PM.



#52 AplusWebMaster


Posted 05 February 2008 - 07:47 AM

Eye on the botnets...

- http://www.darkreadi...o...&print=true
FEBRUARY 4, 2008 - "A new peer-to-peer (P2P) botnet even more powerful and stealthy than the infamous Storm has begun infiltrating mostly U.S.-based large enterprises, educational institutions, and customers of major ISPs. The MayDay botnet can evade leading antivirus products, and so far has compromised thousands of hosts, according to Damballa, which says 96.5 percent of the infected machines are in the U.S., and about 2.5 percent in Canada. Damballa first hinted of this potential successor to Storm late last year... The botnet uses two forms of P2P communications to ensure it can talk to its bots, including the Internet Control Message Protocol (ICMP)... Damballa is not sure why AV engines aren't detecting MayDay's malware... The infection comes in the form of what appears to the victim to be an Adobe Reader executable, but is actually the malware...
As for Storm, researchers are now looking at whether another spam-spewing botnet, called Mega-D, is somehow related to Storm. Researchers from U.K.-based security vendor Marshal over the weekend blogged about Mega-D overshadowing Storm in spam delivery, with 32 percent of all spam they caught in their filters versus only 2 percent from Storm, which they say previously had accounted for 20 percent of the spam. Mega-D mostly spams male sexual enhancement drugs, according to Marshal...
So far, MayDay is mostly ordering its bots to send spam runs, he says. It also sends accounting information back to the command and control servers on the success of the spam runs, so it appears relatively businesslike. Meanwhile, Damballa is working on reverse-engineering the ICMP communications, which are encrypted, Cox says."

Also see:
- http://asert.arborne...mbot-follow-up/
February 5, 2008 - Mega-D Spambot Follow-up

:ph34r:

Edited by AplusWebMaster, 05 February 2008 - 10:17 AM.



#53 AplusWebMaster


Posted 07 February 2008 - 03:38 PM

FYI...

Storm Worm's Family Tree
- http://blog.washingt...ily_tree_1.html
February 7, 2008
(Detailed study on the history of "Storm", 'way too many links to post here. Good job Brian!)

:blink:



#54 AplusWebMaster


Posted 11 February 2008 - 08:23 AM

FYI...

Storm Worm Valentine's Day Update
- http://www.shadowser...lendar.20080210
February 10, 2008 - "...Storm Worm has once again undergone another change as Valentine's Day is approaching. Fresh with 8 different rotating Valentine's Day images and a new executable named valentine.exe (may sound familiar), the Storm Worm may be gearing up for a new round of assaults on inboxes. It would appear that the domains are no longer serving up wildcard .gif files related to their stock spams. Instead we have eight .gif images ranging from 1.gif on up to 8.gif. After a few moments you'll be prompted to download the binary... a peek at the 8 images..."

- http://blog.trendmic...oves-everybody/
February 11, 2008 - "...The spammed email messages are just plain text, but these contain links that lead to malicious Web sites displaying one of eight cute Valentine images..."

(Screenshots available at the URLs above.)

> http://www.fbi.gov/p...mworm021208.htm
February 12, 2008

:ph34r:

Edited by AplusWebMaster, 12 February 2008 - 04:01 PM.



#55 AplusWebMaster


Posted 12 February 2008 - 05:05 PM

FYI...

Storm worm's spammy love notes
- http://isc.sans.org/...ml?storyid=3979
Last Updated: 2008-02-12 22:42:30 UTC - "We received several reports of spam containing Subject lines such as: “Sweetest Things Aren’t Things!, Valentine’s Day, The Love Train” and other similar subject lines. These all included a URL that is just an IP address. Those URLs lead to binaries named valentine.exe. The MD5 on the binaries is changing rapidly so AV detection based on MD5 or other hash values is not reliable. We submitted one version to virustotal. 12/31 of the av engines there recognized it. Valentine.exe is a new version of storm worm... Jose Nazario of Arbornetworks has some additional about this at:
http://asert.arborne...s-day-campaign/ ..."
"...Poor AV detection (via VirusTotal), but humans can spot this a mile away."

:ph34r:

Edited by AplusWebMaster, 12 February 2008 - 05:12 PM.

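Posts #47, #50 and #55 all describe the same structural tell: the lure URL's host is a bare IP address (sometimes with a short random directory, sometimes pointing straight at an .exe), while the binary's hash changes too fast for hash-based detection. The following is an added example, not code from the thread or from any vendor quoted in it; it scores constructed sample messages on those structural features. The subject list, filenames and TEST-NET addresses are assumptions drawn from or constructed for this thread.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Subject lines and download names quoted in this thread (Jan-Feb 2008 waves).
LURE_SUBJECTS = {
    "a toast my love", "your love has opened", "sending you my love",
    "valentine's day", "the love train", "sweetest things aren't things!",
}
LURE_BINARIES = {"withlove.exe", "with_love.exe", "valentine.exe"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Jan 29 wave: http://IP/<short random directory> redirectors to pill sites.
SHORT_DIR_RE = re.compile(r"/[a-z0-9]{1,8}", re.IGNORECASE)


def bare_ip_host(url):
    """True if the URL's host is a literal IPv4 address rather than a name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def score_message(subject, body):
    """Return the reasons a message looks like a Storm lure (empty if none).

    Keys on structure (IP-only hosts, .exe targets, known subjects), not on
    the binary's hash, which the ISC post says changes too fast to be useful.
    """
    reasons = []
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("known lure subject")
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        path = urlsplit(url).path.rstrip("/")
        if bare_ip_host(url):
            reasons.append("bare-IP URL: " + url)
            if SHORT_DIR_RE.fullmatch(path):
                reasons.append("short random directory: " + path)
        name = path.rsplit("/", 1)[-1].lower()
        if name in LURE_BINARIES:
            reasons.append("known lure binary: " + name)
        elif name.endswith(".exe"):
            reasons.append("direct .exe download: " + name)
    return reasons


# Constructed samples (TEST-NET addresses, not real Storm nodes).
SAMPLES = {
    "love":   ("A Toast My Love", "Open it here: http://192.0.2.10/"),
    "pills":  ("Cheap meds", "See http://198.51.100.7/x7fq2 today."),
    "direct": ("Valentine's Day", "http://203.0.113.5/valentine.exe"),
    "benign": ("Meeting notes", "Slides at https://example.com/deck.pdf"),
}

if __name__ == "__main__":
    for label, (subj, body) in SAMPLES.items():
        print(label, "->", score_message(subj, body) or "clean")
```

A mail gateway rule built on these features keeps working across hash rotations; tune the short-directory pattern against your own legitimate traffic before blocking on it alone.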



#56 AplusWebMaster


Posted 27 February 2008 - 05:12 PM

FYI...

Botnet wars?
- http://blog.trendmic...ootkit-remover/
February 27, 2008 - "A malware removes rootkits? There has to be a catch here. Our recent analysis of RTKT_PUSHU.AC reveals that this component of WORM_NUWAR, TROJ_PUSHDO/TROJ_PANDEX malware families removes previously installed rootkits by other malware but then infects the system with its own rootkit components..."


:ph34r:



#57 AplusWebMaster


Posted 03 March 2008 - 05:51 AM

FYI...

Storm Reactivating
- http://www.f-secure....s/00001392.html
March 3, 2008 - " We haven't seen new Storm sites since the spam run they did over Valentine's Day… until early this morning. Right now they are sending a wide variety of mails regarding ecards... Depending on what you do, you end up with either e-card.exe (clicking the picture), e-card.exe (clicking the link) or postcard.exe (waiting for a few seconds). The files are variable but they always do the same thing: infect your system with the latest Storm/Zhelatin variant..."
(Screenshots available at the F-Secure URL above.)

- http://isc.sans.org/...ml?storyid=4054
Last Updated: 2008-03-03 08:18:58 UTC - "...Well, Storm is back, and back to generic e-Card spam... some Subjects and Contents to watch for:

Subject:
Your ecard joke is waiting
You have an ecard
We have a ecard surprise
Someone Just sent you an ecard
Did you open your ecard yet
ecard waiting for you
Open your ecard
new ecard waiting
Now this is funny
online greeting waiting
sent you an ecard

Body:
laughing Funny Card
You have been sent a Funny Postcard
You have been sent the Funny Ecard
original Funny Card
Someone Sent you this Funny Ecard
your funny postcard
original Funny Postcard
sent a Funny Postcard
personal funny postcard
FunnyPostcard
laughing funny postcard

Watch your inbox, and let's hope the AV vendors jump on this quickly."

:ph34r:

Edited by AplusWebMaster, 03 March 2008 - 07:35 AM.



#58 AplusWebMaster


Posted 31 March 2008 - 04:19 PM

FYI...

- http://www.f-secure....s/00001410.html
March 31, 2008 19:45 GMT - " A wave of April Fool's Day related Storm (e)mails have just been sent out. Similar to the other times, with a link that points to an IP address... if you receive one of these emails, don't click on the link."
(Screenshots available at the URL above.)

- http://isc.sans.org/...ml?storyid=4222
Last Updated: 2008-03-31 21:00:07 UTC - "...Again, a varied list of subjects comes with this release:
All Fools' Day
Doh! All's Fool.
Doh! April's Fool.
Gotcha!
Gotcha! All Fool!
Gotcha! April Fool!
Happy All Fool's Day.
Happy All Fools Day!
Happy All Fools!
Happy April Fool's Day.
Happy April Fools Day!
Happy Fools Day!
I am a Fool for your Love
Join the Laugh-A-Lot!
Just You
One who is sportively imposed upon by others on the first day of April
Surprise!
Surprise! The joke's on you.
Today You Can Officially Act Foolish
Today's Joke!
...The download is a binary, also with varying names:
foolsday.exe *
funny.exe
kickme.exe
...Virus coverage is poor* with the samples we've captured, but we're working with the AV vendors to improve that..."

* i.e.: http://www.virustota...95081c150afb4cd
File foolsday.exe received on 03.31.2008 21:16:16 (CET)
Current status: finished
Result: 6/32 (18.75%)

:ph34r:

Edited by AplusWebMaster, 01 April 2008 - 12:08 PM.



#59 AplusWebMaster


Posted 01 April 2008 - 09:46 AM

More...

April Storm’s Day Campaign
- http://asert.arborne...ms-day-campaign
March 31, 2008 - "...here are the specifics for this variant:
* Peerlist: C:\WINDOWS\aromis.config
* Installs as: C:\WINDOWS\aromis.exe
* As always, listens on a random UDP port, makes a lot of outbound connections, allows itself to the firewall via “netsh firewall set” and via the registry, uses w32tm to update its clock, and so on."

:angry: :ph34r:

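The Arbor specifics quoted in #59 (a binary and peer list dropped directly into C:\WINDOWS, a firewall exception added with "netsh firewall set", a w32tm clock sync, a listener on a random UDP port) are host-side behaviours a log review can correlate. The following is an added example, not from the thread or from Arbor, that runs that correlation over a constructed process/file/socket log; the log format, the exact netsh argument form and the UDP port are assumptions.

```python
import re
from collections import defaultdict

# Artifacts quoted from the Arbor write-up of the April 2008 variant.
STORM_BINARY = r"c:\windows\aromis.exe"
STORM_PEERLIST = r"c:\windows\aromis.config"
# Executable sitting directly in the Windows directory (not system32).
WINROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
# Path argument to "netsh firewall set ..." (argument form is assumed).
NETSH_PATH = re.compile(r"(c:\\[^\s\"]+\.exe)", re.IGNORECASE)


def analyze(log_text):
    """Map each image path (lower-cased) to the Storm-like behaviours seen.

    Log format is constructed: ts|event|image|detail, one event per line.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, image, detail = line.split("|", 3)
        img, det = image.lower(), detail.lower()
        if event == "ProcessCreate" and img == STORM_BINARY:
            findings[img].append(f"{ts} known Storm binary path")
        if event == "ProcessCreate" and img.endswith(r"\netsh.exe") and "firewall set" in det:
            # Attribute the exception to the program being whitelisted.
            m = NETSH_PATH.search(det)
            findings[m.group(1) if m else img].append(f"{ts} firewall exception via netsh")
        if event == "ProcessCreate" and img.endswith(r"\w32tm.exe"):
            findings[img].append(f"{ts} w32tm clock sync (weak signal on its own)")
        if event == "FileCreate" and det == STORM_PEERLIST:
            findings[img].append(f"{ts} wrote peer list {detail}")
        if event == "UdpListen" and WINROOT_EXE.match(img):
            findings[img].append(f"{ts} Windows-root binary listening on UDP {detail}")
    return dict(findings)


def suspects(findings, min_signals=2):
    """Images with at least min_signals distinct behaviours."""
    return sorted(k for k, v in findings.items() if len(v) >= min_signals)


# Constructed sample log; the netsh argument form and the port are assumptions.
SAMPLE_LOG = r"""
2008-03-31 21:20:01|ProcessCreate|C:\WINDOWS\aromis.exe|"C:\WINDOWS\aromis.exe"
2008-03-31 21:20:02|ProcessCreate|C:\WINDOWS\system32\netsh.exe|netsh firewall set allowedprogram C:\WINDOWS\aromis.exe aromis ENABLE
2008-03-31 21:20:03|ProcessCreate|C:\WINDOWS\system32\w32tm.exe|w32tm /resync
2008-03-31 21:20:04|FileCreate|C:\WINDOWS\aromis.exe|C:\WINDOWS\aromis.config
2008-03-31 21:20:05|UdpListen|C:\WINDOWS\aromis.exe|0.0.0.0:41523
2008-03-31 21:25:00|ProcessCreate|C:\Program Files\Mozilla Firefox\firefox.exe|firefox.exe
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for image in suspects(result):
        print(image)
        for reason in result[image]:
            print("  -", reason)
```

The filename changes from wave to wave, so the durable signals are the generic ones (Windows-root executable, firewall exception, UDP listener) rather than the aromis name itself.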


#60 AplusWebMaster


Posted 07 April 2008 - 02:40 PM

FYI...

- http://forums.whatth...=...st&p=452370

- http://www.avertlabs...-loves-you-not/
April 7, 2008

:ph34r:

Edited by AplusWebMaster, 08 April 2008 - 07:17 AM.

