
SANS ISC InfoSec Handlers Diary Blog



Happy New Years .... from the Storm Worm

Published: 2007-12-25
Last Updated: 2007-12-27 13:39:26 UTC
by David Goldsmith (Version: 5)

Now that Christmas is here, the Storm Worm is moving on to New Years.

Overview and Blocking Information

Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members.  This version is a New Year's-themed e-card directing victims to "u have post card.com" (spaces inserted to break the URL).  NOTE: Please do not blindly go to this URL -- there is malware behind it.

The message comes in with a number of different subject lines and one-line bodies; the one-line message bodies are also being used as the subject lines.

Seen So Far:

A fresh new year
As the new year...
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It's the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year

Update 1:

Happy New Year to You!
Happy New Year to <email address>
Lots of greetings on the new year
New Year wishes for You

Thanks to David F for the initial report.

We recommend applying filters to block the domain (u have post card.com) for both incoming email and outbound web traffic.

Under The Hood

As with 'merry christmas dude.com', this domain appears to be registered through nic.ru.  It also appears to be hosted on the same fast-flux network, now with at least 8000 nodes.

The malware file currently served from that web site is 'happy2008.exe'.  We will add more analysis details throughout the day as we get them.

Update 2:

Russ has posted an update to his blog entry from the other day with information about the newest Storm Worm.  His blog posting is available at http://holisticinfosec.blogspot.com/2007/12/new-years-storm-deja-vu.html

Update 3:

Shortly before 1500 GMT 26-DEC-2007, the Storm Worm changed both the domain name and the executable file name being used to spread.  The email messages now refer to the URL http: // happy cards 2008 . com (spaces added) and the file to be downloaded is 'happy-2008.exe'.

We recommend applying filters to block this domain as well, for both incoming email and outbound web traffic.

Russ has posted an update to his blog entry from the other day with information about the happy-2008.exe Storm Worm file.  His blog posting is available at  http://holisticinfosec.blogspot.com/2007/12/holiday-storm-part-3.html

Update 4:

First reported to us by Roger shortly before 0700 GMT 27-DEC-2007, the Storm Worm has changed the domain name and the executable file name being used to spread yet again.  The email messages now refer to the URL http: // new year cards 2008 . com (spaces added) and the file to be downloaded is 'happynewyear.exe'.

As with the previous URLs and file names, we recommend applying filters to block this domain for both incoming email and outbound web traffic.
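As an added example (not ISC's own code), the following Python script applies the blocking recommendation repeated in the updates above to mail on the way in. It matches the three domains and three dropper file names quoted in this diary against every URL in a message and returns "block" on a hit; the listed subject lines only earn a "review", because "Happy New Year!" will also appear in plenty of legitimate mail over the next week. The sample messages are constructed for the demonstration, the indicators are kept defanged inside the file and refanged at load time, and the script never fetches anything.

```python
import email
import re
from email import policy


def refang(s):
    """Turn the defanged 'example[.]com' form used in this file back into a hostname."""
    return s.replace("[.]", ".")


# Domains and file names quoted in the diary, kept defanged so this file is safe to share.
STORM_DOMAINS = {refang(d) for d in (
    "uhavepostcard[.]com",      # 25-DEC-2007, served happy2008.exe
    "happycards2008[.]com",     # 26-DEC-2007, served happy-2008.exe
    "newyearcards2008[.]com",   # 27-DEC-2007, served happynewyear.exe
)}
STORM_FILES = {"happy2008.exe", "happy-2008.exe", "happynewyear.exe"}

# Subject lines seen so far. Too generic to block on by themselves.
STORM_SUBJECTS = {s.lower() for s in (
    "A fresh new year", "As the new year...", "As you embrace another new year",
    "Blasting new year", "Happy 2008!", "Happy New Year!", "It's the new Year",
    "Joyous new year", "New Hope and New Beginnings", "New Year Ecard",
    "New Year Postcard", "Opportunities for the new year", "Wishes for the new year",
    "Happy New Year to You!", "Lots of greetings on the new year", "New Year wishes for You",
)}
# "Happy New Year to <email address>" is templated on the recipient, so match it by shape.
STORM_SUBJECT_RE = re.compile(r"^happy new year to \S+@\S+$", re.I)

URL_RE = re.compile(r"https?://([a-z0-9.-]+)(/[^\s\"'<>]*)?", re.I)


def extract_urls(text):
    """Yield (host, path) for every http(s) URL in text; host lowercased, path may be ''."""
    for m in URL_RE.finditer(text):
        yield m.group(1).lower(), (m.group(2) or "").rstrip(".,;)")


def message_text(msg):
    """Concatenate every text/* part, so a lure hidden in an HTML part is still seen."""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")


def classify(raw):
    """Return a verdict dict for one raw RFC 822 message: block, review or pass."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    subject_hit = subject.lower() in STORM_SUBJECTS or bool(STORM_SUBJECT_RE.match(subject))
    hosts, files = set(), set()
    for host, path in extract_urls(message_text(msg)):
        if host in STORM_DOMAINS or any(host.endswith("." + d) for d in STORM_DOMAINS):
            hosts.add(host)
        name = path.rsplit("/", 1)[-1].lower()
        if name in STORM_FILES:
            files.add(name)
    if hosts or files:
        verdict = "block"      # a known Storm domain or dropper name in a link
    elif subject_hit:
        verdict = "review"     # lure-shaped subject, but no link to act on
    else:
        verdict = "pass"
    return {"verdict": verdict, "subject_hit": subject_hit,
            "hosts": sorted(hosts), "files": sorted(files)}


def _constructed(defanged):
    """Build a sample message from a defanged template (constructed for this example)."""
    return refang(defanged).encode()


SAMPLE_DEC25 = _constructed("""\
From: greetings@example.net
To: victim@example.org
Subject: Happy New Year!

Happy New Year! http://uhavepostcard[.]com/happy2008.exe
""")
SAMPLE_DEC27 = _constructed("""\
From: greetings@example.net
To: victim@example.org
Subject: Happy New Year to victim@example.org

New Year Postcard: http://NewYearCards2008[.]com/happynewyear.exe.
""")
SAMPLE_GENERIC = _constructed("""\
From: friend@example.org
To: victim@example.org
Subject: Happy New Year!

See you at the party on the 31st.
""")
SAMPLE_BENIGN = _constructed("""\
From: friend@example.org
To: victim@example.org
Subject: Directions for the 31st

Map: http://www.example.org/party/map.png
""")

if __name__ == "__main__":
    for name, raw in [("dec25", SAMPLE_DEC25), ("dec27", SAMPLE_DEC27),
                      ("generic", SAMPLE_GENERIC), ("benign", SAMPLE_BENIGN)]:
        print(name, classify(raw))
```

In a real deployment the indicator sets would live outside the script and be reloaded as the diary's updates show the domain changing roughly daily; the verdict can then drive a milter or procmail rule, with the same domain list pushed to the web proxy for the outbound side of the recommendation.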

David Goldsmith (dgoldsmith -at- sans.org)

Digital Hitchhikers

Published: 2007-12-25
Last Updated: 2007-12-25 23:24:44 UTC
by David Goldsmith (Version: 1)

We received a report this afternoon from someone who had recently received a digital picture frame.  Unfortunately, it came with an extra component.  The built-in storage arrived with what appears to be malware already loaded on it: a file called 'cfhskjn.exe' was present when the frame was unpacked.

Some of the behavior seen when the digital picture frame was connected to the computer was:

  • MSCONFIG would not run - it would briefly open and then terminate
  • The system would blue screen when starting in safe mode
  • Going to various anti-virus websites would result in the web browser terminating
  • Various popups for randomly named .exe files with 'not valid image' messages

This specific product was an "ADS Digital Photo Frame - 8" (sold by Sam's Club - see http://www.samsclub.com/shopping/navigate.do?dest=5&item=368725), but this type of infection can affect, and has affected, other portable devices with internal storage.

Kaspersky has a blog entry 'Adventures at altitude'  (see http://www.viruslist.com/en/weblog?discuss=208187471&return=1) about one of their employees who bought a Kingston CF memory card that came with a virus on it.

Whether it's a picture frame, a digital camera or any USB, CF, SD, etc. memory card, the portable nature of these devices dredges up memories of all the floppy boot-sector viruses we used to have to deal with.  [ What's a 'floppy disk' you ask?  ;-) ]

Care should be taken when attaching storage devices to your computer: scan them for malware before opening anything on them, and handle them in as secure a fashion as is possible.
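As an added example, not part of the original diary, the script below does the kind of check the paragraph above recommends for a newly attached device. It walks the mounted volume, flags files an image-only device has no business carrying (executables, double extensions, and an autorun.inf, which Windows of that era honoured on insertion), and hashes every file for comparison against a blocklist. The sample volume it builds is constructed for this example, the 'cfhskjn.exe' bytes are a placeholder rather than the real sample, and the blocklist it accepts is hypothetical; nothing it finds is ever executed.

```python
import hashlib
import tempfile
from pathlib import Path

# File types that should never be on a picture frame's storage.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}


def sha256_of(path):
    """Hash a file in chunks so a large card does not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_volume(mount, known_bad=frozenset()):
    """Return one finding per suspicious file under the mount point; runs nothing."""
    root = Path(mount)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        suffixes = [s.lower() for s in path.suffixes]
        if suffixes and suffixes[-1] in EXEC_SUFFIXES:
            reasons.append("executable on an image-only device")
            if len(suffixes) >= 2:
                reasons.append("double extension hides the real type")
        if path.name.lower() == "autorun.inf":
            reasons.append("autorun.inf launches a program on insertion")
        digest = sha256_of(path)
        if digest in known_bad:            # known_bad is a hypothetical blocklist
            reasons.append("hash on blocklist")
        if reasons:
            findings.append({"path": path.relative_to(root).as_posix(),
                             "sha256": digest, "reasons": reasons})
    return findings


def build_sample_volume():
    """Constructed stand-in for the frame's storage (temp dir, placeholder bytes)."""
    root = Path(tempfile.mkdtemp(prefix="frame-"))
    (root / "DCIM").mkdir()
    (root / "DCIM" / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    # File name from the report; the contents are a placeholder, not the real sample.
    (root / "cfhskjn.exe").write_bytes(b"MZ" + b"\x90" * 64)
    (root / "autorun.inf").write_text("[autorun]\nopen=cfhskjn.exe\n")
    return str(root)


if __name__ == "__main__":
    for f in triage_volume(build_sample_volume()):
        print(f["path"], f["sha256"][:16], "; ".join(f["reasons"]))
```

Run it against the mount point of the device (mounted read-only where the platform allows, and with autorun disabled) before anything on it is opened; the hashes it prints are what you would submit to your AV vendor or compare against a blocklist.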


David Goldsmith (dgoldsmith -at- sans.org)
