Last Updated: 2007-12-24 19:37:24 UTC
by Kevin Liston (Version: 4)
Overview and Blocking Information
Shortly after 0000 GMT 24-DEC-2007 reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a Christmas-themed stripshow directing victims to merrychristmasdude.com.
The message comes in with a number of subjects:
Subject: I love this Carol!
Subject: Santa Said, HO HO HO
Subject: Christmas Email
Subject: The Perfect Christmas
Subject: Find Some Christmas Tail
Subject: Time for a little Christmas Cheer
Subject: Merry Christmas To All
Subject: Warm Up this Christmas
Subject: Mrs. Clause Is Out Tonight!
Subject: The Twelve Girls Of Christmas
Subject: Jingle Bells, Jingle Bells
Subject: Cold Winter Nights
The body is something similar to:
do you have a min?
This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these. ;-)
[the domain was interrupted for your protection]
Thanks Kevin for the initial report.
I recommend that you apply blocks on that domain (merrychristmasdude.com) for both outbound HTTP requests and incoming emails.
Under The Hood
The domain appears to be registered through nic.ru and hosted on a fast-flux network of at least 1000 nodes. Like previous Storm waves, the binary changes approximately every 15 minutes, supposedly updating the peer list that the botnet's P2P network uses for command and control.
Russ has a nice and tidy analysis available at: http://holisticinfosec.blogspot.com/2007/12/storm-bot-stripshow-analysis.html
and Jose Nazario has a nice one at http://asert.arbornetworks.com/2007/12/storm-is-back-dude/
Speaking of Blogspot
If you google for merrychristmasdude.com you'll see a number of spam blogs set up with that domain in their body and directing traffic to siski.cn (take a look for that in your proxy logs while you're at it.)
Visiting siski.cn will redirect you over to shockbabetv.com and attempt to install a fake video codec, which itself appears to be a downloader to deliver more coal to your stocking.
Kevin Liston (kliston -at- isc.sans.org)
Last Updated: 2007-12-24 18:15:05 UTC
by Lorna Hutcheson (Version: 1)
There is no better Christmas gift that I can think of to give than one that involves packets. It's been a while since I posted a packet challenge, but I couldn't let Christmas go by without posting one. So for all you fellow packet heads out there, here is one for you to spend your holidays pondering. This challenge is different from last year's, so let me tell you the rules for solving this one. I will give you your first clue to start you off, but you can choose the approach you take:
Approach #1: Download the file called xmas_Starter.pcap which contains the single starter packet and look at it in your favorite sniffer to extract the payload to decode.
Approach #2: For all you die hard hex geeks, I've dumped the packet in hex into a text file called starter_challenge.txt for your viewing pleasure. Find your payload in the hex dump and decode it.
In the payload, you will find a Christmas question that has a numeric answer. The correct answer is the exact packet number in the xmas_challenge_2007.pcap file where you will find your next Christmas question. So for example, if the answer is 30, then packet number 30 is the packet you are looking for in xmas_challenge_2007.pcap. Do NOT start counting from the packet whose question you just answered; if you do, you will be wrong. Each question is in the payload and must be deciphered. There are misleading packets in this challenge, so make sure you know your Christmas trivia or you could end up on the wrong packet! How will you know when you are at the end of the challenge? The last packet you are directed to will not have a question, but will have a message from the handlers to all our readers. It also may or may not contain the message in one single packet :>)
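As an added example (not part of the diary or the challenge files), here is how Approach #2 can be done programmatically: rebuild the raw frame from a sniffer-style hex dump, walk the Ethernet, IPv4 and TCP/UDP headers by their own length fields, and pull out the payload text. The dump below is constructed for illustration and is not the starter_challenge.txt packet; the parser also handles 802.1Q-tagged frames and UDP, which goes beyond the single starter packet.

```python
import re
import struct

# Constructed hex dump of one Ethernet frame (IPv4/TCP, payload = a question),
# in the offset / hex bytes / ASCII layout a sniffer's text export uses.
HEXDUMP = """\
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00  .."3DUfw......E.
0010  00 3a 00 01 00 00 40 06 00 00 0a 00 00 01 0a 00  .:....@.........
0020  00 02 04 d2 00 50 00 00 00 00 00 00 00 00 50 18  .....P........P.
0030  ff ff 00 00 00 00 48 6f 77 20 6d 61 6e 79 20 72  ......How many r
0040  65 69 6e 64 65 65 72 3f                          eindeer?
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw frame: keep only the hex column of each dump row."""
    out = bytearray()
    for line in dump.splitlines():
        fields = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(fields) < 2 or not re.fullmatch(r"[0-9a-fA-F]{4,8}", fields[0]):
            continue                      # not a dump row (blank, header, ...)
        out += bytes.fromhex(fields[1])   # fromhex ignores the single spaces
    return bytes(out)

def extract_payload(frame: bytes) -> bytes:
    """Walk Ethernet -> IPv4 -> TCP/UDP headers and return the L4 payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = frame[14:]
    if ethertype == 0x8100:               # 802.1Q tag: real ethertype 4 bytes on
        ethertype = struct.unpack("!H", frame[16:18])[0]
        l3 = frame[18:]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ihl = (l3[0] & 0x0F) * 4              # header length incl. IP options
    total_len = struct.unpack("!H", l3[2:4])[0]
    l4 = l3[ihl:total_len]                # honour total length: drops Ethernet padding
    proto = l3[9]
    if proto == 6:                        # TCP: data offset is in 32-bit words
        return l4[(l4[12] >> 4) * 4:]
    if proto == 17:                       # UDP: fixed 8-byte header
        return l4[8:]
    raise ValueError(f"unsupported IP protocol {proto}")

def challenge_question(dump: str) -> str:
    """Decode the payload text carried in a hex-dumped packet."""
    return extract_payload(hexdump_to_bytes(dump)).decode("ascii", "replace").strip()

if __name__ == "__main__":
    print(challenge_question(HEXDUMP))    # How many reindeer?
```

The same extract_payload() works on a frame read out of a pcap, so once the numeric answer is known the packet at that index can be decoded the same way.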
For those who accept the challenge, send in an email listing each question you found and what the message is from the ISC handlers to everyone. If you get stuck, send in an email too and we'll get you back on track! I'll post the results in a week or so to give folks time to play. Good luck to everyone and let the games begin!!!