Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Deja Vu: Valentine's Storm

Published: 2008-01-16
Last Updated: 2008-01-16 10:26:18 UTC
by Bojan Zdrnja (Version: 1)
2 comment(s)

Yesterday we started receiving another wave of Storm e-mails, this time exploiting our love: you got it, Storm started exploiting Valentine’s Day. It looked like they missed the ball for Christmas but now they are certainly back.

The e-mails Storm is sending are same as in last couple of waves – a subject designed to catch your attention and the body with a URL consisting of only an IP address (in other words, it should be easy to detect this with anti-spam tools).

Once a user visits the web site he is served with a nice web page (see below) and a link to download an executable – same as with previous versions.

Valentine Storm

So is there anything new about this variant of Storm? Not really. The social engineering attack is the same as before. Actually, there are a lot of similarities with Storm’s Valentine’s attack last year (2007). The subjects are almost the same and the only difference is that last year Storm sent itself as an attachment.

Storm’s packing/obfuscation techniques are still up to the task – when I downloaded the first variant only 4 anti-virus programs out of 32 on VirusTotal properly detected it with virtually no coverage amongst the most popular anti-virus programs. These results are not completely correct since some AV programs are able to block Storm when the user tries to execute it, due to behavior analysis. That being said, it still shows that the server side packing/obfuscation Storm uses works.

Following the pattern we can probably expect Super Bowl being exploited soon as well.



2 comment(s)
Diary Archives