Last Updated: 2008-07-04 15:01:30 UTC
by Kevin Liston (Version: 2)
I read about MX Logic's prediction this morning (www.computerworld.com/action/article.do) that we should expect another wave of Storm Bot recuitment emails likely using the US Independence Day holiday as a lure. This group behind the Storm Botnet has always been concious of timing and shortly after 5pm Eastern time I began to receive reports that a new wave had started.
There's nothing very different about this one, it directs the user to click on a link that encourages the intended victim to download fireworks.exe.
Gary Warner has a nice starter collection of Subjects, Bodies, and hosting IPs for those who need to set up blocks and filters available here: garwarner.blogspot.com/2008/07/storm-worm-salutes-our-nation-on-4th.html I'm sure that the list will continue to grow. I'd recommend that you play it safe by blocking all attemtps to download fireworks.exe at your perimeter (your environment may vary, but I can't see any business justification for any executables named fireworks to be downloaded by my users-- I know "Kevin is no fun.")
Fireworks of Fireworks.exe
Russ McRee did a nice little write-up and visualization of the bots traffic. I think it's prettier than what the lure-video promised. It's available here: holisticinfosec.blogspot.com/2008/07/visualized-storm-fireworks-for-your-4th.html
A reader wrote in asking: "I am interested to know, how it is possible, that the storm worm is still able to be such a threat, that ISC needs to report about it?"
My morning pre-caffein answer:
I don't consider these Storm Bot-net waves to be so much of a threat-- I consider them like an EICAR for an organization's incident response process. If your security policies and incident response procedures are having difficulty with this kind of event, they both need some assistance and re-tooling.