
SANS ISC: Anticipated Storm-Bot Attack Begins - SANS Internet Storm Center


Anticipated Storm-Bot Attack Begins

Shortly after 0000 GMT 24-DEC-2007, reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a Christmas-themed stripshow directing victims to merrychristmasdude.com.

The message comes in with a number of subjects:

 

Subject: I love this Carol!
Subject: Santa Said, HO HO HO
Subject: Christmas Email
Subject: The Perfect Christmas
Subject: Find Some Christmas Tail
Subject: Time for a little Christmas Cheer

The body is something similar to:

 

do you have a min?



This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these. ;-)

http://merry christmasdude.com/

 

[the domain was interrupted for your protection]

Thanks, Kevin, for the initial report.

I recommend that you apply blocks on that domain (merrychristmasdude.com) for both outbound HTTP requests and incoming emails.


Kevin Liston (kliston -at- isc.sans.org)
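
The block recommended above, applied to inbound mail and outbound HTTP requests, as an added Python example (not code from the diary or from SANS ISC). The subjects and domain are the ones listed above; the function names and the sample message are assumptions made for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Indicators taken from the diary text above.
BLOCKED_DOMAIN = "merrychristmasdude.com"
SUBJECTS = {s.lower() for s in (
    "I love this Carol!", "Santa Said, HO HO HO", "Christmas Email",
    "The Perfect Christmas", "Find Some Christmas Tail",
    "Time for a little Christmas Cheer",
)}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_blocked(host):
    """True for the blocked domain or any subdomain, not for lookalikes."""
    host = (host or "").lower().rstrip(".")
    return host == BLOCKED_DOMAIN or host.endswith("." + BLOCKED_DOMAIN)


def url_blocked(url):
    """Outbound HTTP check: match on the parsed hostname, not a substring."""
    try:
        return host_blocked(urlsplit(url).hostname)
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False


def check_message(raw):
    """Inbound mail check: return the list of indicators that matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if any(url_blocked(u) for u in URL_RE.findall(text)):
        hits.append("url")
    return hits


# Constructed sample message (addresses are placeholders); the URL is
# assembled from the constant so no live link appears in this listing.
SAMPLE = (
    "From: sender@example.invalid\nTo: user@example.invalid\n"
    "Subject: Santa Said, HO HO HO\n\n"
    "do you have a min?\n\nhttp://" + BLOCKED_DOMAIN + "/\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

Subject lines are trivial for a sender to change, so the hostname match is the stronger of the two signals.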

