
SANS ISC: Happy New Years .... from the Storm Worm - SANS Internet Storm Center


Happy New Years .... from the Storm Worm

Now that Christmas is here, the Storm Worm is moving on to New Years.

Overview and Blocking Information

Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Years-themed e-card directing victims to "uhave post card.com" (spaces inserted to break the URL). NOTE: Please do not blindly go to this URL -- there is malware behind it.

The message comes in with a number of subjects and body texts. The one-line message bodies are also being used as the subject lines.

Seen So Far:

A fresh new year
As the new year...
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It's the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year

Thanks to David F for the initial report.

We recommend applying blocks on the domain (u have post card.com) for both incoming email and outbound web traffic.
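As an added example (not part of the diary), a mail-filter check built from the indicators above: it flags the listed subject and one-line body lures and returns a block verdict for messages that link to the domains recommended for blocking. The sample message and the example.invalid addresses are constructed.

```python
import re
from email import message_from_string

# Subject lines / one-line bodies reported in the diary (compared case-insensitively).
STORM_LURES = {
    "a fresh new year", "as the new year...", "as you embrace another new year",
    "blasting new year", "happy 2008!", "happy new year!", "it's the new year",
    "joyous new year", "new hope and new beginnings", "new year ecard",
    "new year postcard", "opportunities for the new year", "wishes for the new year",
}
# Domains the diary recommends blocking, written without the spaces the diary inserts.
BLOCKED_DOMAINS = {"uhavepostcard.com", "merrychristmasdude.com"}
# Loose hostname matcher: accepts bare hosts, an http(s):// scheme and a leading www.
HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def body_text(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def classify(raw_message: str) -> dict:
    """'block' on a link to a blocked domain, 'suspicious' on lure text alone, else 'clean'."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    body = body_text(msg)
    first_line = body.strip().splitlines()[0] if body.strip() else ""
    reasons = []
    if subject.lower() in STORM_LURES:
        reasons.append(f"subject is a known Storm lure: {subject!r}")
    if first_line.lower() in STORM_LURES:
        reasons.append("body opens with a known Storm lure line")
    hosts = {m.group(1).lower() for m in HOST_RE.finditer(body)}
    blocked = sorted(hosts & BLOCKED_DOMAINS)
    reasons.extend(f"link to blocked domain {h}" for h in blocked)
    verdict = "block" if blocked else ("suspicious" if reasons else "clean")
    return {"verdict": verdict, "blocked_hosts": blocked, "reasons": reasons}

# Constructed sample in the campaign's shape; not a captured Storm message.
SAMPLE = """From: sender@example.invalid
Subject: Happy New Year!
Content-Type: text/plain; charset=us-ascii

Happy New Year!
http://uhavepostcard.com/
"""
```

A message whose subject or first body line is a listed lure but that carries no blocked link comes back "suspicious" rather than "block", so the lure list alone does not quarantine ordinary holiday greetings.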

Under The Hood

As with 'merry christmas dude.com', this domain appears to be registered through nic.ru. It also appears to be hosted on the same fast-flux network, now with at least 8000 nodes.

If you go to that web site, currently the malware file is 'happy2008.exe'.  We will add more analysis details throughout the day as we get them.
 


David Goldsmith (dgoldsmith -at- sans.org)
