Happy New Years .... from the Storm Worm
Now that Christmas is here, the Storm Worm is moving on to New Years.
Overview and Blocking Information
Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Years-themed e-card directing victims to "uhave post card.com." (spaces inserted to break the URL) NOTE: Please do not blindly go to this URL -- there is malware behind it.
The message comes in with a number of subjects and body texts. The one-line message bodies are also being used as the subject lines.
Seen So Far:
A fresh new year
As the new year...
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It's the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year
Update 1:
Happy New Year to You!
Happy New Year to <email address>
Lots of greetings on the new year
New Year wishes for You
Thanks to David F for the initial report.
We recommend applying filter blocks on the domain (u have post card.com) for both incoming email and outbound web traffic.
Under The Hood
As with 'merry christmas dude.com', this domain appears to be registered through nic.ru. It also appears to be hosted on the same fast-flux network, now with at least 8000 nodes.
The malware file currently served from that web site is 'happy2008.exe'. We will add more analysis details throughout the day as we get them.
Update 2:
Russ has posted an update to his blog entry from the other day with information about the newest Storm Worm. His blog posting is available at http://holisticinfosec.blogspot.com/2007/12/new-years-storm-deja-vu.html
Update 3:
Shortly before 1500 GMT 26-DEC-2007, the Storm Worm has changed the domain name and the executable file name being used to spread. The email messages now refer to the URL http: // happy cards 2008 . com (spaces added) and the file to be downloaded is 'happy-2008.exe'.
We recommend applying filter blocks on the domain for both incoming email and outbound web traffic.
Russ has posted an update to his blog entry from the other day with information about the happy-2008.exe Storm Worm file. His blog posting is available at http://holisticinfosec.blogspot.com/2007/12/holiday-storm-part-3.html
Update 4:
First reported to us by Roger, shortly before 0700 GMT 27-DEC-2007, the Storm Worm has changed the domain name and the executable file name being used to spread yet again. The email messages now refer to the URL http: // new year cards 2008 . com (spaces added) and the file to be downloaded is 'happynewyear.exe'.
As with the previous URLs and filename, we recommend applying filter blocks on the domain for both incoming email and outbound web traffic.
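The diary recommends blocking on the campaign domains for both inbound mail and outbound web traffic, and lists the subject lines seen so far. The following is an added example of how a mail gateway or proxy-log check could apply those indicators; it is not code from the ISC diary. The subject lines, the defanged domains (spaces inserted exactly as the diary prints them) and the three payload file names are taken from the diary text; the sender address, recipient address, proxy log format and sample messages are constructed for the demonstration. The blocklist is kept in the diary's defanged form and refang() rebuilds the hostnames only at match time, so the page never shows a live URL.

```python
"""Indicator matching for the Storm Worm New Year e-card campaign.

Added example, not part of the ISC diary.  Indicators come from the diary;
sample messages and log lines are constructed.
"""
import re
from email import message_from_string
from email.message import Message

# Subject lines listed in the diary, lower-cased for comparison.
STORM_SUBJECTS = {
    "a fresh new year", "as the new year...", "as you embrace another new year",
    "blasting new year", "happy 2008!", "happy new year!", "it's the new year",
    "joyous new year", "new hope and new beginnings", "new year ecard",
    "new year postcard", "opportunities for the new year",
    "wishes for the new year", "happy new year to you!",
    "lots of greetings on the new year", "new year wishes for you",
}
# "Happy New Year to <email address>" carries the recipient's own address.
ADDRESSED_SUBJECT_RE = re.compile(r"happy new year to \S+@\S+")

# Domains in the space-broken (defanged) form the diary uses.
DEFANGED_DOMAINS = [
    "uhave post card.com",        # first wave, 25-DEC-2007
    "happy cards 2008 . com",     # update 3, 26-DEC-2007
    "new year cards 2008 . com",  # update 4, 27-DEC-2007
]
PAYLOAD_FILENAMES = {"happy2008.exe", "happy-2008.exe", "happynewyear.exe"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/[^\s\"'<>]*)?", re.IGNORECASE)


def refang(defanged: str) -> str:
    """Remove the spaces inserted to break the URL and return the hostname."""
    return "".join(defanged.split()).lower()


BLOCKED_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def subject_matches(subject: str) -> bool:
    """True if the subject is one the diary attributes to this campaign."""
    s = " ".join(subject.split()).lower()
    return s in STORM_SUBJECTS or ADDRESSED_SUBJECT_RE.fullmatch(s) is not None


def url_hits(text: str) -> list:
    """Return indicator matches (blocked domain, payload name) for URLs in text."""
    hits = []
    for host, path in URL_RE.findall(text):
        host = host.lower().rstrip(".")
        if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
            hits.append("domain:" + host)
        filename = path.rsplit("/", 1)[-1].lower() if path else ""
        if filename in PAYLOAD_FILENAMES:
            hits.append("payload:" + filename)
    return hits


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts of a parsed message."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself, then subparts
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify_email(raw: str) -> dict:
    """Inbound mail check: block on a campaign subject, domain or payload name."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    reasons = ["subject:" + subject] if subject_matches(subject) else []
    reasons.extend(url_hits(_body_text(msg)))
    return {"block": bool(reasons), "reasons": reasons}


def classify_proxy_line(line: str) -> dict:
    """Outbound web check: the same URL indicators applied to a proxy log line."""
    reasons = url_hits(line)
    return {"block": bool(reasons), "reasons": reasons}


# Constructed samples; the hostnames are rebuilt from the defanged list above.
SAMPLE_EMAIL = (
    "From: greetings@example.net\n"
    "To: bob@example.org\n"
    "Subject: Happy New Year to bob@example.org\n"
    "\n"
    "You have received a postcard. Open it at "
    "http://" + refang(DEFANGED_DOMAINS[2]) + "/happynewyear.exe\n"
)
SAMPLE_PROXY_LINE = (
    "1198746000 192.0.2.10 GET http://" + refang(DEFANGED_DOMAINS[1]) + "/happy-2008.exe 200"
)

if __name__ == "__main__":
    print(classify_email(SAMPLE_EMAIL))
    print(classify_proxy_line(SAMPLE_PROXY_LINE))
```

Matching on the hostname suffix as well as the exact name covers subdomains served from the same fast-flux pool; the file-name check is a second, independent signal in case the domain changes again before the list is updated, as it did twice during this diary.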
David Goldsmith (dgoldsmith -at- sans.org)