February 10th, 2009 by Steven Adair
Just a quick post on some of the newer Waledac domains. The following were registered on February 4, 2009:
These have been updated and added to the list on the Shadowserver site at:
http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt
Steven
Posted in Waledac, Malware, Storm Worm
January 24th, 2009 by Steven Adair
Got the full list also being updated and posted on the Shadowserver website at the following URL:
http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt
However, just wanted to reiterate to people that you should block all of these domains:
Registered January 23, 2009:
Registered January 19, 2009:
Registered January 15, 2009:
Older:
Waledac Exploit Domain List:
googol-analisys.com
seocom.name
seocom.mobi
seofon.net
Also, if you are interested in all things Waledac (omghi2u!), check out Jeremy’s Waledac tracker here:
http://sudosecure.net/waledac/
Posted in Malware, Waledac, Exploits, Botnets, Spam, Storm Worm
April 10th, 2008 by Steven Adair
It appears that in addition to “supersameas.com”, the Storm Worm is now using and spamming itself out with several new domain names. These domain names are all with Chinese registrars and have been around since at least February, but are just now starting to be used. In addition to serving up the executables for download, they are also attempting to fire exploits at users running the Internet Explorer browser. It is highly recommended that you do NOT visit these domains. Here is the list that is currently active:
They are coming through via e-mail as always and continuing their assault against Blogger (blogspot.com) sites. Searching Google shows the standard “love”-related campaign. However, there is at least one result on Google showing politically motivated e-mails that are being sent as well. At least one spam reported on the Google group “news.admin.net-abuse.sightings” shows an e-mail with the subject “Cowen confirmed as next Irish premier Options” and a body of “Police fire on protesters in Nepal” followed by a link to one of the above domains.
If you visit these sites with IE, you will quickly find yourself being attacked via different ActiveX objects. The first set of exploits will attempt to download “load.exe” to the system. It will then ultimately redirect the visitor to “flow.php” which is full of obfuscated JavaScript. It is recommended that you block the above domain names and do not visit them.
Posted in Malware, Exploits, Spam, Storm Worm
April 8th, 2008 by Steven Adair
There’s a new round of Storm Worm e-mails going around taking advantage of our favorite technique, showing people what looks like a video and telling them they’re missing a codec to view it. Only these guys are using a rather blunt name for the files this time: StormCodec.exe and StormCodec8.exe - Not very subtle for the “Storm” Worm.
Users are lured this time by e-mail that wants them to visit the fast-flux domain “supersameas.com”. You can protect yourself and your organization at this juncture by blocking this domain. Once on the site there is a video-looking image in the middle with the following message:
You have no Storm Codec on your PC.
Download it and choose either “Open” or “Run”.
Enjoy your multimedia experience!
The video and download links point to the aforementioned files. Tip: You don’t want Storm Codec on your PC!
Thanks to Jose from Arbor Networks for pointing out the update to me, otherwise I probably wouldn’t have noticed this until much later.
Posted in Malware, Spam, Storm Worm
April 6th, 2008 by Steven Adair
You might have received some e-mails in the last few hours that link to some strange-looking blogspot.com pages. A recent example I received a few hours ago pointed me to hxxp://aflmdiovanrd.blogspot.com/. The webpage then wants you to click to download files named “love.exe” or “withlove.exe”, as previously seen with the Valentine’s Day Storm Worm attack.
They are now using a new domain name for their fast-flux network. Each of these URLs presently links to “superdrugtesting.com” followed by the aforementioned binary names. They haven’t used an actual domain name or Google’s Blogger service with these attacks since the Christmas/New Year time frame. Looks like they are back at it again with a new technique.
Here’s a screenshot of what the page looks like:
Be on the lookout for these e-mails and consider blocking “superdrugtesting.com” from your networks if possible. Since this domain name is part of a fast-flux network, you must block it by domain and not by IP address, as there are thousands of them.
Edit: Let me add that if you were infected with this run of the Storm Worm or the recent Valentine’s Day campaign they did, you would most likely have “aromis.exe” running in your taskbar (not hidden this time) and it will reside in your root WINDOWS folder.
Posted in Malware, Spam, Storm Worm
March 31st, 2008 by Steven Adair
No jokes here - just a quick update on the ever-exciting Storm Worm. It seems today it started out on an April Fool’s Day campaign aimed at infecting more systems. It’s still pointing you to infected machines by giving you a URL to an IP address. Right now the file names are “foolsday.exe”, “funny.exe”, and “kickme.exe”.
Click the thumbnail below for a larger view of what the full website looks like:
Nothing too fancy this time around again, and it seems they’re a little late in their delivery. Normally they start a little earlier. Anyway, just be on the lookout and don’t infect yourself accidentally.
Posted in Spam, Storm Worm
February 12th, 2008 by Steven Adair
It looks like SecureWorks with the assistance of Team Cymru and myNetWatchman have solved some of the mystery surrounding this trojan that suddenly found itself in the press. It’s apparently in some ways related to what some AV vendors have previously referred to as “Ozdok”. Interesting name at least. You can read more about this [solved] mystery at http://www.secureworks.com/research/threats/ozdok/?threat=ozdok. I am sure you all have been on the edge of your computer chairs just dying to find out more. Now you can fall off with joy!
Now for the next update you’ve been waiting for: Storm Worm! It’s got a new executable called valentine.exe. Really is that all? Oh man - the excitement does not end there folks. If you are lured onto the website you may be presented with any one of eight different Valentine’s Day themed pictures. The most interesting is one with Pooh Bear and Piglet. Not sure if they’re looking at each other as being each other’s valentine or not though. Anyway, we posted up some information on it Sunday at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080210.
Have a Happy Valentine’s Day! <3
Posted in Malware, Botnets, Spam, Storm Worm
January 29th, 2008 by Steven Adair
I’m not going to cover everything in this post, but rather just point to the one over at the Shadowserver site. It seems that we’ve caught Storm Worm doing some trickery in its rotation of image files it uses for pump and dump stock spams. This time it was targeting the OTC stock CHYA. In a similar nature to how it continually makes changes to the binaries, the network also frequently changes the stock spam images.
You can read more about this by visiting http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080128
Posted in Spam, Storm Worm
January 27th, 2008 by Steven Adair
Shaun from honeynet.org.au (and Shadowserver) recently released Version 1.0 of his Tracker Tool, which is designed to determine whether certain domains are in fact fast-flux domains and, on top of that, to track their unique IPs. This first version has a few kinks to be worked out and might not have the clearest README in the world at the moment, but it does work pretty well. There will most likely be another release in the near future that eliminates a few of the kinks, has new features, and will be crystal clear on how exactly to use and set up everything. Just shoot Shaun an e-mail if you end up grabbing it and have any trouble.
You can find the latest version of the Tracker Tool at http://honeynet.org.au/?q=node/10
Right now it’s helped discover over 40,000 unique IPs associated with the current fast-flux Storm Worm domain ibank-halifax.com in the last few weeks. This is definitely down from the approximate 100,000,000,000,000 (Note: number exaggerated) IPs that were seen with the Storm Worm fast-flux domains back in August-September of last year.
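The two points above, that a fast-flux domain is recognisable from how its resolutions behave over time and that such a domain must be blocked by name rather than by IP, as an added Python example that is not the Tracker Tool's code and not from the original posts; the thresholds, the `.example` domains and the observation data are constructed assumptions:

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Observation:
    """One DNS lookup result: the domain, the answer TTL, and the A records returned."""
    domain: str
    ttl: int
    ips: tuple


def summarize(observations):
    """Aggregate every distinct IP, /24 network and TTL seen per domain."""
    per_domain = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for obs in observations:
        d = per_domain[obs.domain]
        d["ips"].update(obs.ips)
        d["nets"].update(str(ip_network(f"{ip}/24", strict=False)) for ip in obs.ips)
        d["ttls"].append(obs.ttl)
    return per_domain


def is_fast_flux(stats, min_ips=10, min_nets=5, max_ttl=600):
    """Assumed heuristic: many IPs, spread over many /24s, always with a short TTL."""
    return (len(stats["ips"]) >= min_ips
            and len(stats["nets"]) >= min_nets
            and max(stats["ttls"]) <= max_ttl)


def blocklist(observations):
    """Return the domain names to block; IPs are deliberately never emitted."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))


# Constructed sample: twelve lookups of a flux-style domain, each answer a fresh
# set of addresses in unrelated /24s with a 60-second TTL, and a control domain
# that always returns one address with a long TTL.
SAMPLE = []
for i in range(12):
    SAMPLE.append(Observation("flux.example", 60,
                              (f"10.{i}.{i + 1}.5", f"172.16.{i}.9", f"192.168.{i}.3")))
    SAMPLE.append(Observation("static.example", 3600, ("192.0.2.10",)))

if __name__ == "__main__":
    print("\n".join(blocklist(SAMPLE)))
```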
Posted in Storm Worm, Random
January 8th, 2008 by Steven Adair
We have noticed some interesting activity by the Storm Worm crew lately. It seems they have continued to move their criminal empire into targeting banking information. This time there are two new domains:
i-barclays.com
i-halifax.com
These domains are on the fast-flux network and hosting phishing scams looking to rip you off. There’s a good brief posting about it here from us at Shadowserver:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080108
It seems Fortinet had initially picked it up, and SC Magazine has run a pretty good article with them that can be found at the above URL. Be on the lookout for these and others that follow.
Posted in Phishing, Botnets, Spam, Storm Worm