
More Storm Worm Information - New Variants/Tactics

August 21st, 2007 by Steven Adair

Well, I am not really trying to turn my website into a Storm Worm blog, but I keep seeing more and more about it and it keeps finding its way into my SPAM folders and into my inbox. Late Monday it looks like some of the tactics of the Storm Worm (Peacomm) started to change. They are starting to look similar to the way the fake e-mails used in eBay/PayPal phishing scams are set up. The e-mails claim that you have signed up or registered for some sort of account, which of course you did not. They point you to a numeric (bare IP address) URL where you are supposed to log in with the credentials they just sent you. Of course, visiting this site will do two things: 1) attempt to exploit your browser or some software that can be launched through it, and 2) still present a link and try to get you to download some file — in this case “applet.exe”.

The e-mails have subjects like: “New User Confirmation”, “Secure Registration”, “Registration Details”

The e-mail bodies tend to look like this:

New Member,

Here is your membership info for Ringtone Heaven.

Member Number: 86753587
Your Temp. Login ID: user7510
Your Temp. Password ID: si806

Please Change your login and change your Login Information.

This link will allow you to securely change your login info: http://#.#.#.#/

Thank You,
Internet Support
Ringtone Heaven

----------

The membership/registration service named in the e-mail tends to change along with the subject line, and the fake credentials vary as well. Hopefully you won’t be fooled. :)

Posted in Storm Worm

New Storm Worm E-mails

August 19th, 2007 by Steven Adair

If you are someone who pays close attention to the subject lines and even the URLs that come across in these Storm Worm (also popularly known as Peacomm) e-mails, you might have noticed something different in the last week. The first change is in the subject line. It appears that some of them have been arriving without a subject line at all, showing as “(no subject)”, which is definitely something a little different. The next big change has to do with the URLs. Before, they were http:// + IP address + /? followed by 15 characters from the range 0-9a-e (some similar ones have been seen with 32+ characters, which also include a-f). Along with the changes in the subject, we also seem to have lost the aforementioned question mark and the characters that followed it. It’s all just located right at the numeric website now (http://ipaddress/).

I seem to be getting my Storm Worm e-mails split down the middle, with half of them coming in as greeting cards and the other half being URLs for a website that I should check out for some reason. The greeting card websites almost always try to get me to download “ecard.exe”, whereas the others tend to have IE exploit code in them and want me to download “msdataaccess.exe” or something similar. In either case your machine will almost certainly become part of a botnet of one form or another, whether it be one on IRC or one on a peer-to-peer (P2P) network.

The most recent subjects I have been seeing in a few of these e-mails with the new format are:

> “Musical e-card”
> “Musical postcard”
> “Greeting postcard”
> (no subject)
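As an added example (not code from the original posts), here is a small mail-triage check in Python that encodes the three URL shapes described above (http://ip/?<15 chars 0-9a-e>, http://ip/?<32+ hex chars>, and the newer bare http://ipaddress/) together with the subject lines quoted in both posts. The sample messages and the 192.0.2.x addresses are constructed for the demonstration and are not real spam.

```python
import re

# URL whose host is a bare IPv4 address, optionally followed by "?" + a hex token.
_IP_URL = re.compile(
    r"https?://(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?::\d+)?/(?:\?(?P<token>[0-9a-f]*))?",
    re.IGNORECASE,
)

# Subject lines quoted in the posts, lower-cased; "" covers a missing subject.
SUSPECT_SUBJECTS = {
    "new user confirmation", "secure registration", "registration details",
    "musical e-card", "musical postcard", "greeting postcard", "(no subject)", "",
}

def url_variant(url):
    """Return which of the three Storm URL styles a URL matches, else None."""
    m = _IP_URL.fullmatch(url.strip())
    if not m:
        return None
    token = m.group("token")
    if token is None:
        return "bare-ip"        # newest form: http://ipaddress/
    if re.fullmatch(r"[0-9a-e]{15}", token, re.IGNORECASE):
        return "short-token"    # http://ip/?<15 chars from 0-9a-e>
    if len(token) >= 32:
        return "long-token"     # http://ip/?<32+ hex chars, a-f allowed>
    return None

def triage_message(subject, body):
    """Flag a message when its subject is on the list AND its body links to an IP host."""
    hits = []
    for raw in re.findall(r"https?://\S+", body):
        url = raw.rstrip(".,);")          # drop trailing punctuation from the mail text
        variant = url_variant(url)
        if variant:
            hits.append((url, variant))
    suspect_subject = subject.strip().lower() in SUSPECT_SUBJECTS
    return {"urls": hits, "suspect_subject": suspect_subject,
            "flag": bool(hits) and suspect_subject}

# Constructed sample messages modelled on the posts (192.0.2.0/24 is a documentation range).
SAMPLE_MESSAGES = [
    ("Secure Registration", "Here is your membership info.\nChange it here: http://192.0.2.10/"),
    ("Musical postcard", "Your friend sent you a card: http://192.0.2.11/?3a7c0e19b2d4e5a"),
    ("Re: meeting notes", "Slides are at https://example.org/deck.pdf"),
]

def triage_all():
    """Run the check over the constructed samples; the first two should be flagged."""
    return [triage_message(s, b) for s, b in SAMPLE_MESSAGES]
```

Only messages that combine a listed subject with an IP-host link are flagged, so a legitimate e-mail that happens to contain a numeric URL is reported but not flagged on its own.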

Posted in Storm Worm