Storm Worm Starts with New Domains - A Few Miss the Mark

December 31st, 2007 by Steven Adair

It appears that we now have several different Storm Worm domains being spread today, only it seems a few of them are off the mark, well, being that Christmas was six days ago and all. The following three domains are now being spammed out across the Internet:

happy2008toyou.com
happysantacards.com
hellosanta2008.com
hohoho2008.com

I would think that using anything with Santa in it would be a little dated, but who knows really. I wonder if we’ll see an end to this domain and Spam blitz as 2008 rolls in. Also, the file name has finally changed; we’re looking at “happy_2008.exe” now. All three domains once again have the same familiar contact information:

Registrant ID: X05O1TC-RU
Registrant Name: Larry Claus
Registrant Organization: Larry Claus
Registrant Street1: 1874 str., office 923
Registrant City: Los-Angeles
Registrant State: CA
Registrant Postal Code: 320784
Registrant Country: US

Apparently numerous people have been attempting to contact nic.ru to no avail regarding these domains. It appears they may be on vacation for a few more days. Not sure they would necessarily be able to fully stop this anyway, but it could definitely help to some degree if they were in the office.

Happy New Year & Happy Safe Internet Browsing!

Posted in Malware, Spam, Storm Worm | No Comments »

New Domains & Fewer Active Blogspot Pages

December 29th, 2007 by Steven Adair

A few hours ago the new Storm Worm domain has changed to “familypostcards2008.com” - don’t visit it of course. The file name still has not changed. Not too much new on that front, but there is good news from Google.

We previously reported on how Blogspot web log pages were being used to spread Storm Worm as well, as they would continuously be updated with the latest Storm Worm domain in blog postings. It appears that a number of these compromised/abused Blogspot pages have been taken down by Google. A lot of these weblog postings now either show “Not Found” messages or have been taken down by Google and display:

“This blog is in violation of Blogger’s Terms of Service and is open to authors only”

Good work guys. :-)

Update 12-30-2007

Our wonderful domain name has changed again to “freshcards2008.com”, and is still using “happynewyear2008.exe” as the filename. Like some of the previous domain names, and almost fitting the season, the name on the domain is “Larry Claus”.

Posted in Malware, Spam, Storm Worm | 3 Comments »

BorderWare Security Network Website

December 29th, 2007 by Steven Adair

The other day while searching some of the Storm Worm domains, I found myself clicking onto a link to the website http://bsn.borderware.com. As it turns out, it’s a pretty interesting little site. Their website displays snapshots and statistics in a number of different categories. A quick summary right from their website says that “The BorderWare Security Network (BSN) is a real-time reputation service that monitors and identifies threats across multiple Internet communication protocols.” On the website you can get a top 10 for Zero Hour Threats, Recent Offenders, Most Wanted, Top Phishers, Top Spammers, and Virus Senders. You can also look up IP addresses and domains to check their reputation as the BSN has it.

The most interesting of the Top 10 lists it has is the “Top Phishers” list. The name itself is a bit of a misnomer. The list that appears under this heading is actually the domain names that appear most frequently in the phishing and spam e-mails they have seen. It should be no surprise that the last few Storm Worm domains have appeared as #1 or #2 every time I check their website. Other similar services are the Internet Storm Center’s Top 10 and ATLAS from Arbor Networks. However, neither of these will give you a list of some of the most frequently seen mass e-mailed domain names, which is an interesting statistic to see.

If you know of any other similar services that you use or provide, please feel free to share them via comments or by e-mailing me [steven[AT]securityzone.org].

Posted in Phishing, Spam, Random | No Comments »

The Barrage of New Year Storm Worm Attacks Continues

December 28th, 2007 by Steven Adair

In an effort to defeat the effectiveness of Anti-virus, Spam Filters, and intrusion detection systems, everything about the Storm Worm keeps changing. The binary itself changes approximately every 15 minutes. The domain names, e-mail subjects, and e-mail bodies keep changing daily (as do the Blogspot entries), and even the filename itself keeps changing. On top of all of that, of course the domains themselves are involved with fast flux DNS, so there are thousands of different IP addresses behind it — not exactly something you can block on. With that being said, all you can do is be vigilant and smart.

Today’s new domain name: newyearwithlove.com - The filename is currently still at happynewyear2008.exe

Posted in Malware, Storm Worm | 2 Comments »

Storm Worm Changes to happycards2008.com -> newyearcards2008.com

December 26th, 2007 by Steven Adair

The Storm Worm has morphed itself a little bit again. The domains uhavepostcard.com and now happycards2008.com are both being used with the same message previously mentioned. However, we now have the filename happy-2008.exe. It looks like they added a hyphen to switch it up. They may have also gone to random .exe and .config files to be dropped on the system. However, just about everything else is still the same.

Update (12-27): It seems that the domain newyearcards2008.com is also now being spammed out with the file name happynewyear.exe.

Posted in Malware, Storm Worm | 9 Comments »

More Blogspot Weblogs with Storm Worm

December 25th, 2007 by Steven Adair

It looks like, just as with merrychristmasdude.com, there are tons of blogspot weblogs that have postings that just say something like this:

New Year wishes for you
http://uhavepostcard.com/

Once again don’t visit the website, but it is funny to see how they are attacking blogspot weblogs. It would seem that they’ve compromised several of them as these are actual blog postings and not just comment spam. Interesting vector of attack here. If you’ve seen merrychristmasdude.com or uhavepostcard.com sent out in other ways than just E-mail or Blogspot, please drop me a line.

Posted in Malware, RBN, Storm Worm | No Comments »

Happy New Year Dude? Well uhavepostcard.com anyway…

December 25th, 2007 by Steven Adair

Well, it looks like Christmas is upon us and the crew behind Storm Worm have already moved on to trying to take advantage of the New Year. The websites don’t have anything fancy yet, just trying to get you to visit uhavepostcard.com (don’t go!) and follow the link to happy2008.exe. Just the following message:

Your download should begin shortly. If your download does not start in approximately 15 seconds,
you can click here to launch the download and then press Run. Enjoy!

Of course the click here message links to the aforementioned happy2008.exe. So there’s no happynewyeardude.com website yet or nice pictures, but this is what the update is for now. Also, surprisingly enough, no iframes looking to exploit the browser either. Interesting. Still seeing disnisa.exe and disnisa.config as the malicious executable it drops and configuration file it creates — if you have these in your Windows directory you are infected.

E-mail Subjects seen so far (per isc.sans.org):

A fresh new year
As the new year…
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It’s the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year
Happy New Year to You!
Happy New Year to
Lots of greetings on the new year
New Year wishes for You

Enjoy your Christmas and try to stay virus free.

Posted in Malware, RBN, Storm Worm | 3 Comments »

Blogspot Postings in Cohorts with merrychristmasdude.com?

December 24th, 2007 by Steven Adair

There’s a good chance that if you recently stumbled upon my website, you may have been searching for something related to “merrychristmasdude.com” — see more about that in my previous post. However, it seems like another group might be trying to take advantage of the Storm Worm activity, or may even potentially be the same group. When querying Google for the malicious merrychristmasdude.com website, you may also get some funny looking entries on various blogspot.com weblogs.

Each of these entries on the weblogs has “merrychristmasdude.com” written all over it and attempts to get you to click on what looks like a YouTube video. Clicking this image actually pulls up a link for siski.cn. What do you see when you get to this website? You see another YouTube video that appears to be broken and a fake “Video ActiveX Object Error” message. This then entices you to run “install_video_3913230.exe” from shockbabetv.com to fix the issue. Of course this would be a bad idea. You might notice that shockbabetv.com is hosted on the IP address 85.255.119.93, on an IP range we have previously blogged about here. Beware, as running this file will download yet more malware from the same IP using the hostname creatonprojects.com.

Happy Holidays!

Posted in Malware, RBN, Storm Worm | No Comments »

“Christmas Email” - Storm Worm Resurfaces?

December 24th, 2007 by Steven Adair

It would appear that the Storm Worm is back or at least someone ripping off its tactics. Instead of IP addresses being spammed out, we’re seeing a link to (and please don’t visit it) http://merrychristmasdude.com. This domain like the other Storm Worm domains is using fast flux DNS so that you might get your website served up from any one of thousands of compromised machines. It seems the Christmas version of the Storm Worm is looking to take advantage of both the holiday and those looking for sexy girls. Let’s break out some details real quick.

The E-mail:

Subject: Christmas Email

Yo,

Good times and holiday sheer are good, but this is great. Take 2 min out
of your day. You wont regret it. ;-)
http://merrychristmasdude.com/

The Website:

The title of the website is “Mrs. Clause Gone Wild” - pretty enticing, isn’t it? If we want to find out what is keeping “Santa So Jolly” we are encouraged to click for a free download. The executable name is “stripshow.exe” and isn’t something you want to run. The website also has a nice little iframe pointed to /cgi-bin/in.cgi?p=100. This iframe link, as usual, is actually to a bunch of Javascript that looks to exploit your browser and infect your machine should you not choose to manually download and infect yourself.

Click the image below to see a larger screen shot of the website:

I was originally going to take the screen shot from Firefox, but the falling snow Javascript only seems to work properly with Internet Explorer. I suppose we know who they’re really targeting here.

The File:

If you save stripshow.exe to your hard drive and run it, the Storm Worm will begin to infect your computer. Funny enough, it’s not programmed to even delete itself, so stripshow.exe will remain wherever you left it after you run it. This is what you get after you run it:

disnisa.exe - This is the main executable and it’s visible in the Task Manager; you will find it in your Windows directory.
disnisa.config - This is the configuration file with a hashed peers list. If you’re interested in what an example configuration file looks like you can click here.

Shortly after running the file, it will reach out to sync up the correct time. Mine made NTP queries to time.windows.com. The system then proceeded to send thousands of UDP packets to different IP addresses using the source port from the disnisa.config and a very wide array of destination ports (presumably as a result of the peers list). It would seem that someone had angered the Storm Worm botnet, as it appears it was being instructed to attack 151.201.219.40 with tons of ICMP Echo (ping) requests. It immediately then started to try spamming itself out to the rest of the world. Here are a few more subject lines that were harvested:

“Merry Christmas To All”
“Warm Up this Christmas”
“Mrs. Clause Is Out Tonight!”
“The Twelve Girls Of Christmas”
“The Perfect Christmas”
“Jingle Bells, Jingle Bells”
“Cold Winter Nights”
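The network behaviour described above (one fixed UDP source port talking to thousands of peers on a wide spread of destination ports, followed by an ICMP echo flood at a single target) is something a defender can flag from flow records even when the binary, domain and filename change every few minutes. The following is an added example, not code from the original post: the flow-record layout, the source port 7871 and all thresholds are assumptions; the ICMP target address is the one named in the post.

```python
"""Flag hosts whose flow records match the post-infection pattern described in
the post: UDP fan-out from one source port and an ICMP echo flood at one target."""
from collections import Counter, defaultdict

# Constructed flow records: (timestamp, src_ip, proto, src_port, dst_ip, dst_port).
# proto is "udp" or "icmp-echo"; ICMP rows carry 0 for both ports.
FLOWS = (
    # assumed infected host: fixed source port 7871, 120 distinct peers and ports
    [(i, "10.0.0.5", "udp", 7871, f"198.51.100.{i % 250}", 1024 + i * 37)
     for i in range(120)]
    # ICMP echo flood at the target mentioned in the post
    + [(200 + i, "10.0.0.5", "icmp-echo", 0, "151.201.219.40", 0)
       for i in range(300)]
    # benign host doing ordinary DNS lookups to one resolver
    + [(300 + i, "10.0.0.9", "udp", 53, "192.0.2.1", 53) for i in range(20)]
)

UDP_FANOUT_MIN_DSTS = 50    # assumption: distinct peer IPs from one source port
UDP_FANOUT_MIN_DPORTS = 50  # assumption: distinct destination ports from that port
ICMP_FLOOD_MIN_PKTS = 100   # assumption: echo requests to a single destination


def detect_p2p_fanout(flows):
    """Return {src_ip: (src_port, distinct_dst_ips, distinct_dst_ports)} for hosts
    where a single UDP source port reaches an unusually wide set of peers."""
    per_host = defaultdict(lambda: defaultdict(lambda: (set(), set())))
    for _ts, src, proto, sport, dst, dport in flows:
        if proto == "udp":
            ips, ports = per_host[src][sport]
            ips.add(dst)
            ports.add(dport)
    hits = {}
    for src, by_sport in per_host.items():
        for sport, (ips, ports) in by_sport.items():
            if len(ips) >= UDP_FANOUT_MIN_DSTS and len(ports) >= UDP_FANOUT_MIN_DPORTS:
                hits[src] = (sport, len(ips), len(ports))
    return hits


def detect_icmp_flood(flows):
    """Return {src_ip: (dst_ip, count)} for hosts sending an echo-request flood."""
    counts = Counter((src, dst) for _ts, src, proto, _sp, dst, _dp in flows
                     if proto == "icmp-echo")
    return {src: (dst, n) for (src, dst), n in counts.items() if n >= ICMP_FLOOD_MIN_PKTS}


if __name__ == "__main__":
    print("UDP fan-out:", detect_p2p_fanout(FLOWS))
    print("ICMP flood:", detect_icmp_flood(FLOWS))
```

Both detectors key on behaviour rather than on the indicators that rotate, so they keep working across the domain and filename changes this series of posts tracks.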

Anyway, have a Merry Christmas and a Happy New Year - keep checking in as I’ll update with more stuff soon!

Posted in Spam, Storm Worm | 6 Comments »

Apple QuickTime Fixes Major Security Flaw (finally)

December 13th, 2007 by Steven Adair

We recently blogged about exploits being released for the RTSP vulnerability in Apple’s QuickTime. It did not take too long for some of these exploits to find their way into the wild and take advantage of unsuspecting users. There were a number of workarounds that could be done, not to mention uninstalling. However, Apple has now released QuickTime 7.3.1 to deal with this issue. Please consider upgrading immediately if you have not done so already. Visit Apple’s website to download the latest:

http://www.apple.com/support/downloads/

Posted in Mac | No Comments »
