January 29th, 2008 by Steven Adair
I’m not going to cover everything in this post, but rather just point to the one over at the Shadowserver site. It seems that we’ve caught Storm Worm doing some trickery in its rotation of the image files it uses for pump-and-dump stock spams. This time it was targeting the OTC stock CHYA. Much as it continually changes its binaries, the network also frequently changes the stock spam images.
You can read more about this by visiting http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080128
Posted in Spam, Storm Worm
January 27th, 2008 by Steven Adair
Shaun from honeynet.org.au (and Shadowserver) recently released Version 1.0 of his Tracker Tool, which is designed to determine whether certain domains are in fact fast flux domains and, on top of that, track their unique IPs. This first version has a few kinks to be worked out and might not have the clearest README in the world at the moment, but it does work pretty well. There will most likely be another release in the near future that eliminates a few of the kinks, adds new features, and is crystal clear on exactly how to use and set up everything. Just shoot Shaun an e-mail if you end up grabbing it and have any trouble.
You can find the latest version of the Tracker Tool at http://honeynet.org.au/?q=node/10
Right now it’s helped discover over 40,000 unique IPs associated with the current fast flux Storm Worm domain ibank-halifax.com in the last few weeks. This is definitely down from the approximate 100,000,000,000,000 (Note: number exaggerated) IPs that were seen with the Storm Worm fast flux domains back in September-August of last year.
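A simplified version of the check such a tracker performs, as an added example here and not Shaun's Tracker Tool: it scores a domain from a series of A-record snapshots a poller would collect over time. The DNS snapshots and the thresholds are constructed for illustration.

```python
"""Heuristic fast-flux scoring over repeated DNS A-record snapshots (added example)."""
from ipaddress import ip_network

# Constructed snapshots: (TTL in seconds, A records returned) per poll.
# A flux-like domain rotates low-TTL answers across many hosts and networks.
FLUX_SNAPSHOTS = [
    (120, ["203.0.113.5", "198.51.100.17", "192.0.2.33", "203.0.113.77"]),
    (120, ["198.51.100.17", "192.0.2.200", "203.0.113.9", "198.51.100.250"]),
    (90, ["192.0.2.200", "203.0.113.140", "198.51.100.3", "192.0.2.61"]),
]
# A stable domain returns the same few hosts with a long TTL every time.
STABLE_SNAPSHOTS = [
    (3600, ["192.0.2.10", "192.0.2.11"]),
    (3600, ["192.0.2.10", "192.0.2.11"]),
    (3600, ["192.0.2.11", "192.0.2.10"]),
]


def flux_summary(snapshots, prefix_bits=16):
    """Aggregate the signals a tracker keeps per domain across polls."""
    all_ips, prev, churn = set(), set(), 0
    for _ttl, ips in snapshots:
        cur = set(ips)
        all_ips |= cur
        if prev:
            churn += len(cur - prev)  # IPs not seen in the previous answer
        prev = cur
    # Distinct networks: flux nodes are scattered, CDNs cluster in few blocks.
    prefixes = {str(ip_network(f"{ip}/{prefix_bits}", strict=False)) for ip in all_ips}
    return {
        "unique_ips": len(all_ips),
        "unique_prefixes": len(prefixes),
        "min_ttl": min(ttl for ttl, _ in snapshots),
        "new_ips_per_poll": churn / max(len(snapshots) - 1, 1),
    }


def looks_fast_flux(summary, ttl_max=300, min_ips=5, min_prefixes=3):
    """Assumed thresholds: short TTL plus many IPs spread over many networks."""
    return (summary["min_ttl"] <= ttl_max
            and summary["unique_ips"] >= min_ips
            and summary["unique_prefixes"] >= min_prefixes)


if __name__ == "__main__":
    for name, snaps in (("flux-like", FLUX_SNAPSHOTS), ("stable", STABLE_SNAPSHOTS)):
        s = flux_summary(snaps)
        print(name, s, "FAST FLUX" if looks_fast_flux(s) else "not flux")
```

A real tracker keeps polling for days, which is how a unique-IP count in the tens of thousands accumulates for one domain.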
Posted in Storm Worm, Random
January 8th, 2008 by Steven Adair
We have noticed some interesting activity by the Storm Worm crew lately. It seems they have continued to move their criminal empire into targeting banking information. This time there are two new domains:
i-barclays.com
i-halifax.com
These domains are on the fast flux network and are hosting phishing scams looking to rip you off. There’s a good brief posting about this from us at Shadowserver:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080108
It seems Fortinet had initially picked it up, and SC Magazine has run a pretty good article with them that can be found via the above URL. Be on the lookout for these and others that follow.
Posted in Phishing, Botnets, Spam, Storm Worm