
CNN.COM Target for Chinese Hackers

April 19th, 2008 by Steven Adair

It appears that CNN has been and will be the target of choice for Chinese hackers to show their displeasure with Western media coverage over “pro-independence protests in Tibet.” It would seem that some people in China have been offended by this coverage and are calling for attacks, according to the website The Dark Visitor. They have provided details on several Chinese websites calling for attacks on www.cnn.com starting at 8:00 PM Beijing Time (8:00 AM EDT or 12:00 PM GMT) today, April 19, 2008. However, according to another update on The Dark Visitor’s website, these attacks have since been called off and are to be rescheduled.

According to a recent update on the CNN website, they have already observed several attacks that occurred this past Thursday. They took action to limit access to the site from certain regions, and users in Asia may have experienced minor disruptions. These attacks appear to be either coincidental or preemptive in nature, as they came two days earlier than called for. Arbor Networks is also monitoring this situation and has reported observing at least 36 different attacks thus far.

While the attacks have been “called off” for now, it will be interesting to see if they continue regardless — as scheduled or at a later date. It appears that attacks are expected and are being planned for. We can hope that they are unsuccessful regardless of the level of participation. We will update more if we learn anything new.

Posted in Random | 4 Comments »

New Storm Worm Domains Active with Exploits

April 10th, 2008 by Steven Adair

It appears that in addition to “supersameas.com”, the Storm Worm is now using and spamming itself out with several new domain names. These domain names are all registered with Chinese registrars and have been around since at least February, but are just now starting to be used. In addition to serving up the executables for download, they are also attempting to fire exploits at users that have the Internet Explorer browser. It is highly recommended that you do NOT visit these domains. Here is the list that is currently active:

biggetonething.cn
gasperoblue.cn
giftapplys.cn
gribontruck.cn
limpodrift.cn
loveinlive.cn
newoneforyou.cn
normocock.cn
orthelike.com
supersameas.com
thingforyoutoo.cn

They are coming through via e-mail as always and continuing their assault against Blogger (blogspot.com) sites. Searching Google shows the standard “love” related campaign. However, there is at least one result on Google showing politically motivated e-mails that are being sent as well. At least one spam message reported on the Google group “news.admin.net-abuse.sightings” shows an e-mail with the subject “Cowen confirmed as next Irish premier Options” and a body of “Police fire on protesters in Nepal” followed by a link to one of the above domains.

If you visit these sites with IE, you will quickly find yourself being attacked via different ActiveX objects. The first set of exploits will attempt to download “load.exe” to the system. It will then ultimately redirect the visitor to “flow.php” which is full of obfuscated JavaScript. It is recommended that you block the above domain names and do not visit them.

Posted in Malware, Exploits, Spam, Storm Worm | No Comments »

More Fake Video Codec Pages.. Trojan.Delf? Trojan.Zlob? Nope - Storm Worm!

April 8th, 2008 by Steven Adair

There’s a new round of Storm Worm e-mails going around taking advantage of our favorite technique, showing people what looks like a video and telling them they’re missing a codec to view it. Only these guys are using a rather blunt name for the files this time: StormCodec.exe and StormCodec8.exe - Not very subtle for the “Storm” Worm.

Users are lured this time by e-mail that wants them to visit the fast-flux domain “supersameas.com”. You can protect yourself and your organization at this juncture by blocking this domain. Once on the site there is a video-looking image in the middle with the following message:

You have no Storm Codec on your PC.
Download it and choose either “Open” or “Run”.
Enjoy your multimedia experience!

The video and download links point to the aforementioned files. Tip: You don’t want Storm Codec on your PC! :D Thanks to Jose from Arbor Networks for pointing out the update to me, otherwise I probably wouldn’t have noticed this until much later.

Posted in Malware, Spam, Storm Worm | 2 Comments »

SecurityZone.org RSS Feed Available

April 6th, 2008 by Steven Adair

As you might know, this blog runs on WordPress, which already supports RSS feeds. It seems a few of you out there and several search engine/social media sites have already manually located the URLs to subscribe to my RSS feed. In an effort to be more RSS and Web 2.0 friendly, I am now signed up with Feedburner and have put a direct link to my RSS feed on this website (continue reading). Hopefully this change is relatively seamless for those that are already subscribed.

For anyone that is not subscribed, you can now click the RSS Feed link on the right panel on my website or subscribe via http://feeds.feedburner.com/securityzone. If you check in on my site regularly or even infrequently and have an RSS reader, I’d recommend signing up. It’ll help you keep up with my sporadic update schedule that not even I can predict!

Posted in Random, Links | No Comments »

New Storm Worm Blogspot/Blogger Campaign - superdrugtesting.com

April 6th, 2008 by Steven Adair

You might have received some e-mails in the last few hours that link to some strange looking blogspot.com pages. A recent example I received a few hours ago pointed me to hxxp://aflmdiovanrd.blogspot.com/. The webpage then wants you to click to download files named “love.exe” or “withlove.exe”, as previously seen with the Valentine’s Day Storm Worm attack.

They are now using a new domain name for their fast-flux network. Each of these URLs presently links to “superdrugtesting.com” followed by the aforementioned binary names. They haven’t used an actual domain name or Google’s Blogger service with these attacks since the Christmas/New Year time frame. Looks like they are back at it again with a new technique.

Here’s a screen shot of what the page looks like:

[Screenshot of the fake blogspot.com download page; image not reproduced here.]

Be on the lookout for these e-mails and consider blocking “superdrugtesting.com” from your networks if possible. Since this domain name is part of a fast-flux network, you must block it by domain name and not by IP address, as there are thousands of them.
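The point above, and the same advice in the earlier post listing the new .cn domains, is that a fast-flux domain has to be blocked by name because its A records rotate through thousands of addresses. The following is an added example, not code from the original post: it builds a name-based blocklist from the domains listed on this page, checks constructed DNS resolver log lines against it (matching subdomains by label, so a lookalike such as notsupersameas.com is not a false hit), and applies a simple fast-flux heuristic, flagging a domain whose answers churn across many distinct IPs with a low TTL. The log format, the IP addresses and the `registrable_domain` helper (which collapses a name to its last two labels rather than consulting a public suffix list) are assumptions of this example.

```python
from collections import defaultdict

# Storm Worm fast-flux domains named in the posts on this page.
STORM_DOMAINS = {
    "biggetonething.cn", "gasperoblue.cn", "giftapplys.cn", "gribontruck.cn",
    "limpodrift.cn", "loveinlive.cn", "newoneforyou.cn", "normocock.cn",
    "orthelike.com", "supersameas.com", "thingforyoutoo.cn",
    "superdrugtesting.com",
}


def registrable_domain(hostname):
    """Collapse a hostname to its last two labels.

    Assumption for this example: no public suffix list, so names under
    multi-label suffixes (e.g. .co.uk) would be mis-collapsed. Adequate for
    the .cn/.com names on this page.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_blocked(hostname, blocklist=STORM_DOMAINS):
    """True if hostname is a blocked domain or any subdomain of one.

    Matching walks the label suffixes, so "www.supersameas.com" matches
    while "notsupersameas.com" does not.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


# Constructed resolver log: timestamp, client, qname, type, answer, ttl.
SAMPLE_DNS_LOG = """\
2008-04-06T14:02:11 10.1.2.3 superdrugtesting.com A 198.51.100.17 ttl=0
2008-04-06T14:02:41 10.1.2.9 superdrugtesting.com A 203.0.113.88 ttl=0
2008-04-06T14:03:05 10.1.2.3 superdrugtesting.com A 192.0.2.201 ttl=0
2008-04-06T14:03:30 10.1.2.7 www.superdrugtesting.com A 198.51.100.204 ttl=0
2008-04-06T14:04:02 10.1.2.3 www.example.org A 93.184.216.34 ttl=86400
2008-04-06T14:04:10 10.1.2.5 www.example.org A 93.184.216.34 ttl=86400
"""


def parse_dns_log(text):
    """Parse the constructed log format above into a list of A-record dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "A":
            continue  # skip malformed lines and non-A answers
        ts, client, qname, _, ip, ttl = parts
        records.append({"ts": ts, "client": client, "qname": qname.lower(),
                        "ip": ip, "ttl": int(ttl.split("=", 1)[1])})
    return records


def blocked_lookups(records):
    """Return (client, qname) pairs where a client resolved a blocked name."""
    return [(r["client"], r["qname"]) for r in records if is_blocked(r["qname"])]


def fast_flux_candidates(records, min_distinct_ips=3, max_ttl=300):
    """Flag domains whose A answers spread over many IPs with short TTLs.

    Thresholds are example values; a flux network rotates far more addresses
    than this, which is exactly why IP-based blocking does not keep up.
    """
    ips, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        key = registrable_domain(r["qname"])
        ips[key].add(r["ip"])
        ttls[key].append(r["ttl"])
    return sorted(d for d in ips
                  if len(ips[d]) >= min_distinct_ips and max(ttls[d]) <= max_ttl)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for client, name in blocked_lookups(recs):
        print(f"blocked lookup: {client} -> {name}")
    print("fast-flux candidates:", fast_flux_candidates(recs))
```

The blocklist check belongs at the resolver or proxy, where the name is still visible; the flux heuristic is a triage aid for finding new domains to add to that list, not a replacement for it.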

Edit: Let me add that if you were infected with this run of the Storm Worm or the recent Valentine’s Day campaign they did, you would most likely have “aromis.exe” running in your taskbar (not hidden this time) and it will reside in your root WINDOWS folder.

Posted in Malware, Spam, Storm Worm | No Comments »