
So far we've seen subjects talking about everything from "White House hit by lightning, catches fire" to "Italy knocked out of Euro 2008" and "Nokia unveils revolutionary new phone design". It's a pretty long list of different subjects — too long to list them all here, so we've put them in a downloadable TXT file instead.
All of the messages contain a link to one of several compromised sites, each of which hosts the same fake PornTube page. Once there, the page displays an error message telling the user that they need to install a Video ActiveX component. The file that gets downloaded is a spam trojan that sends out lots of e-mails with links pointing back to the compromised sites.

The list of compromised sites is pretty extensive as well: we've been able to identify 74 different sites so far, of which only a handful have been fixed.
One thing that's not really normal about this case: we first saw the file that gets downloaded, video.exe, over two days ago and already added detection for it then. Why would they send spam promoting an old file? Well, we've seen malware writers do stupid things before.

If you click on the link you are taken to a page which seems to contain a video that would show you these tragic events, but if you click to see the video the site will ask you to download and run a file called beijing.exe, which of course is not a video at all but the Storm trojan.

One thing that makes it a bit more difficult for a user to notice that the e-mail is in fact a Storm message is the fact that the links point to valid domains instead of IP addresses. This is not new for Storm but unusual as most of their links point directly to infected IP addresses.
So far we've seen the following domains being used, and they are all fast fluxing:
biztech-co.cn
fconnorlaw.cn
ratedhot.cn
pacoast.cn
cadeaux-avenue.cn
tellicolakerealty.cn
activeware.cn
grupogaleria.cn
polkerdesign.cn
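The post says these domains are fast fluxing but does not show what that looks like on the wire. The following is an added example (not F-Secure's code) of the kind of triage heuristic a defender can run over repeated DNS lookups: a name whose answers keep churning across many addresses in many different networks, each with a short TTL, is a fast-flux candidate. The lookups below are constructed sample data using RFC 5737 and RFC 6598 documentation ranges, not real resolution results for any of the names above; one of the post's domains is used only as a label for the constructed fluxing case.

```python
"""Fast-flux triage heuristic over repeated DNS A-record lookups (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Lookup:
    """One A-record lookup: the domain, the TTL the resolver returned, the addresses."""
    domain: str
    ttl: int
    addresses: Tuple[str, ...]


def slash16(ip: str) -> str:
    """Collapse an IPv4 address to its /16 prefix ('a.b') as a cheap network-diversity proxy."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}"


def summarize(lookups: Iterable[Lookup]) -> Dict[str, dict]:
    """Per domain: distinct IPs, distinct /16 prefixes, lowest TTL seen, number of lookups."""
    acc: Dict[str, dict] = defaultdict(
        lambda: {"ips": set(), "prefixes": set(), "min_ttl": None, "lookups": 0}
    )
    for lk in lookups:
        s = acc[lk.domain]
        s["ips"].update(lk.addresses)
        s["prefixes"].update(slash16(ip) for ip in lk.addresses)
        s["min_ttl"] = lk.ttl if s["min_ttl"] is None else min(s["min_ttl"], lk.ttl)
        s["lookups"] += 1
    return dict(acc)


def flag_fast_flux(lookups: Iterable[Lookup], min_ips: int = 5,
                   min_prefixes: int = 3, max_ttl: int = 900) -> List[str]:
    """Return the domains whose answers churn across many addresses and networks with short TTLs.

    Thresholds are assumptions for this example, not values from the post.
    """
    flagged = []
    for domain, s in summarize(lookups).items():
        if (len(s["ips"]) >= min_ips
                and len(s["prefixes"]) >= min_prefixes
                and s["min_ttl"] <= max_ttl):
            flagged.append(domain)
    return sorted(flagged)


# Constructed sample data: three successive lookups of a "fluxing" name whose answer set
# rotates across five /16s with 4-5 minute TTLs, and a stable name that always returns one
# address with a day-long TTL. Addresses come from documentation ranges, not real hosts.
SAMPLE_LOOKUPS = [
    Lookup("ratedhot.cn", 300, ("192.0.2.17", "198.51.100.40", "203.0.113.9")),
    Lookup("ratedhot.cn", 300, ("100.64.3.21", "192.0.2.17", "100.65.200.5")),
    Lookup("ratedhot.cn", 240, ("198.51.100.77", "203.0.113.9", "100.64.3.21")),
    Lookup("example.com", 86400, ("192.0.2.1",)),
    Lookup("example.com", 86400, ("192.0.2.1",)),
]

if __name__ == "__main__":
    for name, s in summarize(SAMPLE_LOOKUPS).items():
        print(f"{name}: {len(s['ips'])} IPs, {len(s['prefixes'])} /16s, min TTL {s['min_ttl']}s")
    print("fast-flux candidates:", flag_fast_flux(SAMPLE_LOOKUPS))
```

This is a triage signal, not a verdict: large CDNs also hand out many addresses with short TTLs, so in practice the candidate list is filtered against an allow-list of known CDN and hosting ASNs before anyone acts on it, and the /16 proxy would be replaced by real ASN lookups.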
The first time we saw Storm was when they sent out e-mails that reported violent storms going through Europe — that's why we named it Storm. At the time there were actually storms going through Europe.
The earthquake in Beijing has fortunately not happened. Speaking of Beijing and Storm, we are still expecting to see Storm, and other malware, use the Olympic games in August as a social engineering trick so be on the lookout for those in a few weeks.
From: Gsm Notification (gsmn92@yahoo.com)
Date: 11.06.2008 11:49
FROM THE
DESK OF THE PROMOTION OFFICER,
GSM MOBILE SWEEPSTAKES PROMO.
CALLE CLAUDIO COELLO 41, 28001 MADRID,
SPAIN.
UNITED KINGDOM ( UK ) / SPANISH ALLIANCE GSM SUBSCRIBERS PROMOTION.
To,
Mr. Xxxx Xxxxxxx .
Verification No: CN435-663-6
Winning No: +35840XXXXXX
Country: Finland.
Date: 11th June, 2008.

Congratulations!!! On behalf of
UNITED KINGDOM(UK)/SPANISH GSM Staffs we hereby
Congratulates you on your Mobile Phone Serial Number has won you the Sum of
€170,000.00 (One Hundred and Seventy Thousand Euro) on the ongoing UNITED
KINGDOM(UK)/SPANISH GSM MOBILE PROMOTION . A Cheque has been issued under your name
( Xxxxx Xxxxxxx.) and it will be Deliver to your House Address through the Diplomatic Parcel Officers.
PICTURE OF YOUR CHEQUE PARCEL CONSIGNMENT THAT WILL BE DELIVER TO YOU:
All the necessary documents that are require to receive your Winning Cash Prize are file along with your CHEQUE PARCEL CONSIGNMENT.
You are kindly advice to select any of the courier delivery service that will be suitable for you to receive your CHEQUE in your door step. Beneficiaries are responsible for the courier delivery charge selected. The payment has to be make through the officer Name below.
COURIER DELIVERY OPTIONS
===========================================================

DHL COURIER
Courier Charges: €695.00
Insurance: €1,300.00 (PAID)
Administrative: € 579.00 (PAID)
Time of delivery: 72 hours
Total: € 695.00 Euro.
================================================
FEDEX EXPRESS
Courier Charges: € 595.00
Insurance: €1,500.00 (PAID)
Administrative: €160.00(PAID)
Time of delivery: 84 hours
Total: € 595.00 Euro.
================================================

UPS COURIER
Courier Charges: € 590.00
Insurance €1,300.00
Obviously you can't win a lottery if you haven't bought a ticket in the first place.
These guys just want you to pay for the "courier delivery" of your "cheque parcel".
There is no parcel.
Don't fall for this scam.

While the Storm botnet certainly isn't as big as it used to be, it's definitely one of the most persistent botnets we've ever seen… and we've not seen the last of it.
P.S. Nowadays Storm drops a file called "farkrish.exe" to the system… we wonder if that means something in some language?
DHS PDF
Posted by Mikko @ 12:14 GMT