Over the last couple of days the folks behind Storm Worm have started using several new, highly descriptive domains. They have also changed the layout, and although the exploit IFRAME is now gone, automatically registered Blogspot accounts are disseminating links to the domains as well. Some of these domains were registered only recently; others have been in use in a blackhat SEO operation for a while and are now serving as a foundation for the campaign. These are all known Storm Worm fast-fluxed domains for the time being:
merrychristmasdude.com
happycards2008.com
uhavepostcard.com
newyearwithlove.com
newyearcards2008.com
WHOIS contact records for four of them; note that three of the four list the same administrative and technical contact:

happycards2008.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com

uhavepostcard.com
Administrative, Technical Contact
Contact Name: Kerry Corsten
Contact E-mail: kryport2000 @ hotmail.com

newyearwithlove.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com

newyearcards2008.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com
Moreover, Paul also points out the use of Blogspot blogs generated by blackhat SEO in this Storm Worm campaign. If you remember, the first campaign relied on the infected user first authenticating herself to Blogspot, which let Storm Worm post a link to a malware-infected IP under that session. Sample Blogspot URLs:
cbcemployee.blogspot.com
canasdelbohio.blogspot.com
1dailygrind.blogspot.com
traceofworld.blogspot.com/2007/12/opportunities-for-new-year.html
jariver.blogspot.com/2007/12/opportunities-for-new-year.html
antispamstore.blogspot.com/2007/12/opportunities-for-new-year.html
As for the complete list of the email subjects used for the time being, here's a rather complete one courtesy of US-CERT.
With end users now being warned about the risks of visiting a raw IP address instead of a domain name, this campaign relies on descriptive domains, unlike the previous one. Yet the use of IPs was among the few tactics that let Storm Worm's first campaign scale, with every infected host acting as an infection vector in itself. And although I'm monitoring the use of such IPs from the first campaign in this one on a limited set of Storm Worm infected PCs, the next couple of days will shed more light on whether they'll start using the already infected hosts as infection vectors again, or stick to the descriptive domains already in use.
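To make the contrast above concrete, here is an added triage example (my own code, not anything from the original post or from Storm Worm analysis tooling). It takes the domains and Blogspot URLs listed in this post as indicators, extracts URLs from a batch of constructed lure messages, and labels each as a raw-IP link (the first campaign's pattern), one of this campaign's descriptive fast-flux domains, or one of the seeded Blogspot pages. It also scores repeated A-record lookups of a domain for fast-flux behaviour. The URL regex, the flux thresholds, the sample messages and the sample DNS answers (RFC 5737 documentation addresses) are all my assumptions for illustration.

```python
"""Triage helpers for the Storm Worm holiday-card campaign described above.

Added example, not code from the original post. Indicator lists are copied
from the post; the URL regex, thresholds, sample messages and sample DNS
answers are assumptions made for illustration.
"""
import ipaddress
import re
from collections import Counter

# Fast-flux domains listed in the post as known Storm Worm infrastructure.
STORM_DOMAINS = {
    "merrychristmasdude.com",
    "happycards2008.com",
    "uhavepostcard.com",
    "newyearwithlove.com",
    "newyearcards2008.com",
}

# Blackhat-SEO Blogspot blogs from the post that were seeded with links to those domains.
SEO_BLOGS = {
    "cbcemployee.blogspot.com",
    "canasdelbohio.blogspot.com",
    "1dailygrind.blogspot.com",
    "traceofworld.blogspot.com",
    "jariver.blogspot.com",
    "antispamstore.blogspot.com",
}

# Only scheme-prefixed URLs are extracted (assumption): a bare "example.com" in
# prose is ignored to keep false positives down.
URL_RE = re.compile(r"https?://([^\s/:\"'<>]+)(?::\d+)?(?:/[^\s\"'<>]*)?", re.IGNORECASE)


def classify_host(host: str) -> str:
    """Map a URL host to the campaign pattern it matches."""
    host = host.strip().rstrip(".").lower()
    try:
        ipaddress.IPv4Address(host)
        return "raw-ip"            # first-campaign style: link straight to an infected host
    except ipaddress.AddressValueError:
        pass
    bare = host[4:] if host.startswith("www.") else host
    if bare in STORM_DOMAINS:
        return "storm-domain"      # this campaign's descriptive fast-flux domains
    if host in SEO_BLOGS:
        return "seo-blog"          # Blogspot pages seeded with links to the domains
    return "other"


def scan_message(text: str) -> list:
    """Return (url, verdict) for every URL found in one message body."""
    return [(m.group(0), classify_host(m.group(1))) for m in URL_RE.finditer(text)]


def triage(messages: list) -> Counter:
    """Count verdicts across a batch of message bodies."""
    counts = Counter()
    for body in messages:
        for _, verdict in scan_message(body):
            counts[verdict] += 1
    return counts


def flux_score(answers: list) -> dict:
    """Summarise repeated A-record lookups of one domain.

    answers: (ip, ttl) pairs collected over several lookups. Fast-flux hosting
    rotates through many unrelated compromised hosts with short TTLs, so many
    distinct IPs across several /16s with a low TTL is the signal. The
    thresholds below are an assumption for illustration, not from the post.
    """
    ips = {ip for ip, _ in answers}
    prefixes = {str(ipaddress.IPv4Network(f"{ip}/16", strict=False)) for ip in ips}
    max_ttl = max((ttl for _, ttl in answers), default=0)
    return {
        "distinct_ips": len(ips),
        "distinct_16s": len(prefixes),
        "max_ttl": max_ttl,
        "fast_flux": len(ips) >= 5 and len(prefixes) >= 3 and max_ttl <= 600,
    }


# Constructed sample lures (not real captured mail); IPs are RFC 5737 documentation ranges.
SAMPLE_MESSAGES = [
    "You've received a postcard! http://merrychristmasdude.com/",
    "Opportunities for new year: http://jariver.blogspot.com/2007/12/opportunities-for-new-year.html",
    "Happy New Year! Your card is here http://198.51.100.23/newyear.exe",
    "Meeting notes are at https://www.example.com/notes",
]

# Constructed lookups of one campaign domain: 6 distinct hosts in 3 different /16s, TTL 0-300.
SAMPLE_ANSWERS = [
    ("192.0.2.10", 0), ("192.0.2.77", 0), ("198.51.100.5", 300),
    ("203.0.113.9", 300), ("192.0.2.10", 0), ("203.0.113.200", 300),
    ("198.51.100.5", 300), ("203.0.113.9", 300), ("192.0.2.200", 0),
]

if __name__ == "__main__":
    for body in SAMPLE_MESSAGES:
        print(scan_message(body))
    print(dict(triage(SAMPLE_MESSAGES)))
    print(flux_score(SAMPLE_ANSWERS))
```

In practice the indicator sets would be fed from a live feed and the `answers` list from periodic resolver queries; the point of keeping the raw-IP verdict separate is exactly the question the paragraph above raises, namely whether the infected hosts themselves come back as infection vectors.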
Keep riding on the storm.
Friday, December 28, 2007
Riders on the Storm Worm