Monday, December 24, 2007

Spreading Malware Around the Christmas Tree

Stormy Wormy is back in the game on the top of Xmas eve, enticing the end users with a special Xmas strip show for those who dare to download the binary. The domain merrychristmasdude.com is logically in a fast-flux, here are some more details :

Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @ yahoo.com

Name Server: NS.MERRYCHRISTMASDUDE.COM
Name Server: NS10.MERRYCHRISTMASDUDE.COM
Name Server: NS13.MERRYCHRISTMASDUDE.COM
Name Server: NS9.MERRYCHRISTMASDUDE.COM
Name Server: NS11.MERRYCHRISTMASDUDE.COM
Name Server: NS3.MERRYCHRISTMASDUDE.COM
Name Server: NS4.MERRYCHRISTMASDUDE.COM
Name Server: NS6.MERRYCHRISTMASDUDE.COM
Name Server: NS2.MERRYCHRISTMASDUDE.COM
Name Server: NS5.MERRYCHRISTMASDUDE.COM
Name Server: NS7.MERRYCHRISTMASDUDE.COM
Name Server: NS8.MERRYCHRISTMASDUDE.COM
Name Server: NS12.MERRYCHRISTMASDUDE.COM

The domain also has an embedded IFRAME pointing to merrychristmasdude.com/cgi-bin/in.cgi?p=100 where two javascipt obfuscations, courtesy of the Neosploit attack kit attempt to load. Current binary (stripshow.exe) has an over 50% detection rate 17/32 (53.13%). Stay tuned, AV vendors will reach another milestone on the number of malware variants detected, despite that compared to the real, massive Storm Worm campaign this one is fairly easy to prevent on a large scale.

Related info - SANS, ASERT, TEMERC, DISOG.

No comments:

Post a Comment