Thursday, July 31, 2008

Storm Worm's Lazy Summer Campaigns

The Storm Worm operators seem to be lacking their usual creativity when it comes to the social engineering lures that ride the momentum of real events, the ones we're used to seeing. These days they're not piggybacking on real news items; they're starting to make up their own.



Storm's latest "FBI vs Facebook" campaign is an example of a very badly executed one: it lacks their usual fast-flux, any kind of social-engineering common sense, and client-side exploits, and on top of that it centralizes all the participating domains on a single nameserver.

Domains used:

DNS servers:

Strangely, the domain has been registered using an email address hosted on a known Storm fast-flux node, the same one used in the recent 4th of July campaign and the "U.S. invasion of Iran" campaign:

Administrative Contact:
Lee Chung lee@likethisone1.com
+13205897845 fax:
1743, 34
Los-Angeles CA 321458
us

This Storm Worm sample is also "phoning back home" over HTTP alongside its P2P traffic, and tries to fetch the rootkit from the now-down policy-studies.cn /getbackup.php, resolving it through already known Storm nameservers:

Someone's definitely bored, and it almost looks like someone else is managing this Storm Worm campaign on their behalf.
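The infrastructure pivot used above (domains tied together by a shared nameserver zone and by the registrant e-mail, with IP churn across repeated lookups as the tell-tale of fast-flux versus a single static host) can be scripted. This is an added example, not the blog's or the campaign's own code; every domain, nameserver, e-mail and IP below is constructed.

```python
from collections import defaultdict
from typing import NamedTuple

class Observation(NamedTuple):
    domain: str
    nameserver: str        # one NS record for the domain
    registrant_email: str  # whois administrative contact
    a_records: list        # A records collected over several resolutions

def ns_zone(nameserver):
    """ns5.singlehost.example -> singlehost.example, so ns1..ns6 collapse to one zone."""
    return ".".join(nameserver.lower().rstrip(".").split(".")[-2:])

def cluster_domains(obs):
    """Union-find: domains are joined when they share an NS zone or a registrant e-mail."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for o in obs:
        parent[find(o.domain)] = find("ns:" + ns_zone(o.nameserver))
        parent[find(o.domain)] = find("mail:" + o.registrant_email.lower())
    groups = defaultdict(set)
    for o in obs:
        groups[find(o.domain)].add(o.domain)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)

def campaign_report(obs, flux_threshold=3):
    """Per cluster: NS zones in use and which members rotate IPs like a fast-flux host."""
    by_domain = {o.domain: o for o in obs}
    report = []
    for members in cluster_domains(obs):
        churn = {d: len(set(by_domain[d].a_records)) for d in members}
        report.append({
            "domains": members,
            "ns_zones": sorted({ns_zone(by_domain[d].nameserver) for d in members}),
            "flux_domains": sorted(d for d, n in churn.items() if n >= flux_threshold),
        })
    return report

SAMPLE = [  # constructed observations, not the campaign's real infrastructure
    Observation("news1.example", "ns.singlehost.example", "lee@fluxnode.example", ["198.51.100.5"]),
    Observation("news2.example", "ns2.singlehost.example", "lee@fluxnode.example", ["198.51.100.5"]),
    Observation("news3.example", "ns6.singlehost.example", "lee@fluxnode.example", ["198.51.100.5"]),
    Observation("flux.example", "ns.fluxnode.example", "lee@fluxnode.example", ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]),
    Observation("other.example", "ns1.dnsprovider.example", "admin@other.example", ["203.0.113.7"]),
]
```

Running `campaign_report(SAMPLE)` groups the three static news domains with the flux host through the shared registrant address, which is the link the whois record above exposes.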
