Archive for the ‘Alerts’ Category

Another Storm Worm Variant

August 27, 2007

If you have not noticed lately, the Storm Worm keeps changing the email lure it uses to infect users.

The basics of Storm Worm: an email gets sent out to an unknown number of users with a link to a web server that attempts to compromise the user's system. In the beginning it masked itself as a greeting card email, then as a registration confirmation email.

Now it has taken a turn that I feel will fool many users into clicking on it. The email hides the known Storm IP-address link behind what looks like a YouTube link. With that site being so widely used, I am pretty sure that the botnet will grow even bigger. The current size of the botnet differs depending on the article you read, but you can be assured that it is large and will continue to grow. One estimate puts it at 250 K to 1 million machines, while another puts it at 5 to 10 million.

In case you are interested, here are some sample subject lines and email body text. I have removed the links, of course.

Subject Lines

  • LOL, dude what are you doing
  • LOL, that is too cool…..
  • oh man your nutz
  • Where did you take that?
  • ROTFLMAO, who is that your …
  • I cant belive you did this

And for the body.

  • What are you thinking…if pat sees this your divorced dude. :-{) check it out yourself
  • this i not good. If this video gets to her husband your both dead. this is the link to it.
  • You can see your face right in the video. its all over the web dude. take a look, lol…
  • this i not good. If this video gets to her husband your both dead. go look at it…
  • this i not good. If this video gets to her husband your both dead. check it out yourself
  • What are you thinking…if pat sees this your divorced dude. :-{) see for yourself…
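The deception described above (link text that names YouTube while the href points at a raw IP address) can be checked mechanically. The script below is an added example, not code from the original post: it parses an HTML mail body, pulls out every anchor, and flags any whose target host is an IP literal or differs from the host named in the visible text. The two messages are constructed for illustration; the target address is from the RFC 5737 documentation range and the video ID is a placeholder, not a real Storm node or video.

```python
"""Flag email links whose visible text names one site while the href
points somewhere else, in particular at a raw IP address.

Added example, not code from the original post. The messages below are
constructed: the target address is from the RFC 5737 documentation range
and the YouTube video ID is a placeholder, not a real Storm node or video.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A hostname as it might appear in link text, with or without a scheme.
SHOWN_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def norm_host(host):
    """Lowercase and drop a leading 'www.' so www.example.com == example.com."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def target_host(url):
    """Hostname of the real link target, or None if the URL has none."""
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:
        return None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html_body):
    """Return (href, text, reason) for each anchor that looks deceptive.

    Two independent checks: the href host is a bare IP literal (the Storm
    pattern), or the link text names a host that differs from the href host.
    """
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        target = target_host(href)
        if target is None:
            continue
        reasons = []
        if is_ip_literal(target):
            reasons.append("target is a raw IP address (%s)" % target)
        shown = SHOWN_HOST_RE.search(text)
        if shown and norm_host(shown.group(1)) != norm_host(target):
            reasons.append("text shows %s but target is %s" % (shown.group(1), target))
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed samples: one in the Storm style, one benign.
STORM_STYLE_BODY = (
    "<html><body>What are you thinking...if pat sees this your divorced dude. "
    "check it out yourself<br>"
    '<a href="http://203.0.113.5/">http://www.youtube.com/watch?v=PLACEHOLDER</a>'
    "</body></html>"
)
BENIGN_BODY = '<html><body>Watch it on <a href="https://www.youtube.com/">YouTube</a></body></html>'

if __name__ == "__main__":
    for href, text, reason in suspicious_links(STORM_STYLE_BODY):
        print("SUSPICIOUS:", href, "|", text, "|", reason)
    print("benign findings:", suspicious_links(BENIGN_BODY))
```

The IP-literal check alone catches the variant described in this post; the text-versus-target comparison is the more general test and also catches lookalike domains. A plain-text body that shows the raw IP address as the link gives the second check nothing to compare, so only the first one fires there.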

4 New Browser Vulnerabilities

June 5, 2007

Yesterday Michal Zalewski posted four new browser-based vulnerabilities to Full-Disclosure. Normally I would not post about browser-based vulnerabilities, but these are worth mentioning: I can see how the bad guys would use each one of them to commit fraud against our members.

  1. Title: MSIE page update race condition (CRITICAL). Impact: cookie stealing / setting, page hijacking, memory corruption
  2. Title: Firefox cross-site IFRAME hijacking (MAJOR). Impact: keyboard snooping, content spoofing, etc.
  3. Title: Firefox file prompt delay bypass (MEDIUM). Impact: non-consensual download or execution of files
  4. Title: MSIE6 URL bar spoofing (MEDIUM). Impact: mimicking an arbitrary site, possibly including SSL data

I hope I am wrong, but if the bad guys start to use these they would be able to steal many login credentials for online banking applications, e-commerce sites, etc.

This is being covered by Computerworld and by the SANS incident handlers on duty.

BBB Phishing

May 29, 2007

According to SecureWorks and others (SANS and Sunbelt), there are two different phishing scams making their way around by email.

While both of them are extremely dangerous in their own respects, one of them I find very interesting. It is a highly targeted attack against executive-level managers at companies. It uses an email that claims to link you to documents pertaining to your case. Here are some of the highlights from SecureWorks.

Highlights

  • Highly-targeted attack – aimed at specific executive-level company managers
  • Steals all interactive data sent from victim’s IE browser to remote websites
  • Uses browser helper object to access form data before it is SSL-encrypted
  • One stolen data repository located. As of Friday, May 25, there are 1,400 victims and 145 megabytes of data in the repository. Approximately 70 megabytes of data is being collected daily.

The other email carries an RTF document as an attachment; when opened, it installs several pieces of malware onto the computer that opened it. The problem with this one is that, for some reason, it is easier to get a virus past email content scanners inside an RTF document.
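One reason an RTF can slip past a content scanner is that the document format is plain text: anything it embeds, including an executable, is stored as a hex dump, so a scanner looking for binary signatures in the raw attachment sees nothing. The post does not say how this campaign's RTF carried its payload, so the check below assumes the common mechanism, an OLE object embedded under \objdata (for instance a Package wrapping an executable). This is an added example, not code from the original post or the SecureWorks report; the sample RTF and its OLE1 stream are constructed, and the "executable" inside is just a fake DOS stub, not a real program.

```python
"""Scan an RTF attachment for embedded OLE objects carrying executables.

Added example, not code from the original post or the SecureWorks report,
and the post does not say how this campaign's RTF carried its payload.
The check assumes the common mechanism: an OLE object embedded as a hex
dump under \\objdata, which hides an executable from scanners that look
for binary signatures. The sample RTF below is constructed; its payload
is a fake DOS stub, not a real program.
"""
import re

OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file
DOS_STUB = b"This program cannot be run in DOS mode"   # present in PE files

# \objdata is followed by a hex dump; RTF writers break it into lines.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\b\s*([^\\{}]+)")


def ole1_class_name(data):
    """Class name from an OLE1 ObjectHeader (MS-OLEDS): after the 4-byte
    OLEVersion and 4-byte FormatID comes a length-prefixed ANSI string."""
    if len(data) < 12:
        return None
    length = int.from_bytes(data[8:12], "little")
    if not 0 < length <= 256 or len(data) < 12 + length:
        return None
    return data[12:12 + length].rstrip(b"\x00").decode("ascii", "replace")


def extract_objects(rtf):
    """Describe every \\objdata blob in the RTF bytes."""
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(rb"\s+", b"", m.group(1))
        hexrun = hexrun[: len(hexrun) & ~1]          # drop a stray trailing nibble
        try:
            data = bytes.fromhex(hexrun.decode("ascii"))
        except ValueError:
            data = b""
        # \objclass normally sits just before \objdata inside the same group.
        classes = OBJCLASS_RE.findall(rtf[max(0, m.start() - 512):m.start()])
        objects.append({
            "offset": m.start(),
            "objclass": classes[-1].strip().decode("ascii", "replace") if classes else None,
            "ole1_class": ole1_class_name(data),
            "size": len(data),
            "has_cfb": OLE_CFB_MAGIC in data,
            "has_pe_stub": b"MZ" in data and DOS_STUB in data,
        })
    return objects


def scan_rtf(rtf):
    """Return {'is_rtf', 'objects', 'verdict'} for an attachment's bytes."""
    if not rtf.lstrip().startswith(b"{\\rtf"):
        return {"is_rtf": False, "objects": [], "verdict": "not-rtf"}
    objects = extract_objects(rtf)
    bad = any(o["has_pe_stub"] or o["has_cfb"] or
              "package" in ((o["objclass"] or "") + (o["ole1_class"] or "")).lower()
              for o in objects)
    return {"is_rtf": True, "objects": objects,
            "verdict": "suspicious" if bad else "clean"}


# --- constructed sample (not a real attachment) ---------------------------
def build_ole1_embedded(class_name, payload):
    """Build an OLE1 EmbeddedObject stream (MS-OLEDS) around payload."""
    name = class_name.encode("ascii") + b"\x00"
    return (b"\x01\x05\x00\x00"                      # OLEVersion 0x0501
            + b"\x02\x00\x00\x00"                    # FormatID 2 = embedded
            + len(name).to_bytes(4, "little") + name  # ClassName
            + b"\x00\x00\x00\x00"                    # TopicName (empty)
            + b"\x00\x00\x00\x00"                    # ItemName (empty)
            + len(payload).to_bytes(4, "little") + payload)


FAKE_EXE = b"MZ" + b"\x90" * 62 + DOS_STUB + b".\r\n$" + b"\x00" * 32  # not a real program
HEX_DUMP = build_ole1_embedded("Package", FAKE_EXE).hex().encode("ascii")
WRAPPED = b"\n".join(HEX_DUMP[i:i + 64] for i in range(0, len(HEX_DUMP), 64))
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0 Please see the documents pertaining to your case.\\par\n"
              b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n" + WRAPPED + b"\n}}\n}")
CLEAN_RTF = b"{\\rtf1\\ansi Hello.\\par}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("clean", CLEAN_RTF)):
        r = scan_rtf(doc)
        print(name, r["verdict"],
              [(o["objclass"], o["ole1_class"], o["size"]) for o in r["objects"]])
```

The decode step is the point: the DOS stub string is only visible after the hex run is reassembled, which is exactly what a scanner matching signatures against the raw attachment bytes does not do. Real RTF readers are tolerant of malformed input (truncated headers, junk between control words), so a production scanner has to normalise harder than this before matching.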

For more information click on one of the reports above.

McAfee’s – Another Identity Theft Story

May 25, 2007

This story shows how sophisticated virus writers and ID theft criminals are getting: multiple sites, multiple pieces of malware, and the targeting of specific countries. This one in particular targeted users in France.

Read it here.

What a month for Phishing

May 25, 2007

The Anti-Phishing Working Group, in its activity trends report, says that the number of unique phishing websites rose by nearly 35,000 compared to the month of March.

In the report they indicate that this is due to phishers placing thousands of phishing URLs on one domain. Here is the report.

Another site, www.phishtank.com, shows a 100% increase for April compared to March.

Another good read on this topic is the Security Fix blog posting located here.