Archive for the ‘Attacks’ Category

Another Storm Worm Variant

August 27, 2007

If you have not noticed lately, the Storm Worm is being spread by an ever-changing email that attempts to infect users.

The Basics of Storm Worm – an email gets sent out to an unknown number of users with a link to a web server that attempts to compromise the user's system. In the beginning it masked itself as a greeting card email, then as a registration confirmation email.

Now it has taken a turn that I feel will be able to fool many users into clicking on it. The email hides the known Storm IP link behind a YouTube link. With that site being so widely used, I am pretty sure that the botnet size will grow even bigger. The current size of the botnet differs depending on the article read, but you can be assured that it is large and will continue to grow. One estimate has it at 250K to 1 million machines while another has it at 5 to 10 million.

In case you are interested, here are some sample subject lines and email body text. I have removed the links, of course.

Subject Lines

  • LOL, dude what are you doing
  • LOL, that is too cool…..
  • oh man your nutz
  • Where did you take that?
  • ROTFLMAO, who is that your …
  • I cant belive you did this

And for the body.

  • What are you thinking…if pat sees this your divorced dude. :-{) check it out yourself
  • this i not good. If this video gets to her husband your both dead. this is the link to it.
  • You can see your face right in the video. its all over the web dude. take a look, lol…
  • this i not good. If this video gets to her husband your both dead. go look at it…
  • this i not good. If this video gets to her husband your both dead. check it out yourself
  • What are you thinking…if pat sees this your divorced dude. :-{) see for yourself…
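The link-hiding trick described above, as an added example that is not part of the original post: a small Python check that flags anchors in an HTML mail body whose visible text names one host (such as youtube.com) but whose href points somewhere else or at a bare IP address. The mail body and addresses are constructed for the example; the parser and host comparison are my own generic check, not Storm-specific signatures.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL; bare text like 'www.youtube.com/watch?v=x' is tolerated."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def find_disguised_links(html_body):
    """Flag anchors whose visible text names one host but whose href goes elsewhere,
    or whose href is a bare IP address (the pattern the Storm mails used)."""
    p = AnchorCollector()
    p.feed(html_body)
    flagged = []
    for href, text in p.anchors:
        href_host = host_of(href)
        # Only treat the visible text as a URL if it looks like one (has a dot, no spaces).
        text_host = host_of(text) if "." in text and " " not in text else ""
        raw_ip = bool(IP_RE.match(href_host))
        mismatch = bool(text_host) and text_host != href_host
        if raw_ip or mismatch:
            flagged.append({"href": href, "text": text, "raw_ip": raw_ip, "mismatch": mismatch})
    return flagged

# Constructed sample body (not a real Storm message): the first link shows youtube.com
# but its href is a bare IP in documentation address space; the second link is consistent.
SAMPLE_BODY = (
    "<html><body>this is the link to it. "
    '<a href="http://192.0.2.10/">http://www.youtube.com/watch?v=abc123</a><br>'
    '<a href="http://www.youtube.com/watch?v=abc123">check it out</a></body></html>'
)
```

Run `find_disguised_links(SAMPLE_BODY)` to see the single flagged anchor; a mail gateway would apply the same check to the decoded HTML part of each message.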

BBB Phishing

May 29, 2007

According to Secureworks and others (SANS and SunBelt), there are two different phishing scams making their way around email.

While both of them are extremely dangerous in their own respects, one of them I find very interesting. It is a highly targeted attack against executive-level managers at companies. It uses an email that claims to link you to documents pertaining to your case. Here are some of the highlights from Secureworks.

Highlights

  • Highly-targeted attack – aimed at specific executive-level company managers
  • Steals all interactive data sent from victim’s IE browser to remote websites
  • Uses browser helper object to access form data before it is SSL-encrypted
  • One stolen data repository located. As of Friday, May 25, there are 1,400 victims and 145 megabytes of data in the repository. Approximately 70 megabytes of data is being collected daily.

The other email contains an attachment (an RTF document) which, when opened, installs several pieces of malware onto the computer that opened it. The problem with this one is that, for some reason, it is easier to get a virus past email content scanners with RTF documents.

For more information, click on one of the reports above.

McAfee’s – Another Identity Theft Story

May 25, 2007

This story shows how sophisticated virus writers and ID theft criminals are getting: multiple sites, multiple pieces of malware, and the targeting of specific countries. This one in particular targeted users in France.

Read it here.

New type of DDoS Attack

May 24, 2007

In a recent alert, Prolexic Technologies say they have uncovered a new type of DDoS attack. This attack uses P2P networks to perform the attack, which is very different from a botnet attack. See below.

P2P attacks are different from a regular botnet. There is no botnet and the attacker doesn't have to communicate with the clients it subverts. Instead, the attacker acts as a puppet master, instructing clients of large P2P file sharing hubs to disconnect from their P2P network and to connect to the victim's website instead. As a result, 25k computers may aggressively try to connect to a target website.

Here is what they have to say about the solution:

Plugging up web servers isn't anything new, but the ability to block 150k+ attacking IP addresses is. While dc++ attacks are easy to identify with signatures, the large number of IP addresses that need to be blocked (often over 250k during the course of a big attack) means that this type of attack can overwhelm even functioning intrusion prevention systems (IPS).