Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Anticipated Storm-Bot Attack Begins

Published: 2007-12-24
Last Updated: 2007-12-24 19:37:24 UTC
by Kevin Liston (Version: 4)
0 comment(s)

Overview and Blocking Information

Shortly after 0000 GMT 24-DEC-2007 reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members.  This version is a Christmas-themed stripshow directing victims to merrychristmasdude.com.

The message comes in with a number of subjects:

 

Subject: I love this Carol!
Subject: Santa Said, HO HO HO
Subject: Christmas Email
Subject: The Perfect Christmas
Subject: Find Some Christmas Tail
Subject: Time for a little Christmas Cheer

Updated subjects:
“Merry Christmas To All”
“Warm Up this Christmas”
“Mrs. Clause Is Out Tonight!”
“The Twelve Girls Of Christmas”
“Jingle Bells, Jingle Bells”
“Cold Winter Nights”

The body is something similar to:

 

do you have a min?



This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these. ;-)

http://merry christmasdude.com/

 

[the domain was interrupted for your protection]

Thanks Kevin for the initial report.

I recommend that you apply blocks on that domain (merrychristmasdude.com) for both outbound HTTP requests and incoming emails.

Under The Hood

The domain appears to be registered through nic.ru and hosted on a fast-flux network of at least 1000 nodes.  Like previous Storm waves, the binary changes approximately every 15 minutes; supposedly updating the peer-list used by the P2P network that the bot-net uses for command and control.

Russ has a nice and tidy analysis available at: http://holisticinfosec.blogspot.com/2007/12/storm-bot-stripshow-analysis.html
and Jose Nazario has a nice one at http://asert.arbornetworks.com/2007/12/storm-is-back-dude/

 

Speaking of Blogspot

If you google for merrychristmasdude.com you'll see a number of spam blogs set up with that domain in their body and directing traffic to siski.cn (take a look for that in your proxy logs while you're at it.)

Visiting skiski.cn will redirect you over to shockbabetv.com and attempt to install a fake video codec, which itself appears to be a downloader to deliver more coal to your stocking.


Kevin Liston (kliston -at- isc.sans.org)

Keywords:
0 comment(s)
Diary Archives