Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Storm of the Day, Now with YouTube

Published: 2007-08-25
Last Updated: 2007-08-25 21:00:55 UTC
by Johannes Ullrich (Version: 2)
0 comment(s)

The latest variation of the Storm worm claims to be a youtube video. The link looks like a link to youtube, but actually points to a "numeric" URL like old storm variants. The downloaded binary is called "video.exe". Malware researchers: This time, the web server will make sure that you are using the right referrer.

The source code for the URL:

<a href="http://10.99.65.224/">http://www.youtube.com/watch?v=Ga4y9EQMuDe</a>

of course, this is just a sample... I replaced the first byte in the IP with 10 to protect the innocent again.

And a quick update. i forgot to post this tip form Robert Reid last time around. Sorry for the delay. Its still a useful tip:

(this ISA signature will block access to web servers that identify themselves as "nginx/0.5.17". This is actually a valid web server, but used very little aside from "Storm". As always, watch for false positives)

We use ISA server and http filters to block access to various web apps and it occured to me today to do the same thing with Storm. These instructions will work for both ISA 2004 and 2006 and are completely effective.

1. Right click your default access rule and select "Configure http".
2. Click the "Signatures" tab then "Add"
3. Drop down the "search in" box and select "Response headers"
4. In the http headers field type "Server:"
5. In the "Signatures" field put "nginx/0.5.17" (the web server type and version used by Storm)
6. Give the signature a name, click ok, click, apply.
The http filter will now block the download of applet.exe on all web proxy clients. Clients will receive the message:
"502 Proxy Error. The request was rejected by the HTTP filter. Contact your ISA Server administrator. (12217)"
Keywords:
0 comment(s)
Diary Archives