April Fool's Day & Storm

Monday, March 31. 2008
A new "joke" from the Storm Worm botnet right before April Fool's Day.

Consistent with their past behavior of launching new propagation schemes right before dates of national interest (start of the NFL season, Halloween, Christmas Eve, ...), the botnet started to use a new social engineering theme right before April Fool's Day. The websites offer the actual bot binary under three different filenames (foolsday.exe, funny.exe, and kickme.exe), but they seem to be the same binary. I did not observe any drive-by download attack, thus it seems like they rely solely on social engineering - so don't fall for this hoax :-)

CAPTCHA fun

Thursday, March 13. 2008
A few weeks ago, Websense ran a story on "Google's CAPTCHA busted in recent spammer tactics". The basic idea is that the attacker automatically signs up for freemail accounts (e.g., Google or live.com) with the help of certain malware. During the registration process, the attacker needs to solve a CAPTCHA. This can be done, for example, with the help of humans who are paid for this task. Another option is to use humans who want to access a certain service, e.g., a porn website: the CAPTCHA from the registration page is relayed to them and their solution is sent back. This is the cheaper option, and presumably also effective. An example of such a CAPTCHA attack is currently available at gift-vip.net. Caution: this is not work-safe; do not open it if you do not want to see adult content. I also created a short movie which illustrates this process. The movie is also available as .mov and .swf file.

Thanks a lot to Nick FitzGerald for this tip!

[Update]: Please be careful when opening the actual site since it also contains a malicious iframe.

loads.cc vs. CWSandbox

Wednesday, March 12. 2008
Sunbelt covered the 3D screensaver spam and the background of this scam in some detail. Dancho Danchev also blogged about some details of this incident. And here are my 2 cents of info:

The file load.exe (MD5: b20e4e725cc86b489ec441b97b728285) drops two files called 0.EXE and 1.EXE which are subsequently executed. 0.EXE creates the two files C:\Documents and Settings\USER\Local Settings\Application Data\cftmon.exe and C:\WINDOWS\system32\drivers\spools.exe, which are also automatically started via a registry key. Furthermore, the following HTTP requests are sent:

http://195.93.218.25/ld/?&v=driver&d=0
http://195.93.218.25/ld/manda.php?id=-396739409&v=driver&d=0
http://195.93.218.25/m.exe

This IP address belongs to Buildhouse Ltd., located in Russia - a grey hosting provider?
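As an added example (not code from this post or from CWSandbox), here is a small Python matcher that checks sandbox-style events against the indicators listed above: the sample hash, the two dropped files, the autostart entry and the HTTP requests to 195.93.218.25. The event format, the sample events and the Run-key check (the post does not name the registry key) are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the load.exe analysis above.
LOAD_EXE_MD5 = "b20e4e725cc86b489ec441b97b728285"
C2_IP = "195.93.218.25"
DROPPED_FILES = {
    r"c:\documents and settings\user\local settings\application data\cftmon.exe",
    r"c:\windows\system32\drivers\spools.exe",
}
# Assumption: the "registry key" mentioned in the post is a Run/RunOnce autostart key.
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)


def normalise_path(path):
    """Lower-case the path and replace the profile name with USER so the
    indicator matches any user's profile directory."""
    return re.sub(r"documents and settings\\[^\\]+",
                  r"documents and settings\\user", path.lower())


def analyse(events):
    """Return (category, value) findings for a list of sandbox events.
    Each event is a dict with a 'type' of 'sample_hash', 'file_create',
    'registry_set' or 'http_request' (constructed event format)."""
    findings = []
    for ev in events:
        t = ev["type"]
        if t == "sample_hash" and ev["md5"].lower() == LOAD_EXE_MD5:
            findings.append(("known_sample", ev["md5"]))
        elif t == "file_create" and normalise_path(ev["path"]) in DROPPED_FILES:
            findings.append(("dropped_file", ev["path"]))
        elif (t == "registry_set" and RUN_KEY.search(ev["key"])
              and normalise_path(ev["value"]) in DROPPED_FILES):
            # Persistence: an autostart entry pointing at a dropped file.
            findings.append(("autostart", ev["value"]))
        elif t == "http_request" and urlparse(ev["url"]).hostname == C2_IP:
            findings.append(("c2_request", ev["url"]))
    return findings


# Constructed sample events mirroring the behaviour described in the post.
SAMPLE_EVENTS = [
    {"type": "sample_hash", "md5": "B20E4E725CC86B489EC441B97B728285"},
    {"type": "file_create", "path": r"C:\Documents and Settings\Alice\Local Settings\Application Data\cftmon.exe"},
    {"type": "file_create", "path": r"C:\WINDOWS\system32\drivers\spools.exe"},
    {"type": "file_create", "path": r"C:\WINDOWS\system32\notepad.exe"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spools",
     "value": r"C:\WINDOWS\system32\drivers\spools.exe"},
    {"type": "http_request", "url": "http://195.93.218.25/ld/?&v=driver&d=0"},
    {"type": "http_request", "url": "http://195.93.218.25/m.exe"},
    {"type": "http_request", "url": "http://www.example.com/"},
]
```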

More complete info: cwsandbox.org.

Postcards from Storm

Monday, March 3. 2008
Storm Worm changed its propagation scheme again. It now sends out spam mails pointing to fake "ecards". The spammed site contains just an image and points to a binary called postcard.exe. A quick analysis shows that the core functionality has not changed at all.