SpyWare BeWare! ASAP
Author Topic: Storm Worm Steps It Up A Notch  (Read 3172 times)
TeMerc
« on: October 16, 2007, 10:20:25 PM »

This first set of quotes is from the other day, and many other sites have been carrying it in one form or another. But Symantec, below that, is the first site I've seen to show these details and they ain't good.
Quote
Once again, CME711's domain resolvers are all pointing to 0.0.0.0 - which suggests another change is upon us.

What will it be this time? Baseball? My home team has just swept the Diamond Backs, and made it to the World Series. Congratulations to the Colorado Rockies! The last 22 games have been outstanding!

Update from Randy V:
Quote
They are back in full force. A nearly complete turn over of the active list from yesterday:


and the currently active list:

Only 201.235.46.246, 68.76.98.212 and 76.226.146.196 are in common. 76.226.146.196 is probably only a proxy.

Baseball does sound like a ripe target. There has not been a page change yet.

Update 2 (from Nicholas):
Quote
OpenDNS is null routing all CME711 domains. You can protect yourself from some of the effects of this trojan by changing your domain servers to 208.67.222.222 and 208.67.220.220. For more information visit the OpenDNS website.


This is gonna get ugly....fast.
Quote
The encryption is trivial and isn't the only new thing found in this variant. It seems to have some new techniques for propagation. Firstly, it is able to scan the file system and drop an executable into any folder with at least one .exe file. Secondly, the worm is able to harvest email addresses from the file system and send spam to those addresses. Lastly, it is able to search for .htm, .html, and .php files and inject malicious IFRAME code into them. We believe that this part of the worm is still under development due to the buggy nature of the code we are seeing. The IFRAME tag isn't hard coded. We suspect this information must be coming from the P2P C&C.

We were able to use our favorite search engine to look for one of the known tags within the IFRAME and we saw some sites that were already infected. These sites each led us to a fast-flux domain of the Storm worm. Considering how much this worm has evolved and where it is at currently, I think it's time for us to escalate this worm to hurricane category.
Source: Symantec Security Response Blog
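As an added illustration (not code from the original post or from either blog quoted above), here is a small Python scanner a site owner could run over a web root to flag the kind of injected IFRAMEs Symantec describes: any iframe inside .htm, .html or .php files that is hidden (zero size, display:none, visibility:hidden) or points at a host outside an allowlist. The file names, hosts and web-root contents below are constructed sample data, not indicators from the page.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample web root: one clean page, two pages with injected hidden
# iframes, and a non-web file that the scanner should ignore.
SAMPLES = {
    "index.html": "<html><body><h1>Welcome</h1><p>Hello</p></body></html>",
    "about.htm": '<html><body>About us</body><iframe src="http://example-fastflux.invalid/in.php" width=0 height=0></iframe></html>',
    "contact.php": '<?php echo "hi"; ?><iframe style="visibility:hidden" src="http://192.0.2.10/x.html"></iframe>',
    "notes.txt": '<iframe src="http://192.0.2.10/x.html"></iframe>',
}

WEB_SUFFIXES = (".htm", ".html", ".php")  # the file types the worm is said to target
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0(?:px)?["']?|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)

def suspicious_iframes(text, allowed_hosts=()):
    """Return (src, reason) for every iframe tag that is hidden or off-site."""
    hits = []
    for tag in IFRAME_RE.findall(text):
        m = SRC_RE.search(tag)
        src = m.group(1) if m else ""
        host = urlparse(src).hostname or ""
        reasons = []
        if HIDDEN_RE.search(tag):
            reasons.append("hidden")
        if host and host not in allowed_hosts:
            reasons.append("offsite:" + host)
        if reasons:
            hits.append((src, ",".join(reasons)))
    return hits

def scan_webroot(root, allowed_hosts=()):
    """Walk a web root and map file name -> suspicious iframe findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_SUFFIXES:
            hits = suspicious_iframes(path.read_text(errors="replace"), allowed_hosts)
            if hits:
                findings[path.name] = hits
    return findings

def demo():
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLES.items():
            Path(d, name).write_text(body)
        return scan_webroot(d, allowed_hosts={"www.example.com"})
```

Running demo() flags about.htm and contact.php and leaves index.html and notes.txt alone; in practice the allowlist would hold the site's own hostnames.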

TeMerc
« Reply #1 on: October 17, 2007, 01:29:50 PM »

Quote
The storm update has finally come, with the most recent page offering the latest in peer to peer sharing technology.
The page advertises a p2p application called Krakin, which, among other things, is said to be:

Easy to install, prevents tracking, has blogs and chat platforms, and video mail.

The download link points to krakin.exe, which is a p2p client - a p2p botnet client. The page isn't lacking the MPACK javascript either. I expect this page will stick around awhile. It looks very professional. I expect the blogger spam will pick up with this run.
Source: DSOG Blog w/ Screen Shot
