Internet Domain Registry


Wednesday, 26 December 2007

A Stormy Christmas and a Botnet New Year

Posted on 09:46 by Unknown
The newest round of Storm Worm propagation emails has come out, and it is,
again, largely undetected malware.

The main URLs we are seeing at this point are:

uhavepostcard.com <== (majority use this one)

happycards2008.com <== (all of these dated today)

There are more than 100 samples using these two URLs so far. The first
was received December 24th at 12:10 PM. The most recent was received
just moments ago.

---------
Subjects include:

A fresh new year
A fresh new year...
As you embrace another new year
Blasting new year
Happy 2008 To You!
Happy 2008!
Happy New Year To (emailhere)
Happy New Year To You!
Happy New Year!
It's the new Year
Joyous new year
Lots of greetings on new year
Message for new year
New Hope and New Beginnings...
New Year Ecard
New Year Postcard
New Year wishes for you
Opportunities for the new year
Wishes for the new year

---------

A scan of the current malware on VirusTotal just now showed a 37.5%
detection rate. The version scanned was 142,337 bytes and had the MD5
checksum of:

44dc7307c81eb9fe0a0cf9147a9932ef

Notable non-detections include F-Prot, Kaspersky, McAfee, and Sophos.

Those detecting named the malware as follows:

AntiVir = TR/Rootkit.Gen
Avast = Win32:Zhelatin-ASX
BitDefender = DeepScan:Generic.Malware.FMH@mmign.55A134E9
ClamAV = Trojan.Zhelatin
DrWeb = Trojan.Spambot.2386
Fortinet = W32/Tibs.G@mm
Microsoft = Backdoor:WinNT/Nuwar.B!sys
NOD32v2 = probably a variant of Win32/Fuclip
Panda = suspicious file
Prevx1 = Stormy:Worm-All Variants
Symantec = Trojan.Peacomm
Webwasher = Trojan.Rootkit.Gen

PREVX.com says this version was first seen on December 26th and has been
reported by one user in Spain. (That's where VirusTotal is, so I guess
that's me and others using VirusTotal.)

A Christmas version of the Storm Worm propagation email may still be lurking in inboxes as employees return from their holiday vacations. The Christmas version primarily used the malware domain:

merrychristmasdude.com

and the subject lines listed below. Visiting those sites now actually downloads the same "happy-2008.exe" malware that the New Year propagation uses, since the sites are in reality the same infected computers acting as the web hosts.

The Christmas subject lines were:

Christmas Email
Cold Winter Nights
Feel the Holiday Spirit
Find Some Christmas Tail
Ho Ho Ho's
How's It Goin
I love this Carol!
Jingle Bells, Jingle Bells
Looking for something hot this Christmas
Merry Christmas From your Secret Santa
Merry Christmas To All
Mrs. Clause
Mrs. Clause Is Out Tonight!
Santa Said, HO HO HO
Seasons Greetings
The Perfect Christmas
The Twelve Girls of Christmas
Time for a little Christmas Cheer.
Warm Up this Christmas
Your Secret Santa
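As an added example (not code from the original post), the following Python script turns the lure domains and the New Year and Christmas subject lines above into a simple mail check: it parses a message, normalises the subject, extracts linked hostnames from the body and reports which indicators matched. The sample messages are constructed; the subject set is a subset of the lists in the post.

```python
"""Flag mail matching the Storm Worm holiday lure (added example, not from the post)."""
import email
import re
from email import policy

# Indicators taken from the post. The subject set is deliberately a subset;
# personalised lines such as "Happy New Year To <address>" need a regex instead.
LURE_DOMAINS = {"uhavepostcard.com", "happycards2008.com", "merrychristmasdude.com"}
LURE_SUBJECTS = {
    "happy 2008!", "happy new year!", "new year ecard", "new year postcard",
    "merry christmas to all", "your secret santa", "seasons greetings",
}
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def lure_indicators(raw_message):
    """Return which lure indicators a raw RFC 822 message matches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    return {
        "subject_match": subject in LURE_SUBJECTS,
        "lure_domains": sorted(hosts & LURE_DOMAINS),
    }


def is_storm_lure(raw_message):
    """A link to a lure domain is decisive; a matching subject alone is a hit too,
    since the post shows the same subjects reused across the campaign."""
    found = lure_indicators(raw_message)
    return bool(found["lure_domains"]) or found["subject_match"]


# Constructed sample messages (not real captures).
LURE_MAIL = """From: friend@example.net
To: you@example.org
Subject: Happy 2008!
Content-Type: text/plain

Someone sent you a New Year postcard. View it at http://uhavepostcard.com/
"""
BENIGN_MAIL = """From: boss@example.org
To: you@example.org
Subject: Q4 numbers
Content-Type: text/plain

Report is at http://intranet.example.org/q4
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_MAIL), ("benign", BENIGN_MAIL)):
        print(name, lure_indicators(raw), is_storm_lure(raw))
```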

The domain names for all of these are set up in a "round robin": each lookup returns a different address. For instance, I used "nslookup" to query "merrychristmasdude.com" ten times in a row and got the following list of IP replies:

66.78.160.196
24.126.208.180
86.125.107.157
70.249.186.39
79.172.83.168
91.142.197.135
62.43.161.233
78.60.109.65
91.122.89.214
75.58.60.145
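As an added example (not code from the original post), this Python script applies the check just described: it summarises the answers from repeated lookups of a domain and flags one whose addresses are scattered across many unrelated networks, which is what a botnet of infected home PCs looks like in DNS. The sample answers are the ten from the post; the `stable.example` set and the thresholds are constructed assumptions.

```python
"""Summarise repeated DNS answers to spot botnet round-robin hosting (added example)."""
import ipaddress
import socket

# Constructed sample: the ten answers reported in the post for successive
# nslookup queries, plus a made-up single-homed host for comparison.
SAMPLE_ANSWERS = {
    "merrychristmasdude.com": [
        "66.78.160.196", "24.126.208.180", "86.125.107.157", "70.249.186.39",
        "79.172.83.168", "91.142.197.135", "62.43.161.233", "78.60.109.65",
        "91.122.89.214", "75.58.60.145",
    ],
    "stable.example": ["192.0.2.10"] * 10,
}


def resolve_repeatedly(domain, count=10):
    """Live lookups (network required): first A record of each of `count`
    successive queries. Not used by the offline demo below."""
    return [socket.gethostbyname_ex(domain)[2][0] for _ in range(count)]


def flux_summary(answers):
    """Count distinct addresses and the distinct /16 and /8 networks they fall in.
    A legitimate round-robin usually stays inside one or two provider netblocks;
    infected consumer PCs are spread over many unrelated ISPs."""
    ips = [ipaddress.ip_address(a) for a in answers]
    nets16 = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    nets8 = {ipaddress.ip_network(f"{ip}/8", strict=False) for ip in ips}
    return {
        "lookups": len(ips),
        "distinct_ips": len(set(ips)),
        "distinct_16s": len(nets16),
        "distinct_8s": len(nets8),
    }


def looks_like_flux(answers, min_distinct_ips=5, min_distinct_16s=4):
    """Heuristic thresholds (assumed, not from the post): many distinct
    addresses across many unrelated /16s within a handful of lookups."""
    s = flux_summary(answers)
    return s["distinct_ips"] >= min_distinct_ips and s["distinct_16s"] >= min_distinct_16s


if __name__ == "__main__":
    for domain, answers in SAMPLE_ANSWERS.items():
        verdict = "botnet-style round robin" if looks_like_flux(answers) else "normal"
        print(domain, flux_summary(answers), verdict)
```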

A much longer list of IP addresses that answer queries for all three of these domain names:


Good luck, and thanks for any help terminating the three domain names in question:


Merry Christmas and Happy New Year, CyberCrime Fighters . . .

_-_
gary warner
http://www.cis.uab.edu/forensics/