Internet Domain Registry

Tuesday, 1 July 2008

July Storm Worm gives us some Love

Posted on 14:35 by Unknown
The authors of the Storm Worm must have had some good success with their "love theme" for last month's Storm Propagation Spam, because they have decided to repeat the theme today.

Right about midnight the UAB Spam Data Mine began to receive spam messages for the new Storm Worm.

After being directed to a website that looks like this:



we followed the links on the site to receive some fresh malware. How fresh was it? The executables, which were named "winner.exe" and "mylove.exe" depending on whether you follow the banner ad or the text link, were uploaded to VirusTotal where we found these results:



At our initial scan, of 33 different AV engines, only FOUR of them knew this was a virus, and only two could label it correctly. (Currently we are up to EIGHT AV products properly identifying this as Storm. My university machine, which runs McAfee Anti-Virus, does not detect it even with a fresh signature update.)

We have seen a wide variety of subject lines in the spam so far . . .

All I need is You
Always on my mind
Can't forget You
Can't stay away from you
Crazy in love
Crazy in love with you
Deep in my heart
Deeply in love with you
Fallen for you
For you...Sweetheart!
Hate that I love you
Here in my heart
Hold you close
I give my heart to you
I knew I Loved You
I'll never stope loving you
I'll Never Find Someone Like You
I'll Still Love You More
I Love Being In Love With You
I love you so much!
In your arms
Just you and me
Lost In Love
Lost In Your Eyes
Love me tender, love me true
Lovin' You
Lucky to have you
Madly in love
Miss you with all my heart
Missing you
My heart belongs to you
My heart to yours
My heart was stolen
Not the same without you
Only Wanna Be With You
Somebody loves you
Stand by my side
Together forever
We belong together
With all my love
With you by mi side
You are always on my mind
You are in my heart
You are my world
You are the ONE
You feel up my senses
You have touched my heart
You make my world beautiful
You make my world special

The domain names which have been used so far are:


(Yes, we actually have spam samples for every one of these domains. For most we have MANY samples. That's what the Spam Data Mine does!)

All of these domains seem to be registered with Chinese Registrar "www.bizcn.com".

They use nameservers hosted under the following domains (with ns, ns1, ns2, etc. as the host prefix on each):

likethisone1.com
lollypopycandy.com
verynicebank.com

and their own domain (ns1.wholoveguide.com, etc.)

The last of these nameserver domains, verynicebank.com, was also used during the Beijing Earthquake version of the Storm Worm, which F-Secure described in their blog on June 19th. It served as the nameserver for "grupogaleria.cn", the domain used in that attack. It also served as the nameserver for "nationwide2u.cn", although we are not yet sure of the purpose of that domain name.
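The pivot described above (one shared nameserver domain tying the love-themed domains to the earthquake lure) can be automated. The following is an added example, not code from the post or from UAB; the domain names are those mentioned in the post, but which ns# host each domain points at is a constructed assumption, as is the unrelated control domain.

```python
from collections import defaultdict

# Constructed sample: domain -> nameserver hostnames, as a DNS/WHOIS lookup
# would return them. The campaign domains and the three shared NS domains are
# from the post; the exact ns# assignment per domain is an assumption.
NS_RECORDS = {
    "wholoveguide.com": ["ns1.wholoveguide.com", "ns2.verynicebank.com"],
    "bestlovelyric.com": ["ns1.likethisone1.com", "ns.lollypopycandy.com"],
    "loveoursite.com": ["ns2.verynicebank.com", "ns3.likethisone1.com"],
    "grupogaleria.cn": ["ns1.verynicebank.com"],    # June 19 earthquake lure
    "nationwide2u.cn": ["ns2.verynicebank.com"],    # purpose still unknown
    "example-news.test": ["ns1.example-dns.test"],  # unrelated control domain
}


def ns_parent(host):
    """Strip the ns/ns1/ns2... label so ns1.foo.com and ns2.foo.com both map to foo.com."""
    label, _, rest = host.partition(".")
    return rest if label.startswith("ns") and rest else host


def cluster_by_nameserver(records):
    """Map each nameserver domain to the set of domains it serves.

    Self-hosted glue (ns1.wholoveguide.com for wholoveguide.com) is ignored,
    since it links a domain only to itself.
    """
    clusters = defaultdict(set)
    for domain, hosts in records.items():
        for host in hosts:
            parent = ns_parent(host)
            if parent != domain:
                clusters[parent].add(domain)
    return clusters


def pivot(records, known_bad):
    """Return every other domain reachable from known_bad through shared
    nameserver domains, following the chain transitively."""
    clusters = cluster_by_nameserver(records)
    seen, frontier = set(), {known_bad}
    while frontier:
        domain = frontier.pop()
        seen.add(domain)
        for members in clusters.values():
            if domain in members:
                frontier |= members - seen
    return seen - {known_bad}
```

Starting from a single confirmed campaign domain, pivot() walks verynicebank.com to reach the earthquake-lure domain and then likethisone1.com to reach the rest, while the control domain is never pulled in.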


We are actively seeking termination of the last few domains now (most are already down).