Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Deja Vu: Valentine's Storm

Published: 2008-01-16
Last Updated: 2008-01-16 10:26:18 UTC
by Bojan Zdrnja (Version: 1)
2 comment(s)

Yesterday we started receiving another wave of Storm e-mails, this time exploiting our love: you got it, Storm started exploiting Valentine’s Day. It looked like they missed the ball for Christmas but now they are certainly back.

The e-mails Storm is sending are same as in last couple of waves – a subject designed to catch your attention and the body with a URL consisting of only an IP address (in other words, it should be easy to detect this with anti-spam tools).

Once a user visits the web site he is served with a nice web page (see below) and a link to download an executable – same as with previous versions.

Valentine Storm

So is there anything new about this variant of Storm? Not really. The social engineering attack is the same as before. Actually, there are a lot of similarities with Storm’s Valentine’s attack last year (2007). The subjects are almost the same and the only difference is that last year Storm sent itself as an attachment.

Storm’s packing/obfuscation techniques are still up to the task – when I downloaded the first variant only 4 anti-virus programs out of 32 on VirusTotal properly detected it with virtually no coverage amongst the most popular anti-virus programs. These results are not completely correct since some AV programs are able to block Storm when the user tries to execute it, due to behavior analysis. That being said, it still shows that the server side packing/obfuscation Storm uses works.

Following the pattern we can probably expect Super Bowl being exploited soon as well.



2 comment(s)

New MS Excel vulnerability could allow remote code execution

Published: 2008-01-16
Last Updated: 2008-01-16 02:54:29 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

Microsoft has just released an advisory and blog entry on a newly discovered vulnerability in MS Excel products. The vulnerability is, according to the blog, already actively exploited by targeted attacks.  Excel 2003SP3 and Excel 2007 are not affected, but most other versions are.

0 comment(s)

Targeted attacks: behind the media reports

Published: 2008-01-16
Last Updated: 2008-01-16 02:53:31 UTC
by Maarten Van Horenbeeck (Version: 2)
0 comment(s)

Between Christmas and New Year, I spoke at the Chaos Communications Congress in Berlin on targeted attacks. Some basic findings included:

  • Office applications are the most common targets, but utilities such as archivers that are seldom updated by the user are also commonly exploited;
  • Control servers used in the attack are generally compromised boxes themselves. The connection occurs based on a DNS lookup, not an IP address. This allows the attackers to reuse an infected machine even when the original control server is cleaned by its owners. These control servers sometimes contain port forwarders connecting to another machine, often in a different jurisdiction;
  • Initially, attacks were disabled and enabled remotely by "parking" the control hostname to localhost ( As this is a bit obvious, newer code contains checks for specific, fake IP addresses upon which the attack is temporarily disabled. Parking addresses are generally easy to spot manually, such as;
  • Hostnames are reused over several months but appear to be target-specific, while compromised IP addresses are potentially shared between targets;
  • "Memes", such as funny documents that are distributed on mailing lists, are sometimes redistributed by attackers, but containing malicious code. Users are familiar with the document being sent to them and are likely to open it.

A number of people approached me afterwards telling me that most of what they learned about the issue so far came from the media, not from their peers. When I started studying the phenomenon, my approach was to contact groups that had reported very similar attacks, such as the Falun Gong community. Information and samples from these groups allowed me to gain a better understanding of the attacks. 

Targeted attacks evolve based on economies built around the information that is targeted. When information is valuable to the attacker, he will take commensurate effort to compromise it. Depending on the value, this encourages the use of novel, untested techniques. Such techniques tend to be unreliable and fail disproportionately. Failures can be detected, understood and shared. This type of sharing is part of what I refer to as security intelligence.

If you’re worried about this type of compromise, join one of the many information sharing mechanisms your industry may offer: the United States has a fair amount of ISACs (Information Sharing and Analysis Centers), and the UK offers its WARPs (Warning, Advice and Reporting Points). These organizations allow you to share information and still rest assured it is anonymized appropriately.

We are also very interested in hearing about your experiences. The Storm Center takes your confidentiality very seriously, so please do identify what we can post and what should remain private or should only refer to as generic techniques. We appreciate your contribution.

You can download the CCC presentation here or read up on the issue further here.

Maarten Van Horenbeeck

0 comment(s)
Diary Archives