Storm Botnet Celebrates Birthday With Fireworks

Published: 2008-07-04
Last Updated: 2008-07-04 15:01:30 UTC
by Kevin Liston (Version: 2)
1 comment(s)

The Basics

I read about MX Logic's prediction this morning (www.computerworld.com/action/article.do) that we should expect another wave of Storm Bot recruitment emails, likely using the US Independence Day holiday as a lure. The group behind the Storm Botnet has always been conscious of timing, and shortly after 5pm Eastern time I began to receive reports that a new wave had started.

There's nothing very different about this one: the email directs the intended victim to a link that offers fireworks.exe for download.

Gary Warner has a nice starter collection of Subjects, Bodies, and hosting IPs for those who need to set up blocks and filters, available here: garwarner.blogspot.com/2008/07/storm-worm-salutes-our-nation-on-4th.html I'm sure that the list will continue to grow. I'd recommend that you play it safe by blocking all attempts to download fireworks.exe at your perimeter (your environment may vary, but I can't see any business justification for any executables named fireworks to be downloaded by my users-- I know "Kevin is no fun.")
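One way to act on that recommendation, as an added example that is not the diary's or ISC's own code: scan proxy access logs for requests whose URL path ends in fireworks.exe, regardless of host, letter case, percent-encoding or query string, and report the requesting clients. The Squid-style log lines, IP addresses and timestamps below are constructed for illustration; only the file name comes from the diary.

```python
"""Flag proxy-log requests for the Storm lure payload named in the diary.

Added example, not the diary author's code. It reads Squid "native"
access.log lines (constructed here) and reports requests whose URL path
ends in 'fireworks.exe'. Hosts, client IPs and timestamps are made up.
"""
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Squid native access.log format:
# timestamp elapsed client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1215190001.123    210 10.0.0.15 TCP_MISS/200 51234 GET http://192.0.2.10/fireworks.exe - DIRECT/192.0.2.10 application/octet-stream
1215190002.456     88 10.0.0.22 TCP_MISS/200 8123 GET http://www.example.com/index.html - DIRECT/198.51.100.5 text/html
1215190003.789    140 10.0.0.31 TCP_MISS/200 51234 GET http://203.0.113.7/FireWorks.EXE?id=4 - DIRECT/203.0.113.7 application/octet-stream
1215190004.012     60 10.0.0.15 TCP_MISS/200 4410 GET http://www.example.com/fireworks-safety.pdf - DIRECT/198.51.100.5 application/pdf
1215190005.345    120 10.0.0.40 TCP_MISS/200 51234 GET http://192.0.2.44/download/fireworks%2Eexe - DIRECT/192.0.2.44 application/octet-stream
"""

# File names the diary recommends blocking at the perimeter (lower-cased).
BLOCKED_BASENAMES = {"fireworks.exe"}


def request_basename(url: str) -> str:
    """Return the lower-cased, percent-decoded last path component of url.

    The query string and fragment are dropped first so 'x.exe?id=4' still
    yields 'x.exe', and unquote() undoes encodings such as '%2E' for '.'.
    """
    path = unquote(urlsplit(url).path)
    return path.rsplit("/", 1)[-1].lower()


def is_blocked_download(url: str) -> bool:
    """True if the URL's file name is one we have decided to block."""
    return request_basename(url) in BLOCKED_BASENAMES


def scan_access_log(text: str) -> list:
    """Return one dict per matching request: timestamp, client IP and URL."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:  # not a well-formed native-format line
            continue
        timestamp, client, url = fields[0], fields[2], fields[6]
        if is_blocked_download(url):
            hits.append({"timestamp": timestamp, "client": client, "url": url})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} fetched {hit['url']}")
```

Matching on the decoded file name rather than on a list of hosting IPs means the check keeps working as the list in Gary Warner's post grows; clients that appear in the output are the ones whose incident-handling ticket you open. The same rule can be expressed as a case-insensitive `url_regex` ACL in Squid and denied with `http_access`, so the log scan and the block use one definition.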

Fireworks of Fireworks.exe

Russ McRee did a nice little write-up and visualization of the bot's traffic. I think it's prettier than what the lure video promised. It's available here: holisticinfosec.blogspot.com/2008/07/visualized-storm-fireworks-for-your-4th.html

So What?

A reader wrote in asking: "I am interested to know, how it is possible, that the storm worm is still able to be such a threat, that ISC needs to report about it?"

Great question.

My morning pre-caffeine answer:

I don't consider these Storm Botnet waves to be so much of a threat-- I consider them like an EICAR test file for an organization's incident response process. If your security policies and incident response procedures are having difficulty with this kind of event, they both need some assistance and re-tooling.


Keywords: stormworm