Now that Christmas is here, the Storm Worm is moving on to New Years.
Overview and Blocking Information
Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Year's-themed e-card directing victims to "u have post card.com" (spaces inserted to break the URL). NOTE: Please do not blindly go to this URL -- there is malware behind it.
The message arrives with a number of different subjects and body texts. The one-line message bodies are also being used as the subject lines.
Seen So Far:
A fresh new year
Thanks to David F for the initial report.
We recommend applying filter blocks on the domain (u have post card.com, spaces inserted) for both incoming e-mail and outbound web traffic.
Under The Hood
As with 'merry christmas dude.com', this domain appears to be registered through nic.ru. It also appears to be hosted on the same fast-flux network, now with at least 8000 nodes.
The malware file currently served from that web site is 'happy2008.exe'. We will add more analysis details throughout the day as we get them.
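As an added illustration of the blocking recommendation above (this is example code written for this page, not anything from the diary or from the Storm analysis itself), the following Python scans text lines such as mail bodies or proxy log records for URLs, normalizes the hostname, and flags anything on the lure domain (including host names under it) or fetching the reported payload file name. The domain is written with the diary's spaces and stripped at runtime so the page still carries no live link; the sample lines and the proxy log format are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Lure domain from the diary, spaces stripped at runtime so the page stays unlinkable.
ECARD_DOMAIN = "u have post card.com".replace(" ", "")
BLOCKED_DOMAINS = {ECARD_DOMAIN}
# Payload file name reported in the diary.
BLOCKED_FILENAMES = {"happy2008.exe"}

# Matches http(s) URLs and bare host names with an optional path.
URL_RE = re.compile(
    r"https?://[^\s\"'<>]+"
    r"|\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s\"'<>]*)?",
    re.IGNORECASE,
)


def _with_scheme(url: str) -> str:
    """Prepend a scheme to bare hosts so urlsplit() parses them consistently."""
    return url if "://" in url else "http://" + url


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL (bare host names are accepted)."""
    host = urlsplit(_with_scheme(url)).hostname or ""
    return host.rstrip(".").lower()


def is_blocked_host(host: str) -> bool:
    """True if host is a blocked domain or any label under it (e.g. www.<domain>)."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def is_blocked_filename(url: str) -> bool:
    """True if the URL path's last component is a known payload file name."""
    path = urlsplit(_with_scheme(url)).path
    return path.rsplit("/", 1)[-1].lower() in BLOCKED_FILENAMES


def scan_text(text: str) -> list:
    """Return (url, reasons) for every URL in text that hits the blocklist."""
    hits = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;)")  # drop sentence punctuation glued to the URL
        reasons = []
        if is_blocked_host(host_of(url)):
            reasons.append("blocked-domain")
        if is_blocked_filename(url):
            reasons.append("blocked-filename")
        if reasons:
            hits.append((url, ",".join(reasons)))
    return hits


def scan_lines(lines) -> list:
    """Scan several lines and return (line_number, url, reasons) for each hit."""
    return [(n, url, why) for n, line in enumerate(lines, 1) for url, why in scan_text(line)]


# Constructed samples (not from the diary): a lure body with a bare host,
# a proxy log line fetching the payload, and a benign line.
SAMPLE_LINES = [
    f"A fresh new year {ECARD_DOMAIN}.",
    f"1198600000.123 GET http://www.{ECARD_DOMAIN}/happy2008.exe 200",
    "Thanks to David F for the initial report. https://isc.sans.org/",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```

The suffix match is deliberate: blocking only the exact host would miss `www.` or any other host name under the registered domain, while the file-name check gives a second, independent indicator for proxy logs where the domain has already been rotated.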
David Goldsmith (dgoldsmith -at- sans.org)
Dec 25th 2007