The latest variation of the Storm worm claims to be a YouTube video. The link looks like a link to YouTube, but actually points to a "numeric" (bare IP) URL like old Storm variants. The downloaded binary is called "video.exe". Malware researchers: this time, the web server checks that the request carries the expected referrer before it serves the file.
The source code for the URL:
Of course, this is just a sample... I replaced the first byte in the IP with 10 to protect the innocent again.
And a quick update: I forgot to post this tip from Robert Reid last time around. Sorry for the delay. It's still a useful tip:
(This ISA signature will block access to web servers that identify themselves as "nginx/0.5.17". This is a valid web server, but it is used very little aside from Storm. As always, watch for false positives.)
We use ISA Server and HTTP filters to block access to various web apps, and it occurred to me today to do the same thing with Storm. These instructions will work for both ISA 2004 and 2006 and are completely effective.
The HTTP filter will now block the download of applet.exe on all web proxy clients. Clients will receive the message:
"502 Proxy Error. The request was rejected by the HTTP filter. Contact your ISA Server administrator. (12217)"
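As an added illustration (not code from the diary or from Robert Reid's ISA instructions), the Python below mirrors the two defensive checks discussed above: a proxy-side filter that rejects responses whose Server banner is exactly "nginx/0.5.17", and a detector for lure links whose visible text names YouTube while the href host is a bare IP address. The HTTP responses and link are constructed samples; the 10.x address stands in for the real host, as in the diary.

```python
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlsplit

# Server banner the ISA tip blocks on. Widen or narrow this set to tune false positives.
BLOCKED_SERVER_BANNERS = {"nginx/0.5.17"}


def server_banner(raw_response: bytes) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def should_block_response(raw_response: bytes) -> bool:
    """Mirror the ISA HTTP filter: reject responses whose Server banner is on the block list."""
    banner = server_banner(raw_response)
    return banner is not None and banner in BLOCKED_SERVER_BANNERS


def is_numeric_host_lure(href: str, anchor_text: str) -> bool:
    """Flag a link whose visible text names youtube.com but whose href host is a bare IP."""
    host = urlsplit(href).hostname or ""
    try:
        ip_address(host)          # raises ValueError for hostnames and empty strings
    except ValueError:
        return False
    return "youtube.com" in anchor_text.lower()


# Constructed samples (not captured traffic): a Storm-style download and a benign response.
STORM_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx/0.5.17\r\n"
                  b"Content-Type: application/octet-stream\r\n"
                  b"Content-Disposition: attachment; filename=video.exe\r\n\r\nMZ...")
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.4\r\n\r\n<html></html>"
LURE_HREF, LURE_TEXT = "http://10.1.2.3/video.exe", "http://www.youtube.com/watch?v=constructed"

if __name__ == "__main__":
    print("block storm response:", should_block_response(STORM_RESPONSE))   # True
    print("block benign response:", should_block_response(BENIGN_RESPONSE)) # False
    print("lure link:", is_numeric_host_lure(LURE_HREF, LURE_TEXT))         # True
```

The banner match is deliberately exact, which is what keeps the false-positive rate low; a prefix match on "nginx/" would block legitimate sites.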
Aug 25th 2007