MX Logic IT Security Blog

30 June 2008

Storm Wants to Make You a Winner!


Of course it is appropriate that on the same day we write about the author of fast flux pleading guilty to a felony that we see another Storm Worm variant come out.  Granted, new Storm Worm variants are nothing new.  They come out all the time.  I figured I would send out some red flags on this one because as of the time of this writing AV identification of this new variant is less than 10%.

The lure is the typical one-line email with a romantic message in the body, such as "I Want You, I Need You, I Love You" or "You are in my heart", followed by a link to a web site that serves up two executables (both linked to Storm).

This is a screen shot of what the site looks like:



Clicking on the banner at the top of the page attempts to download a file named winner.exe.  Clicking the "Click Here" link attempts to download mylove.exe.

Here are the virustotal.com results for winner.exe and mylove.exe:

Antivirus Version Last Update Result
AhnLab-V3 2008.7.1.0 2008.06.30 -
AntiVir 7.8.0.59 2008.06.30 -
Authentium 5.1.0.4 2008.06.29 -
Avast 4.8.1195.0 2008.06.30 -
AVG 7.5.0.516 2008.06.30 -
BitDefender 7.2 2008.06.30 -
CAT-QuickHeal 9.50 2008.06.30 -
ClamAV 0.93.1 2008.07.01 -
DrWeb 4.44.0.09170 2008.06.30 -
eSafe 7.0.17.0 2008.06.30 Suspicious File
eTrust-Vet 31.6.5914 2008.06.30 -
Ewido 4.0 2008.06.27 -
F-Prot 4.4.4.56 2008.06.29 -
F-Secure 7.60.13501.0 2008.06.26 -
Fortinet 3.14.0.0 2008.07.01 -
GData 2.0.7306.1023 2008.06.30 -
Ikarus T3.1.1.26.0 2008.06.30 -
Kaspersky 7.0.0.125 2008.07.01 -
McAfee 5328 2008.06.30 -
Microsoft 1.3704 2008.07.01 -
NOD32v2 3229 2008.06.30 -
Norman 5.80.02 2008.06.30 -
Panda 9.0.0.4 2008.07.01 Suspicious file
Prevx1 V2 2008.07.01 -
Rising 20.51.02.00 2008.06.30 -
Sophos 4.30.0 2008.07.01 -
Sunbelt 3.1.1509.1 2008.06.30 -
Symantec 10 2008.07.01 -
TheHacker 6.2.96.365 2008.07.01 -
TrendMicro 8.700.0.1004 2008.06.30 -
VBA32 3.12.6.8 2008.06.30 -
VirusBuster 4.5.11.0 2008.06.30 -
Webwasher-Gateway 6.6.2 2008.06.30 -


Antivirus Version Last Update Result
AhnLab-V3 2008.7.1.0 2008.06.30 -
AntiVir 7.8.0.59 2008.06.30 -
Authentium 5.1.0.4 2008.06.29 -
Avast 4.8.1195.0 2008.06.30 -
AVG 7.5.0.516 2008.06.30 -
BitDefender 7.2 2008.06.30 Trojan.Peed.JLV
CAT-QuickHeal 9.50 2008.06.30 -
ClamAV 0.93.1 2008.07.01 -
DrWeb 4.44.0.09170 2008.06.30 -
eSafe 7.0.17.0 2008.06.30 Suspicious File
eTrust-Vet 31.6.5914 2008.06.30 -
Ewido 4.0 2008.06.27 -
F-Prot 4.4.4.56 2008.06.29 -
F-Secure 7.60.13501.0 2008.06.26 -
Fortinet 3.14.0.0 2008.07.01 -
GData 2.0.7306.1023 2008.06.30 -
Ikarus T3.1.1.26.0 2008.06.30 Email-Worm.Win32.Zhelatin.zy
Kaspersky 7.0.0.125 2008.07.01 -
McAfee 5328 2008.06.30 -
Microsoft 1.3704 2008.07.01 -
NOD32v2 3229 2008.06.30 -
Norman 5.80.02 2008.06.30 -
Panda 9.0.0.4 2008.07.01 -
Prevx1 V2 2008.07.01 -
Rising 20.51.02.00 2008.06.30 -
Sophos 4.30.0 2008.07.01 -
Sunbelt 3.1.1509.1 2008.06.30 -
Symantec 10 2008.07.01 -
TheHacker 6.2.96.365 2008.07.01 -
TrendMicro 8.700.0.1004 2008.06.30 -
VBA32 3.12.6.8 2008.06.30 -
VirusBuster 4.5.11.0 2008.06.30 -
Webwasher-Gateway 6.6.2 2008.06.30 -


So, as you can see, AV pickup so far has been non-existent although I am sure it will pick up soon.  The IPs that are hosting the infected URLs are being rotated using fast flux.  In just the 15 minutes that I have been monitoring some of the sites they have already changed IPs several times. 

This is not likely to be the only time this week that we hear from Storm.  Last year during the July 4th holiday is when we started to see the big fake e-card Storm surge.  Although most people are used to seeing these by now, they always manage to be popular social engineering lures nonetheless. 

Expect to see some revisit of Storm sometime later this week.  It might not be e-cards, but in following with Storm's tradition of releasing new variants on or near holidays, I would be very surprised if a Storm weren't already brewing.
Posted by smasiello at 5:21 PM | Link | 0 comments

Nugache Worm Author Pleads Guilty

Another one bites the dust...

Jason Michael Milmont, the author of the Nugache worm, and the creator of what came to be known as "Fast Flux" has pleaded guilty to one count of unlawfully accessing computers, a felony, in a Wyoming federal court.

Fast Flux is an abuse of the domain name system (DNS) in which a botnet continually rotates the IP addresses associated with a malware-infected web site to evade detection and forensic analysis.  This constant mobility makes the botnet very difficult to shut down.

There is also an evasion tactic called "Double Flux" which is similar to Fast Flux, except that it rotates not only a domain's responding IP addresses but also that domain's authoritative name servers.  The reason it is called "Fast" flux is that these IP addresses can rotate as often as every couple of minutes.

The Nugache worm was used to launch distributed denial of service (DDoS) attacks as well as to steal personal information such as credit card numbers from the computers infected with Nugache.  It has been estimated that Milmont controlled as many as 15,000 computers on his botnet.
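From the defender's side, the fast-flux and double-flux behaviour described above shows up in repeated DNS lookups as a churn of A records with short TTLs and, for double flux, a churn of NS names. The following is an added example (not code from this post) that scores a set of recorded lookups for those indicators. The observations, the domain and the thresholds are constructed for illustration and are not values from the post.

```python
"""Fast-flux and double-flux indicator check over recorded DNS answers.

Added example, not code from the MX Logic post. It assumes someone has
already collected repeated lookups of one domain into (seconds_since_start,
record_type, value, ttl) tuples; the observations below are constructed.
"""
from collections import defaultdict

# Constructed observations for one hypothetical domain, looked up every
# two minutes. Both the A records and the NS names change between lookups.
OBSERVED = [
    (0,   "A",  "203.0.113.10",        120),
    (0,   "A",  "198.51.100.7",        120),
    (0,   "NS", "ns1.example.invalid", 300),
    (120, "A",  "203.0.113.55",        120),
    (120, "A",  "192.0.2.88",          120),
    (120, "NS", "ns7.example.invalid", 300),
    (240, "A",  "198.51.100.200",      120),
    (240, "A",  "192.0.2.14",          120),
    (240, "NS", "ns3.example.invalid", 300),
]


def flux_score(observations, a_ttl_max=300, min_distinct_a=5, min_distinct_ns=2):
    """Summarise flux indicators for one domain.

    Thresholds are illustrative assumptions, not values from the post:
      - fast flux: many distinct A records across lookups, all with short
        TTLs, so the rotation reaches clients within minutes
      - double flux: fast flux plus rotating authoritative NS names
    """
    distinct = defaultdict(set)     # record type -> set of values seen
    ttls = defaultdict(list)        # record type -> TTLs seen
    per_lookup = defaultdict(set)   # timestamp -> set of A records answered
    for ts, rrtype, value, ttl in observations:
        distinct[rrtype].add(value)
        ttls[rrtype].append(ttl)
        if rrtype == "A":
            per_lookup[ts].add(value)

    # Count how many consecutive lookups returned a different A-record set.
    snapshots = [per_lookup[ts] for ts in sorted(per_lookup)]
    rotations = sum(1 for prev, cur in zip(snapshots, snapshots[1:]) if prev != cur)

    a_count = len(distinct["A"])
    ns_count = len(distinct["NS"])
    max_a_ttl = max(ttls["A"]) if ttls["A"] else None
    fast_flux = (a_count >= min_distinct_a
                 and max_a_ttl is not None and max_a_ttl <= a_ttl_max)
    double_flux = fast_flux and ns_count >= min_distinct_ns
    return {
        "distinct_a": a_count,
        "distinct_ns": ns_count,
        "rotations": rotations,
        "max_a_ttl": max_a_ttl,
        "fast_flux": fast_flux,
        "double_flux": double_flux,
    }


if __name__ == "__main__":
    for key, val in flux_score(OBSERVED).items():
        print(f"{key}: {val}")
```

A real deployment would feed this from passive DNS or resolver logs and tune the thresholds against known-good domains that legitimately use short TTLs (CDNs, load balancers), which is why the TTL and the distinct-address count are checked together rather than separately.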

Under the terms of his deal Milmont has agreed to pay approximately $74,000 in damages and faces up to five years in federal prison. 

In my opinion, this story is only significant because of Milmont's contribution to the botnet community in how his Nugache worm used peer-to-peer networking technology and fast flux in order to create a fully redundant, interconnected network to prevent his botnet from easily being shut down.  The size of the Nugache botnet (about 15,000 computers) pales in comparison to some of the botnets that we are seeing today, but the work done by Milmont paved the way for worms like Storm which heavily relied on fast flux to stay alive.

Posted by smasiello at 9:46 AM | Link | 0 comments

26 June 2008

Microsoft Identifies Tools to Address SQL Injection Attacks?

Don't be fooled....

According to this TechTarget article, Microsoft has a few tools that they recommend people use to address SQL injection attacks.

Don't be fooled by what is meant by "address" in this context.  Let's be clear on what these tools do and what they don't do.

They DO:

-- Scan web sites and identify potential SQL injection vulnerabilities.  Even Erik Peterson, a senior director of products for HP's application security center, states that Scrawlr (one of the tools identified) falls short of the functionality provided by many commercial tools.
-- Analyze source code for potential vulnerabilities; however, the recommended source code analyzer only supports ASP code written in VBScript.

Seems like we are quickly narrowing down the number of web sites these recommended tools will even function on.

They DON'T:

-- Provide protection against any attacks
-- Solve the real root of the problem which is ensuring programmers are following safe coding practices to protect the sites that they develop from SQL injection vulnerabilities. 
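Since the root of the problem is the coding practice and not the scanner, here is an added example (not from this post or from the Microsoft tools it discusses) of the defect a scanner can only flag, next to the fix the programmer has to make: splicing user input into the SQL text versus a parameterized query. It uses Python's sqlite3 module with an in-memory table; the table, the users and the inputs are constructed.

```python
"""Vulnerable versus parameterized login query (sqlite3, in memory).

Added example, not from the MX Logic post or the Microsoft tools it
discusses. The table, the users and the inputs are constructed.
"""
import sqlite3


def build_db():
    """Create an in-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable pattern: user input spliced into the SQL text.

    This is the construct a scanner can flag. A quote character in the
    input becomes part of the statement and changes its logic.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Fixed pattern: a parameterized query.

    The driver passes the values separately from the SQL text, so the
    input is only ever compared as data and can never alter the statement.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"   # constructed input containing a quote character
    print("unsafe, real password:", login_unsafe(db, "alice", "correct horse"))
    print("unsafe, quoted input: ", login_unsafe(db, "alice", probe))   # True: query logic changed
    print("safe, quoted input:   ", login_safe(db, "alice", probe))     # False: treated as data
```

The point for a code reviewer is that the two functions are the same length and the same query; the only difference is whether the data travels inside the SQL string or beside it, and no amount of scanning substitutes for making that change everywhere a query is built.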

If you use any of these tools that Microsoft is recommending, don't be lulled into the false sense of security that they can provide.  As we can see, many free scanning tools have all kinds of limitations that will only provide the most basic of testing or only work provided that very specific technology conditions and phases of the moon exist. 

I am glad to see that Robert Westervelt, the author of the article linked at the beginning of this post, wrote up this clarification today.  I like Robert and actually did an interview with him back in January related to PDF spam which was posted to his blog, but I think his original article not only missed the mark, but could very well have generated a lot of confusion with junior security researchers and management folks on effective ways to detect SQL injection vulnerabilities.

Posted by smasiello at 12:09 PM | Link | 0 comments
20 June 2008

Cyber Hitman of the Future?

The July 2008 edition of PC Magazine has a short story on page 92 titled "Hacked Through the Heart" which references a paper published at secure-medicine.org discussing the possibility of hacking the human body through wireless reprogrammable Implantable Medical Devices (IMDs) such as pacemakers.  These attacks could lead to effects such as changing the settings on the pacemaker or even disabling it entirely!  The paper also goes into detail as to how some of these attacks would take place.

Although the paper mentions that as of right now these are theoretical scenarios, the more important point to remember is that these IMDs are driven by software and "where there is software, there are vulnerabilities" and "where there are vulnerabilities, there will be exploits."  I could easily envision a scenario where this creates a Cyber Hitman of the Future where hits are carried out in such a way that they would be virtually untraceable and if executed correctly could have an elapsed time effect where the full damage of the attack may not materialize for days, weeks, or even months after it initially occurred.

On a lighter note, this certainly gives new meaning to the term "Insider Threat" (I'm funny on a Friday :) )

Posted by smasiello at 2:28 PM | Link | 0 comments
19 June 2008

PornTube Malware and Spam Run in High Volumes


Worm Alert!

We are currently seeing high volumes of a new spam run that contains a link to a pornographic web site that contains an ActiveX malware component.  Our Threat Operations Center started seeing these messages at about 6am today and thus far we have received over 8 million of them (accounting for over 85% of our worm traffic over the past 24 hours).  From what we can tell thus far the malware appears to be related to the Srizbi botnet.

There is no specific lure here as the subject lines to these messages are fairly random, but are trying to generate interest based on fake news stories.  Here are some example subject lines that we have seen so far:

Batman latest movie bombs at box office
Britney found hanged in locker room
Celtics disqualified from NBA title
China Earthquake claims 1 million lives
Dan Brown's latest novel
David Cook American Idol - latest NEW single
Donald Trump missing, feared kidnapped
Egypt Giza pyramids rocked by massive earthquake
Eiffel Tower damaged by massive earthquake
Eiffel Tower suffers structural damage, collapse possible
Find out about Harry Potter's last novel
Ford unveils latest 2 door design hatch
Get Smart -- movie premiere
Get star wars photos
Get the latest discount plan from Ford Cars
Great Wall of China damaged by earthquake
Hiliary admits past failures
Hillary Clinton reveals husband's scandal secrets
Italy knocked out of Euro 2008
Las Vegas Hotel caught in fire
Lastest! Obama quits presidential race
London rocked by gas attack, army on high alert
Love Guru sneak previews here
Man wakes up from 40 year coma
Nokia unveils revolutionary new phone design
Obama suffers setback in polls due to sex secrets
Obama withdraws from elections
Oprah found sleeping the streets
Osama Bin Laden caught finally
Paris Hilton found to be gay
Saddam Hussein found dead
Star Trek star dies at age 79
Statue of Liberty struck by lightning, catches fire
Stonehenge damaged by massive earthquake
Top 10 movies of all time
Top comedy downloads
Top film from the Cannes
Turner Empire poised for bankruptcy file
Usher and Rihanna making out
Watch movie premieres now
White House hit by lightning, catches fire
Windows Vista URGENT upgrade installation



The messages themselves are one-liners followed by a link to a YouTube look-alike site called PornTube where the user is prompted to install a malicious ActiveX control.  Most of the links that we have seen thus far point to a file named r.html at the end of the URL, such as (obfuscated since most are still hosting active malware at the time of this posting):

hxxp://envol-restaurant.com/r.html

hxxp://spizarnia.nazwa.pl/r.html

hxxp://wandea1.wandea.org.pl/r.html


Upon visiting these sites you will see the PornTube site in the background and you get the following popup window:


If you click OK, the ActiveX control is installed and your PC is infected, however clicking the Cancel button displays this popup:



At this point you can get yourself into an endless loop of clicking the OK button on this window and the Cancel button on the previous window.  The only way out of this (in Windows) is to kill your browser window via the Task Manager (or infect yourself, but let's assume that you don't really want to do that :) ).

Keep on the lookout for these as they are currently being distributed in fairly high volumes. 


*** UPDATE 6/20/2008 12:00pm MDT *** After volumes peaking at about one million instances of this worm being seen per hour, as of early this morning it has dropped off to only about 5 thousand per hour.  Looks like this one hit quick and is now tailing off.

 
Posted by smasiello at 6:01 PM | Link | 4 comments

New Storm Variant Claiming New Earthquake in China


Starting yesterday (June 18th) we began seeing evidence of a new Storm Worm variant claiming news of a new earthquake in China.  Some of the subject lines associated with these messages include:

2008 Olympic Games are under the threat
A new powerful disaster in China
A new deadly catastrophe in China
China is paralyzed by new earthquake
China's most deadly earthquake
Chinese people are horrified by new earthquake
Countless victims of earthquake in China
Deadly catastrophe in Chinese capital
Death toll in China exceeds 1000000
Death toll in China is growing
Earth tremors in China is going on
Recent earthquake in china took a heavy toll
Recent china earthquake kills million
Terrible earthquake devastated Beijing
The capital of China were collapsed by earthquake
The most powerful quake hits China       
Toll mounts in China earthquake
Unprecedented earthquake in China

This is a pretty typical tactic for Storm: ride on the wave of current events as a social engineering lure to get users to click on links in emails.  This variant is primarily targeting the Chinese earthquakes, but there is also a mention of the Beijing Olympics as well stating that the Olympics will be "under the threat." 

If a user clicks the link within one of these emails, they are not immediately infected with Storm.  They will be directed to a web site (all of the ones that we have seen so far have a .cn TLD) that looks like this:


It is important to note that this is not a real video player, but clicking the player will launch a file named beijing.exe which will infect your PC.

Volume of this variant is pretty low.  We are currently seeing on the order of about 900 per hour in our Threat Operations Center.  Expect to see similar stories of this nature threatening the safety of the Olympics as well as its participants and visitors as the event gets closer. 

Posted by smasiello at 1:41 PM | Link | 2 comments
18 June 2008

American in Heidelberg


Last week I had the privilege of attending the 13th General MAAWG Meeting in Heidelberg, Germany (I serve as the co-chair of the Zombie/Botnet Subcommittee with my friend Ken Simpson from Mailchannels). 

The MAAWG conferences are a great opportunity to meet and talk with some of the best minds in the anti-spam industry, discuss anti-spam tactics, operational best practices (what works and what doesn't), how to be a responsible ESP, and many other topics.   Although MAAWG is largely run by ISPs, its mission is to also bring together both email senders as well as email receivers in a collaborative environment where both sides can attempt to work out best practice solutions so that senders can achieve better deliverability rates at the large mailbox providers, a constant struggle for ESPs.

If you are a messaging vendor or provider (and this includes both email filtering vendors as well as email senders) or an ISP, you are doing yourself a disservice by not becoming a member of an organization like MAAWG where ideas, practices and upcoming threats are shared that it is very likely you will not hear anywhere else. 

This has been an unpaid advertisement :)

Before I close, I'd be remiss if I didn't bring up something security related in this post.  So, I am standing in the security line at Denver International Airport about to go through the metal detector when the guy who was working behind the conveyor belt asks me and the woman behind me the standard "Any liquids, gels, or aerosols in your bag?" before our bags went into the X-Ray machine.  I just look at him and say "No", but the woman behind me responds with "Not that I know of."  Apparently this set off the ire of the TSA worker who immediately responded with "Not that you know of?!  Don't you know what is packed in your bags, ma'am?"  I'd never seen a TSA worker move so fast, but her bags were immediately yanked off of the conveyor, she was pulled out of line, and then was escorted by 2 TSA workers to wherever they take you likely to inspect every minute crevice of her bag. 

For all of the flak that the TSA gets for either bad procedures or lack of attention to detail, you would think that as a traveler it is also our responsibility to know the basic responses to the simple questions security officers may ask you.  The questions are neither tricky nor confusing.  I guess this woman had to learn the hard way...
Posted by smasiello at 10:44 AM | Link | 2 comments
05 June 2008

While on the Topic of Google Spam...


I wonder if the folks over at Google got the message that service providers had finally had enough of dealing with the backscatter that was coming out of their mail servers because it has also significantly dropped off since we first started talking about it back in April.  Backscatter (bounce messages attempting to be delivered to users that do not exist) rates from Google were over 50% on some days.  This means that over 50% of the total mail that we were receiving from Google were these invalid bounces.  The backscatter rate has dropped now to about 2% of the total mail from Google.  That is still higher than what most would call acceptable, but when you are comparing over 500k messages per day to about 10-15k, I would say that is a significant improvement no matter how you slice it.

Unfortunately, though, the problem has shifted from backscatter to 419 phishing scams.  A 419 scam is an advance-fee fraud: the victim is promised a much larger sum in return for paying a small amount of money up front.  419 scams are also commonly called Nigerian scams.  The term 419 comes from the section of the Nigerian Criminal Code that deals with fraud.

Although still about 25% of the email that we get from Google's network is spam, the traffic has shifted from about 50% backscatter to about 50% phishing, in particular from IP addresses that start with 72.14.204, 72.14.214, and 72.14.246.  
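The backscatter percentages quoted in the two paragraphs above come from classifying inbound mail per source network. The following is an added example (not code from this post) of that classification over log lines: a message is counted as backscatter when it arrives with a null envelope sender (a bounce) and is addressed to a mailbox that does not exist, following the definition given above. The log format, the valid-user list and the lines themselves are constructed; the three 72.14.x prefixes named in the post are used as the networks of interest, expressed as /24s, which is an assumption for this example.

```python
"""Per-network backscatter rate from inbound mail log lines.

Added example, not from the MX Logic post. The log format, the valid-user
list and the lines themselves are constructed; only the three 72.14.x
prefixes named in the post are used as the networks of interest.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed log format: connecting IP, envelope sender, envelope recipient.
LINE_RE = re.compile(
    r"connect=(?P<ip>[\d.]+)\s+from=<(?P<sender>[^>]*)>\s+to=<(?P<rcpt>[^>]+)>"
)

# Prefixes named in the post, expressed as /24s (an assumption for this example).
GOOGLE_NETS = [ip_network("72.14.204.0/24"),
               ip_network("72.14.214.0/24"),
               ip_network("72.14.246.0/24")]

VALID_USERS = {"alice@example.com", "bob@example.com"}   # constructed

SAMPLE_LOG = """\
2008-06-04 09:00:01 connect=72.14.204.17 from=<> to=<qzx81@example.com>
2008-06-04 09:00:05 connect=72.14.204.17 from=<> to=<alice@example.com>
2008-06-04 09:00:09 connect=72.14.204.31 from=<> to=<mkt-7741@example.com>
2008-06-04 09:00:12 connect=72.14.204.31 from=<carol@gmail.example> to=<bob@example.com>
2008-06-04 09:00:20 connect=72.14.214.5 from=<> to=<sales-old@example.com>
2008-06-04 09:00:25 connect=72.14.214.5 from=<dave@gmail.example> to=<alice@example.com>
2008-06-04 09:00:30 connect=198.51.100.9 from=<> to=<alice@example.com>
2008-06-04 09:00:33 connect=198.51.100.9 from=<erin@partner.example> to=<bob@example.com>
""".splitlines()


def is_backscatter(rec, valid_users):
    """A bounce (null envelope sender) aimed at a mailbox that does not exist.

    A null-sender message to a real user may be a legitimate DSN for mail
    that user actually sent, so only unknown recipients are counted.
    """
    return rec["sender"] == "" and rec["rcpt"].lower() not in valid_users


def backscatter_rates(lines, valid_users=VALID_USERS, networks=GOOGLE_NETS):
    """Return {network: (backscatter, total, percent)} for the given lines."""
    totals, hits = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # lines that do not match the format are skipped
        rec = m.groupdict()
        ip = ip_address(rec["ip"])
        net = next((n for n in networks if ip in n), None)
        key = str(net) if net else "other"
        totals[key] += 1
        if is_backscatter(rec, valid_users):
            hits[key] += 1
    return {k: (hits[k], totals[k], round(100.0 * hits[k] / totals[k], 1))
            for k in totals}


if __name__ == "__main__":
    for net, (bad, total, pct) in backscatter_rates(SAMPLE_LOG).items():
        print(f"{net}: {bad}/{total} backscatter ({pct}%)")
```

Keeping the per-network breakdown is what makes the trend in the post measurable: a rate that falls from 50% to 2% for one provider while staying flat elsewhere is evidence that the provider changed something, not that the measurement did.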

This is certainly not intended to single out Google either as they are not the only free webmail provider that we see enormous amounts of spam from.  We see plenty from Yahoo and Hotmail as well.  Google is the main provider on everyone's radar right now because of the quickly changing nature of attacks against their system and the rapidly changing view across many different industries of the viability of using Google as their business mail host.  More and more legitimate businesses are having trouble sending email from their hosted GMail accounts to service providers because Google's mail servers are ending up on block lists with increasing regularity, a trend that is only gaining momentum amongst industry insiders.

Posted by smasiello at 1:54 PM | Link | 0 comments

Where Has All of the Google Spam Gone?


Since February we have made several mentions of Google spam and its migration from benign redirects to Canadian Pharmacy sites to malware distribution via fake Osama bin Laden videos.  We also saw a Storm Worm campaign, alleging to be a video codec, that used this same technique.

Since February, Google spam had accounted for anywhere between 1% and 5% of total spam volume, but over the past couple of weeks it has all but completely disappeared.

Where did it go?

It seems to have migrated over to Microsoft's Live SkyDrive service.  If you are not familiar with SkyDrive, it is a document hosting service being launched by Microsoft, similar to Google Docs.

Here is the basic premise of how this tactic works:

-- An email is received with a link to a document hosted on the SkyDrive service, with some sort of social engineering lure as bait.  The format of the URL is http://hostname.bay.livefilestore.com/..$very_long_hash_value…/$filename.html (where the hash is some calculated value and $filename.html is the name of the hosted file)

-- User clicks the link to file hosted on SkyDrive, which in this case is an HTML file that contains a JavaScript redirect to a pharmacy website

-- The redirected web site is displayed in the user's browser and any background code is executed, which could include the drive-by injection of malware, just as we saw with Google spam.

The HTML file being hosted on SkyDrive is a simple, one-line script:

<html><script language=JavaScript>window.location.replace("hxxp://songkhlong.com")</script></html>
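What makes this lure detectable on the filtering side is the combination described in the steps above: a link into a document-hosting service whose fetched content is nothing but a client-side redirect to some other host. The following is an added example (not code from this post) that checks for exactly that. It recognises the two hosting services the post names (livefilestore.com for SkyDrive and docs.google.com), pulls the redirect target out of a JavaScript window.location or a meta refresh, and flags the pair. The sample link, the hash placeholder and the redirect target are constructed; the sample page is modelled on the one-liner quoted above.

```python
"""Flag a hosted-document link whose page is only a client-side redirect.

Added example, not from the MX Logic post. The hostnames checked are the
two services the post names (livefilestore.com for SkyDrive, docs.google.com);
the sample link, hash placeholder and redirect target are constructed.
"""
import re
from urllib.parse import urlparse

# Hosts the post describes as abused for hosted-file spam.
HOSTED_DOC_HOSTS = re.compile(r"(^|\.)(livefilestore\.com|docs\.google\.com)$", re.I)

# window.location = "..."  /  window.location.href = '...'  /
# window.location.replace("...")  /  window.location.assign("...")
JS_REDIRECT_RE = re.compile(
    r"window\.location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*"
    r"[\"']([^\"']+)[\"']",
    re.I,
)
# <meta http-equiv="refresh" content="0;url=...">
META_REFRESH_RE = re.compile(
    r"<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]*url=([^\"'>\s]+)", re.I
)


def redirect_target(html):
    """Return the URL a page redirects to on load, or None if it does not."""
    for pattern in (JS_REDIRECT_RE, META_REFRESH_RE):
        m = pattern.search(html)
        if m:
            return m.group(1)
    return None


def classify_hosted_link(link_url, fetched_html):
    """Combine the link host with the fetched page body.

    The lure the post describes is a document-hosting URL whose content is
    nothing but a redirect to a third-party site.
    """
    host = (urlparse(link_url).hostname or "").lower()
    target = redirect_target(fetched_html)
    target_host = (urlparse(target).hostname or "").lower() if target else ""
    hosted = bool(HOSTED_DOC_HOSTS.search(host))
    return {
        "hosted_doc": hosted,
        "redirect_to": target,
        "suspicious": hosted and target is not None and target_host != host,
    }


# Constructed sample modelled on the one-line page quoted in the post.
SAMPLE_LINK = "http://example-host.bay.livefilestore.com/CONSTRUCTED_HASH/page.html"
SAMPLE_HTML = ('<html><script language=JavaScript>'
               'window.location.replace("http://pharmacy.example")</script></html>')

if __name__ == "__main__":
    print(classify_hosted_link(SAMPLE_LINK, SAMPLE_HTML))
```

The check deliberately does not block the hosting services themselves, since legitimate shared documents live there too; it fires only when the hosted content is a bare redirect off-site, which is the shape of both the SkyDrive and the Google Docs cases described in this post.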

Currently, SkyDrive Spam is accounting for a little over 1% of the total spam that we are seeing in our Threat Operations Center which means that it is currently as prevalent as both phishing and gambling spam.  I don't believe that we have seen the last of Google spam, but focus definitely appears to have moved toward Microsoft for the time being.

As a side note, McAfee originally reported seeing large influxes of SkyDrive spam back in January, so SkyDrive spam isn't a new tactic; however, it has dramatically increased in prevalence since the drop-off of Google spam about 2 weeks ago.

*** UPDATE 6/5/2008 4:50pm MDT *** - It appears that Google Docs is also being targeted by this tactic.  I just came across the below message (note the link at the bottom) from one of our spamtraps which hit our system yesterday (the hosted doc appears to have been taken offline by the time of this update):

Hi fellow

Is the Rising Cost of Prescrlption Drugsare cause of concern?

The rising cost of Prescrlption drugs may be costing you your health.
In particular, living on a fixedincome.

You can cut your Medicalbilling.

Simple Way to Cut Your Prescrlption Costs optfor Generic.

Genericpharmacy: A Cheaper Effective Alternative

Forget about huge spendings You can save upto 8O%

Hugesaving because the solutions is directly from manufacturer.

hxxp://docs.google.com/View?docid=ddsz3hdh_0wwwmrbm3

Posted by smasiello at 11:15 AM | Link | 0 comments
© MX Logic, Inc.
All Rights Reserved.