Computer Forensics Research

A Stormy New Year

Christmas and New Year Malware Threats from the Storm Worm

The newest round of Storm propagation emails has come out, and it is again largely undetected malware. Email messages pertaining to the New Year are being used to spread the virus, which adds victim machines to the largest botnet of all time.

The main URLs we are seeing at this point are:

uhavepostcard.com
happycards2008.com

There are more than 100 samples using these two URLs so far. The first was received December 24th at 12:10 PM. The most recent was received just moments ago.


"New Years" subjects include:

A fresh new Year
A fresh new year...
As you embrace another new year
Blasting new year
Happy 2008 To You!
Happy 2008!
Happy New Year To (emailhere)
Happy New Year To You!
Happy New Year!
It's the new Year
Joyous new year
Lots of greetings on new year
Message for new year
New Hope and New Beginnings...
New Year Ecard
New Year Postcard
New Year wishes for you
Opportunities for the new year
Wishes for the new year

A scan of the current malware on VirusTotal just now showed a 37.5% detection rate. This means that almost two-thirds of common anti-virus products were not able to detect this as a virus!

Among the more common anti-virus products, F-Prot, Kaspersky, McAfee, and Sophos did not detect this virus, while Microsoft and Symantec did. The virus on the criminal's websites is being changed regularly, so there are no guarantees that even the ones currently detecting the virus will still do so tomorrow or even later today!

A Christmas version of the Storm propagation email may still be lurking in inboxes as employees return from their holiday vacations. The Christmas version primarily used the malware domain:

merrychristmasdude.com

and the subject lines listed below. Visiting those sites now actually downloads the same "happy-2008.exe" malware as the New Year propagation uses, since these are in reality the same infected computers acting as the web hosts.


"Christmas" subject lines were:

Christmas Email
Cold Winter Nights
Feel the Holiday Spirit
Find Some Christmas Tail
Ho Ho Ho's
How's It Goin
I love this Carol!
Jingle Bells, Jingle Bells
Looking for something hot this Christmas
Merry Christmas From your Secret Santa
Merry Christmas To All
Mrs. Clause
Mrs. Clause Is Out Tonight!
Santa Said, HO HO HO
Seasons Greetings
The Perfect Christmas
The Twelve Girls of Christmas
Time for a little Christmas Cheer.
Warm Up this Christmas
Your Secret Santa

The domain names for all of these are set up in a "round robin". For instance, I use "nslookup" to query "merrychristmasdude.com" ten times in a row and get the following list of IP replies:


66.78.160.196 - Jackson, Tennessee
24.126.208.180 - Los Angeles, California
86.125.107.157 - Bucharest, Romania
70.249.186.39 - Little Rock, Arkansas
79.172.83.168 - Moscow, Russia
91.142.197.135 - Warsaw, Poland
62.43.161.233 - Valencia, Spain
78.60.109.65 - Vilnius, Lithuania
91.122.89.214 - St. Petersburg, Russia
75.58.60.145 - Plano, Texas

These are just a random pull of ten IP addresses from a pool that we have documented contains AT LEAST two hundred and fifty hacked computers which are acting as webservers to spread this virus and join other computers to the botnet. There may be thousands more. Merry Christmas and Happy New Year, CyberCrime Fighters . . .
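One way to check for this kind of round-robin without trusting a single nslookup run, as an added example that is not part of the original post: a small Python script that resolves a name repeatedly and measures how scattered the answers are across netblocks. A normal round-robin over a hosting provider stays inside one or two blocks; answers spread over many unrelated residential ranges are the signature described above. The sample data is the ten addresses listed above, constructed into a list; the /16 grouping and the thresholds are assumptions.

```python
import ipaddress
import socket
from collections import Counter

# Constructed sample: the ten answers the post lists for merrychristmasdude.com
# (addresses only; the city labels are dropped here).
SAMPLE_ANSWERS = [
    "66.78.160.196", "24.126.208.180", "86.125.107.157", "70.249.186.39",
    "79.172.83.168", "91.142.197.135", "62.43.161.233", "78.60.109.65",
    "91.122.89.214", "75.58.60.145",
]
# Constructed contrast: an ordinary round-robin inside one hosting
# netblock (RFC 5737 documentation addresses).
CDN_LIKE_ANSWERS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]


def resolve_repeatedly(name, times=10):
    """Live lookup: resolve `name` `times` times and return every IPv4 answer.

    Plain socket lookups do not expose the record TTL, so a short TTL
    (another flux signal) has to be checked with a real DNS client."""
    seen = []
    for _ in range(times):
        for info in socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM):
            seen.append(info[4][0])
    return seen


def dispersion(answers, prefix_len=16):
    """Return (distinct hosts, distinct /prefix_len netblocks, largest share).

    `largest share` is the fraction of distinct hosts sitting in the single
    most-populated netblock: 1.0 means everything is in one block."""
    hosts = {ipaddress.ip_address(a) for a in answers}
    blocks = Counter(ipaddress.ip_network(f"{h}/{prefix_len}", strict=False) for h in hosts)
    top_share = max(blocks.values()) / len(hosts) if hosts else 0.0
    return len(hosts), len(blocks), top_share


def looks_like_flux(answers, min_hosts=5, max_top_share=0.5):
    """Heuristic (thresholds are assumptions): many distinct hosts spread over
    many netblocks, with no single block holding most of them."""
    hosts, blocks, top_share = dispersion(answers)
    return hosts >= min_hosts and blocks >= min_hosts and top_share <= max_top_share


if __name__ == "__main__":
    print("sample:", dispersion(SAMPLE_ANSWERS), looks_like_flux(SAMPLE_ANSWERS))
    print("cdn-like:", dispersion(CDN_LIKE_ANSWERS), looks_like_flux(CDN_LIKE_ANSWERS))
```

To apply it to a live name, feed the output of `resolve_repeatedly(name)` into `looks_like_flux`; the ten sample answers score 10 hosts in 10 distinct /16 blocks, while the contrast set scores 3 hosts in one block.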

2008 - New Year, Same Ole CyberCrime

_-_
gary warner
http://www.cis.uab.edu/forensics/

Contact Information

Office: Campbell Hall Room 100
Telephone:205.934.8620
E-Mail: gar (at) cis.uab.edu
Mailing Address:
    115 Campbell Hall 1300 University Blvd Birmingham, AL 35294-1170