« Love Hurts Even More | Main | An Unnerving Password Reset Email »

July 03, 2008

As night follows day, the Storm guys are doing their thing for the U.S. Independence Day holiday, July 4th:

Subject: Celebrations have already begun

The email message is a simple sentence, such as "Happy Fourth of July" followed by a numeric IP address. The destination page is the same format as the phony Beijing earthquake malware lure:

Content is a false video player image, which is a link to download fireworks.exe, a malware load that VirusTotal shows identification by 15 of 33 antivirus systems. But the page also includes the same hidden iframe element and ind.php program described in Love Hurts Even More. Check the scripting analysis document linked from that post to learn more about this multiple-exploit drive-by attack.

Don't let this M-80 explode inside your PC.

UPDATE (4 July 2008): Just saw this subject line variant: "Stars and Strips forever." Ooh, so close. Sounds more like an ad for a Las Vegas adult revue.

UPDATE (6 July 2008): On July 5, the same email messages continued to arrive, but with links to domain names rather than numeric IP addresses. The domain names I've seen have the word fireworks embedded somewhere within.