

July 03, 2008

July 4th. Storm. Duh. [Updated]

As night follows day, the Storm guys are doing their thing for the U.S. Independence Day holiday, July 4th:

Subject: Celebrations have already begun

The email message is a single sentence, such as "Happy Fourth of July", followed by a link whose target is a numeric IP address rather than a domain name. The destination page uses the same format as the phony Beijing earthquake malware lure:

[Screenshot: Storm worm page for 4th of July, 2008]

The content is a fake video player image that links to a download of fireworks.exe, a malware payload that VirusTotal reports as detected by 15 of 33 antivirus engines. The page also includes the same hidden iframe element and ind.php program described in Love Hurts Even More. See the scripting analysis document linked from that post to learn more about this multiple-exploit drive-by attack.

Don't let this M-80 explode inside your PC.

UPDATE (4 July 2008): Just saw this subject line variant: "Stars and Strips forever." Ooh, so close. Sounds more like an ad for a Las Vegas adult revue.

UPDATE (6 July 2008): On July 5, the same email messages continued to arrive, but with links to domain names rather than numeric IP addresses. The domain names I've seen have the word fireworks embedded somewhere within.
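The lure pattern described above (a known subject line, a one-sentence body, a link to a bare numeric IP or, from July 5, to a domain containing "fireworks") is simple enough to turn into a mail-filter heuristic. The following is an added example for defenders, not code from this post; the three sample messages are constructed here to mirror the description and are not real captures, and the host names and thresholds are assumptions.

```python
import re
from email import message_from_string
from typing import List

# Constructed sample messages modelled on the lure described in the post
# (not real captures). 192.0.2.10 is a documentation address; ".invalid"
# is a reserved TLD, so neither link resolves anywhere.
SAMPLES = [
    "Subject: Celebrations have already begun\n\n"
    "Happy Fourth of July http://192.0.2.10/\n",
    "Subject: Stars and Strips forever\n\n"
    "Happy Fourth of July http://fireworks-example.invalid/\n",
    "Subject: Q3 budget review\n\n"
    "Please see the attached agenda for Friday.\n",
]

# Subject lines quoted in the post, compared case-insensitively.
LURE_SUBJECTS = {"celebrations have already begun", "stars and strips forever"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def score_message(raw: str) -> List[str]:
    """Return the list of lure indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body = msg.get_payload()  # single-part text message, so this is a str
    reasons = []
    if subject in LURE_SUBJECTS:
        reasons.append("known lure subject")
    for host in URL_RE.findall(body):
        if IPV4_RE.match(host):
            reasons.append(f"bare numeric IP link: {host}")
        elif "fireworks" in host.lower():
            reasons.append(f"'fireworks' in link host: {host}")
    # The lure body is essentially one short sentence plus the link;
    # the eight-word threshold is an assumed tuning value.
    words = URL_RE.sub("", body).split()
    if reasons and len(words) <= 8:
        reasons.append("short one-sentence body")
    return reasons


def flag_all(samples=SAMPLES) -> dict:
    """Map each sample index to its indicators; an empty list means clean."""
    return {i: score_message(s) for i, s in enumerate(samples)}
```

Only the combination of indicators should drive quarantine; a bare numeric IP link on its own is common in legitimate internal mail.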

Posted on July 03, 2008 at 04:26 PM