
Storm Botnet Returns As Part of New Year's Attacks

Posted by samzenpus
from the starting-off-with-a-bang dept.
Trailrunner7 writes "A new spam campaign that appeared shortly before the New Year is part of a new effort by the crew behind the Storm/Waledac botnet and is using some rather elementary tactics — in combination with fast-flux — to attempt to compromise unsuspecting users. The new attack emerged late last week and is fronted by a fairly lame spam campaign that is sending millions of emails that appear to be holiday e-cards, one of the older and more threadbare techniques in this particular game. According to an analysis of the attack by the researchers at the Shadowserver Foundation, victims who click on the link in the email are directed to one of a number of compromised domains, which then redirect the user to another page that displays a message asking the user to download a fake Flash player. This, of course, installs a piece of malware on the victim's machine."
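The summary notes that the campaign's landing domains sit behind fast-flux hosting. The following is an added example (not from the story or the Shadowserver analysis) of a defender-side heuristic that scores hostnames in a resolver log by the classic flux signals: many distinct A records, spread across unrelated /24 prefixes, with short TTLs. The hostnames, addresses and thresholds are all constructed assumptions.

```python
"""Fast-flux scoring heuristic over constructed DNS resolution records.

Added example, not part of the story or the Shadowserver analysis. A
fast-flux hostname rotates many short-lived A records spread across
unrelated networks; each hostname is scored on distinct IPs, distinct /24
prefixes and minimum TTL. The thresholds are illustrative assumptions."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver log: (hostname, A record, TTL seconds) from repeated
# lookups. The first hostname mimics flux behaviour; the second is stable.
SAMPLE_LOOKUPS = [
    ("ecard-greetings.example", "203.0.113.5", 60),
    ("ecard-greetings.example", "198.51.100.77", 60),
    ("ecard-greetings.example", "192.0.2.140", 30),
    ("ecard-greetings.example", "203.0.113.200", 60),
    ("ecard-greetings.example", "198.51.100.9", 60),
    ("ecard-greetings.example", "192.0.2.33", 30),
    ("www.example.org", "93.184.216.34", 86400),
    ("www.example.org", "93.184.216.34", 86400),
]

def flux_features(lookups):
    """Per hostname: (distinct IPs, distinct /24 prefixes, lowest TTL seen)."""
    ips, nets, min_ttl = defaultdict(set), defaultdict(set), {}
    for host, ip, ttl in lookups:
        ips[host].add(ip)
        nets[host].add(str(ip_network(f"{ip}/24", strict=False)))
        min_ttl[host] = min(ttl, min_ttl.get(host, ttl))
    return {h: (len(ips[h]), len(nets[h]), min_ttl[h]) for h in ips}

def flux_score(n_ips, n_nets, min_ttl):
    """One point per flux indicator; thresholds are assumed, tune per resolver."""
    return int(n_ips >= 5) + int(n_nets >= 3) + int(min_ttl <= 300)

def suspicious_hosts(lookups, threshold=2):
    """Hostnames whose score reaches the threshold, for analyst review."""
    feats = flux_features(lookups)
    return sorted(h for h, f in feats.items() if flux_score(*f) >= threshold)
```

A real deployment would feed this from passive DNS rather than a hand-built list and would add an ASN-diversity check, which this constructed sample cannot show.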
  • by makubesu (1910402) on Sunday January 02, 2011 @06:06PM (#34739784)

    the victim's machine

    So it installs flash?

  • One year per infected computer. HARD LABOR, not some wimpy country club prison. Assuming it can be proved that there was malicious intent.
  • I can, be it barely, see how some computer users unsuspectingly bought one with Windows pre-installed but how unsuspecting are the companies that did this installation on all of their products?
    • by Anonymous Coward
      Nice troll. You can't blame "those windoze flaws" for users clicking on, elevating to admin, and installing malicious software. This could happen the same way on any OS that allows any form of elevation (Mac, Ubuntu, etc.). This is just users in need of education (which they will never get) and is one of the reasons that some folks SHOULD be subject to "trusted computing" (even though it pains me to say that as I absolutely hate the idea).
  • Old? (Score:5, Insightful)

    by girlintraining (1395911) on Sunday January 02, 2011 @06:38PM (#34739934)

    ...one of the older and more threadbare techniques in this particular game.

    Criminals don't care how old it is, but rather how successful it is. Please try to remember that, people. Technology doesn't have to be new or complicated to be useful, and deriding it because it is older is telling of a lack of experience with the thing. Spam will continue to be effective because it only costs a few dollars to register a domain, a little bit less to set up a distribution point, and once you have a few compromised hosts, it pays for itself -- and then some.

    • by pyrosine (1787666)
      True, but when you consider it uses a fake flash installer rather than a browser-specific bug which can install the trojan/virus without their knowledge, it is shown to be rather basic. Not only that, but if there was an actual ecard, the number of reported instances would be less (so those that know they have the newest version of flash wouldn't be alarmed), so their program is less likely to end up detectable, at least for a while.
      • (so those that know they have the newest version of flash wouldn't be alarmed)

        So, make the next one a bit smarter... re-use original flash detection script, and only attempt to download the malware if the flash player is not actually the very latest version (also consider minor versions, to keep your target audience as big as possible). The download would be a wrapper around the real latest flash player, so that users won't get suspicious if they view the e-card twice.

        As an added bonus, the malware could rummage through the user's cached browser passwords, and check whether any of t

  • Bunny (Score:3, Funny)

    by Anonymous Coward on Sunday January 02, 2011 @07:17PM (#34740082)

    From: Joe User (sksj3838lsk@reallywarmmail.com)
    To: You
    Subject: Bunny
    Attachment: bunnyhop.exe

    Hey check out this cool bunny, it hops around the screen and follows your mouse pointer, it sometimes hides behind windows! Just double-click on the attachment.

    Bye!
    Joe

    • by Anonymous Coward

      Hey Joe,

      That would be awesome, but I am not able to locate the attachment, can you please send it again?

      -- John

    • From: Joe User (sksj3838lsk@reallywarmmail.com)
      To: You
      Subject: Bunny
      Attachment: bunnyhop.exe

      Hey check out this cool bunny, it hops around the screen and follows your mouse pointer, it sometimes hides behind windows! Just double-click on the attachment.

      Bye!
      Joe

      Which email provider allows you to send executable attachments?

      I've attached a free e-book explaining the weak points in your marketing campaign, and why anti-virus scanners are no substitute for knowledge. You sound like a smart individual, and I'd really appreciate your thoughts on my book; if you'd take the time to fill out the attached Word.doc and return it to me I'll send you $50US.

      Thanks for your time.

      • by monkyyy (1901940)

        please don't get into the spam biz, my parents may fall for that .__.

      • by bmo (77928)

        Which email provider allows you to send executable attachments?

        Plenty. What makes you think it's difficult to send executable attachments?

        --
        BMO

        • Which email provider allows you to send executable attachments?

          Plenty. What makes you think it's difficult to send executable attachments?

          Um, you didn't actually answer my question.... and yes I was serious, the rest of my post wasn't.

          I would like to be able to send executable files as email attachments. Gmail won't let me though.

          I often have to send largish files to non-techie clients with tiny size limits on their Outlook accounts - breaking up the files is easy, getting them to install WinRAR or similar, *and* getting them to re-assemble the multi-part archives is a pain. Much easier if I could just make it a self-extracting archive (they'

          • by bmo (77928)

            "So the question is - *which* email providers allow the sending of executable files?"

            Are you *still* serious about asking this question? Really? Ok. See below.

            "But, as I said Gmail blocks executables."

            No it doesn't. I'll say that again, GOOGLE DOES NOT BLOCK EXECUTABLES.

            Rename the executable with .removethis at the end or some such. Like this: foobar.exe becomes foobar.exe.removethis. Done. Accepted. No need to pack in a RAR or Zip. How do I know this? Because I just did it to prove it.

            Gmail is th

            • that is a rant

              Supercilious rant indeed - I clearly demonstrated what I meant by executable, just as you ignored that to demonstrate that you are a dick.

              Extension pretension - that's no more relevant than separating the first dozen bytes and re-joining them after downloading. What a wanker! All that to try and rescue your script-kiddie click on my executable attachment bullshit. If the system won't execute it - it ain't executable, changing the extension or changing the magic number means - duh - changing it. Meh

  • one of the older and more threadbare techniques

    If it works, expect them to use it.

    • by jamesh (87723)

      Funny isn't it... no amount of security updates in the world will make people stop for a minute and think about what they are doing.

  • by jamesh (87723) on Sunday January 02, 2011 @07:49PM (#34740192)

    This is something I've been thinking about for years. I want to do a mass mailout to all employees at all our clients (with the managers' permission of course) in almost exactly the same way as this virus does, except instead of actually installing malicious software it keeps track of how many people click the link, and of those, how many then proceed to download the software. Far easier to send each manager a report of "x of your employees would now be infected if this was a real virus" (I'd probably not put individual employees' names on there) than to fix the damage caused by viruses.

    Time to get coding I guess...

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      You should also get your resume current except for the last bit of coding you're doing.

    • by SheeEttin (899897)
      Use a link tracking service. I believe http://bit.ly/ does this.
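One way to build the per-manager report jamesh proposes above, as an added example that is not his code or anyone else's in the thread: the simulation is assumed to serve the emailed link at /ecard?t=<token> and the fake "install Flash" download at /flashupdate?t=<token>, one token per recipient, and the report is computed from a constructed access log in common log format. Clients, tokens and log lines are all made up; employee names never enter the report.

```python
"""Report for the simulated e-card campaign jamesh proposes (added example,
not his code). Assumes two endpoints: /ecard?t=<token> (the emailed link)
and /flashupdate?t=<token> (the fake "install Flash" download), one token
per recipient, and a constructed access log in common log format."""
import re
from collections import defaultdict

HIT_RE = re.compile(r'"GET (/\w+)\?t=([0-9a-f]+) HTTP/1\.[01]" (\d{3})')

# Constructed token registry: token -> client. Employee names stay out.
TOKENS = {"a1f3": "AcmeCo", "b2e4": "AcmeCo", "c3d5": "AcmeCo",
          "d4c6": "Globex", "e5b7": "Globex"}

# Constructed log: a1f3 clicks twice then downloads; d4c6 downloads with
# no logged click (forwarded link); c3d5 and e5b7 never click.
SAMPLE_LOG = """\
10.0.0.1 - - [02/Jan/2011:18:06:00 +0000] "GET /ecard?t=a1f3 HTTP/1.1" 200 512
10.0.0.1 - - [02/Jan/2011:18:06:05 +0000] "GET /ecard?t=a1f3 HTTP/1.1" 200 512
10.0.0.1 - - [02/Jan/2011:18:06:30 +0000] "GET /flashupdate?t=a1f3 HTTP/1.1" 200 4096
10.0.0.2 - - [02/Jan/2011:18:10:00 +0000] "GET /ecard?t=b2e4 HTTP/1.1" 200 512
10.0.0.3 - - [02/Jan/2011:18:11:00 +0000] "GET /flashupdate?t=d4c6 HTTP/1.1" 200 4096
10.0.0.4 - - [02/Jan/2011:18:12:00 +0000] "GET /ecard?t=ffff HTTP/1.1" 404 0
"""
ACTIONS = {"/ecard": "click", "/flashupdate": "download"}

def parse_events(log_text, tokens=TOKENS):
    """Yield (client, token, action) for 200 responses on known tokens."""
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if not m or m.group(3) != "200" or m.group(2) not in tokens:
            continue                      # malformed, failed or unknown token
        action = ACTIONS.get(m.group(1))
        if action:
            yield tokens[m.group(2)], m.group(2), action

def build_report(log_text, tokens=TOKENS):
    """Per client: recipients, unique clickers, unique downloaders.
    A download implies a click even when none was logged."""
    clicked, downloaded = defaultdict(set), defaultdict(set)
    recipients = defaultdict(int)
    for client in tokens.values():
        recipients[client] += 1
    for client, token, action in parse_events(log_text, tokens):
        clicked[client].add(token)
        if action == "download":
            downloaded[client].add(token)
    return {c: {"recipients": recipients[c], "clicked": len(clicked[c]),
                "would_be_infected": len(downloaded[c])} for c in recipients}
```

Repeat clicks by one recipient are counted once, and the 404 for an unregistered token is dropped rather than attributed to anyone.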
  • It's more like an invitation to attack yourself.

    MAYBE I feel sorry for the elderly or disabled who for whatever reason want an e-card from an unspecified friend, but why wouldn't they ask themselves why a FRIEND would send you a link to a site that requires you to install something to see a dumb-ass picture. My 76 yr old tech-disabled mother wouldn't buy into that crap.

    • by PNutts (199112)

      It's more like an invitation to attack yourself.

      MAYBE I feel sorry for the elderly or disabled who for whatever reason want an e-card from an unspecified friend, but why wouldn't they ask themselves why a FRIEND would send you a link to a site that requires you to install something to see a dumb-ass picture. My 76 yr old tech-disabled mother wouldn't buy into that crap.

      Have you checked how many toolbars she has? My mom's record is five. I offer that the definition of "tech-disabled" *is* buying into that crap.

    • by Haedrian (1676506)

      Tons of people would fall for this.

      I mean, how many non-technical people do you know who even know what a Flash Plugin is? Hell, 10 years ago - with everyone tossing their own plugins to let you see videos - it wouldn't have been a longshot to need a new plugin to do X.

      You go to this site, find out that to see this card (which you expect to be animated) you need a flash update of sorts, and you helpfully click the link. Tons of people would fall for that.

  • Ok, maybe it's not fair. Maybe it is, but the truth is that the email clients and the web browsers are installing this crap on people's machines. Without the programs to go out and make the tcpip connections, that shit would stay on their compromised boxes. Since the current click-to-proceed systems are currently -not- working, the ante should be upped and make it impossible to use these client programs to hurt the boxes they reside on.
    I am talking about making it -impossible- to save a file that can ru

    • by Haedrian (1676506)

      If you can't download without the anti-virus, how do you download the antivirus?

      Do we really want to give a process huge control over what your system can or can not do? It's not the browser's fault. It's the user's fault. *NIX has a 'runnable' bit - which prevents programs with that bit set to 0 from running. It's still the user who flicks it on. Does this protect against social attacks like this one? Nope. Neither would "THIS PROGRAM WANTS YOU TO INSTALL" - because you're expecting that.

      You can't blame the b

    • Great idea.

      So someone like me, who doesn't run antivirus, because I've never been infected, ever, in over 20 years, can never actually download anything, because the antivirus software that's not on my machine is the only program allowed to download anything?

      Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.
      Browsers are for surfing the Internet.

      Why should you move functionality from where it makes sense, to where it doesn't? From there, it's ju

      • Great idea.

        I agree, so does my Security Gateway (astaro.com).

        Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.

        1. My "anti-virus" scans all inbound Internet data -- ergo, I use it while I'm surfing the web.
        2. Antivirus software cannot be used to remove viruses. How is an antivirus running on a root-kitted system supposed to remove the rootkit? How can you ever be 100% sure that your infected system really is disinfected without scanning from another untainted OS and/or machine? Once you're infected, it's wipe & re-image time...

        P.S. Modern bot-nets run silently -- You cou

        • Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.

          1. My "anti-virus" scans all inbound Internet data -- ergo, I use it while I'm surfing the web.
          2. Antivirus software cannot be used to remove viruses. How is an antivirus running on a root-kitted system supposed to remove the rootkit?

          It's not. But nowhere in my post did I say it's for removing viruses that have already infected the machine it's running on.

          It's for removing viruses from email, removing viruses from network traffic, removing viruses from USB drives, etc., etc. For crappy viruses, it can also remove them from the currently running system. However, you're right; root-kitted machines cannot generally be cleaned by A/V running in the infected environment.

          However, this is all semantic bullshit, and largely irrelevant to my or

  • And until it remains so, this is going to be going on constantly.
