Threat Post: Storm Botnet Returns as Part of New Year Attack

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.

Postby spamislame » Sun Jan 02, 2011 6:42 pm

https://threatpost.com/en_us/blogs/stor ... cks-010211

And of course, it's still more of the same stupid crap from these morons:

The new attack emerged late last week and is fronted by a fairly lame spam campaign that is sending millions of emails that appear to be holiday e-cards, one of the older and more threadbare techniques in this particular game. The messages all contain short messages similar to this:

"Tom has created a New Year ecard.

To view this page please click here: hxxp:maliciousurlgoeshere.com"

According to an analysis of the attack by the researchers at the Shadowserver Foundation, victims who click on the link in the email are directed to one of a number of compromised domains, which then redirect the user to another page that displays a message asking the user to download a fake Flash player. This, of course, installs a piece of malware on the victim's machine.

And it's been Slashdotted:

http://it.slashdot.org/story/11/01/02/1 ... rs-Attacks

I'm certain all the usual suspects are keeping their eyes on this already.

SiL
spamislame
Site Admin
Posts: 5056
Joined: Tue May 09, 2006 9:18 am

Re: Threat Post: Storm Botnet Returns as Part of New Year Attack

Postby AlphaCentauri » Sun Jan 02, 2011 9:07 pm

Typical Storm/Waledac zero-second refresh rate on the botnet hosting:
IP address - date - time (GMT -0500)
75.82.161.198 2011/01/02 20:04:47
173.218.44.160 2011/01/02 20:04:47
98.218.196.51 2011/01/02 20:04:47
98.218.196.51 2011/01/02 20:04:47
202.144.33.227 2011/01/02 20:04:48
85.204.200.123 2011/01/02 20:04:48
85.204.200.123 2011/01/02 20:04:48
202.144.33.227 2011/01/02 20:04:49
98.218.196.51 2011/01/02 20:04:49
190.99.40.235 2011/01/02 20:04:49
200.86.0.166 2011/01/02 20:04:49
82.42.196.106 2011/01/02 20:04:50
82.42.196.106 2011/01/02 20:04:50
190.99.40.235 2011/01/02 20:04:50
190.99.40.235 2011/01/02 20:04:50
178.209.121.22 2011/01/02 20:04:51
202.144.33.227 2011/01/02 20:04:51
85.204.200.123 2011/01/02 20:04:51
98.218.196.51 2011/01/02 20:04:52
190.99.40.235 2011/01/02 20:04:52
186.36.88.7 2011/01/02 20:04:52
85.204.200.123 2011/01/02 20:04:52
186.36.88.7 2011/01/02 20:04:53
178.209.121.22 2011/01/02 20:04:53
64.72.34.248 2011/01/02 20:04:53
98.218.196.51 2011/01/02 20:04:54
76.121.89.97 2011/01/02 20:04:54
202.144.33.227 2011/01/02 20:04:54
76.89.192.89 2011/01/02 20:04:54
85.204.200.123 2011/01/02 20:04:55
201.160.190.17 2011/01/02 20:04:55
85.204.200.123 2011/01/02 20:04:55
98.218.196.51 2011/01/02 20:04:55
186.36.88.7 2011/01/02 20:04:56
173.218.44.160 2011/01/02 20:04:56
173.218.44.160 2011/01/02 20:04:56
186.36.88.7 2011/01/02 20:04:56
98.218.196.51 2011/01/02 20:04:57
121.164.31.17 2011/01/02 20:04:57
190.1.30.75 2011/01/02 20:04:57
82.212.138.112 2011/01/02 20:04:57
190.99.40.235 2011/01/02 20:04:58
200.86.0.166 2011/01/02 20:04:58
213.175.81.101 2011/01/02 20:04:58
190.99.40.235 2011/01/02 20:04:58
98.218.196.51 2011/01/02 20:04:59
186.36.88.7 2011/01/02 20:04:59
121.164.31.17 2011/01/02 20:04:59
82.42.196.106 2011/01/02 20:04:59
213.175.81.101 2011/01/02 20:05:00
190.1.30.75 2011/01/02 20:05:00
190.99.40.235 2011/01/02 20:05:00
76.121.89.97 2011/01/02 20:05:00
75.82.161.198 2011/01/02 20:05:01
186.36.88.7 2011/01/02 20:05:01
121.164.31.17 2011/01/02 20:05:01
75.82.161.198 2011/01/02 20:05:01
213.175.81.101 2011/01/02 20:05:02
200.86.0.166 2011/01/02 20:05:02
76.121.89.97 2011/01/02 20:05:03
98.218.196.51 2011/01/02 20:05:03
98.218.196.51 2011/01/02 20:05:03
121.164.31.17 2011/01/02 20:05:04
85.204.200.123 2011/01/02 20:05:04
213.175.81.101 2011/01/02 20:05:04
85.204.200.123 2011/01/02 20:05:05
85.204.200.123 2011/01/02 20:05:05
201.160.190.17 2011/01/02 20:05:05
186.36.88.7 2011/01/02 20:05:06
82.42.196.106 2011/01/02 20:05:06
98.218.196.51 2011/01/02 20:05:07
201.160.190.17 2011/01/02 20:05:12
190.1.30.75 2011/01/02 20:05:13
200.86.0.166 2011/01/02 20:05:13
201.160.190.17 2011/01/02 20:05:13
190.1.30.75 2011/01/02 20:05:13
190.99.40.235 2011/01/02 20:05:14
190.99.40.235 2011/01/02 20:05:14
213.175.81.101 2011/01/02 20:05:14
190.1.30.75 2011/01/02 20:05:14
85.204.200.123 2011/01/02 20:05:15
98.218.196.51 2011/01/02 20:05:15
85.204.200.123 2011/01/02 20:05:15
121.164.31.17 2011/01/02 20:05:15
98.218.196.51 2011/01/02 20:05:16
190.1.30.75 2011/01/02 20:05:16
82.212.138.112 2011/01/02 20:05:16
190.1.30.75 2011/01/02 20:05:16
190.1.30.75 2011/01/02 20:05:17
75.82.161.198 2011/01/02 20:05:17
82.42.196.106 2011/01/02 20:05:18
75.82.161.198 2011/01/02 20:05:18
190.1.30.75 2011/01/02 20:05:18
200.86.0.166 2011/01/02 20:05:19
77.247.170.185 2011/01/02 20:05:19
76.121.89.97 2011/01/02 20:05:19
186.36.88.7 2011/01/02 20:05:19
201.160.190.17 2011/01/02 20:05:20
190.99.40.235 2011/01/02 20:05:20
202.144.33.227 2011/01/02 20:05:20
76.89.192.89 2011/01/02 20:05:21
201.160.190.17 2011/01/02 20:05:21
186.36.88.7 2011/01/02 20:05:21
82.212.138.112 2011/01/02 20:05:21
201.160.190.17 2011/01/02 20:05:22
186.36.88.7 2011/01/02 20:05:22
121.164.31.17 2011/01/02 20:05:22
77.247.170.185 2011/01/02 20:05:23
75.82.161.198 2011/01/02 20:05:23
200.86.0.166 2011/01/02 20:05:23
186.36.88.7 2011/01/02 20:05:24
85.204.200.123 2011/01/02 20:05:24
85.204.200.123 2011/01/02 20:05:24
82.42.196.106 2011/01/02 20:05:25
173.218.44.160 2011/01/02 20:05:25
75.82.161.198 2011/01/02 20:05:30
200.86.0.166 2011/01/02 20:05:30
200.86.0.166 2011/01/02 20:05:31
173.218.44.160 2011/01/02 20:05:31
121.164.31.17 2011/01/02 20:05:31
77.247.170.185 2011/01/02 20:05:32
82.42.196.106 2011/01/02 20:05:32
98.218.196.51 2011/01/02 20:05:32
82.212.138.112 2011/01/02 20:05:32
82.42.196.106 2011/01/02 20:05:33
190.1.30.75 2011/01/02 20:05:33
201.160.190.17 2011/01/02 20:05:33
64.72.34.248 2011/01/02 20:05:33
178.209.121.22 2011/01/02 20:05:34
121.164.31.17 2011/01/02 20:05:34
85.204.200.123 2011/01/02 20:05:34
85.204.200.123 2011/01/02 20:05:35
75.82.161.198 2011/01/02 20:05:35
200.86.0.166 2011/01/02 20:05:35
200.86.0.166 2011/01/02 20:05:36
82.212.138.112 2011/01/02 20:05:36
82.212.138.112 2011/01/02 20:05:36
202.144.33.227 2011/01/02 20:05:36
64.72.34.248 2011/01/02 20:05:37
85.204.200.123 2011/01/02 20:05:37
200.86.0.166 2011/01/02 20:05:37
173.218.44.160 2011/01/02 20:05:38
178.209.121.22 2011/01/02 20:05:38
75.82.161.198 2011/01/02 20:05:38
201.160.190.17 2011/01/02 20:05:39
85.204.200.123 2011/01/02 20:05:39
190.99.40.235 2011/01/02 20:05:39
190.99.40.235 2011/01/02 20:05:40
85.204.200.123 2011/01/02 20:05:40
202.144.33.227 2011/01/02 20:05:40
200.86.0.166 2011/01/02 20:05:40
82.42.196.106 2011/01/02 20:05:41
201.160.190.17 2011/01/02 20:05:41
173.218.44.160 2011/01/02 20:05:41
76.89.192.89 2011/01/02 20:05:42
82.42.196.106 2011/01/02 20:05:42
75.82.161.198 2011/01/02 20:05:42
98.218.196.51 2011/01/02 20:05:43
186.36.88.7 2011/01/02 20:05:43
82.212.138.112 2011/01/02 20:05:43
201.160.190.17 2011/01/02 20:05:43
82.42.196.106 2011/01/02 20:05:44
64.72.34.248 2011/01/02 20:05:44
202.144.33.227 2011/01/02 20:05:44
202.144.33.227 2011/01/02 20:05:44
178.209.121.22 2011/01/02 20:05:45
201.160.190.17 2011/01/02 20:05:45
82.42.196.106 2011/01/02 20:05:45
201.160.190.17 2011/01/02 20:05:45
64.72.34.248 2011/01/02 20:05:46
173.218.44.160 2011/01/02 20:05:46
202.144.33.227 2011/01/02 20:05:46
201.160.190.17 2011/01/02 20:05:46
85.204.200.123 2011/01/02 20:05:47
173.218.44.160 2011/01/02 20:05:47
98.218.196.51 2011/01/02 20:05:47
82.42.196.106 2011/01/02 20:05:47
85.204.200.123 2011/01/02 20:05:48
82.212.138.112 2011/01/02 20:05:48
64.72.34.248 2011/01/02 20:05:48
98.218.196.51 2011/01/02 20:05:48
186.36.88.7 2011/01/02 20:05:49
173.218.44.160 2011/01/02 20:05:49
77.247.170.185 2011/01/02 20:05:50
190.1.30.75 2011/01/02 20:05:50
85.204.200.123 2011/01/02 20:05:50
82.42.196.106 2011/01/02 20:05:50
AlphaCentauri
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Threat Post: Storm Botnet Returns as Part of New Year Attack

Postby AlphaCentauri » Sun Jan 02, 2011 9:18 pm

Only 9/43 AV products recognize the download as malware, and those that do mostly call it "Kazy." However, I had trouble with the download stopping halfway, so it could be corrupted.
Antivirus Result
AhnLab-V3 Trojan/Win32.FakeAV
AntiVir -
Antiy-AVL -
Avast -
Avast5 -
AVG -
BitDefender Gen:Variant.Kazy.6955
CAT-QuickHeal -
ClamAV -
Command -
Comodo -
DrWeb -
Emsisoft -
eSafe -
eTrust-Vet Win32/Kelihos.A!generic
F-Prot -
F-Secure Gen:Variant.Kazy.6955
Fortinet -
GData Gen:Variant.Kazy.6955
Ikarus -
Jiangmin -
K7AntiVirus -
Kaspersky Trojan-Downloader.Win32.FraudLoad.hjq
McAfee -
McAfee-GW-Edition -
Microsoft -
NOD32 -
Norman -
nProtect Gen:Variant.Kazy.6955
Panda Suspicious file
PCTools -
Prevx -
Rising -
Sophos -
SUPERAntiSpyware -
Symantec -
TheHacker -
TrendMicro -
TrendMicro-HouseCall -
VBA32 -
VIPRE FraudTool.Win32.SecurityShield.ek!a (v)
ViRobot -
VirusBuster -


Add: Avira has analyzed the sample and replied:
The file 'install_flash_player.exe.txt' has been determined to be 'MALWARE'. Our analysts named the threat TR/Dldr.FraudLoad.hjq.4. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.11.00.251.
AlphaCentauri
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Threat Post: Storm Botnet Returns as Part of New Year Attack

Postby Red Dwarf » Mon Jan 03, 2011 2:54 am

More IPs
AS      | IP               | CC | AS Name

11426   | 96.10.183.50     | US | SCRR-11426 - Road Runner HoldCo LLC
12392   | 82.212.138.112   | BE | ASBRUTELE AS Object for Brutele SC
13188   | 178.151.143.249  | UA | BANKINFORM-AS Ukraine
15802   | 91.75.33.160     | AE | DU-AS1 Emirates Integrated Telecommunications Company PJSC (EITC-DU)
17803   | 124.125.27.46    | IN | BSES-AS-AP BSES TeleCom Limited
19108   | 173.218.44.160   | US | SUDDENLINK-COMMUNICATIONS - Suddenlink Communications
20001   | 75.82.161.198    | US | ROADRUNNER-WEST - Road Runner HoldCo LLC
20001   | 76.89.192.89     | US | ROADRUNNER-WEST - Road Runner HoldCo LLC
20807   | 77.247.170.185   | RU | CREDOLINK-ASN Credolink ISP Autonomous System
209     | 64.72.34.248     | US | ASN-QWEST - Qwest Communications Company, LLC
22047   | 200.86.0.166     | CL | VTR BANDA ANCHA S.A.
27773   | 190.99.40.235    | GT | MILLICOM CABLE EL SALVADOR S.A. DE C.V.
27833   | 190.1.30.75      | AR | BVNET S.A.
28554   | 201.160.190.17   | MX | Cablemas Telecomunicaciones, S.A. de C.V.
31102   | 89.36.215.170    | EU | AT-AS TV Adler-Trading SRL
31255   | 95.155.66.4      | PL | MULTIPLAYPOLSKA-AS Multiplay Polska Sp. z o.o.
33650   | 76.121.89.97     | US | COMCAST-33650 - Comcast Cable Communications, Inc.
33657   | 98.218.196.51    | US | CMCS - Comcast Cable Communications, Inc.
39349   | 84.38.91.84      | PL | TVKDIANA-AS Diana Telewizja Kablowa J.Seidler, M.Betleja, W.Wolcz Spolka Ja
39802   | 85.204.200.123   | EU | WIRED-AS Wired Networks SRL
41070   | 94.198.218.217   | RU | ARTEM-CATV-AS JSC Artemovskoye Interaktivnoe Televidenie
41719   | 213.175.81.101   | LV | LAINNET-AS Lain Net
47659   | 178.209.121.22   | RU | INTERTEL-AS InterTelecom Ltd
47659   | 92.39.138.102    | RU | INTERTEL-AS InterTelecom Ltd
4766    | 121.141.11.220   | KR | KIXS-AS-KR Korea Telecom
4766    | 121.164.31.17    | KR | KIXS-AS-KR Korea Telecom
4780    | 123.194.3.59     | TW | SEEDNET Digital United Inc.
5089    | 82.13.16.215     | GB | NTL NTL Group Limited
5089    | 82.42.196.106    | GB | NTL NTL Group Limited
6535    | 186.36.88.7      | CL | Telmex Servicios Empresariales S.A.
812     | 99.249.31.15     | CA | ROGERS-CABLE - Rogers Cable Communications Inc.
9116    | 84.229.254.88    | IL | GOLDENLINES-ASN 012 Smile Communications Main Autonomous System
9206    | 217.9.93.87      | RU | MAI Moscow Aviation Institute (MAI)
9583    | 202.144.33.227   | IN | SIFY-AS-IN Sify Limited
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am
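
As an added example, not code from this thread or from any of its posters: a short Python script that reads resolution lines in the format AlphaCentauri posted above ("ip yyyy/mm/dd hh:mm:ss"), measures how fast the answer set rotates (the zero-second refresh rate he points out), and maps the distinct IPs through a lookup table in the shape of Red Dwarf's AS/country list to show how the hosting is spread across consumer ISPs in many countries. The log lines and AS entries inside the script are a constructed subset of the data posted in this thread; the fast-flux thresholds (`min_distinct`, `max_window_s`) and all function names are assumptions for illustration, not anything the thread states.

```python
"""Fast-flux indicators from a DNS resolution log (added example).

Parses "<ip> <yyyy/mm/dd> <hh:mm:ss>" lines, summarises how quickly the
resolved address set churns, and aggregates the distinct IPs by AS and
country. Thresholds below are assumed values for illustration only.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a subset of the resolutions posted in this thread.
SAMPLE_LOG = """\
75.82.161.198 2011/01/02 20:04:47
173.218.44.160 2011/01/02 20:04:47
98.218.196.51 2011/01/02 20:04:47
98.218.196.51 2011/01/02 20:04:47
202.144.33.227 2011/01/02 20:04:48
85.204.200.123 2011/01/02 20:04:48
85.204.200.123 2011/01/02 20:04:48
202.144.33.227 2011/01/02 20:04:49
98.218.196.51 2011/01/02 20:04:49
190.99.40.235 2011/01/02 20:04:49
200.86.0.166 2011/01/02 20:04:49
82.42.196.106 2011/01/02 20:04:50
82.42.196.106 2011/01/02 20:04:50
190.99.40.235 2011/01/02 20:04:50
190.99.40.235 2011/01/02 20:04:50
178.209.121.22 2011/01/02 20:04:51
"""

# Constructed subset of the AS table posted in this thread: ip -> (asn, cc, name).
AS_TABLE = {
    "75.82.161.198": (20001, "US", "ROADRUNNER-WEST"),
    "173.218.44.160": (19108, "US", "SUDDENLINK-COMMUNICATIONS"),
    "98.218.196.51": (33657, "US", "CMCS"),
    "202.144.33.227": (9583, "IN", "SIFY-AS-IN"),
    "85.204.200.123": (39802, "EU", "WIRED-AS"),
    "190.99.40.235": (27773, "GT", "MILLICOM CABLE EL SALVADOR"),
    "200.86.0.166": (22047, "CL", "VTR BANDA ANCHA"),
    "82.42.196.106": (5089, "GB", "NTL"),
    "178.209.121.22": (47659, "RU", "INTERTEL-AS"),
}


def parse_log(text):
    """Return (timestamp, ip) tuples; malformed lines or dates are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, day, clock = parts
        try:
            ts = datetime.strptime(f"{day} {clock}", "%Y/%m/%d %H:%M:%S")
        except ValueError:
            continue
        records.append((ts, ip))
    return records


def flux_stats(records):
    """Summarise churn: distinct IPs, window length, answer changes between
    consecutive lookups, and the largest number of distinct IPs seen in
    any single second."""
    empty = {"distinct_ips": 0, "window_s": 0, "changes": 0, "max_per_second": 0}
    if not records:
        return empty
    # Stable sort by time keeps the posted order within one second.
    records = sorted(records, key=lambda r: r[0])
    ips = [ip for _, ip in records]
    per_second = defaultdict(set)
    for ts, ip in records:
        per_second[ts].add(ip)
    return {
        "distinct_ips": len(set(ips)),
        "window_s": int((records[-1][0] - records[0][0]).total_seconds()),
        "changes": sum(1 for a, b in zip(ips, ips[1:]) if a != b),
        "max_per_second": max(len(s) for s in per_second.values()),
    }


def is_fast_flux(stats, min_distinct=5, max_window_s=300):
    """Heuristic flag: many distinct answers inside a short window.
    The thresholds are assumed defaults, not values from the thread."""
    return stats["distinct_ips"] >= min_distinct and stats["window_s"] <= max_window_s


def country_breakdown(records, table):
    """Count distinct IPs per country code; unknown IPs are tallied as '??'."""
    counts = Counter()
    for ip in {ip for _, ip in records}:
        _, cc, _ = table.get(ip, (None, "??", "unknown"))
        counts[cc] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    stats = flux_stats(recs)
    print(stats, "fast-flux:", is_fast_flux(stats))
    for cc, n in country_breakdown(recs, AS_TABLE).most_common():
        print(f"{cc}: {n} host(s)")
```

On the constructed sample the script reports nine distinct addresses inside a four-second window, with the answer changing on eleven of fifteen consecutive lookups and up to four different hosts resolved within one second, spread over seven countries. The same parse-and-aggregate pass applied to a passive DNS feed or a resolver log is a simple first-line detector for this hosting pattern; the thresholds should be tuned against known-good CDN domains, which also rotate answers but far more slowly and inside a handful of ASNs.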

Re: Threat Post: Storm Botnet Returns as Part of New Year Attack

Postby kpatz » Mon Jan 03, 2011 9:25 am

I was able to pull a sample of the malware which I submitted to UploadMalware.com. My sample is 485,888 bytes in size and has an MD5 of c5e254bf2af9bcf4ed6dd5a5cce3861b.

It's lame, pathetic, and retarded (like everything spammers do), but people are still stupid enough to fall for it. Especially those who don't remember the same thing happening 4 years ago.
kpatz
Getting started
Posts: 15
Joined: Sun Oct 03, 2010 8:48 am
