Latest Storm Worm - Ecards Now Uses Html And Fake Urls



#1 harrywaldron
Security Reporter
Posted 24 August 2007 - 09:18 AM

Latest Storm Worm - eCards now uses HTML and fake URLs

The ever-changing Storm Worm (a.k.a. Nuwar, Zhelatin) has been revamped from plain text to HTML. This conversion process allowed the malicious authors to hide the dangerous numeric IP addresses and make it appear as a legitimate e-card site. The latest versions of most browsers (e.g., IE 7, Firefox 2, Opera 9, etc.) allow users to "hover over" a URL and see the true address found in links (just be sure never to click without verification).

The best practice is to avoid these messages completely, as hostile scripts could be embedded in future iterations of these massively spammed attacks. Clicking on the URL could automatically download and install some of the worst malware circulating in the wild. It is very difficult to detect and clean. Folks can save hours of aggravation and possible damage to their systems by being careful and thinking before they click. Finally, all users should keep their anti-virus protection as up-to-date as possible to avoid these daily changing attacks.

‘Fun World’? Not Really–Part 2
http://www.avertlabs.com/research/blog/ind...-really-part-2/

Today Nuwar/Zhelatin spammed out several thousand mails, which are very similar to those we saw yesterday. Although the spam template did not change at all, the format of the mail changed. It changed to HTML instead of plain text, but it does not contain any active content such as JavaScript or ActiveX. Compared with the last spam wave, the IP address is no longer visible. Users might have learned not to click on http://xx.xx.xx.xx/ IP addresses in spam mails, and now they need to get educated again.



Video - Storm Site
http://www.f-secure.com/weblog/archives/ar...7.html#00001257

The Zhelatin/Storm Gang has been very busy lately. Their spamming tactics have changed from sending an attachment to sending a link that directs recipients to an IP Address. The HTML used by their sites is variable, and also differs depending on the browser.





EMAIL SAMPLES (with malicious content removed)

To: Harry 
Subject: Someone sent you an Ecard 
From: (REMOVED) 
Date: Thu, 23 Aug 2007 23:22:53 -0400 

(REMOVED) wants to send you a greeting from greet2k.com. 

To get your message, click on this link: 
greet2k.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS) 

Greetings, 
greet2k.com


To: Harry 
Subject: You have an E-Card from...? 
From: 
Date: Thu, 23 Aug 2007 14:11:32 -0700 

Your Brother wants to send you a greeting from mycardmaker.com. 

If you would like to read this greeting, follow this link: 
mycardmaker.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS) 

Greetings, 
mycardmaker.com


To: Harry 
Subject: A Digital Card from someone who cares. 
From: (REMOVED) 
Date: Thu, 23 Aug 2007 16:16:58 -0500 

(REMOVED) is delivering you an Ecard from buzzle.com. 

To view your card, follow this link: 
buzzle.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS) 

Greetings, 
buzzle.com


To: Harry 
Subject: This is a Card for you. 
From: (REMOVED) 

Your Neighbour asked us to send you this card from dgreetings.com. 

To Enjoy your Ecard, follow this link: 
dgreetings.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS) 

Sincerly, 
dgreetings.com
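The post's central point is that the HTML version of the spam hides a bare numeric IP address behind link text that reads like a legitimate e-card domain, and that hovering over the link is how a reader sees the real destination. The same check can be automated on the mail-gateway or help-desk side. The following is an added example written for this thread; it is not code from the original post, from Avert Labs or from F-Secure. It parses the HTML body of a message with Python's standard library, collects every anchor, and flags links whose real host is a numeric IP or whose visible text names a domain different from the host actually linked. The sample message is constructed to mirror the redacted samples above; the `192.0.2.10` address is an RFC 5737 documentation address, not a real Storm Worm host.

```python
"""Flag HTML e-mail links whose visible text does not match their real destination.

Added example for the BleepingComputer thread; not code from the original post or
from the vendors it quotes. SAMPLE_HTML is constructed and uses an RFC 5737
documentation address in place of the real attacker IP.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the e-card template from the post, rendered as HTML, with the
# numeric address hidden behind domain-looking link text. The last link is a
# consistent one (text and href agree) so the checker has a negative case too.
SAMPLE_HTML = """
<html><body>
<p>Your Brother wants to send you a greeting from mycardmaker.com.</p>
<p>If you would like to read this greeting, follow this link:<br>
<a href="http://192.0.2.10/">mycardmaker.com</a></p>
<p>Greetings,<br>mycardmaker.com</p>
<p><a href="https://www.example.com/unsubscribe">www.example.com</a></p>
</body></html>
"""

# Visible link text that looks like a hostname (optionally with scheme / www.).
_DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the anchor currently open, if any
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return every (href, text) pair found in the HTML."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def _host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means it looks consistent.

    Two checks taken from the post: the real target is a bare numeric IP, and the
    visible text names a domain that differs from the host actually linked.
    """
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if _host_is_ip(host):
        reasons.append("href points at a numeric IP address")
    match = _DOMAIN_RE.match(text.strip())
    if match:
        shown = match.group(1).lower()
        real = host[4:] if host.startswith("www.") else host
        if shown != real:
            reasons.append(f"link text shows {shown!r} but href host is {host or '(none)'!r}")
    return reasons


def suspicious_links(html):
    """Return [(href, text, reasons)] for every link that fails at least one check."""
    flagged = []
    for href, text in extract_links(html):
        reasons = classify_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run against the constructed sample, the `mycardmaker.com` link is reported twice over (numeric IP target, and text/host mismatch) while the `www.example.com` link passes, which is exactly the distinction a user makes by hovering. A gateway rule built on this should treat the text/host mismatch as the stronger signal: the post notes that the gang's HTML varies per site and per browser, so the specific IP is the least stable thing to key on.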

