
Latest Storm Worm - Fake Downloads For Privacy Software



#1 harrywaldron

    Security Reporter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia

Posted 07 September 2007 - 10:08 AM

Latest Storm Worm - Fake downloads for privacy software

The latest variant has been massively spammed and I've personally received copies. It is designed to trick folks into thinking they are downloading TOR or other free privacy software (i.e., packages designed to communicate anonymously over the Internet). However, clicking on the malicious website link will have the opposite effect as infected PCs will give up privacy and start participating in a huge 1.7M botnet.

F-Secure: sTORm Worm
http://www.f-secure.com/weblog/archives/ar...7.html#00001272

A new round of storm worm attacks are playing on people's paranoia against being watched online. This time the lure leads users to a "TOR download" page, which is… surprise, surprise… fake.


Trend - Nuwar poses as TOR Proxy
http://blog.trendmicro.com/nuwar-poses-as-tor-proxy/

Trend: Nuwar.AQL Information
http://www.trendmicro.com/vinfo/virusencyc...AQL&VSect=P

EMAIL EXAMPLE:

From: (REMOVED)
To: Harry
Subject: Your Privacy is being violated
Date:	Thu, 6 Sep 2007 16:31:45 +0200

Whenever you are downloading things, they are watching you. RIAA is going after everyone they can. They can't trace you if you use our new software. This software is made available free, so we can keep the internet free and private: (MALICIOUS URL REMOVED)




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,952 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 September 2007 - 09:04 AM

Today we started seeing new Storm mails and the web pages changed layouts completely. Now the theme is National Football League (NFL)...

f-secure.com/weblog
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 harrywaldron


Posted 10 September 2007 - 10:25 AM

^ Thanks QM ... copy of blog post below ...

New Storm Worm - Are you ready for some football?

The Nuwar gang is innovative in social engineering and technological attacks. They are empowered by a botnet that's at least 1.7 million PCs strong -- that can instantly spam millions of copies as unique trojan horse attacks.

Folks need to stay vigilant and not allow their curiosity to get the best of them, e.g., avoid clicking on all untrusted URLs in email and keep AV protection updated. This well done attack is out there and a sample is shown below. It could indeed trick some football fans out there:

New Storm Worm - Are you ready for some football?
http://isc.sans.org/diary.html?n&storyid=3361
http://www.disog.org/2007/09/storm-domains...-resolving.html

EXAMPLE OF EMAIL TO AVOID

From: (REMOVED)
To: HARRY
Subject: NFL Game List
Date: Sat, 8 Sep 2007 18:38:35 -0700

Time for some serious games, Football!
Don't miss a thing because you didn't know, this season.
Go see out Game data and Stats Page: MALICIOUS URL REMOVED



#4 quietman7


Posted 17 September 2007 - 10:00 AM

The latest tactic from Storm Worm: e-mails with links to a fake gaming site...All the links from these pages point to ArcadeWorld.exe – detected by us now as Zhelatin.JP.

f-secure.com/weblog

#5 quietman7


Posted 24 September 2007 - 06:38 AM

There are a high number of reports for Trojan-Downloader.Win32.Banload.DRS today...This time the bad guys have once again returned to the attachment name of card.exe...

The subject lines are recycled as well:

Hot pictures
Hot game
Here is it
You ask me about this game, Here is it
Something hot


f-secure.com/weblog



