Tuesday, December 25, 2007

Storm Worm bot-herders use scantily clad women in Santa attire to recruit zombies!

Here is a warning from Dancho Danchev about a site that might leave your computer with a worm.

The site invites a person to watch a bunch of scantily clad women in Santa attire for "free."

From the Mindstreams of Information blog:

Stormy Wormy is back in the game on the top of Xmas eve, enticing the end users with a special Xmas strip show for those who dare to download the binary. The domain merrychristmasdude.com is logically in a fast-flux, here are some more details:

Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @ yahoo.com

In case you are less than technically astute (a lot of us are), the Storm worm has been around for a while. Wikipedia offers a good explanation of how it will trash a Windows system, here.

Downloading it normally leads to your computer becoming a spam-spewing zombie controlled by a bot-herder. Of course, becoming infected also poses certain information theft risks.

Full post from Dancho, here.

(Screen shot courtesy of the Mindstreams of Information blog)


Found some more information on this on the SANS Internet Storm Center, which can be seen, here.

And apparently some splogs have been set up on blogspot to support this current storm on the Internet:

If you google for merrychristmasdude.com you'll see a number of spam blogs set up with that domain in their body and directing traffic to siski.cn (take a look for that in your proxy logs while you're at it.)

Visiting skiski.cn will redirect you over to shockbabetv.com and attempt to install a fake video codec, which itself appears to be a downloader to deliver more coal to your stocking.

It also appears that the hackers behind this are moving on to New Year's lures and a new domain.

Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Year's-themed e-card directing victims to "uhave post card.com." (spaces inserted to break the URL) NOTE: Please do not blindly go to this URL -- there is malware behind it.

Also reported by the SANS Internet Storm Center, here.
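The SANS diary quoted above suggests checking your proxy logs for the domains involved. Here is an added example of how to do that (it is not code from this blog, from Dancho, or from SANS): a small Python scanner that walks Squid-style proxy log lines and flags any request whose hostname is one of the domains named on this page or a subdomain of one. The log format is assumed to be Squid's native access.log layout, the sample lines are constructed for illustration, and the deliberately broken-up New Year's domain is left out rather than reconstructed. Matching is done label by label rather than by substring, so a look-alike host such as notsiski.cn does not produce a false positive.

```python
import re
from urllib.parse import urlsplit

# Domains named in the post. The broken-up New Year's domain is deliberately
# not reconstructed here; add it from your own intel feed if you have it.
WATCHLIST = frozenset({
    "merrychristmasdude.com",
    "siski.cn",
    "shockbabetv.com",
})

# Squid native access.log layout (assumed; adjust the regex for other proxies):
# timestamp elapsed client result/status bytes method url ident hierarchy type
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_of(url):
    """Return the lowercase hostname from a proxied URL.

    CONNECT requests are logged as bare host:port, so a scheme is prepended
    before parsing to let urlsplit find the hostname.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower() if host else None


def matches_watchlist(host, watchlist=WATCHLIST):
    """True if host is a watched domain or a subdomain of one.

    Matching is done label by label rather than with a substring test, so
    'www.siski.cn' matches but 'notsiski.cn' does not.
    """
    if not host:
        return False
    labels = host.rstrip(".").split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def scan_proxy_log(lines, watchlist=WATCHLIST):
    """Return one dict per log line whose URL points at a watched domain."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        host = host_of(m.group("url"))
        if matches_watchlist(host, watchlist):
            hits.append({
                "time": m.group("ts"),
                "client": m.group("client"),
                "host": host,
                "url": m.group("url"),
            })
    return hits


def suspect_clients(hits):
    """Sorted list of internal clients that touched any watched domain."""
    return sorted({h["client"] for h in hits})


# Constructed sample log, not real traffic: one client follows the
# splog -> siski.cn -> shockbabetv.com chain the SANS diary describes; another
# client only visits an unrelated site and a look-alike host.
SAMPLE_LOG = """\
1198584000.123    245 10.1.2.3 TCP_MISS/200 5120 GET http://www.merrychristmasdude.com/ - DIRECT/192.0.2.10 text/html
1198584001.456    120 10.1.2.3 TCP_MISS/302 310 GET http://siski.cn/ - DIRECT/192.0.2.11 text/html
1198584002.789    980 10.1.2.3 TCP_MISS/200 65536 GET http://shockbabetv.com/codec/setup.exe - DIRECT/192.0.2.12 application/octet-stream
1198584003.000     50 10.1.2.9 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html
1198584004.000     60 10.1.2.9 TCP_MISS/200 1024 CONNECT notsiski.cn:443 - DIRECT/192.0.2.13 -
"""

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['time']} {h['client']} -> {h['host']}  {h['url']}")
    print("clients to investigate:", ", ".join(suspect_clients(found)))
```

Run it against a real access.log by feeding the file's lines to scan_proxy_log; the clients returned by suspect_clients are the machines to pull for a closer look, since a fetch of the fake codec from shockbabetv.com is the point at which the downloader lands. Because the post notes the domain is fast-flux, matching on hostname rather than on the resolved IP is the more durable check.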
