Date: 18 September 2007
Within the last two weeks we have seen Storm change its email hooks several times. They have been trying out a variety of approaches to convince users to click on the link, including privacy fears, US events such as "Labor Day" and the beginning of the NFL (Gridiron) season, and most recently offering "free games".
As before, visiting the link in these emails leads to malicious web pages where the Storm malware is installed on the user's computer either automatically by exploiting web browser vulnerabilities or else manually by convincing the user to install software.
Free games
Starting around September 16 and still current, we have been seeing these "free game" hooks. Again, they have gone to the trouble of building a convincing website, of which F-Secure have kindly taken another screen shot. See the screen shot here:
http://www.f-secure.com/weblog/archives/archive-092007.html#00001277
Some examples of subject lines are:
Free games!
Free online games
GAMES! GAMES!
Get 1000 games for free
Get free games
Stop paying for games
Thousands of hours of fun, for free
Wow, cool games!
Wow, free games!
1000 free games!
1000+ Free Games!
Play all your favorite games for free
New free game software has over 1000 games
Example email one:
--- BEGIN EMAIL EXAMPLE ---
From:
To:
Cc:
Date: Sun, 16 Sep 2007 15:17:57 +1000
Subject: Wow, free games!
All the free games you could ever want...go here hxxp://24.x.x.x/
--- END EMAIL EXAMPLE ---
Example email two:
--- BEGIN EMAIL EXAMPLE ---
From:
To:
Cc:
Date: Mon, 17 Sep 2007 13:40:20 +1000
Subject: Get 1000 games for free
One Thousand games Online.......Free. Check it out hxxp://75.x.x.x/
--- END EMAIL EXAMPLE ---
Football season
Over the period of September 9-13th, they started pushing Football Trackers. They actually did up a really nice website. You can see a screen shot here at the F-Secure website:
http://www.f-secure.com/weblog/archives/archive-092007.html#00001273
Interestingly, while using this lure, they tried out using either direct botnet IP addresses or a domain name in the malicious URLs.
Example subject lines include:
Are you ready for football season?
Are you ready for some football?
Do you have your NFL Game List?
Yee Haw! Football tonight!
The game is on tonight, are you gonna watch it?
FOOTBALL! Are You ready?
Football Fan Essentials
Football Season Is Here!
Free NFL Game Tracker
NFL Game List
NFL Season Is Here!
Get Your Free NFL Game Tracker
Example Email one:
--- BEGIN EMAIL EXAMPLE ---
From:
To: auscert@auscert.org.au
Cc:
Date: Wed, 12 Sep 2007 22:58:40 +1000
Subject: Free NFL Game Tracker
NFL Football is BACK!
Get all the information you need for every game.
Never be in the dark again with this online game tracker:
hxxp://69.x.x.x/
--- END EMAIL EXAMPLE ---
Example Email two:
--- BEGIN EMAIL EXAMPLE ---
From:
To:
Cc:
Date: Thu, 13 Sep 2007 16:42:22 -0700
Subject: The game is on tonight, are you gonna watch it?
Know every player and every stat, with this years Real-time NFL Tracker.
hxxp://freeNFLtracker,com/
--- END EMAIL EXAMPLE ---
Fake privacy warnings
Over the period September 7-10th, we saw the following example subject lines:
Your Privacy is being violated
Your privacy is no longer safe
Big brother is watching you.
An example of the email is:
--- BEGIN EMAIL EXAMPLE ---
From:
To:
Cc:
Date: Thu, 6 Sep 2007 21:29:58 +0530
Subject: Your privacy is no longer safe
If you download music of other files, you're being tracked. The RIAA is
after everyone they can find. This software erases the trail that leads
them to you. Use our free program and keep your self and the internet
free and safe: hxxp://67.x.x.x/
--- END EMAIL EXAMPLE ---
US Labor Day
Over the period September 4-6th, we saw emails with hooks that coincide with the US Labour Day on the first Monday in September which occurred on the 3rd this year. Some example subject lines include:
Your Friend Sends A Labor Day Greeting
The Big Labor Day Weekend
Happy Labor Day
A Labor Day E-Card
A Labor Day Greeting
Following is an example of what the user would see in the email, except that the URL has been obfuscated. The link's real target was a different site, similar to hxxp://80.x.x.x/; the user would not see this unless they had chosen to display the email in plain text instead of the default HTML format.
--- BEGIN EMAIL EXAMPLE ---
From:
To:
Cc:
Date: Tue, 4 Sep 2007 17:13:00 +0400
Subject: A Labor Day E-Card
Click here to pick up your greeting card:
hxxp://ecards,com /funcard/laborday?1c0prc5aiaastlxr0b4o
--- END EMAIL EXAMPLE ---
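As an added illustration (not part of the original advisory) of two traits noted above, links to bare botnet IP addresses and HTML mail whose visible link differs from its real target, here is a small Python check run over constructed sample messages; the addresses are documentation-range placeholders, not the real botnet hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples modelled on the lures quoted above (placeholder hosts).
PLAIN_EMAIL = "All the free games you could ever want...go here http://192.0.2.1/"
HTML_EMAIL = ('Click here to pick up your greeting card: '
              '<a href="http://198.51.100.1/funcard/laborday?abc">'
              'http://ecards.example/funcard/laborday?abc</a>')

URL_RE = re.compile(r'https?://[^\s<>"\']+')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

def bare_ip_urls(text):
    """Return URLs whose host is a raw IPv4 address rather than a domain name."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if IPV4_RE.match(host):
            hits.append(url)
    return hits

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_anchors(html):
    """Return (href, visible_text) pairs where the visible text shows a URL
    whose host differs from the host the link actually points to."""
    p = _AnchorCollector()
    p.feed(html)
    out = []
    for href, text in p.anchors:
        shown = URL_RE.search(text)
        if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
            out.append((href, text))
    return out
```

The advisory's own samples are defanged (hxxp://, commas for dots), so they would need restoring to http:// before being fed to these checks.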