Storm malicious emails - lures continuing to change
Date: 18 September 2007
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8094

Within the last two weeks we have seen Storm change its email hooks several times. The operators have been trying out a variety of approaches to convince users to click on the link, including privacy fears, US events such as "Labor Day" and the beginning of the NFL (Gridiron) season, and most recently offering "free games". As before, visiting the link in these emails leads to malicious web pages where the Storm malware is installed on the user's computer, either automatically by exploiting web browser vulnerabilities or manually by convincing the user to install software.

Free games

Starting around September 16 and still current, we have been seeing the "free game" hooks. Again, they have gone to the trouble of providing a good-looking website, which F-Secure have been kind enough to capture another screen shot of. See the screen shot here: http://www.f-secure.com/weblog/archives/archive-092007.html#00001277

Some examples of subject lines are:

  Free games!
  Free online games
  GAMES! GAMES!
  Get 1000 games for free
  Get free games
  Stop paying for games
  Thousands of hours of fun, for free
  Wow, cool games!
  Wow, free games!
  1000 free games!
  1000+ Free Games!
  Play all your favorite games for free
  New free game software has over 1000 games

Example email one:

--- BEGIN EMAIL EXAMPLE ---
From:
To:
Cc:
Date: Sun, 16 Sep 2007 15:17:57 +1000
Subject: Wow, free games!

All the free games you could ever want...go here hxxp://24.x.x.x/
--- END EMAIL EXAMPLE ---

Example email two:

--- BEGIN EMAIL EXAMPLE ---
From:
To:
Cc:
Date: Mon, 17 Sep 2007 13:40:20 +1000
Subject: Get 1000 games for free

One Thousand games Online.......Free. Check it out hxxp://75.x.x.x/
--- END EMAIL EXAMPLE ---

Football season

Over the period of September 9-13th, they started pushing "Football Trackers". They actually did up a really nice website. You can see a screen shot here at the F-Secure website: http://www.f-secure.com/weblog/archives/archive-092007.html#00001273

Interestingly, while using this lure, they tried out using either direct botnet IP addresses or a domain name in the malicious URLs.

Example subject lines include:

  Are you ready for football season?
  Are you ready for some football?
  Do you have your NFL Game List?
  Yee Haw! Football tonight!
  The game is on tonight, are you gonna watch it?
  FOOTBALL! Are You ready?
  Football Fan Essentials
  Football Season Is Here!
  Free NFL Game Tracker
  NFL Game List
  NFL Season Is Here!
  Get Your Free NFL Game Tracker

Example email one:

--- BEGIN EMAIL EXAMPLE ---
From:
To: auscert@auscert.org.au
Cc:
Date: Wed, 12 Sep 2007 22:58:40 +1000
Subject: Free NFL Game Tracker

NFL Football is BACK! Get all the information you need for every game. Never be in the dark again with this online game tracker: hxxp://69.x.x.x/
--- END EMAIL EXAMPLE ---

Example email two:

--- BEGIN EMAIL EXAMPLE ---
From:
To:
Cc:
Date: Thu, 13 Sep 2007 16:42:22 -0700
Subject: The game is on tonight, are you gonna watch it?

Know every player and every stat, with this years Real-time NFL Tracker. hxxp://freeNFLtracker,com/
--- END EMAIL EXAMPLE ---

Fake privacy warnings

Over the period September 7-10th, we saw the following example subject lines:

  Your Privacy is being violated
  Your privacy is no longer safe
  Big brother is watching you.

An example of the email is:

--- BEGIN EMAIL EXAMPLE ---
From:
To:
Cc:
Date: Thu, 6 Sep 2007 21:29:58 +0530
Subject: Your privacy is no longer safe

If you download music of other files, you're being tracked. The RIAA is after everyone they can find. This software erases the trail that leads them to you. Use our free program and keep your self and the internet free and safe: hxxp://67.x.x.x/
--- END EMAIL EXAMPLE ---

US Labor Day

Over the period September 4-6th, we saw emails with hooks that coincide with the US Labour Day, held on the first Monday in September, which fell on the 3rd this year.

Some example subject lines include:

  Your Friend Sends A Labor Day Greeting
  The Big Labor Day Weekend
  Happy Labor Day
  A Labor Day E-Card
  A Labor Day Greeting

Following is an example of what the user would see in the email, except that the URL has been obfuscated. The link actually points to another site, similar to hxxp://80.x.x.x/. The user would not see this unless they had chosen to display the email in plain text instead of the default HTML format.

--- BEGIN EMAIL EXAMPLE ---
From:
To:
Cc:
Date: Tue, 4 Sep 2007 17:13:00 +0400
Subject: A Labor Day E-Card

Click here to pick up your greeting card: hxxp://ecards,com /funcard/laborday?1c0prc5aiaastlxr0b4o
--- END EMAIL EXAMPLE ---
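As an added example (not part of the AusCERT advisory), the following Python check looks for the two traits this advisory describes: an HTML link whose visible text shows one URL while its href goes to a different host, and an href whose host is a bare IP address rather than a domain name. The HTML body, hostnames and addresses below are constructed for illustration and are not taken from real Storm messages.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the Labor Day lure: the visible text shows a
# greeting-card domain, but the real href points at an IP address host
# (192.0.2.10 is a documentation address, not a real botnet node).
SAMPLE_HTML = """<html><body>
<p>Click here to pick up your greeting card:</p>
<a href="http://192.0.2.10/funcard/laborday?id=1">http://ecards.example/funcard/laborday?id=1</a>
<p><a href="http://ecards.example/help">help</a></p>
</body></html>"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def suspicious_links(html):
    """Return (href, text, reasons) for each link that is a bare-IP host or
    whose URL-looking visible text names a different host than the href."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        reasons = []
        if IP_RE.match(real_host):
            reasons.append("href host is a bare IP address")
        if re.match(r"^(https?://|www\.)", text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if shown_host != real_host:
                reasons.append(f"text shows {shown_host} but href goes to {real_host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```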