Anticipated Storm-Bot Attack Begins

Published: 2007-12-24
Last Updated: 2007-12-24 19:37:24 UTC
by Kevin Liston (Version: 4)
0 comment(s)

Overview and Blocking Information

Shortly after 0000 GMT 24-DEC-2007 reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members.  This version is a Christmas-themed stripshow directing victims to

The message comes in with a number of subjects:


Subject: I love this Carol!
Subject: Santa Said, HO HO HO
Subject: Christmas Email
Subject: The Perfect Christmas
Subject: Find Some Christmas Tail
Subject: Time for a little Christmas Cheer

Updated subjects:
“Merry Christmas To All”
“Warm Up this Christmas”
“Mrs. Clause Is Out Tonight!”
“The Twelve Girls Of Christmas”
“Jingle Bells, Jingle Bells”
“Cold Winter Nights”

The body is something similar to:


do you have a min?

This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these. ;-)



[the domain was interrupted for your protection]

Thanks Kevin for the initial report.

I recommend that you apply blocks on that domain ( for both outbound HTTP requests and incoming emails.

Under The Hood

The domain appears to be registered through and hosted on a fast-flux network of at least 1000 nodes.  Like previous Storm waves, the binary changes approximately every 15 minutes; supposedly updating the peer-list used by the P2P network that the bot-net uses for command and control.

Russ has a nice and tidy analysis available at:
and Jose Nazario has a nice one at


Speaking of Blogspot

If you google for you'll see a number of spam blogs set up with that domain in their body and directing traffic to (take a look for that in your proxy logs while you're at it.)

Visiting will redirect you over to and attempt to install a fake video codec, which itself appears to be a downloader to deliver more coal to your stocking.

Kevin Liston (kliston -at-

0 comment(s)


Diary Archives