Deja Vu: Valentine's Storm

Published: 2008-01-16
Last Updated: 2008-01-16 10:26:18 UTC
by Bojan Zdrnja (Version: 1)
2 comment(s)

Yesterday we started receiving another wave of Storm e-mails, this time exploiting our love: you got it, Storm started exploiting Valentine’s Day. It looked like they missed the ball for Christmas but now they are certainly back.

The e-mails Storm is sending are same as in last couple of waves – a subject designed to catch your attention and the body with a URL consisting of only an IP address (in other words, it should be easy to detect this with anti-spam tools).

Once a user visits the web site he is served with a nice web page (see below) and a link to download an executable – same as with previous versions.

Valentine Storm

So is there anything new about this variant of Storm? Not really. The social engineering attack is the same as before. Actually, there are a lot of similarities with Storm’s Valentine’s attack last year (2007). The subjects are almost the same and the only difference is that last year Storm sent itself as an attachment.

Storm’s packing/obfuscation techniques are still up to the task – when I downloaded the first variant only 4 anti-virus programs out of 32 on VirusTotal properly detected it with virtually no coverage amongst the most popular anti-virus programs. These results are not completely correct since some AV programs are able to block Storm when the user tries to execute it, due to behavior analysis. That being said, it still shows that the server side packing/obfuscation Storm uses works.

Following the pattern we can probably expect Super Bowl being exploited soon as well.



2 comment(s)


Snort sigs available, and will be updated as the urls update:
I would like to know what are the best practices when blocking (mail|IP) addresses after receiving such storm emails.

Diary Archives