Storm Botnet Celebrates Birthday With Fireworks

I read about MX Logic's prediction this morning that we should expect another wave of Storm Bot recruitment emails, likely using the US Independence Day holiday as a lure. The group behind the Storm Botnet has always been conscious of timing, and shortly after 5pm Eastern time I began to receive reports that a new wave had started.

There's nothing very different about this one: it directs the user to click on a link that encourages the intended victim to download fireworks.exe.

Gary Warner has a nice starter collection of subjects, bodies, and hosting IPs for those who need to set up blocks and filters, available here. I'm sure that the list will continue to grow. I'd recommend that you play it safe by blocking all attempts to download fireworks.exe at your perimeter (your environment may vary, but I can't see any business justification for any executable named fireworks to be downloaded by my users -- I know, "Kevin is no fun.")
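One way to check whether anyone inside already fetched the lure before the perimeter block went in is to sweep the web-proxy logs for requests whose final path component is fireworks.exe. The script below is an added example, not ISC's or Gary Warner's code; the Squid-style access log lines and IP addresses are constructed, and it normalises case and percent-encoding so that FireWorks.EXE?id=42 or fireworks%2Eexe is not missed.

```python
"""Flag web-proxy requests for fireworks.exe, the Storm lure named above.

Added example, not ISC code. The sample lines are constructed and mimic
Squid's native access.log layout: time, elapsed, client, status, bytes,
method, URL, ident, hierarchy, content-type.
"""
from urllib.parse import unquote, urlsplit

LURE_FILENAME = "fireworks.exe"

# Constructed sample log (whitespace-separated fields, Squid native format).
SAMPLE_LOG = """\
1215212345.123    120 10.1.2.3 TCP_MISS/200 2345 GET http://example.test/index.html - DIRECT/203.0.113.5 text/html
1215212401.456    980 10.1.2.7 TCP_MISS/200 115712 GET http://203.0.113.9/fireworks.exe - DIRECT/203.0.113.9 application/octet-stream
1215212410.789    210 10.1.2.9 TCP_MISS/200 115712 GET http://203.0.113.9/FireWorks.EXE?id=42 - DIRECT/203.0.113.9 application/octet-stream
1215212420.000    150 10.1.2.4 TCP_MISS/200 115712 GET http://203.0.113.9/dl/fireworks%2Eexe - DIRECT/203.0.113.9 application/octet-stream
1215212430.000     90 10.1.2.5 TCP_MISS/200 3001 GET http://example.test/fireworks-photos.html - DIRECT/203.0.113.5 text/html
"""


def requested_filename(url: str) -> str:
    """Last path component of a URL, percent-decoded and lowercased.

    The query string and fragment are dropped first, so a trailing
    '?id=42' cannot hide the real file name."""
    path = urlsplit(url).path
    return unquote(path.rsplit("/", 1)[-1]).lower()


def is_lure_download(url: str) -> bool:
    """True when the request fetched a file literally named fireworks.exe."""
    return requested_filename(url) == LURE_FILENAME


def flag_lure_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, url) for every log line that fetched the lure."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line: skip rather than crash
        client, url = fields[2], fields[6]
        if is_lure_download(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in flag_lure_requests(SAMPLE_LOG):
        print(f"{client} requested {url}")
```

Clients that show up in the output are the hosts to pull for incident response; the same filename check can be dropped into a proxy ACL to enforce the block going forward.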

Kevin Liston

292 Posts
ISC Handler
Jul 4th 2008
“…If your security policies and incident response procedures are having difficulty with this kind of event…”

Well put, Kevin. I wish that * I * could be so succinct before my morning doses of caffeine!

In fact, the well-documented Storm activity is the specific example I cite when discussing ISC with others.

An organization such as my employer requires me to be more reactive than proactive, so the awareness is less of an EICAR test, more of a chance to get a jump on the activity before the flood starts. Each little bit helps. What Johannes/The Boys/The Girls at ISC do is truly an invaluable service to limited, one-man IS shops like mine.

Now, if you’ll pardon me, I need to locate my next 2-litre bottle of wake-up juice…
