Storm Worm's Independence Day campaign

Summary: A Storm Worm's Independence Day campaign is circulating online using email as propagation vector, attempting to trick users into visiting a Storm Worm infected host, where a multitude of what looks like over five different exploits attempt to automatically infect the visitors next to the malware binary fireworks.exe.

A Storm Worm Independence Day campaign is circulating online using email as its propagation vector, attempting to trick users into visiting a Storm Worm infected host, where a multitude of what looks like over five different exploits attempt to automatically infect visitors alongside the malware binary fireworks.exe. Historically, Storm Worm has constantly changed its tactics, and the use of live exploit URLs has been back in its arsenal for the last couple of campaigns. Visiting a Storm Worm infected IP sent to your email would therefore launch multiple exploits against your third-party software. Here's a sample message used in the latest campaign:

"Colorful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it."
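The campaign described above relies on a lure email carrying a link straight to an infected host's IP address. The following is an added example, not code from the original post, showing the kind of triage check a mail gateway or SOC analyst could run over message bodies: it extracts URLs, flags any whose host is a raw IP rather than a domain name, and records which lure words appear for context. The sample messages are constructed for this example and the IP addresses in them are RFC 5737 documentation-range placeholders, not real Storm Worm hosts.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample messages (not from the original post), modelled on the
# lure quoted above. 192.0.2.x / 198.51.100.x are documentation-range
# placeholders, not real infected hosts.
SAMPLE_MESSAGES = [
    "Colorful Independence Day events have already started throughout the country. "
    "If you want to see the best Independence Day firework just click on the video "
    "and run it. http://192.0.2.17/",
    "Your order #4471 has shipped. Track it at https://www.example.com/track/4471",
    "Check out the fireworks video: http://198.51.100.23/video.html",
]

# Plain http/https URLs up to the next whitespace or quote/bracket character.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Theme words from the lure text; they add context but are not decisive on their own.
LURE_WORDS = ("firework", "independence day", "video", "click")


def extract_urls(text):
    """Return every http/https URL found in the message body."""
    return URL_RE.findall(text)


def host_is_raw_ip(url):
    """True when the URL's host is a literal IPv4/IPv6 address instead of a domain name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_message(text):
    """Summarise one message: its URLs, which of them point at raw IP hosts,
    which lure words appear, and whether the message should be flagged.
    The flag is driven by the raw-IP link, the pattern the post describes."""
    urls = extract_urls(text)
    raw_ip_urls = [u for u in urls if host_is_raw_ip(u)]
    lower = text.lower()
    lures = [w for w in LURE_WORDS if w in lower]
    return {
        "urls": urls,
        "raw_ip_urls": raw_ip_urls,
        "lure_words": lures,
        "flagged": bool(raw_ip_urls),
    }


def triage(messages):
    """Score a batch of message bodies."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        status = "FLAG" if result["flagged"] else "ok  "
        print(status, result["raw_ip_urls"], result["lure_words"])
```

A raw-IP link in an unsolicited email is a cheap, high-signal indicator on its own; the lure-word list is there so the analyst can see why the message was sent, not to decide the verdict, since the themes rotate with every campaign.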

Storm Worm is a case study in successful social engineering, built on timing, a combination of tactics, and persistence. In this particular campaign, the operators rely on the fact that many users will be clicking on the exploit-serving links from home, and that being away from the at least theoretically better hardened corporate network will result in more infections. Storm is one of many botnets currently active online which, once partitioned and access to them resold to different parties, become harder to size, since the wannabe botnet masters introduce new malware onto the Storm Worm infected hosts and use them as the foundation for their own botnets.

Moreover, the stereotype of zero day vulnerabilities as the critical success factor for a malware campaign was broken by the time Storm Worm took the leading position as the largest botnet online for a certain period of time, without exploiting a single zero day vulnerability, relying instead on the fact that unpatched vulnerabilities are just as effective as zero days when you diversify the exploit set well enough.

In times when client-side vulnerabilities are driving the success rates of malware campaigns, unpatched third-party software is just as exposed as software being hit with a zero day vulnerability. So consider auditing yourself by ensuring you're not running unpatched third-party software, and stay away from spam and phishing emails enticing you to visit a particular URL in general, since both are increasingly converging with malware.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

10 comments
  • please put in jail the owner of these sites!

    please put in jail the owners of these sites:
    dayfireworkssite.com
    thefireworksjuly.com
    wholefireworksonline.com
    yourfireworks.com
    yourfireworksstore.com
    qmlscycrajg
    • if it were only that easy :/

      One can wish
      longzoo
      • Re: if it were only that easy :/

        Even if it happens, since every campaign leaks out more details about them, would it matter?

        http://bp0.blogger.com/_wICHhTiQmrA/SE0A0cN0CWI/AAAAAAAABxw/LCj9C8hC88c/s1600-h/got_one.gif
        ddanchev
    • Re: please put in jail the owner of these sites!

      The owners of these sites are the hundreds of thousands of already infected end users, who "rotate ownership" every three minutes. Fast-flux is about risk forwarding next to the dynamic hosting infrastructure.
      ddanchev
    • RE: please put in jail the owner of these sites!

      Jail is too good for them.

      May I suggest a firing squad instead!!!!
      fatman65535
  • "wannabe botnet masters"... Grow up, Dancho.

    Putting down those who are part of the subject of your post makes you look like a myspace kid. And yes, the irony is demonstrative.
    falnar69
    • Re: "wannabe botnet masters"... Grow up, Dancho.

      Dude, you have absolutely no idea what's going on in general, perhaps it's for the best.
      ddanchev
  • RE: Storm Worm's Independence Day campaign

    Firing Squad? Naw, WAY too easy on 'em. May I suggest stringing them up by their toes in a hawthorn tree, doused in honey, covered with fire ants, adjacent to a nest of rather hungry buzzards?

    Or, if that's a little over the top, just force them to be beta testers for Microsoft's latest Antiviral software....using only their toes on the keyboard.

    ;P
    gribblq
  • Self Audit from Secunia

    Anybody else use it?
    donnydo77