Storm Botnet Returns with Fireworks

http://isc.sans.org/diary.html?storyid=4669

Here is one with a pretty picture (mouseover shows the URL):


____________________________________________________________

I took a random sampling of four people (I know nothing of their computing background)
and asked if they knew what the file extension of a video is.

None knew.

I asked if .exe sounded correct? Two said yes, two weren't sure.

I brought a neighbor into my studio and showed her this site and said it could have come as an email.
When she clicked to start the video, the download box appeared. She said she would have OKed the download
to watch the fireworks video.


____________________________________________________________

Is it any wonder Storm has such a high number of victims?


----

 

Interesting, Rmus. Thanks for the info. Even just seeing the poor grammar in the caption below the video ought to be enough to trigger suspicion in those thinking about opening it.

 

Thanks for the info Rmus.

I submitted the file to VT and only 18/33 detected it. When I went to the site, Antivir flagged it. I finally set Sandboxie's config to only allow specific programs to run and I couldn't get the file to run while sandboxed.

This really drives home the point of not solely relying on an AV and blacklist scanners. It also helps me understand more about my setup and how it works. I also have my first sample safely tucked away.

 

I got fireworks in my spam folder
another sample safely stored

There's a lot of people who shouldn't be allowed to use computers. How are we supposed to teach people not to click on executables when they don't even know the most common executable extension?

 

When I was helping people with their setups, my first lesson was, "Understanding File Extensions and File Associations."
Ask someone, "How does the computer know to start Notepad when you click on a *.txt file?"

But even more basic in this case, it seems to me, is,

Avoid opening/downloading files from unsolicited emails.

The fact that the Storm Botnet junk is a highly successfull user-clicks-to-open exploit,
rather than a remote code execution (drive-by) exploit, says much, unfortunately,
about the state of many users' basic knowledge.

 

I wish everyone could do this.

Unfortunately, it's not always practical for a user to test malware.

 

I have Returnil to thank for the experience. And your right, it isn't practical for everyone to play around with malware. I shouldn't have, but I was able to learn something. There is nothing like testing your defenses with real malware.

I was surprised by the number of pop-ups that I would have had to click allow on to get it to run. I'm also in the habit of scanning everything I download with my AV and 2 on-demand scanners. 2 of the 3 scanners did alert to the malware. I guess that's not too bad.

 

From http://blogs.zdnet.com/security/?p=1440#more-1440:

 

Storm's success also flies in the face of a (supposedly) decline in email attacks.

Web Attacks on the Rise; E-mail Attacks Decline
http://esj.com/news/article.aspx?EditorialsID=3129