Storm Botnet Returns with Fireworks

Discussion in 'malware problems & news' started by Rmus, Jul 3, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    http://isc.sans.org/diary.html?storyid=4669

    Here is one with a pretty picture (mouseover shows the URL):

    fireworks-1.gif
    ____________________________________________________________

    I took a random sampling of four people (I know nothing of their computing background)
    and asked if they knew what the file extension of a video is.

    None knew.

    I asked if .exe sounded correct? Two said yes, two weren't sure.

    I brought a neighbor into my studio and showed her this site and said it could have come as an email.
    When she clicked to start the video, the download box appeared. She said she would have OKed the download
    to watch the fireworks video.

    fireworks-2.gif
    ____________________________________________________________

    Is it any wonder Storm has such a high number of victims?


     
  2. wat0114

    wat0114 Guest

    Interesting, Rmus. Thanks for the info. Even just seeing the poor grammar in the caption below the video ought to be enough to trigger suspicion in those thinking about opening it.
     
  3. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thanks for the info Rmus.

    I submitted the file to VT and only 18/33 detected it. When I went to the site, Antivir flagged it. I finally set Sandboxie's config to only allow specific programs to run and I couldn't get the file to run while sandboxed.

    This really drives home the point of not solely relying on an AV and blacklist scanners. It also helps me understand more about my setup and how it works. I also have my first sample safely tucked away.
     
  4. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I got fireworks in my spam folder :rolleyes:
    another sample safely stored :D

    There's a lot of people who shouldn't be allowed to use computers. How are we supposed to teach people not to click on executables when they don't even know the most common executable extension?
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    When I was helping people with their setups, my first lesson was, "Understanding File Extensions and File Associations."
    Ask someone, "How does the computer know to start Notepad when you click on a *.txt file?"

    But even more basic in this case, it seems to me, is,

    Avoid opening/downloading files from unsolicited emails.

    The fact that the Storm Botnet junk is a highly successful user-clicks-to-open exploit,
    rather than a remote code execution (drive-by) exploit, says much, unfortunately,
    about the state of many users' basic knowledge.
     
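    The "file extensions and file associations" lesson above is what the Storm lure abuses: the name says video, the bytes say Windows executable, and the default Explorer setting that hides known extensions makes "fireworks.avi.exe" display as "fireworks.avi". The following script is an added example, not code from the thread or from any of its posters. It reads a file name the way a user sees it and the leading bytes the way the Windows loader does, and flags any disagreement. The sample byte strings (FAKE_PE, FAKE_AVI), the extension sets and the function names are all constructed here for illustration.

```python
"""Check whether a downloaded 'video' is really an executable.

Added example (not from the forum thread). Compares the extension a user
sees with the file's magic bytes, and flags double extensions such as
'fireworks.avi.exe' that Explorer shows as 'fireworks.avi' by default.
"""
import os
import struct

# Extensions Windows runs on double-click (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}
# Extensions a user would accept as "a video" (assumed list for this example).
VIDEO_EXTS = {".avi", ".mpg", ".mpeg", ".mp4", ".wmv", ".flv", ".mov"}


def is_pe(data: bytes) -> bool:
    """True if data is a PE image: 'MZ' DOS stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(data: bytes) -> str:
    """Classify by magic bytes; the OS loader never consults the file name."""
    if is_pe(data):
        return "pe-executable"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "video/avi"
    if data[4:8] == b"ftyp":
        return "video/mp4"
    if data[:3] == b"FLV":
        return "video/flv"
    if data[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):
        return "video/mpeg"
    return "unknown"


def assess(filename: str, data: bytes) -> dict:
    """Compare what the name suggests with what the bytes actually are."""
    root, last = os.path.splitext(filename)
    last_l = last.lower()
    inner_l = os.path.splitext(root)[1].lower()
    known = last_l in EXECUTABLE_EXTS or last_l in VIDEO_EXTS
    # With "Hide extensions for known file types" on, Explorer shows only `root`.
    displayed_as = root if known else filename
    actual = sniff_type(data)

    reasons = []
    if last_l in EXECUTABLE_EXTS:
        reasons.append(f"'{last}' is an executable extension, not a video")
    if inner_l in VIDEO_EXTS and last_l in EXECUTABLE_EXTS:
        reasons.append(f"double extension: displayed as '{displayed_as}' when extensions are hidden")
    if actual == "pe-executable" and last_l not in EXECUTABLE_EXTS:
        reasons.append(f"content is a Windows PE executable despite the '{last or '(none)'}' name")

    return {
        "filename": filename,
        "displayed_as": displayed_as,
        "claimed_ext": last_l,
        "actual_type": actual,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "ok",
    }


# Constructed samples: a minimal PE header and a minimal AVI (RIFF) header.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
FAKE_AVI = b"RIFF" + struct.pack("<I", 36) + b"AVI LIST" + b"\x00" * 28

SAMPLES = [
    ("fireworks.exe", FAKE_PE),       # what the Storm page actually served
    ("fireworks.avi.exe", FAKE_PE),   # double extension, shown as fireworks.avi
    ("fireworks.avi", FAKE_PE),       # renamed executable
    ("fireworks.avi", FAKE_AVI),      # a real video
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        r = assess(name, blob)
        print(f"{name:20} shown as {r['displayed_as']:16} {r['actual_type']:14} {r['verdict']}")
        for reason in r["reasons"]:
            print(f"    - {reason}")
```

    The magic-byte check is the part worth keeping: a mail gateway or download handler that keys only on the extension will pass a renamed PE, while the 'MZ'/'PE\0\0' test is what the Windows loader itself relies on. Real files have more signatures than the handful listed here; the point is that the decision is made on content, not on the name the sender chose.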
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I wish everyone could do this.

    Unfortunately, it's not always practical for a user to test malware.
     
  7. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    I have Returnil to thank for the experience. And you're right, it isn't practical for everyone to play around with malware. I shouldn't have, but I was able to learn something. There is nothing like testing your defenses with real malware.

    I was surprised by the number of pop-ups that I would have had to click allow on to get it to run. I'm also in the habit of scanning everything I download with my AV and 2 on-demand scanners. 2 of the 3 scanners did alert to the malware. I guess that's not too bad.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://blogs.zdnet.com/security/?p=1440#more-1440:

     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Storm's success also flies in the face of a (supposed) decline in email attacks.

    Web Attacks on the Rise; E-mail Attacks Decline
    http://esj.com/news/article.aspx?EditorialsID=3129
     