Thursday, June 19, 2008

CME711's latest SE Spam



The Storm worm operators have recently updated their spam and web content. The web page (captured to the right) is shown in its entirety. Visitors are then offered a malicious file, beijing.exe, to download and run.

For the last couple of months the Storm domains have been less fast-fluxy: the A records change every 60 seconds instead of with every request. Perhaps this is because the nets are simply too small, or perhaps it's because too many people are hitting the DNS servers, effectively causing a denial of service against them.
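As an added example (not code from the original post), here is a small Python tool that estimates a domain's rotation interval from timestamped resolutions, separating the per-request flux Storm used earlier from the fixed 60-second rotation described above. The observation sets are constructed, not real Storm resolutions; `poll_domain` is a hypothetical stdlib-only collector that needs network access and is not exercised by the offline demo.

```python
"""Estimate how fast a fast-flux domain rotates from timestamped resolutions."""
import socket
import time
from statistics import median

# Constructed observations, not real Storm data: (seconds since first poll, A records returned).
# Models the behaviour described above: the answer set changes roughly every 60 s, not per query.
INTERVAL_OBS = [
    (0, {"10.0.0.1", "10.0.0.2"}),
    (5, {"10.0.0.1", "10.0.0.2"}),
    (30, {"10.0.0.1", "10.0.0.2"}),
    (61, {"10.0.0.3", "10.0.0.4"}),
    (90, {"10.0.0.3", "10.0.0.4"}),
    (121, {"10.0.0.5", "10.0.0.6"}),
    (150, {"10.0.0.5", "10.0.0.6"}),
    (182, {"10.0.0.7", "10.0.0.8"}),
]

# Constructed: classic per-request flux, a different answer on every poll.
PER_REQUEST_OBS = [
    (0, {"10.0.1.1"}), (5, {"10.0.1.2"}), (10, {"10.0.1.3"}),
    (15, {"10.0.1.4"}), (20, {"10.0.1.5"}),
]


def poll_domain(domain, duration_s=300, every_s=5):
    """Hypothetical collector: resolve `domain` every `every_s` seconds using only the
    standard library. Needs network access; not used by the offline demo below."""
    obs, start = [], time.time()
    while time.time() - start < duration_s:
        try:
            ips = set(socket.gethostbyname_ex(domain)[2])
        except socket.gaierror:
            ips = set()
        obs.append((round(time.time() - start), ips))
        time.sleep(every_s)
    return obs


def change_intervals(obs):
    """Seconds elapsed between successive changes of the returned A-record set."""
    intervals, last_t, last_ips = [], obs[0][0], obs[0][1]
    for t, ips in obs[1:]:
        if ips != last_ips:
            intervals.append(t - last_t)
            last_t, last_ips = t, ips
    return intervals


def classify_flux(obs, per_request_ratio=0.9):
    """Return ('static', None), ('per-request', None) or ('interval', median_seconds).

    'per-request' means the answer changed on at least `per_request_ratio` of the polls,
    i.e. the nameserver rotates on every query; 'interval' reports the median gap between
    changes, which is the rotation period the operators configured."""
    polls = len(obs) - 1
    if polls < 1:
        raise ValueError("need at least two observations")
    changes = sum(1 for (_, a), (_, b) in zip(obs, obs[1:]) if a != b)
    if changes == 0:
        return ("static", None)
    if changes >= per_request_ratio * polls:
        return ("per-request", None)
    return ("interval", median(change_intervals(obs)))


if __name__ == "__main__":
    print(classify_flux(INTERVAL_OBS))      # ('interval', 61)
    print(classify_flux(PER_REQUEST_OBS))   # ('per-request', None)
```

Poll well below the suspected interval and, if you can, query the authoritative name server directly: a caching recursive resolver will hide any rotation shorter than its cached TTL and make a per-request flux net look like an interval one.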

Regardless, we've spotted the following domains in use:

biztech-co.cn, ratedhot.cn, fconnorlaw.cn, pacoast.cn, cadeaux-avenue.cn, likenewvideos.com, tellicolakerealty.cn, activeware.cn, grupogaleria.cn and polkerdesign.cn.


Please update your IDS accordingly.
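Added example, not code from the original post: turning the domain list above into Snort-style DNS query rules. A query carries the name as length-prefixed labels rather than a dotted string, so a naive content:"pacoast.cn" match never fires; the code below encodes each name in wire format, emits one rule per domain, and checks the match against a constructed query packet. The SID range, rule header and classtype are assumptions to adapt to your own ruleset.

```python
"""Generate Snort-style DNS-query rules for the Storm domains listed above."""

SID_BASE = 9000001  # assumed local SID range (hypothetical); use your own allocation

# Domains as listed in the post.
STORM_DOMAINS = [
    "biztech-co.cn", "ratedhot.cn", "fconnorlaw.cn", "pacoast.cn",
    "cadeaux-avenue.cn", "likenewvideos.com", "tellicolakerealty.cn",
    "activeware.cn", "grupogaleria.cn", "polkerdesign.cn",
]


def dns_wire_name(domain):
    """Encode a name as it appears on the wire in a DNS question: one length byte
    per label followed by the label bytes, terminated by a zero byte."""
    out = bytearray()
    for label in domain.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"invalid label length in {domain!r}")
        out.append(len(label))
        out.extend(label.encode("ascii"))
    out.append(0)
    return bytes(out)


def snort_content(raw):
    """Render bytes as a Snort content string: label text kept readable, length
    bytes and the terminator hex-escaped as |XX|."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()

    for b in raw:
        if b < 0x7F and (chr(b).isalnum() or chr(b) == "-"):
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def snort_rule(domain, sid):
    """One alert on an outbound UDP/53 packet carrying the wire-format name.
    nocase covers mixed-case queries; the length bytes are unaffected by it."""
    content = snort_content(dns_wire_name(domain.lower()))
    return (
        'alert udp $HOME_NET any -> any 53 '
        f'(msg:"Storm worm DNS query for {domain}"; '
        f'content:"{content}"; nocase; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def build_rules(domains=STORM_DOMAINS, sid_base=SID_BASE):
    return [snort_rule(d, sid_base + i) for i, d in enumerate(domains)]


def build_dns_query(domain, txid=0x1234):
    """Constructed sample UDP payload for a standard A query (12-byte header plus
    question), used only to check that the content match would fire on a real packet."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    return header + dns_wire_name(domain) + b"\x00\x01" + b"\x00\x01"


def query_matches(payload, domain):
    """The same test the rule performs: wire-format name present anywhere in the
    payload, compared case-insensitively as nocase would."""
    return dns_wire_name(domain.lower()) in payload.lower()


if __name__ == "__main__":
    for rule in build_rules():
        print(rule)
```

Because the match is on the label sequence, a lookup for any subdomain (www.pacoast.cn) fires as well, which is what you want here. The rules only watch UDP/53; add a TCP/53 variant if you care about truncated queries, and expect the list to go stale quickly given how often these domains rotate.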


Friday, August 17, 2007

Quick Storm Update

We're seeing an increase in Storm spam; one spam drop has received over 200 messages in the last 24 hours.

Most are targeted, and many look like they are trying to pass themselves off as casual messages, not just greeting cards.

All the Storm-infected systems we've visited recently are serving up the new Microsoft Data Access page. If you see this page, close the browser immediately!

We've updated our stats; click on the links in previous posts for the updated lists of over 18,000 unique MD5s, 11,000 unique IPs, 486 name servers, and 418 open resolvers.

The tushove.com domain has been suspended, but 12 others still remain.


Tuesday, January 30, 2007

Google to the world: Botnets will pwn the internet

CNet News is reporting that botnets pose a danger to the Internet. -- All FUD aside, my research does agree with this statement:
"With new levels of sophistication this has reached a real milestone," Sunner added. "Botnets are getting smaller, more stealthy and more discreet and yet the volumes of spam are going up."


More botnet operators are splitting up their networks as a protection method. We call this "Distributed C&C's", or DC&Cs. The reasons for doing this are twofold.

First, it's harder to find a C&C with only a thousand drones than one with 100,000 drones; and secondly, law enforcement tends to focus on networks with more drones. The bad guys obviously understand this and have found a unique way to respond to the increased interest in arresting botnet operators.

Botnet intelligence teams like DISOG encourage gathering intelligence on botnet operators, not just the networks they are running.

Botnet statistics teams ...aka census bureaus... produce interesting numbers, but they tend to increase the public's fear of these nets while providing little or no education for end users.

Until law enforcement accepts that the botnet operator is the danger, not the net they run, operators will continue to have us under their thumb.

Botnet research teams should move from statistical analysis of the botnets and focus on creating education materials that can be used by law enforcement, public agencies and private security firms.

Let's face it, we all know botnets exist, but frankly, due to the distributed structure of the new nets, some of these numbers are misleading. Are there really 1,500 botnet operators running nets right now, or 150 operators running 10 C&C's each?
