DISOG

Storm - Fourth of July run

2008-07-04T05:10:00.006+01:00

Stormworm (aka CME711/Peed/Peacomm), has recently modified their spam run to play on US Independence Day - July 4th. The site offers fireworks.exe, and forces a binary download using some malicious javascript. Users should be cautioned to watch for pages that look similar to this: Instead of the typical "you need to download the codec to play this video", the storm authors have decided to

BackTrack 3 Final - Released

2008-06-20T04:02:00.004+01:00

Remote Exploit has just released the final version of BackTrack 3 - the screwdriver of the penetration testers toolbox. I am a big fan of BackTrack. From the site: Currently BackTrack consists of more than 300 different up-to-date tools which are logically structured according to the work flow of security professionals. This structure allows even newcomers to find the related tools to a

Fake Porntube site -> r.html -> video.exe

2008-06-20T00:56:00.011+01:00

I recently received an email: Delivered-To: (REDACTED) Received: by 10.114.197.7 with SMTP id u7cs66501waf; Thu, 19 Jun 2008 07:06:35 -0700 (PDT) Received: by 10.210.46.12 with SMTP id t12mr1910940ebt.23.1213884394448; Thu, 19 Jun 2008 07:06:34 -0700 (PDT) Return-Path: Received: from ?88.251.149.76? ([88.251.202.216]) Thu, 19 Jun 2008 07:06:34 -0700 (PDT) client-ip=88.251.202.216; (

CME711's latest SE Spam

2008-06-19T01:47:00.005+01:00

The Stormworm operators have recently updated their spam and web content. The webpage (capture to the right) is shown in its entirety. Users are then given the opportunity to download and run a malicious file, beijing.exe. For the last couple months the Storm domains have been less fastfluxy - they change every 60 seconds instead of with every request. Perhaps this is because they simply are

Penetration testing and site security

2008-05-16T04:17:00.005+01:00

Greetings everyone! While botnet research is fun and rewarding, it doesn't always pay the mortgage. Those who pay well don't enjoy having research aired in public - hence the lack of postings lately. I figured some regular readers might be interested in what I've been up to. At the same time, I hope to create a good set of notes for an educational presentation I hope to give in a few months.

CME711 - April Fools

2008-04-01T02:26:00.010+01:00

I'm a bit late posting this one - I've been working on some penetration testing projects and have been unable to monitor my honeypots. For those who have not yet noticed: (image captured by DISOG staff on 2008/03/31) 5 second refresh downloads funny.exe, image click downloads kickme.exe and click here link is foolsday.exe - all of which are the same file. The email: From: sauna@

Excellent ISC diary entry

2008-03-10T12:15:00.003Z

I really enjoyed reading a recent ISC diary entry by Maarten Van Horenbeeck. Its very important for malware researchers and forensics folks to expand their focus when dealing with intrusion incidents, regardless of if the attacker is white hat or black hat. The attacker knows you are watching, and they will try to hide in plain sight. This entry involves trickery on multiple fronts. If you don't

CME711 - Its a howl!

2008-03-03T04:49:00.006Z

Storm/CME711 is back to a 'funny greeting card' page. (Note the "copyright error" in the image) The file postcard.exe is offered by clicking on the image. The file ecard.exe is offered when waiting 5 seconds. The file e-card.exe is offered when clicking the 'click here' link. Many people already watch for *card.exe with their IDS. I don't expect this to last long. Perhaps the next will be

RFI's and Phishing Tricks

2008-02-29T15:48:00.006Z

Our Honeypots have been hit with a rash of RFI's lately - we count over 1600 attempts from Feb 20-Feb 29. Some of the higher numbered attempts are listed below. (71) http://www[dot]gumgangfarm[dot]com/shop/data/id[dot]txt (53) http://www[dot]geocities[dot]com/giwel/file/id[dot]txt (48) http://www[dot]tuttoscemo[dot]com/administrator/components/com_juser/id[dot]txt (44) http://www[dot]

Welcome to my homepage - CME711's latest run.

2008-02-23T03:30:00.005Z

While checking my Stormworm/CME711/Peed/Peacomm/Zhelatin honeypot I noticed a recent page in German - which was roughly translated to English using an online translation utility: Patrick homepage Hello everyone! Welcome to my home page Short about me: I have thought a lot, and now decided that normal relations with the woman I am with is not acceptable. I am gay. My new life has changed a lot

Botnet Distributed Command and Control. (DC&C)

2008-02-03T05:57:00.000Z

Over the past four years we've seen a large number of law enforcement, ISPs, and hobbyists get involved with botnet monitoring. A side effect of the increased interest is that botnet operators will go to great lengths to keep their botnets hidden. That includes encryption, hiding in plain sight, use of undocumented/new protocols and distributed control structures. As law enforcement arrests more

Researching your own botnets

2008-02-03T05:17:00.000Z

This post is mainly for people interested in researching botnets. Many people treat botnet monitoring as a hobby. In many ways, its almost as fun as people watching. Section 1, the rules of behavior: You will likely see information you should not normally be privy to. For example, keylogged data, passwords, IP's of vulnerable systems, instant messenger conversations, etc. You must not repeat

Infiltrator Botnet Monitor

2008-01-31T02:41:00.000Z

Usually the first question asked by someone who is interested in botnet monitoring is, "What do you use to monitor botnets?" New hunters tend to watch IRC networks, then move up to HTTP, P2P, etc. Many new hunters try to use off the shelf IRC clients, until they realize the bloat really isn't worth it, and monitoring more than a dozen nets is incredibly impossible. Furthermore, monitoring custom

Pharmacy related sites - the work of CME711?

2008-01-30T03:29:00.000Z

Over the last few months there has been a large number of domains registered for what appears to be pharmacy related sites. Many of the sites are using 5 minute TTL's with multiple A records. Possibly related, Websense posted this today: http://www.websense.com/securitylabs/blog/blog.php?BlogID=170 Websense believes the spam they have seen is related to Storm/CME711. Its very likely that these

CME711: Happy Valentines Day and Halifax phish

2008-01-15T20:53:00.000Z

The CME711 gang has changed their tactics again. We've started seeing emails in our mail drops with pointers to nodes serving "withlove.exe" and "with_love.exe". So far they have reverted back to sending IP's in the email body, which makes it easy for most spam filters to catch. The website code looks the same as in previous runs, with false binaries in comments and the greeting: Your download

CME711 Domains offline.

2008-01-10T03:33:00.000Z

Steven Adair with Shadowserver is reporting that all the Stormworm domains have been marked NOT DELEGATED. Randy V also performed some checks today and found the same thing. We're keeping a close eye on our honeypot to see if they change domains or if this is simply a smoke screen. The authors were probably finished with the domains anyway, since its well passed the new year. The DISOG team is

New Year, Recycled Greeting Cards

2007-12-28T19:49:00.000Z

The storm authors have made up for their lack of creativity by registering a bunch of domains and quickly changing the filename. Additionally a false name has been added as a comment to the html source: Your download should begin shortly. If your download does not start in approximately 15 seconds,
you can