MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Thursday, 27 December 2007

Late For Christmas, Early For New Year!

If the Storm Worm Gang left their Christmas present to all new computer users, and all existing computer users, to the last minute, they have certainly not left their New Year gifts to suffer the same fate. In fact they couldn't even wait for Christmas Day to be over before they started their next campaign.

Yet again this shows the folly of publishing your end of year reports before the end of the year, as they won't include the Storm Worm runs we've so far seen during the last two weeks and anything that may happen in the last 4-5 days until the year really does end!

So, what have the Storm Worm Gang unleashed this time? They have decided to use the old favourite of 'fake e-card notifications'.

Here's a screenshot of what just one of the first wave of New Year based emails look like:



The body text can be one of a number of text strings, and the link, at the moment, is once more an actual domain name rather than the more usual IP-address-based link.

Of course, when you click on the link you go to a very simple-looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the first wave of New Year themed e-mails.



And here is a screenshot of the source HTML for the site shown above, showing the filename that this wave offered:



However, it seems that the Storm Worm Gang weren't content with just one round of New Year wishes, and on Boxing Day [26th December] they unleashed a new version:

Wave 2:

Here's a screenshot of what just one of the second wave of New Year based emails look like:



As with the first wave version, the body text can be one of a number of text strings, and the link, at the moment, is once more an actual domain name rather than the more usual IP-address-based link.

Of course, when you click on the link you go to a very simple-looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the second wave of New Year themed e-mails.



And here is a screenshot of the source HTML for the site shown above, showing the filename that this wave offered:



However, it seems that they still weren't happy with two rounds of New Year wishes, and today [27th December] they unleashed another new version:

Wave 3:

Here's a screenshot of what just one of the third wave of New Year based emails look like:



As with the first and second wave versions, the body text can be one of a number of text strings, and the link, at the moment, is once more an actual domain name rather than the more usual IP-address-based link.

Of course, when you click on the link you go to a very simple-looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the third wave of New Year themed e-mails.



And here is a screenshot of the source HTML for the site shown above, showing the filename that this wave offered:



Usually, the websites used by the Storm Worm Gang are loaded with exploit code so that any vulnerable systems get automatically infected. However, in these cases [so far] they are just using social engineering to get you to infect your own computer by clicking on the link and running the file.

Just to make it crystal clear, the files offered on these sites will NOT show you a seasonal 'New Year E-card!'. All that will happen is that your computer will be infected and turned into a zombie [a bot-infected computer that is part of a botnet], if it is not protected by any mitigating technologies, such as up-to-date anti-virus, and so on.

I suspect we will see more waves of New Year attacks, but by then I suspect that the website used will contain graphics [as seen in the Christmas version], and possibly exploit code too. They may also shift to a new social-engineering attack, such as using news items once more, bringing their techniques full circle to where they began on the 19th of January 2007.

At the time of publishing this entry, detection was still very patchy, with many of the top anti-virus products not detecting the malware-laden files as infected. You have been warned.

I would like to wish you all a very happy but safe New Year...
