A Stormy Independence Day...
It seems that the so-called 'Storm Worm Gang' are back and couldn't resist the opportunity to try and get you to infect your computer again, this time under the guise of a 4th of July [American Independence Day] fireworks show. This latest wave started early this morning:
The subjects of the e-mails I've seen so far include:
America the Beautiful
Celebrating the spirit of our Country
Time for Fireworks
Well done 4th!
Light up the sky
The best firework you've ever seen
Long Live America
Celebrating the Glory of our Nation
American Independence Day
The bodies of all the e-mails seen so far contain a single line of text and a URL [the usual dotted-IP sort, e.g. http://100.123.12.1]. Here is just a small selection of the text I've seen used so far:
A Hearty Wish
Amazing Independence Day show
Stars and Strips forever
Well done 4th!
Celebrate the spirit of America
Happy Independence Day
Home of the Brave
Spectacular fireworks show
Long Live America
Amazing Independence Day salute
Here's a screenshot of one of the emails that I've received this morning:

Here's a screenshot of another one of the emails that I've received this morning [Can you spot the difference ;-)]:

If you are foolish enough to click on the link in the email, you'll end up on a page that looks like this:

And here is the source of the web page currently in use:

The more eagle-eyed of you may have noticed that the code includes an IFRAME which loads a PHP file called 'ind.php'; this is what part of the page source code looks like for that file:

You may notice that this uses an obfuscated JavaScript routine. The end result, if you have JavaScript enabled in your web browser and your anti-malware doesn't detect this malcode, is that a dropper will be written to your hard disk. This is effectively a 'drive-by download', as you don't have to click on anything on the web page to download the file hidden in the JavaScript in 'ind.php'. The lower part of the code has been digitally munged by myself, as you don't need to see all of it.
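The two things worth keying on in this run are the shape of the lure (one short text line plus a bare dotted-IP URL) and the shape of the landing page (a zero-sized IFRAME pulling a .php from the same IP, whose script is a percent-escaped blob fed to eval(unescape(...))). Below is a small triage script I have added here to show how both can be checked statically, without ever rendering the page; it is not code from the original post, and the e-mail, page and script samples in it are constructed stand-ins that reuse the post's placeholder address, not the real campaign content.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed stand-ins for the lure e-mail, the landing page and the IFRAME
# target. None of this is the real campaign content; the IP address is the
# same placeholder the post uses.
SAMPLE_EMAIL = "Amazing Independence Day show\nhttp://100.123.12.1/\n"

SAMPLE_PAGE = """<html><body>
<p>Happy Independence Day! Click the picture to start the show.</p>
<a href="fireworks.exe"><img src="fireworks.jpg"></a>
<iframe src="http://100.123.12.1/ind.php" width="0" height="0" frameborder="0"></iframe>
</body></html>"""

# Fully %XX-escaped '<script>document.write("hi")</script>' handed to eval().
SAMPLE_IND_PHP = """<script type="text/javascript">
var z="%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%22%68%69%22%29%3C%2F%73%63%72%69%70%74%3E";
eval(unescape(z));
</script>"""

DOTTED_IP_URL = re.compile(
    r"https?://(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/\S*)?", re.I)
ESCAPED_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){20,}")

def dotted_ip_urls(text):
    """Every http(s) URL in text whose host is a bare IPv4 address."""
    return [m.group(0) for m in DOTTED_IP_URL.finditer(text)]

def looks_like_lure(body):
    """The e-mail pattern from the post: exactly one short text line plus one
    line that is nothing but a dotted-IP URL."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if len(lines) != 2:
        return False
    url_lines = [ln for ln in lines if DOTTED_IP_URL.fullmatch(ln)]
    text_lines = [ln for ln in lines if ln not in url_lines]
    return len(url_lines) == 1 and len(text_lines) == 1 and len(text_lines[0]) < 80

class IframeCollector(HTMLParser):
    """Collect <iframe> tags and note whether they are sized to be invisible."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        hidden = (a.get("width", "").strip() in ("0", "1")
                  or a.get("height", "").strip() in ("0", "1"))
        src = a.get("src", "")
        self.found.append({"src": src, "hidden": hidden,
                           "dotted_ip": bool(DOTTED_IP_URL.match(src))})

def iframes(html):
    p = IframeCollector()
    p.feed(html)
    return p.found

def obfuscation_indicators(script):
    """Cheap static tells for the unescape/eval style of drive-by loader."""
    hits = [n for n in ("eval(", "unescape(", "fromCharCode", "document.write")
            if n in script]
    # a long run of %XX escapes is a decoder's payload, not normal page text
    if ESCAPED_RUN.search(script):
        hits.append("long %XX-escaped string")
    return hits

def decode_escaped_strings(script):
    """Decode the %XX payloads statically; this is usually enough to read what
    eval() would have executed, without running any of it."""
    return [unquote(m.group(0)) for m in ESCAPED_RUN.finditer(script)]

if __name__ == "__main__":
    print("lure e-mail:", looks_like_lure(SAMPLE_EMAIL), dotted_ip_urls(SAMPLE_EMAIL))
    print("iframes:", iframes(SAMPLE_PAGE))
    print("indicators:", obfuscation_indicators(SAMPLE_IND_PHP))
    print("decoded:", decode_escaped_strings(SAMPLE_IND_PHP))
```

The decoder only handles the single unescape() layer seen here; real loaders often nest several layers or use fromCharCode arithmetic, in which case you would feed the decoded output back through the same functions or fall back to a sandboxed JavaScript interpreter.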
At the time of posting this blog entry, detection of the offered 'fireworks.exe' file was still far from complete, with only 20 out of 32 tested scanners identifying it as malicious.
Furthermore, the file being offered is not a static binary: in my testing so far each request ends up serving a file which appears to be different, not in size but in MD5 hash. I'm not sure whether this is a case of server-side polymorphism or just a pool of pre-compiled executables from which one is chosen at random.
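Same size with a different MD5 per request is consistent with both explanations, but a byte-level diff of a handful of samples usually separates them: a server patching a few bytes into one binary per request leaves most of the file identical, whereas separately built or re-packed executables differ almost everywhere. The script below is an added example of that check, written for this page rather than taken from the post; the "executables" in it are constructed byte strings (an MZ header and a repeating pattern), and the 2% patch threshold is my own rule of thumb, not a figure from the post.

```python
import hashlib

def fingerprint(blob):
    """Size plus two hashes; size alone is what made the samples look alike."""
    return {"size": len(blob),
            "md5": hashlib.md5(blob).hexdigest(),
            "sha256": hashlib.sha256(blob).hexdigest()}

def differing_ranges(a, b):
    """Contiguous [start, end) byte ranges where two equal-length blobs differ."""
    if len(a) != len(b):
        raise ValueError("differing_ranges needs equal-length inputs")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def classify_samples(samples, patch_threshold=0.02):
    """Heuristic (mine, not from the post): same size and different hashes with
    only a small fraction of bytes changed looks like per-request patching of
    one binary (server-side polymorphism); same size with widespread
    differences looks more like a pool of separately built files."""
    if len({hashlib.md5(s).digest() for s in samples}) == 1:
        return "identical"
    if len({len(s) for s in samples}) != 1:
        return "different sizes: distinct builds or re-packed files"
    base = samples[0]
    worst = 0.0
    for other in samples[1:]:
        changed = sum(end - start for start, end in differing_ranges(base, other))
        worst = max(worst, changed / len(base))
    if worst <= patch_threshold:
        return "same size, few bytes differ: likely per-request patching"
    return "same size, widespread differences: likely a pool of distinct binaries"

# --- constructed samples (not real malware) ----------------------------------
# A fake 1 KiB "executable": MZ header followed by a repeating byte pattern.
BASE = b"MZ" + bytes(range(256)) * 4

def patched_variant(seed):
    """BASE with a 16-byte region at offset 0x200 rewritten: the kind of tweak
    that changes the hash but not the size."""
    region = bytes((seed * 31 + i) & 0xFF for i in range(16))
    return BASE[:0x200] + region + BASE[0x210:]

def pooled_variant(seed):
    """A different file of the same size, standing in for a separate build."""
    return b"MZ" + bytes((i * 7 + seed * 13) & 0xFF for i in range(len(BASE) - 2))

PATCHED = [patched_variant(s) for s in range(4)]
POOLED = [pooled_variant(s) for s in range(4)]

if __name__ == "__main__":
    for name, group in (("patched", PATCHED), ("pooled", POOLED)):
        print(name, [fingerprint(s)["md5"][:8] for s in group], classify_samples(group))
        print("  ranges vs first:", differing_ranges(group[0], group[1]))
```

On real samples you would drop the downloaded files into the list in place of PATCHED or POOLED; if the differing ranges line up with the same offset every time, look at what lives there (overlay, a resource, a timestamp) to see what the server is actually varying.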
If I get any further useful data or news then I'll try and update this entry later today.
For those of you celebrating this particular holiday, I would like to wish you a very happy day and enjoy the real fireworks rather than the fake ones being offered in the latest Storm Worm run.
Oh, by the way, I forgot to mention that this isn't the first time that fireworks have been used to get people to infect their own computers; anyone remember 'Happy99.exe' (also known as 'Ska')?
Labels: all, life, malware, social-engineering, spam