Storm Botnet Returns as Part of New Year's Attacks

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:35:25


Storm botnetA new spam campaign that appeared shortly before the New Year is part of a new effort by the crew behind the Storm/Waledac botnet and is using some rather elementary tactics–in combination with fast-flux–to attempt to compromise unsuspecting users.

The new attack emerged late last week and is fronted by a fairly lame spam campaign that is sending millions of emails that appear to be holiday e-cards, one of the older and more threadbare techniques in this particular game. The messages all contain short messages similar to this:

“Tom has created a New Year ecard.

To view this page please click here:

This message will be stored for 14 days.”

According to an analysis of the attack by the researchers at the Shadowserver Foundation, victims who click on the link in the email are directed to one of a number of compromised domains, which then redirect the user to another page that displays a message asking the user to download a fake Flash player. This, of course, installs a piece of malware on the victim’s machine.

The domains being used in the attack comprise about a dozen compromised sites right now, and they’re all sending users to a list of IP addresses that is changing by the second, Shadowserver said.The botnet is using fast flux to change the destination IP address of the redirect constantly, making it more difficult for researchers and authorities to track its activity.

“If you visit one of the HTML files hosted on a compromised website, its source will look something like this:

    <meta http-equiv='refresh' content='0;url=hxxp://' />

This will redirect you to one of the new
malicious domains being used by the botnet. These are fast flux domains
that will frequently return a new IP address each time they are

$ dig A +noall +answer 0 IN A

As you can see the A record has a TTL of 0,
which essentially instructs name servers not to cache the result.
Continually resolving the hostname will return several new IP addresses,
just like previously seen with Storm Worm and Waledac,” the group said in its analysis of the new attack by Storm.

Researchers at Websense also have been tracking the new campaign and they found that in some rare cases, the pages to which the user is redirected are using obfuscated JavaScript and exploits to try to install the malicious file on the victim’s machine.

Storm is one of the more notorious and well-documented botnets and malware campaigns in the last few years. It’s mostly fallen by the wayside of late, but it has popped up as part of spam campaigns and other malware attacks from time to time.