New Storm Campaign and Domains
August 4th, 2008 — bjou
Now, I am not a tracker of Storm campaigns or binaries, just a casual binary analyst, but today, while running a Storm gateway for research purposes, I found some new domains going along with the revisited love theme and its postcard.exe.
While all the above domains were created on August 2nd, the following domain provides the nameservers and was created on July 28th.
Digging these domains returns one IP with a TTL of 60 seconds, indicating fast-flux. I have not investigated earlier campaigns, but I wondered why only one IP was returned; typically, for fast-flux, a whole bunch of short-lived IPs is returned for one domain name.
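To make the fast-flux reasoning above concrete, here is an added example (not code from the original post) that parses the answer section of repeated `dig` lookups and applies a simple heuristic: a low TTL on its own only shows the zone is built for rapid change, while a low TTL combined with several distinct addresses (ideally spread over different networks) is what the single-flux pattern looks like. The domain names, addresses, TTL threshold and address-count threshold are constructed assumptions for illustration, not the campaign's data.

```python
import re
from collections import defaultdict

# Constructed sample input (not data from the campaign): answer-section lines as
# printed by repeated runs of `dig +noall +answer <name> A`, using RFC 5737
# documentation addresses. The names are hypothetical stand-ins for the post's domains.
SAMPLE_DIG_OUTPUT = """
postcard-example.test.    60  IN  A  192.0.2.10
postcard-example.test.    60  IN  A  192.0.2.10
postcard-example.test.    60  IN  A  192.0.2.10
flux-example.test.        60  IN  A  198.51.100.5
flux-example.test.        60  IN  A  203.0.113.77
flux-example.test.        55  IN  A  198.51.100.42
flux-example.test.        60  IN  A  203.0.113.9
static-example.test.   86400  IN  A  192.0.2.200
static-example.test.   86399  IN  A  192.0.2.200
"""

# One A record per line: owner name, TTL, class, type, address.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_answers(text):
    """Group dig answer lines as {name: [(ttl, ip), ...]}; non-matching lines are ignored."""
    records = defaultdict(list)
    for raw in text.splitlines():
        m = ANSWER_RE.match(raw.strip())
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        records[name].append((int(m.group(2)), m.group(3)))
    return records


def classify(observations, ttl_threshold=300, min_distinct_ips=3):
    """Heuristic chosen for this example (an assumption, not a standard):
    a name whose TTLs never exceed ttl_threshold and that resolved to at least
    min_distinct_ips different addresses over the observation window looks
    fast-flux; a short TTL on a single address is reported separately, since
    it only says the zone can change quickly, not that it is flipping yet."""
    ttls = [ttl for ttl, _ in observations]
    ips = {ip for _, ip in observations}
    prefixes = {ip.rsplit(".", 1)[0] for ip in ips}  # /24s as a crude network-diversity measure
    short_lived = max(ttls) <= ttl_threshold
    if short_lived and len(ips) >= min_distinct_ips:
        verdict = "fast-flux"
    elif short_lived:
        verdict = "low-ttl-single-ip" if len(ips) == 1 else "low-ttl-few-ips"
    else:
        verdict = "static"
    return {"verdict": verdict, "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes), "max_ttl": max(ttls)}


def summarize(text):
    """Classify every name that appears in a dig transcript."""
    return {name: classify(obs) for name, obs in parse_answers(text).items()}


if __name__ == "__main__":
    for name, result in summarize(SAMPLE_DIG_OUTPUT).items():
        print(f"{name:24} {result['verdict']:18} ips={result['distinct_ips']} "
              f"/24s={result['distinct_prefixes']} max_ttl={result['max_ttl']}")
```

Against real data you would feed it the concatenated output of lookups spaced at least one TTL apart (here 60 seconds) so each query can return a fresh answer; a single snapshot cannot distinguish a freshly registered single-IP domain from one that is already cycling.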
The campaign’s website is kept simple:
Your download will start shortly. If you are unable to see your postcard, save it in and run on your computer.
The binaries' antivirus detection rate is 19/36 (52.78%).
As I am the first to blog this, and as I am currently not running a Storm spambot, I guess we need to wait for Jeremy to fire up his automated extraction scripts for more insight into the respective spam messages.
Update Aug 6th: Today I found more information on the spam messages at the Trend Micro Blog: http://blog.trendmicro.com/storm-uses-old-bait/.
Took them some time though…