New Storm Campaign and Domains
August 4th, 2008 — bjou
Now, I am not a tracker of Storm campaigns or binaries, just a casual binary analyst, but today, while running a Storm gateway for research purposes, I found some new domains going along with the revisited love theme and its postcard.exe.
worldpostcardart.com
superlettercard.com
yourlettercard.com
freepostcardonline.com
digitalaudiopostcard.com
lettercardadvertising.com
bestlettercard.com
audiopostcardmail.com
supergreetingcard.com
oldpostcardshop.com
All of the above domains were created on August 2nd; the following domain, created on July 28th, provides the nameservers for them:
brprbgok6.com
Digging these domains returns a single IP with a TTL of 60 seconds, which points to fast-flux. I have not investigated earlier campaigns, but I wondered why only one IP was returned; typically, fast-flux resolves a domain name to a whole bunch of short-lived IPs.
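A 60-second TTL from a single lookup cannot by itself separate fast-flux from a plain low-TTL record; you have to re-query for a while and count how often the answer changes. As an added example (not code from the original post), the Python script below applies that heuristic to constructed observations: the domain names are the ones listed above, the IPs are RFC 5737 documentation addresses, and the timestamps and TTLs are made up to illustrate the three outcomes.

```python
"""Fast-flux triage over repeated DNS lookups.

Added example, not code from the original post. Assumes you have already
collected A-record answers for the listed domains over time (for instance
by re-running ``dig`` every TTL interval); here the observations are
constructed inline so the script runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int       # seconds since start of collection
    domain: str
    ip: str
    ttl: int


# Constructed sample data. The 60-second TTL mirrors the value in the post;
# the IPs are RFC 5737 documentation addresses, not addresses seen in the wild.
SAMPLE = [
    Observation(0,    "supergreetingcard.com", "198.51.100.17", 60),
    Observation(60,   "supergreetingcard.com", "198.51.100.17", 60),
    Observation(120,  "supergreetingcard.com", "203.0.113.44", 60),
    Observation(180,  "supergreetingcard.com", "192.0.2.201", 60),
    Observation(240,  "supergreetingcard.com", "198.51.100.17", 60),
    # One lookup only: a short TTL but nothing to compare against yet.
    Observation(0,    "worldpostcardart.com", "203.0.113.9", 60),
    # A stable host for comparison: long TTL, one address throughout.
    Observation(0,    "example.org", "192.0.2.1", 86400),
    Observation(3600, "example.org", "192.0.2.1", 86400),
]

LOW_TTL = 300    # at or below this the TTL counts as suspiciously short
MIN_CHURN = 3    # distinct IPs seen before we call it flux


def summarize(observations):
    """Per domain: distinct IPs, minimum TTL, and how often the answer changed."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)
    out = {}
    for domain, obs in by_domain.items():
        obs.sort(key=lambda o: o.ts)
        ips = [o.ip for o in obs]
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        out[domain] = {
            "distinct_ips": len(set(ips)),
            "min_ttl": min(o.ttl for o in obs),
            "answer_changes": changes,
            "lookups": len(obs),
        }
    return out


def classify(summary):
    """'fast-flux' needs both a short TTL and churn; a short TTL alone is only a hint."""
    if summary["min_ttl"] <= LOW_TTL and summary["distinct_ips"] >= MIN_CHURN:
        return "fast-flux"
    if summary["min_ttl"] <= LOW_TTL:
        return "low-ttl-only"
    return "stable"


def triage(observations):
    """Map each domain to its classification."""
    return {d: classify(s) for d, s in summarize(observations).items()}


if __name__ == "__main__":
    for domain, s in summarize(SAMPLE).items():
        print(f"{domain:28} {classify(s):13} {s}")
```

The single-lookup case comes out as "low-ttl-only", which is exactly the situation in the post: one answer with a 60-second TTL is a reason to keep polling, not yet proof of flux.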
The campaign’s website is kept simple:
Your download will start shortly. If you are unable to see your postcard, save it in and run on your computer.
The binary's antivirus detection rate is 19/36 (52.78%).
As I am the first to blog this, and as I am currently not running a Storm spambot, I guess we need to wait for Jeremy to fire up his automated extraction scripts for more insight into the respective spam messages.
Update Aug 6th: Today I found more information on the spam messages at the Trend Micro Blog: http://blog.trendmicro.com/storm-uses-old-bait/.
Took them some time though…
August 5th, 2008 at 8:58 am
I’m glad I found this blog. I got one of these e-cards today and they told me to go to superlettercardDOTcom to see it.
I was suspicious, because my neighbours don’t send me e-cards.
So, no harm done.
August 5th, 2008 at 12:56 pm
Today I received a harmless looking email with the message that my flatmate has sent me an e-card through “audiopostcardmail.com”.
Since I don't live in a flat, that made me wonder… Using Google, I stumbled on this site.
Interesting…..
August 5th, 2008 at 1:48 pm
WOW – I am really super glad I got that "whoa, wait a minute" feeling. All I needed was to do something to my husband's computer. My brother was in a serious motorcycle accident with his wife yesterday, then my husband's bike was stolen right out of our back yard in broad daylight just minutes after he parked it yesterday afternoon. Nothing like adding a messed-up computer to that mess. Thanks for informing. You really saved us.
August 5th, 2008 at 4:58 pm
Oh dear, I clicked on supergreetingcard.com already. What can we do at this point?
August 5th, 2008 at 10:59 pm
Hi, I have a question. I just got an email about a card from yourlettercard.com, but I can't find the site. The email is a few days old so it might be gone already. I have an important friend who does communicate by cards, and because of his family's religious objections to mine – does usually put them down under something anonymous. So what is going on? Are they all bad? All viruses? Did they take the site down? I can get to only about half of the previous part of this conversation, and I'm trying to fill in the blanks. I really need to get to this card if it is genuine – then again I have been having one of the worst weeks of my life – I do not want to add ruining my computer to everything else that has happened. Thanks. So what is the heads-up on this situation?
August 6th, 2008 at 2:45 am
Return-Path:
Received: from noehlo.host ([127.0.0.1])
by pickering.mail.mindspring.net (EarthLink SMTP Server) with SMTP id 1kq1cZ4T43Nl3p20; Mon, 4 Aug 2008 10:38:49 -0400 (EDT)
Received: from xxejsf ([92.67.214.89])
by pickering.mail.mindspring.net (EarthLink SMTP Server) with SMTP id 1kq1cY5c13Nl3p20
for ; Mon, 4 Aug 2008 10:38:48 -0400 (EDT)
Received: from pzsh ([75.215.65.167]) by xxejsf with Microsoft SMTPSVC(6.0.3790.0); Mon, 4 Aug 2008 15:38:49 +0200
Message-ID:
From:
To:
Subject: You Have An Ecard
Date: Mon, 4 Aug 2008 15:38:49 +0200
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="windows-1252";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=4; sbrc=+0; sbf=bb; sbw=000; sbr=+
Somebody made you this card from OldPostcardShop.com.
If you would like to see your Card, click on the following link.
http://OldPostcardShop.com/?539e3b14a79bb24c4d
(c) 2001-2008 OldPostcardShop.com.
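The headers pasted in the comment above carry the two things worth pulling out of such a lure automatically: the Received chain (to find the host that actually connected to the recipient's mail server) and the URL in the body (to match against the domain list from the post). As an added example, not code from the original post or the commenter, the Python script below does both. The sample message is the commenter's dump re-folded into valid header syntax, with the blank Return-Path/Message-ID/From/To fields omitted; "mindspring.net" is taken from the receiving server's name in those headers and is assumed to be the recipient's own provider.

```python
"""Triage of an e-card lure: walk the Received chain, then match the lure URL
against the domain list from the post.

Added example, not code from the original post or its commenters. RAW is the
header/body dump a commenter pasted, re-folded so the email parser accepts it;
the empty header fields from the paste are left out.
"""
import re
from email import message_from_string
from urllib.parse import urlsplit

# Domain list taken from the post (the ten lure domains plus the nameserver domain).
STORM_DOMAINS = {
    "worldpostcardart.com", "superlettercard.com", "yourlettercard.com",
    "freepostcardonline.com", "digitalaudiopostcard.com",
    "lettercardadvertising.com", "bestlettercard.com", "audiopostcardmail.com",
    "supergreetingcard.com", "oldpostcardshop.com", "brprbgok6.com",
}

RAW = """\
Received: from noehlo.host ([127.0.0.1])
 by pickering.mail.mindspring.net (EarthLink SMTP Server) with SMTP id 1kq1cZ4T43Nl3p20; Mon, 4 Aug 2008 10:38:49 -0400 (EDT)
Received: from xxejsf ([92.67.214.89])
 by pickering.mail.mindspring.net (EarthLink SMTP Server) with SMTP id 1kq1cY5c13Nl3p20
 for ; Mon, 4 Aug 2008 10:38:48 -0400 (EDT)
Received: from pzsh ([75.215.65.167]) by xxejsf with Microsoft SMTPSVC(6.0.3790.0); Mon, 4 Aug 2008 15:38:49 +0200
Subject: You Have An Ecard
Date: Mon, 4 Aug 2008 15:38:49 +0200
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="windows-1252"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 6.00.2800.1506

Somebody made you this card from OldPostcardShop.com.
If you would like to see your Card, click on the following link.
http://OldPostcardShop.com/?539e3b14a79bb24c4d
(c) 2001-2008 OldPostcardShop.com.
"""

# "from <helo> ([<ip>]) by <server>" is the shape every hop above uses.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def hop_chain(msg):
    """Return (helo, ip, by) per hop, oldest first. Received headers are
    prepended as the mail travels, so the header order is reversed here."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(raw.split()))   # unfold continuation lines
        if m:
            hops.append((m["helo"], m["ip"], m["by"]))
    return hops


def connecting_ip(hops, trusted_suffix):
    """IP of the host that handed the message to our own (trusted) MTA.
    Hops recorded before that point were written by the sender's machine and
    can say anything they like; loopback hops are the MTA talking to itself."""
    for _helo, ip, by in hops:
        if by.endswith(trusted_suffix) and not ip.startswith("127."):
            return ip
    return None


def lure_domains(body):
    """Lower-cased hostnames of every URL found in the body."""
    return {urlsplit(u).hostname for u in URL_RE.findall(body)}


def triage(raw, trusted_suffix="mindspring.net"):
    """Summarize the hop chain, the connecting IP and any IOC domain hits."""
    msg = message_from_string(raw)
    hops = hop_chain(msg)
    return {
        "hops": hops,
        "connecting_ip": connecting_ip(hops, trusted_suffix),
        "ioc_hits": sorted(lure_domains(msg.get_payload()) & STORM_DOMAINS),
        "x_mailer": msg.get("X-Mailer", ""),
    }


if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```

The point of `connecting_ip` is the caveat that matters when reading such headers: only the Received line written by the recipient's own server is trustworthy, so here it is the 92.67.214.89 hop that was actually observed, while the "pzsh ([75.215.65.167])" line beneath it was written by the sending host and cannot be verified.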
August 6th, 2008 at 8:37 am
All the domains mentioned above are definitely bad! So DO NOT visit them. If you already did, you might be lucky if you did not download and execute postcard.exe, or if you have a patched and up-to-date system and browser. Download a virus scanner if you did (free-av.de) and check your system.
August 7th, 2008 at 11:10 pm
Hi, I have downloaded the postcard and can't delete it off my computer. What should I do?
April 24th, 2009 at 11:02 am
I can tell that this is not the first time at all that you write about this topic. Why have you chosen it again?