on December 29, 2007 by Wolf in Internet Scams, Comments (2)

Storm Worm Takes (another) Holiday

Wolf Halton

The Storm Worm loves holidays. Storm Worm is the code name for a particular bot-net. A bot-net is a large group of zombified computers that are 0wned by some shadowy person without the knowledge of the people who actually have the computers. Bot-nets do a few things; what Storm Worm’s 0wners like to do is send out buckets and buckets of spam. These are not all the same kind of message (there are several), but all I want to tell you about is the postcard variants.

  1. postcard.exe attachments (these insert a trojan into your computer so you can be part of the collective). It is a little like the Borg collective on Star Trek, except that you, as an 0wned box’s user, are not informed that your computer is part of a collective.
  2. messages enticing you to go to a malware-hosting site like newyearwithlove.com. These sites may or may not infect your computer with something that causes apparent trouble. They are much more interested in your not realizing you have the infection. If you don’t know you are infected, you will not be thinking about getting a cure.

It is important for you to know that “real” postcard sites personalize the messages extensively. When you send an email card out to a friend, you fill out a form that has fields for your name, your email, your friend’s name and your friend’s email. Then there is a comment area to fill in. This means that when your friend gets the card email, it says something like the following (presuming your name is Ima Real and your friend’s name is Bill Fescue):

Subject: Bill Fescue, your friend Ima Real (ima@aol.com) has sent you a greeting
To: BFescue@wolfhalton.info
From: Cards@Hallmark.com

Body: Bill, I really enjoyed having coffee with you on Wednesday at the Caribou. I am glad to be your friend.

Your friend

Ima

[editor's note: If you want your real ecards to be opened by your smart friends, be personal and real.]

To collect your greeting, go to Hallmark.com/098327437987

[editor's note: when you mouse over this link, the link will be substantively identical to the visible link text]

Personal emails with cards in them are never, ever addressed to nobody, or to a crowd of addresses in the To: field, and you don’t click on links in emails from people you don’t know, anyway.

The only sensible way to combat bot-nets is to educate people on what is authentic and what is not. The new year holiday has brought tons of emails that look like this:

————

From: budsakorn@haltomcitytx.com
To: wolf@spam-collection.com
Subject: Happy New Year To wolf@spam-collection.com!
Date: Sat, 29 Dec 2007 17:20:10 +0200 (10:20 EST)
Mailer: Microsoft Outlook Express 6.00.2800.1106

Blasting New 2008 Year
http://newyearwithlove.com/

————

and this

————

From: ryocom@msc.naples.navy.mil
To: webmaster@spam-collection.org
Subject: It’s the New Year 2008
Date: Sat, 29 Dec 2007 21:36:29 +0900 (07:36 EST)
Mailer: Microsoft Outlook Express 6.00.2900.2180

New 2008 Year Ecard
http://newyearwithlove.com/

————

From: hallmark.com <E-Cards@hallmark.com>
To: wolf@spam-collection.com
Subject: You’ve received A Christmas Hallmark E-Card!
Date: Sat, 29 Dec 2007 01:08:59 +0100 (CET) (Fri, 19:08 EST)
Hallmark.com | Shop Online | Hallmark Magazine | E-Cards & More | At Gold Crown
You have recieved A Christmas Hallmark E-Card.

[note: received is misspelled]

Hello!

You have recieved a Christmas Hallmark E-Card.

To see it, click here. [The only bogus link in the email = http://83.18.235.2/Christmas/card.exe. You have to learn to mouse-over links.]

There’s something special about that E-Card feeling. We invite you to make a friend’s day and send one. [http://www.hallmark.com/webapp/wcs/stores/servlet/category1%7C10001%7C10051%7C-102001%7C-102001%7Cecards%7CunEcardandMore%7CE-Cards?lid=unEcardandMore]

Hope to see you soon,
Your friends at Hallmark

Your privacy is our priority. Click the “Privacy and Security” link at the bottom of this E-mail to view our policy.

Hallmark.com | Privacy & Security | Customer Service | Store Locator

————

These are pretty professional, especially the last one; however, neither of the first two senders is known to the owners of my collection accounts, and none of the senders seems to really know who I am. I think these Trojan-placement emails are successful because (1) many people are lonely and bored and (2) many people are uneducated as to the signs of authenticity. When these two conditions coexist, there is a moment for the Trojan to be placed.
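As an added example (not part of the original post), here is a small Python check that applies the authenticity rules above to one raw message: whether the card is addressed to me personally or to a crowd, whether the subject uses my address where a friend would use my name, and the mouse-over rule that visible link text must match the real target, plus links that fetch an executable or go to a bare IP address. The sample card is constructed for this example and 192.0.2.10 is a documentation address standing in for the real one.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simple HTML anchor grab
DOMAIN = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)           # link text that names a site

def host_of(href):
    """Real target host of a link, with any leading www. dropped for comparison."""
    return (urlparse(href).hostname or "").lower().removeprefix("www.")

def ecard_warning_signs(raw, my_address):
    """List the signs of a bogus e-card in one raw message, following the rules in the post."""
    msg = email.message_from_string(raw, policy=policy.default)
    to, subject, me = msg.get("To", ""), msg.get("Subject", ""), my_address.lower()
    signs = []
    if me not in to.lower():
        signs.append("not addressed to me")
    if to.count("@") > 1:               # a personal card is never sent to a crowd
        signs.append("sent to a crowd")
    if me in subject.lower():           # my address where a friend would use my name
        signs.append("subject uses my address, not my name")
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, shown in ANCHOR.findall(body.get_content() if body else ""):
        host, named = host_of(href), DOMAIN.match(shown.strip())
        if href.lower().endswith(".exe"):
            signs.append(f"link fetches an executable: {href}")
        if re.fullmatch(r"\d+(\.\d+){3}", host):
            signs.append(f"link goes to a bare IP address: {href}")
        # the mouse-over rule: link text that names a site must match the real target
        if named and named.group(1).lower().removeprefix("www.") != host:
            signs.append(f"link text shows {named.group(1)} but points to {host}")
    return signs

# Constructed sample modelled on the bogus "Hallmark" card quoted above (192.0.2.10 is a documentation address)
BOGUS_CARD = """\
From: Hallmark E-Cards <E-Cards@hallmark.com>
To: wolf@spam-collection.com
Subject: You've received A Christmas Hallmark E-Card!
Content-Type: text/html

<p>Hello! You have recieved a Christmas Hallmark E-Card.</p>
<p>To see it, <a href="http://192.0.2.10/Christmas/card.exe">click here</a>.</p>
<p>Send one at <a href="http://192.0.2.10/Christmas/card.exe">Hallmark.com/098327437987</a>.</p>
"""
```

Run `ecard_warning_signs(BOGUS_CARD, "wolf@spam-collection.com")` to see the five signs the sample trips; a properly personalized card that links to the site it names produces an empty list.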

Considering that there are hundreds of thousands of these 0wned computers, there is an opportunity for all of us to realize that we are not alone in our condition of loneliness or boredom and that knowledge alone may help a few to reach out to reality a bit. Our physical friends are more confronting than people who appear out of nowhere on the internet looking to make you their long-lost buddy, but they are less likely to involve us in money-laundering schemes and stock fraud. Since this is the new year arriving, let’s make a resolution to meet and speak with one person we didn’t know before every month. Repealing the idea that “I am the only lonely and bored person in the universe” is an excellent way to combat steady take-over by the bot-masters.

Holidays always lead real people to use the simple out of sending ecards to all their friends and acquaintances, and so in the general upsweep of cards from friends, these cards from people we don’t know may be easier to miss. I foresee a rush of Valentine’s Day Storm Worm bogus cards. Get ready, sweeties. That one may be even harder to resist.

Maybe next week (next year!) we will talk about greed, desperation, “poor body-image” and “absence of choice”, the payload of Storm Worm, and why it is possible to rent bot-nets (for those who want to enter a life of crime).

Yours,

Wolf “Can’t We all Just Get Along?” Halton

PS Can anybody tell me why the ship’s computer on the Enterprise, or the Millennium Falcon are not awash with viruses and malware?


2 Comments

  1. Senior smartcard admin

    March 2, 2009 @ 10:35 am

    Good blog post!

  2. Wolf

    March 3, 2009 @ 10:14 am

    The Storm Worm is still going strong. My spam collectors are still collecting a good selection of storm-worm messages.
