Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Storm Worm - Invitations to become club members

The highly polymorphic Storm worm has been re-engineered very quickly. Messages now attempt to invite people into various social network clubs found on the Internet. This new attack is widespread, as almost 2 million infected users are participating in a HUGE botnet that spams out countless copies. This new threat is circulating extensively. The 1st sample message is tempting, as I really like cats, but I think I'll decline this invitation.

Storm of the Day (Welcome Member)
http://isc.sans.org/diary.html?storyid=3298

QUOTE: Looks like Storm moved to a new mutation. The e-mails are now inviting users to become members in various "clubs"

 

===================================

SAMPLES with malicious information removed

===================================

To: Harry
Subject: Your Member Info
From: "Cat Lovers" [EMAIL ADDRESS REMOVED]
Date: Tue, 21 Aug 2007 16:01:11 +0800

Subject: Greetings, Welcome To Cat Lovers.

User Number: 93275951895
Temp Login ID: user2686
Password ID: qt379

Please Change your login and change your Login Information.

Click on the secure link or paste it to your browser:
[DANGEROUS NUMERIC URL REMOVED]

Enjoy,

Confirmation Dept.
Cat Lovers


===================================


To: Harry
Subject: Internal Support
From: [EMAIL ADDRESS REMOVED]
Date: Tue, 21 Aug 2007 03:46:26 -0400


New Member,

We are glad you joined Ringtone World.

Confirmation Number: 1433249943
Your Temp. Login ID: user9096
Temp Password ID: od872

Your temporary Login Info will expire in 24 hours. Please login and change it.

Use this link to change your Login info:
[DANGEROUS NUMERIC URL REMOVED]

Enjoy,
New Member Services
Ringtone World


===================================


To: Harry
Subject: Membership Details
From: "Internet Dating" [EMAIL ADDRESS REMOVED]
Date: Mon, 20 Aug 2007 19:41:32 -0400


New Member, Here is your membership info for Internet Dating.

User Number: 23913334
Your Login ID: user8588
Temp Password ID: gj779

Please Change your login and change your Login Information.

Follow this link, or paste it in your browser:
[DANGEROUS NUMERIC URL REMOVED]

Enjoy,
Membership Support Department
Internet Dating


===================================


To: Harry
Subject: Welcome Letter
From: "Net Gambler" [EMAIL ADDRESS REMOVED]
Date: Tue, 21 Aug 2007 13:31:41 +0100


Greetings, We are glad you joined Net Gambler.

Account Number: 92687431
Temp Login ID: user1564
Temp Password ID: gf869

Please Change your login and change your Login Information.

Click here to enter our secure server:
[DANGEROUS NUMERIC URL REMOVED]

Enjoy,
Support Department
Net Gambler
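
All four samples point the reader at a link whose host is a bare numeric address rather than a DNS name. The Python check below is an added example, not part of the original post: it flags such links in a message body and, going beyond the dotted form, also covers the single-integer and hex host spellings that browsers accept. The sample text and the address 192.0.2.7 (a documentation range) are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

def host_as_ip(host):
    """Return the IP address a URL host denotes, or None for a DNS name."""
    if not host:
        return None
    try:
        return ipaddress.ip_address(host)        # dotted IPv4 or IPv6 literal
    except ValueError:
        pass
    try:
        # Browsers also resolve a single integer host, decimal or 0x-hex.
        if re.fullmatch(r"0x[0-9a-f]+", host, re.IGNORECASE):
            return ipaddress.IPv4Address(int(host, 16))
        if re.fullmatch(r"[0-9]+", host):
            return ipaddress.IPv4Address(int(host))
    except ValueError:                           # integer outside IPv4 range
        pass
    return None

def numeric_urls(body):
    """List (url, ip) for each http(s) link in body whose host is an IP."""
    hits = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:)")     # drop sentence punctuation
        try:
            host = urlsplit(url).hostname
        except ValueError:                       # malformed bracketed host
            continue
        ip = host_as_ip(host)
        if ip is not None:
            hits.append((url, str(ip)))
    return hits

# Constructed message body modelled on the samples above (not a real capture).
SAMPLE = """\
Confirmation Number: 1433249943
Use this link to change your Login info:
http://192.0.2.7/
Decimal form: http://3221225991/login
Hex form: http://0xC0000207/
Named host: https://www.example.com/members
"""

if __name__ == "__main__":
    for url, ip in numeric_urls(SAMPLE):
        print(f"numeric host: {url} -> {ip}")
```

A hit is a reason to quarantine or score the message, not proof of malware; long digit strings such as the confirmation number are ignored because they are not link hosts.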

Comments

buck said:

I got one of these emails. Why is the numeric web address so dangerous?

# August 21, 2007 8:39 PM

Harry Waldron said:

Hi Buck - Excellent Question ... Specifically for the Storm Worm attacks, the URL contains malware that could automatically download and install on your PC. Sometimes the website is taken offline by security firms.

Numeric URLs should be considered untrusted in email or websites unless you are familiar with the site based on past experience (e.g., sometimes websites will switch from a DNS to numerical representation).

# August 22, 2007 8:21 AM

boris said:

I got a mail like that (Net Gambler) and answered that I'm not aware of subscribing to such a thing.

Am I in danger just by answering this mail? (The link was not working.)

Kind regards

BORIX

# August 23, 2007 4:51 AM