Web watchers warn of new Storm attack

The prolific Storm malware is on the attack again, according to the folks at the SANS Internet Storm Center (ISC). ISC handler Lorna Hutcheson wrote on the storm center Web site that the latest email attack includes a subject line that says “You’ve received a postcard from a family member!” From there, variations of the email text are as follows (WARNING: DO NOT CLICK ON THE URLs BELOW):
--------
OPTION 1
--------
Click on the following Internet address or
copy & paste it into your browser’s address box.
http://200xxxxxxxxxxxxxxxx
--------
OPTION 2
--------
Copy & paste the ecard number in the “View Your Card” box at
http://200.8xxxxxxxx
Your ecard number is 08a823e96272575cbcxxxx
Hutcheson says the Web site has some interesting JavaScript that “appears to have multiple ways to exploit a browser in order to compromise a system.” If JavaScript is enabled, she says, the user receives this:
MD5 (tm.exe) = 07276fce39282fd182757d2557f9eca7 which is a downloader that gets this:
MD5 (logi.exe) = 4aa22564a0b886226d8cf14456a598ab
She adds: “If javascript is disabled, then they provide you a handy link to click on to exploit yourself and you get MD5 (ecard.exe) = 30051dc10636730e4d6402ef8e88fd04.”
Here is what a user would see:
“We are currently testing a new browser feature. If you are not able to view this ecard, please click here (/ecard.exe) to view in its original format.”
From there, the ISC lists a bunch of other code variations and a long list of compromised home machines being used in the attacks.
This is just another reminder not to click emailed URLs if they don’t come from a trusted source.
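For mail administrators, the email traits quoted above (the fixed subject line, a link whose host is a bare IP address, and the "ecard number" wording) can be checked mechanically. The sketch below is an added example, not code from the ISC or from this post; the function names and both sample messages are constructed for illustration, and 192.0.2.10 is a documentation address standing in for the truncated URLs.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

LURE_SUBJECT = "you've received a postcard from a family member!"  # from the report
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def _ip_host(url):
    """True when the URL's host is an IP literal rather than a domain name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def _body_text(msg):
    """Concatenate all text/* parts, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_message(raw):
    """Return the list of lure traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    hits = []
    # Normalise the typographic apostrophe before comparing subjects.
    subject = msg.get("Subject", "").replace("\u2019", "'").strip().lower()
    if subject == LURE_SUBJECT:
        hits.append("subject")
    if any(_ip_host(u) for u in URL_RE.findall(body)):
        hits.append("ip-literal-url")
    if re.search(r"\becard number\b", body, re.I):
        hits.append("ecard-number")
    return hits

# Constructed samples; 192.0.2.10 is a documentation address (RFC 5737).
LURE = ("Subject: You've received a postcard from a family member!\n\n"
        "Copy & paste the ecard number in the \"View Your Card\" box at\n"
        "http://192.0.2.10/\nYour ecard number is 0123456789abcdef\n")
BENIGN = ("Subject: Your order has shipped\n\n"
          "Track it at https://shop.example.com/track?id=42\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, score_message(raw))
```

A message that matches two or more traits is a reasonable candidate for quarantine; the IP-literal check on its own also fires on some legitimate internal mail, so it is best used in combination with the others.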