<<<
NEWS FROM THE LAB - Thursday, June 19, 2008
>>>
 

 
Storm Rumbles Beijing
Posted by Patrik @ 05:56 GMT

One of the trademarks of the Storm gang's 18-month lifespan has been that they're very creative and current when it comes to their social engineering techniques (e.g. 1, 2, 3, et cetera). The latest variant is an e-mail that arrives in your inbox reporting a violent earthquake in Beijing.

[Screenshot: storm_beijing_earthquake_web]


If you click on the link you are taken to a page which seems to contain a video of these tragic events. If you click to play the video, the site asks you to download and run a file called beijing.exe, which of course is not a video at all but the Storm trojan.

[Screenshot: storm_beijing_earthquake_web]


One thing that makes it a bit more difficult for a user to notice that the e-mail is in fact a Storm message is that the links point to valid domain names instead of IP addresses. This is not new for Storm, but it is unusual, as most of their links point directly to infected IP addresses.

So far we've seen the following domains being used and they are all fast fluxing:


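The fast-flux behaviour mentioned above is what gives these lure domains away to a defender: their A records churn through many hosts on many networks with short TTLs. The following is an added example, not F-Secure's code or tooling, that scores constructed DNS observations (placeholder domains and documentation IP ranges) against assumed thresholds (TTL at most 600 s, at least five distinct IPs across at least three /24 networks) to flag such domains:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    """One A-record lookup result (constructed sample data, not real DNS)."""
    domain: str
    seen_at: int           # seconds since start of the observation window
    ttl: int               # TTL on the A records in this response
    addresses: frozenset   # IPv4 strings returned in this response


# Constructed observations: a rotating lure domain versus a stable one.
SAMPLE = [
    DnsObservation("flux-lure.invalid", 0, 300, frozenset({"192.0.2.10", "192.0.2.11"})),
    DnsObservation("flux-lure.invalid", 600, 300, frozenset({"198.51.100.7", "203.0.113.9"})),
    DnsObservation("flux-lure.invalid", 1200, 300, frozenset({"192.0.2.44", "203.0.113.80"})),
    DnsObservation("static-site.invalid", 0, 86400, frozenset({"192.0.2.1"})),
    DnsObservation("static-site.invalid", 600, 86400, frozenset({"192.0.2.1"})),
]


def summarize(observations):
    """Per domain: (distinct IPs, distinct /24 networks, minimum TTL seen)."""
    ips = defaultdict(set)
    nets = defaultdict(set)
    min_ttl = {}
    for obs in observations:
        ips[obs.domain].update(obs.addresses)
        # Crude /24 bucket: drop the last octet of each dotted-quad address.
        nets[obs.domain].update(a.rsplit(".", 1)[0] for a in obs.addresses)
        min_ttl[obs.domain] = min(obs.ttl, min_ttl.get(obs.domain, obs.ttl))
    return {d: (len(ips[d]), len(nets[d]), min_ttl[d]) for d in ips}


def fast_flux_candidates(observations, max_ttl=600, min_ips=5, min_nets=3):
    """Flag domains whose A records churn across networks with short TTLs.

    The thresholds are assumptions for this example, not published values.
    """
    return sorted(
        d for d, (n_ips, n_nets, ttl) in summarize(observations).items()
        if ttl <= max_ttl and n_ips >= min_ips and n_nets >= min_nets
    )


if __name__ == "__main__":
    print(fast_flux_candidates(SAMPLE))  # ['flux-lure.invalid']
```

In practice the observations would come from repeated resolver queries or passive DNS logs over hours, since a single lookup never shows the rotation.
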
The first time we saw Storm was when they sent out e-mails that reported violent storms going through Europe — that's why we named it Storm. At the time there were actually storms going through Europe.

The earthquake in Beijing has fortunately not happened. Speaking of Beijing and Storm, we are still expecting to see Storm, and other malware, use the Olympic games in August as a social engineering trick, so be on the lookout for those in a few weeks.