Storm Botnet Celebrates Birthday With Fireworks

Published: 2008-07-04
Last Updated: 2008-07-04 15:01:30 UTC
by Kevin Liston (Version: 2)
1 comment(s)

The Basics

I read about MX Logic's  prediction this morning (www.computerworld.com/action/article.do) that we should expect another wave of Storm Bot recuitment emails likely using the US Independence Day holiday as a lure.  This group behind the Storm Botnet has always been concious of timing and shortly after 5pm Eastern time I began to receive reports that a new wave had started.

There's nothing very different about this one, it directs the user to click on a link that encourages the intended victim to download fireworks.exe.

Gary Warner has a nice starter collection of Subjects, Bodies, and hosting IPs for those who need to set up blocks and filters available here: garwarner.blogspot.com/2008/07/storm-worm-salutes-our-nation-on-4th.html  I'm sure that the list will continue to grow.  I'd recommend that you play it safe by blocking all attemtps to download fireworks.exe at your perimeter (your environment may vary, but I can't see any business justification for any executables named fireworks to be downloaded by my users-- I know "Kevin is no fun.")

Fireworks of Fireworks.exe

Russ McRee did a nice little write-up and visualization of the bots traffic.  I think it's prettier than what the lure-video promised.  It's available here: holisticinfosec.blogspot.com/2008/07/visualized-storm-fireworks-for-your-4th.html

So What?

A reader wrote in asking: "I am interested to know, how it is possible, that the storm worm is still able to be such a threat, that ISC needs to report about it?"

Great question.

My morning pre-caffein answer:

I don't consider these Storm Bot-net waves to be so much of a threat-- I consider them like an EICAR for an organization's incident response process.  If your security policies and incident response procedures are having difficulty with this kind of event, they both need some assistance and re-tooling.

 

Keywords: stormworm
1 comment(s)

Comments

“…If your security policies and incident response procedures are having difficulty with this kind of event…”

Well put, Kevin. I wish that * I * could be so succinct before my morning doses of caffeine!

In fact, the well-documented Storm activity is the specific example I cite when discussing ISC with others.

An organization such as my employer requires me to be more reactive than proactive, so the awareness is less of an EICAR test, more of a change to get a jump on the activity before the flood starts. Each little bit helps. What Johannes/The Boys/The Girls at ISC do is truly an invaluable service to limited, one-man IS shops like mine.

Now, if you’ll pardon me, I need to locate my next 2-litre bottle of wake-up juice…

Diary Archives