Tuesday, September 04, 2007

A Stormy Labor Day celebration

I did have a stormy Labor Day weekend in Hilton Head over the long holiday weekend, but my Inbox also received new copies of Storm worm hoping to trick users into infecting themselves. They either tell users they have a new e-card or there is a holiday greeting card waiting for them. The host with the malicious content has a cute Labor Day picture that links to "labor.exe"

All the same nasty obfuscated Javascript exploit code is still there and doesn't appear to have changed from what we were seeing last week.

Subject: Happy Labor Day
Body: Someone has sent you an E-Card. To view it, follow this link: http://ecards.com/funcard/edelivery?xz2dl2ifbi6r80hzk

Subject: The Big Labor Day Weekend
Body: Here is the link to view your holiday greeting online: http://hallmark.com/ecards/labor1?j7hesyq65ubntze680a1p67969wt2

Subject: Your friend has sent you a card.
Body: Click here to pick up your greeting card: http://netcards.com/cards/edelivery?p9n2q90enz4afj0

I do most of my javascript deobfuscation using technique #4 as detailed by Daniel Wesemann on the SANS Internet Storm Center site (http://isc.sans.org). I'll probably go over how I do it in a little more detail in an upcoming post.


Anonymous said...

I'm just wonderin why did you erase the sign of MR. bennet, the original maker of picture labor day? It's against copyrights. Thank you

John H. Sawyer said...

I'm not sure what "MR" sign you are referring to. This is a screen shot of a Storm worm infected machine that is hosting the Labor Day image and some malware.

If you would provide the information as to who created the image, I'd be happy to link to the original. The only reason I included it here is to show others how Storm worm was trying to dupe users into infecting themselves.

Grabbit Media said...

Thanks for sharing a useful information