Wednesday, October 24, 2007

VMware Server 1.0.4 on Ubuntu Server 7.10 (Gutsy Gibbon)

Note to self (the linux-headers package has to match the running kernel, the one uname -r reports, or vmware-config.pl can't build the vmmon/vmnet modules):
sudo apt-get install libxrender1 libxt6 libxtst6 libx11-6 build-essential xinetd linux-headers-2.6.22-14-server

I've heard VMware is available from one of the repositories, but I've not tried it. This is for installs from the downloaded tarball.

Thursday, October 18, 2007

Play that funky mus...stock spam, Storm

Storm has been sending out pump-and-dump spam for quite a while, with everything from plain text to images to zips. Now it's throwing MP3s at us. The two attachment names are below. So far, the subjects have been blank apart from "Re:" or "Fwd:".

Of note, the X-Mailer is "Microsoft Outlook Express 6.00.2800.1106", but that varies with each new iteration of Storm. I've seen it claim to be Thunderbird in the past.

coolringtone.mp3
firstdance.mp3

Wednesday, October 17, 2007

Because there is no patch...

...for human stupidity. Which is why Storm keeps spreading. There is simply no excuse for people to continue infecting themselves. I'd take a stab at antivirus companies, but they simply can't keep up. Until they all move to true behavior-based detection, they won't be able to handle the flood of malware coming from the miscreants out there.

Today, the Storm worm brings us a new attempt to infect people by getting them to believe there's a new file-sharing application called Krackin. Great!

Below are samples of the e-mails, screenshots and the JavaScript exploits.

Subject: re: krackin is released
Body: New Sharing network goes live. Check out Krackin here.
http://xx.90.44.73/


Subject: re: krackin is online
Body: Ok, last time I am sending you this linkman. LOL write it down or
soothing. This is krackin. http://xx.74.85.128/


Subject: man here is the link
Body: man here is the next huge sharing network. It is friggin awesome. Check
it out. http://xx.37.24.109/



Here's a text file of the JavaScript exploit code. Handle with care!
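The two traits that stand out across the Krackin mails above and the MP3 spam in the previous post are links to bare-IP hosts (Storm points victims at raw IP addresses of infected machines, never a hostname) and MP3 attachments sent under an empty or "Re:"/"Fwd:" subject. Below is an added triage script that checks incoming mail for both and records the X-Mailer header; it is my example, not something from the Storm posts, and the three messages it parses are constructed for the example (the 203.0.113.5 address stands in for the redacted xx.* addresses in the samples).

```python
"""Triage of Storm-style lure e-mails (added example, not code from the post).

Flags two traits: links to bare-IP hosts in the body, and MP3 attachments
sent under an empty / "Re:" / "Fwd:" subject.  The messages below are
constructed; the X-Mailer value is the one quoted in the post.
"""
import email
import re
from email import policy

# http://A.B.C.D/ style links; Storm lures never used a hostname.
IP_URL = re.compile(r'https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/?', re.I)
# Subject that is empty or consists only of reply/forward markers.
EMPTY_SUBJECT = re.compile(r'^\s*((re|fwd?)\s*:\s*)*$', re.I)


def ip_links(text):
    """Return bare-IP URLs found in a text body."""
    return [m.group(0) for m in IP_URL.finditer(text)]


def triage(raw):
    """Parse one RFC 822 message and return a dict of Storm-style indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get('Subject', ''))
    mailer = str(msg.get('X-Mailer', ''))
    links, mp3s = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename() or ''
        ctype = part.get_content_type()
        if fname.lower().endswith('.mp3') or ctype == 'audio/mpeg':
            mp3s.append(fname)
        elif ctype.startswith('text/'):
            links.extend(ip_links(part.get_content()))
    suspicious = bool(links) or (bool(mp3s) and bool(EMPTY_SUBJECT.match(subject)))
    return {'subject': subject, 'x_mailer': mailer, 'ip_links': links,
            'mp3_attachments': mp3s, 'suspicious': suspicious}


# Constructed samples (not real captures).
KRACKIN = """From: someone@example.com
To: victim@example.com
Subject: re: krackin is released
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Content-Type: text/plain

New Sharing network goes live. Check out Krackin here.
http://203.0.113.5/
"""

MP3_LURE = """From: someone@example.com
To: victim@example.com
Subject: Fwd:
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: audio/mpeg; name="coolringtone.mp3"
Content-Disposition: attachment; filename="coolringtone.mp3"
Content-Transfer-Encoding: base64

SUQzAwAAAAAA
--b1--
"""

BENIGN = """From: friend@example.com
To: victim@example.com
Subject: lunch?
Content-Type: text/plain

Want to grab lunch? Menu at http://www.example.com/menu
"""

if __name__ == '__main__':
    for name, raw in (('krackin', KRACKIN), ('mp3', MP3_LURE), ('benign', BENIGN)):
        print(name, triage(raw))
```

The X-Mailer is recorded rather than matched on, since the post notes it changes with each Storm iteration; the bare-IP link and the subjectless MP3 are the stable signals.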

Thursday, October 11, 2007

Kitties say Storm is better than catnip!

Just when I think there's nothing new going on with Storm, in fly a few new e-mails. This time it has similar content to before, but with the hook being a cute, crazy kitty cat.

Subject: You have just received an ecard.
Body: Check out the original Crazy Cat Card. It is too funny for words.
http://75.4.70.217/


Subject: Check out your ecard.
Body: Click here to view your laughing kitty card online. http://74.138.11.91/


Subject: You've got a greeting just for you!
Body: Please click here to view your Crazy Kitty Card Online.
http://99.162.220.182/

Here's a screenshot of the page:

After looking at the source and downloading the Flash animation (the cat), I used Flare to extract any scripts. I found that the original file came from http://www.superlaugh.com/1/catnip.swf. Both files were the same size, but the MD5s did not match.

movie 'catnip.swf' {
  // flash 4, total frames: 127, frame rate: 12 fps, 360x450 px
  frame 1 {
    ifFrameLoaded (4) {
      gotoAndPlay(3);
    }
  }
  frame 2 {
    gotoAndPlay(1);
  }
  movieClip 5 {
  }
  button 7 {
    on (release) {
      getURL('http://www.superlaugh.com', '_top');
    }
  }
  movieClip 14 {
  }
  frame 125 {
    gotoAndPlay(3);
  }
}
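Same size, different MD5, and Flare shows nothing but a getURL: the next question is where the bytes actually differ. Below is an added comparison script of mine (not from the post, and it makes no claim about what changed in the real catnip.swf): it reads each SWF's header, inflates the body if the file is a zlib-compressed CWS, and lists the offsets in the uncompressed body that differ so they can be looked up in a decompiler. The two SWFs it compares are constructed stand-ins, not the real files.

```python
"""Locate where two same-size SWFs differ (added example, not code from the post).

Reads the SWF header (signature, version, declared length), handles the
compressed CWS form, and returns the body offsets that differ.  The two
"movies" below are constructed test data, not real Flash files.
"""
import hashlib
import struct
import zlib


def swf_body(data):
    """Return (signature, version, declared_len, uncompressed_body) for an SWF blob."""
    if len(data) < 8:
        raise ValueError('too short to be an SWF')
    sig, version = data[:3], data[3]
    length = struct.unpack('<I', data[4:8])[0]
    if sig == b'FWS':
        body = data[8:]
    elif sig == b'CWS':            # zlib-compressed from byte 8 onward (SWF 6+)
        body = zlib.decompress(data[8:])
    else:
        raise ValueError('not an SWF: bad signature %r' % sig)
    # The declared length covers the 8-byte header plus the uncompressed body.
    if length != 8 + len(body):
        raise ValueError('declared length %d != actual %d' % (length, 8 + len(body)))
    return sig.decode(), version, length, body


def diff_offsets(a, b):
    """Offsets (within the uncompressed body) where two SWF bodies differ."""
    n = max(len(a), len(b))
    return [i for i in range(n) if i >= len(a) or i >= len(b) or a[i] != b[i]]


def compare(original, suspect):
    """Summarise how a downloaded SWF differs from the file it was copied from."""
    oa, ob = swf_body(original), swf_body(suspect)
    return {
        'md5_match': hashlib.md5(original).hexdigest() == hashlib.md5(suspect).hexdigest(),
        'size_match': len(original) == len(suspect),
        'version': (oa[1], ob[1]),
        'differing_offsets': diff_offsets(oa[3], ob[3]),
    }


def make_swf(body, version=4, compress=False):
    """Wrap an arbitrary body in a minimal SWF header (constructed test data)."""
    header = struct.pack('<I', 8 + len(body))
    if compress:
        return b'CWS' + bytes([version]) + header + zlib.compress(body)
    return b'FWS' + bytes([version]) + header + body


# Constructed: an "original" and a copy of identical size with one body byte changed.
_PREFIX = b'\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00'
ORIGINAL = make_swf(_PREFIX + b'\x00' * 16)
SUSPECT = make_swf(_PREFIX + b'\x00' * 10 + b'\x01' + b'\x00' * 5)

if __name__ == '__main__':
    print(compare(ORIGINAL, SUSPECT))
```

Offsets are reported relative to the uncompressed body, which is what a decompiler works on; for a CWS file the raw on-disk offsets would be meaningless after inflation.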

The links on the page all go to SuperLaugh.exe, which was caught by 70% of the scan engines on VirusTotal. Obfuscated JavaScript was found at the bottom, just like in some previous versions. It looked to be the same exploits that have been used on and off since I first started looking into Storm a month or two ago.
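For the obfuscated script at the bottom of these pages, the first pass is always the same: pull out each script block, see whether it leans on unescape/eval/String.fromCharCode with long escaped strings, and decode the outermost escaping layer so the next layer becomes readable. Below is an added example of that pass; it is my code, not the post's, and the page it runs on is constructed for the example and carries no exploit, just a %xx-escaped document.write.

```python
"""First-pass triage of a lure page's script blocks (added example, not from the post).

Extracts <script> bodies, scores them on the loader indicators Storm pages used
(unescape/eval/String.fromCharCode/document.write plus long %xx or \\xNN escaped
runs) and decodes the outer escaping layer.  The HTML below is constructed.
"""
import re
import urllib.parse

SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
# A run of at least twenty %xx or \xNN escapes: a string built for unescape().
ESCAPED_RUN = re.compile(r'(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){20,}')
INDICATORS = ('unescape(', 'eval(', 'String.fromCharCode(', 'document.write(')


def script_blocks(html):
    """Return the body of every <script> element in the page."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def obfuscation_score(js):
    """Count indicator hits; each escaped-string run counts once."""
    score = sum(js.count(ind) for ind in INDICATORS)
    return score + len(ESCAPED_RUN.findall(js))


def _decode_run(m):
    run = m.group(0)
    if run.startswith('%'):
        return urllib.parse.unquote(run)
    return run.encode('ascii').decode('unicode_escape')


def first_layer(js):
    """Replace escaped runs with what unescape() would produce from them."""
    return ESCAPED_RUN.sub(_decode_run, js)


def triage_page(html, threshold=2):
    """Return the script blocks that look obfuscated, with their outer layer decoded."""
    out = []
    for js in script_blocks(html):
        score = obfuscation_score(js)
        if score >= threshold:
            out.append({'score': score, 'decoded': first_layer(js)})
    return out


# Constructed page: an image dir like the post's, a download link, and one
# escaped script that only does document.write('hello') once decoded.
PAGE = """<html><body>
<object data="/img/catnip.swf"></object>
<a href="/SuperLaugh.exe">Download</a>
<script>
var s = unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%68%65%6c%6c%6f%27%29");
eval(s);
</script>
<script>var x = 1;</script>
</body></html>
"""

if __name__ == '__main__':
    for hit in triage_page(PAGE):
        print(hit['score'])
        print(hit['decoded'])
```

The threshold is deliberately low: a page that ends in a single unescape/eval pair deserves a look regardless of what else is on it, and the decoded text is what goes into the next round, by hand or by running it in an instrumented interpreter.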

Also, all the images, including the kitty Flash file, were sourced from the "/img" directory, but directory listing was disabled.