
Archive for December, 2007


Dec30
by Paul Ferguson (Advanced Threats Researcher)

The Storm Worm (a.k.a. NuWar) keeps bringing foul year-end weather to email inboxes this week, determined to usher the new year in with a bang.

The spammed message may be as simple as this:

First, don’t click on that link.

In fact, it may be a good idea to be suspicious of any email arriving in your inbox that wishes you New Year’s greetings, especially if it asks you to click on a link to retrieve it.

What makes these malware domains difficult to take down is the way these criminals have deployed them, and the clever way they maximized their “window of opportunity” by timing the campaign against registrar operating hours during the end-of-year holiday.

As you can see from the partial screenshot above, newyearwithlove.com is hosted on a “double flux” fast-flux network of Storm-infected PCs: both the hostnames the victims are sent to and the domain’s own nameservers resolve to a constantly changing set of infected hosts, so there is no stable IP address to “swat.” The only effective remedy is to take down and disable the malicious domain itself at the registrar. This is the technical part of the methodology I mentioned above.
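To make the “double flux” point concrete, here is an added example (not from the original post and not Trend Micro’s tooling) that scores a series of DNS lookups for fast-flux behaviour. Single flux rotates the A records of the malicious hostname; double flux additionally rotates the A records of the domain’s own nameservers. The lookups, the domain names and the thresholds are all constructed for the example; none of them are real resolutions for newyearwithlove.com.

```python
"""
Heuristic fast-flux scorer (added example, not the original post's code).
Single flux: the hostname's A records churn.  Double flux: the nameservers'
A records churn as well.  All data below is constructed sample data.
"""
import ipaddress
from collections import defaultdict

# One DNS query as observed over time: (qname, rtype, ttl, answers).
# Constructed: short TTLs, answers spread across several /16s, and the
# nameservers' own addresses changing between queries.
CONSTRUCTED_DOUBLE_FLUX = [
    ("bad.example", "A", 300, ["198.51.100.7", "203.0.113.42", "192.0.2.99"]),
    ("bad.example", "A", 300, ["198.51.100.7", "192.0.2.15", "203.0.113.8"]),
    ("bad.example", "A", 300, ["192.0.2.201", "198.51.100.77", "203.0.113.120"]),
    ("bad.example", "NS", 300, ["ns1.bad.example", "ns2.bad.example"]),
    ("ns1.bad.example", "A", 300, ["192.0.2.33"]),
    ("ns1.bad.example", "A", 300, ["203.0.113.200"]),
    ("ns2.bad.example", "A", 300, ["198.51.100.150"]),
    ("ns2.bad.example", "A", 300, ["192.0.2.250"]),
]

# Constructed: a normally hosted domain with long TTLs and fixed addresses.
CONSTRUCTED_STABLE = [
    ("good.example", "A", 86400, ["203.0.113.5"]),
    ("good.example", "A", 86400, ["203.0.113.5"]),
    ("good.example", "A", 86400, ["203.0.113.5"]),
    ("good.example", "NS", 86400, ["ns1.good.example"]),
    ("ns1.good.example", "A", 86400, ["203.0.113.53"]),
    ("ns1.good.example", "A", 86400, ["203.0.113.53"]),
]

# Thresholds are assumptions for this example, not figures from the post.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_PREFIXES = 3
MAX_FLUX_TTL = 600


def _rounds(lookups):
    """Group successive answer sets by (qname, rtype), keeping query order."""
    grouped = defaultdict(list)
    for qname, rtype, ttl, answers in lookups:
        key = (qname.lower(), rtype.upper())
        grouped[key].append((ttl, frozenset(a.lower() for a in answers)))
    return grouped


def _changes(rounds):
    """Count consecutive queries whose answer set differed from the previous one."""
    return sum(1 for prev, cur in zip(rounds, rounds[1:]) if prev[1] != cur[1])


def flux_features(lookups, domain):
    """Extract the signals a fast-flux heuristic looks at for one domain."""
    grouped = _rounds(lookups)
    a_rounds = grouped.get((domain.lower(), "A"), [])
    ips = set().union(*(ans for _, ans in a_rounds))
    # /16 diversity stands in for ASN diversity when no BGP data is at hand.
    prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
    ns_hosts = set().union(*(ans for _, ans in grouped.get((domain.lower(), "NS"), [])))
    ns_changes = sum(_changes(grouped.get((ns, "A"), [])) for ns in ns_hosts)
    return {
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min((ttl for ttl, _ in a_rounds), default=None),
        "a_changes": _changes(a_rounds),
        "ns_changes": ns_changes,
    }


def classify(lookups, domain):
    """Return 'stable', 'single-flux' or 'double-flux' for the domain."""
    f = flux_features(lookups, domain)
    fluxing = (
        f["distinct_ips"] >= MIN_DISTINCT_IPS
        and f["distinct_prefixes"] >= MIN_DISTINCT_PREFIXES
        and f["min_ttl"] is not None
        and f["min_ttl"] <= MAX_FLUX_TTL
        and f["a_changes"] >= 1
    )
    if not fluxing:
        return "stable"
    return "double-flux" if f["ns_changes"] >= 1 else "single-flux"


if __name__ == "__main__":
    for name, data in (("bad.example", CONSTRUCTED_DOUBLE_FLUX),
                       ("good.example", CONSTRUCTED_STABLE)):
        print(name, classify(data, name), flux_features(data, name))
```

The practical consequence is the one the post draws: once a domain classifies as double-flux, blocking individual addresses is pointless, because even the nameservers move; the remaining levers are the domain itself (registrar) and detection of the payload.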

As to contacting the registrar where this domain was initially registered — well, that’s where the second part of the “cleverness of maximizing their window of opportunity” comes into play. As Richard Cox of Spamhaus pointed out on the Botnets mailing list, the criminals who planned this attack were indeed clever — they ran all their malware domains (which the victims click on to download their “greeting cards”) on fast-flux botnet hosting, relying on the Russian ccTLD Registrar NIC.ru to do the updates.

Unfortunately for all of us, NIC.ru is closed for Christmas and New Year — not returning until 9 January 2008.

Many people have tried to contact NIC.ru, both by telephone (during their advertised business hours) and by e-mail, but NIC.ru does not reply. Ten or so more days of availability — at the very least — will more than likely contribute to these criminals building an even larger botnet, capable of immense badness.

These criminal operatives are big trouble, and these sorts of tactics and techniques have made the Storm botnet the “Energizer Bunny” of botnets — it just keeps going, and going, and going…

In any event, Trend Micro customers are protected — we are working over the holidays to ensure that we keep a close eye on these guys and to ensure that we provide detection for each variation of this (and undoubtedly more to come) malware and Web threats.

 

Dec30
by JM Hipolito (Technical Communications)

It’s the season of giving and unfortunately, malware authors are feeling generous.

A Trojan detected by Trend Micro as TROJ_PPDROP.K is being spammed through email as a PowerPoint slideshow with the filename Merry Christmas.pps-1. When the user opens the file, it exploits an older, known vulnerability in unpatched Microsoft Excel versions — which then extracts and executes another file, Merry Christmas.exe-1 — detected as BKDR_AGENT.ADGS.

This backdoor then injects into Outlook Express, gathering email account credentials and webmail logins, which it then sends to a specific email address.

Trend Micro highly recommends that Microsoft Windows users regularly and promptly install security patches for their operating system as well as for Microsoft Office and other third-party applications, to avoid being affected.

Also, it is always a good idea to be cautious when handling unsolicited mail and its attachments.

 

Dec27
by Mayee Corpin (Technical Communications)

Cybercriminals wasted no time riding on the tragic and shocking news of former Pakistan Prime Minister Benazir Bhutto’s assassination, as Websense discovered a number of malicious Web sites that came up on Google search results using the simple search term “benazir.” These sites attempt to infect users who want to know more about the unfortunate incident.

TrendLabs researchers found that one of the sites in question indeed has an embedded malicious JavaScript redirect, which Trend Micro detects as JS_AGENT.AEVE.

The malicious script downloads a Trojan (already detected as TROJ_SMALL.LDZ), which in turn downloads more malicious files, namely WORM_HITAPOP.O and TROJ_AGENT.AFFR.

A graphical representation of this routine is as follows:

Upon further investigation, however, TrendLabs found that there is a host of other news sites and blogs taking advantage of this news.

Moreover, the malicious JavaScript is apparently not exclusive to news sites; it is also present in other Web sites covering a broad range of topics and interests. Many other sites appear to have been compromised (or at least include the malicious JavaScript), including Autoworld, Vino, Dogpile, MSN, BlogSpot (yes, again), etc.

According to Trend Micro Advanced Threats Researcher Paul Ferguson, searching for the URL of this same malicious JavaScript yields 4,240 results. Narrowing the search to also include “benazir” yields only 103 results.
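The reason one search for the script URL turns up thousands of unrelated pages is that a single injected loader is referenced from every compromised site. As an added example (not part of the original post, and not TrendLabs’ tooling), the script below triages saved HTML pages the same way: it lists every off-site script or iframe a page pulls in, flags those on a watchlist or hidden from view, and counts how many pages share each URL. The pages and the loader URL are constructed; the post does not give the real script URL.

```python
"""
Injected-script triage for saved pages (added example, not the post's code).
Off-site scripts are normal (CDNs), so a page is flagged only when the
reference is on a watchlist or is a zero-size/hidden iframe; the per-URL
count shows how widely one injected loader is shared.  All HTML and the
loader URL below are constructed.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical injected loader; stands in for the real one, which the post omits.
WATCHLIST = {"http://loader.example-bad.invalid/js.js"}

CONSTRUCTED_PAGES = {
    "http://news.example/benazir-bhutto": """
        <html><head><title>Bhutto assassinated</title>
        <script src="/static/site.js"></script>
        <script src="http://loader.example-bad.invalid/js.js"></script>
        </head><body><p>...</p></body></html>""",
    "http://blog.example/recipes": """
        <html><body><p>Christmas dinner</p>
        <iframe src="http://loader.example-bad.invalid/js.js" width="0" height="0"></iframe>
        </body></html>""",
    "http://clean.example/": """
        <html><head><script src="https://cdn.clean.example/app.js"></script></head>
        <body>nothing to see</body></html>""",
}


class ExternalRefParser(HTMLParser):
    """Collect (tag, absolute URL, is_hidden) for every script/iframe src."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = tag == "iframe" and (
            a.get("width") == "0" or a.get("height") == "0" or "display:none" in style
        )
        self.refs.append((tag, urljoin(self.page_url, src), hidden))


def offsite_refs(page_url, html):
    """Return script/iframe refs whose host differs from the page's own host."""
    parser = ExternalRefParser(page_url)
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    return [r for r in parser.refs if urlsplit(r[1]).hostname != own_host]


def triage(pages, watchlist=WATCHLIST):
    """Per-page suspicious refs, plus how many pages reference each off-site URL."""
    findings, url_counts = {}, Counter()
    for page_url, html in pages.items():
        hits = []
        for tag, url, hidden in offsite_refs(page_url, html):
            url_counts[url] += 1
            if url in watchlist or hidden:
                hits.append((tag, url, hidden))
        findings[page_url] = hits
    return findings, url_counts


if __name__ == "__main__":
    found, counts = triage(CONSTRUCTED_PAGES)
    for page, hits in found.items():
        print(page, hits)
    print(counts.most_common())
```

Run over a crawl, the `url_counts` table is the equivalent of the search-engine count in the post: a URL referenced from many unrelated hosts, especially from hidden iframes, is the injected loader, and its count is a rough measure of how many sites are compromised.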

All related malicious URLs are already blocked by the Content Security Team and are thus inaccessible to Trend Micro customers.

 

Dec27
by Ryan Flores (Advanced Threats Researcher)

We discovered more holiday mischief while further digging into fake codecs, which Sunbelt most recently blogged about.

Poisonous Blogs

As discovered by Sunbelt, certain Google queries may lead you to certain blog sites that require the download of a “codec” that is actually a variant of the ZLOB malware.

These blogs seem to be recently created; entries were all posted just this December.

Blog titles revolve around topics related to Christmas such as Santa Claus and Christmas movies, but the scope is also extended to Christmas-related activities, such as cooking (recipes of Christmas dinner?), road conditions (traveling to spend the holidays with in-laws, relatives, or friends?), and gadgets (as gift items?).

Some topics outside the holidays revolve around sports, celebrities, and digital media.

Blog titles can be as broad as “wheres santa” or as specific as “is walmart open on Christmas day.”

These blog entry topics are obviously chosen to suit specific searches that Internet users the world over are making these days.

In order to increase their search engine result ranking (SEO poisoning), the blog entries’ bodies are composed of sentences containing the search keywords/blog entry title.

These sentences seem to be sourced from various sites and it is highly possible that the perpetrators used Web scrapers to fill the contents.

Screenshot of SEO poisoned blog

As of this writing, there are probably thousands of blog sites that use this modus operandi. Just to give you an idea on how large this might be, here are some of the sites we discovered (emphasis ours):

  • f-video(dot)blogspot
  • f-videoa(dot)blogspot
  • f-videob(dot)blogspot
  • f-videoc(dot)blogspot

up to…

  • f-videoz(dot)blogspot

and…

  • tv-videoa(dot)blogspot
  • tv-videob(dot)blogspot
  • tv-videoc(dot)blogspot

up to…

  • tv-videoz(dot)blogspot

The middle-men

No matter how numerous the blog sites involved, they all redirect to one of these four domains when the user clicks on the play button: siski.cn, obebos.cn, somemisc.info, and video.googl.name. Here are the pages the user will encounter when redirected to any of the four sites:

OBEBOS.CN and SISKI.CN

SOMEMISC.INFO

VIDEO.GOOGL.NAME

Of the four, video.googl.name is the most interesting because it pretends to be a video repository site (notice the search box on the top right corner of the page).

The amazing thing about video.googl.name is that it “contains” every video you could ever want: whatever you type into the search feature, the site always returns a result, which of course requires you to download a “codec” to play.

Messing around with the site, an absolutely absurd search for “TARANTELLABEERMANIA PARTYGATECRASHER” will incredibly give this result. Beat that!

Finally, the “codec”!

“TARANTELLABEERMANIA PARTYGATECRASHER”

The actual download of the “codec” will only happen should the user decide to click the Continue button.

Both obebos.cn and siski.cn will point the user to shockbabetv(dot)com to download the ZLOB Trojan, while somemisc.info and video.googl.name will download the ZLOB Trojan from 82(dot)103(dot)137(dot)14.

Shockbabetv(dot)com already has a history of hosting these ZLOB Trojans, while 82(dot)103(dot)137(dot)14 is somewhat new, as we’ve seen it only this December.

 

Dec27
by Paul Ferguson (Advanced Threats Researcher)

Seeing how this is my first post to the Trend Micro malware blog, it is with some regret that it involves a renewed, year-end effort to increase the size of perhaps the most prolific botnet on the planet.

There appear to be two separate ongoing issues with malicious content and Blogger, the free Google blogging service.

The first, which has been ongoing but seems to have been renewed with a vengeance, is the “fake video” lure: the page requires the user to install a new codec, which in turn infects them with a ZLOB Trojan.

My colleagues over at Sunbelt Software blogged about this yesterday here.

However, in the past 24 hours hundreds of blogs seem to have appeared that each carry a single link to a set of fast-flux servers that infect the user with the Storm Worm (a.k.a. NuWar; Trend Micro detects this as WORM_NUCRP.GEN). These “blogs” contain nothing more than a reference to “…Wishing You a Happy New Year…” or something similar, and a link to one of the server names that will infect the user with the Storm Worm.

Some of the “blogs” appear to be legitimate, some don’t — it’s hard to say. It’s also difficult to determine whether these are older blogs that haven’t been updated in a while (and somehow unauthorized access was gained to them), or perhaps bad guys just created a bunch of bogus blogs and planted this stuff, or what.

In any event, if you see any links like the ones in the partial screenshot above, don’t click on them.

And take a quick second or two to report them to Google as malicious.

Let’s have a safe & Happy New Year out there!

- Paul “Fergie” Ferguson, Advanced Threats Research

 


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice