The Storm Worm (a.k.a. NuWar) keeps bringing foul year-end weather to email inboxes this week, determined to usher the new year in with a bang.
The spammed message may be as simple as this:
First, don’t click on that link.
In fact, it may be a good idea to be suspicious of any email arriving in your inbox that wishes you New Year’s greetings, especially if it asks you to click on a link to retrieve it.
What makes these malware domains difficult to take down is the way these criminals deployed them, combined with how cleverly they timed the campaign to maximize their "window of opportunity" against registrar operating hours over the end-of-year holiday.
As you can see from the partial screenshot above, newyearwithlove.com is hosted on a "double flux" fast-flux network: both the A records that resolve the domain and the nameservers authoritative for it point at Storm-infected PCs, and both sets of records rotate continuously. Blocking any individual host therefore accomplishes little, and the only effective way to "swat" it is to take down and disable the malicious domain itself. This is a portion of the complex technical methodology I mentioned above.
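To make the double-flux point concrete, here is an added example (not code from the original post or from Trend Micro) that scores a series of DNS observations for the hallmarks described above: the domain's A records and its NS records both rotating through many unrelated addresses with short TTLs. The observations, the IP addresses (taken from documentation ranges) and the nameserver names are constructed for the example; in practice you would populate them from repeated `dig +noall +answer <domain> A` and `NS` queries over a few minutes, and a fuller check would also resolve each NS name and apply the same network-spread test to those addresses. The thresholds are assumptions chosen for illustration, not published cut-offs.

```python
"""Score DNS observations for double-flux hosting.

Added example, not from the original post or Trend Micro. Feed it repeated
A and NS lookups of a suspect domain; it reports how many distinct answers
appeared, how often the answer set changed, the lowest TTL seen, and how
many unrelated /16 networks the A records span.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations: (seconds since first query, record type, TTL, rdata).
# IPs come from RFC 5737 documentation ranges; nameserver names are invented.
FLUX_OBSERVATIONS = [
    (0,   "A",  30, "203.0.113.17"),
    (0,   "A",  30, "198.51.100.201"),
    (0,   "NS", 60, "ns1.example-flux.test"),
    (0,   "NS", 60, "ns2.example-flux.test"),
    (60,  "A",  30, "192.0.2.44"),
    (60,  "A",  30, "203.0.113.250"),
    (60,  "NS", 60, "ns3.example-flux.test"),
    (60,  "NS", 60, "ns1.example-flux.test"),
    (120, "A",  30, "198.51.100.9"),
    (120, "A",  30, "192.0.2.199"),
    (120, "NS", 60, "ns4.example-flux.test"),
    (120, "NS", 60, "ns5.example-flux.test"),
]

# Constructed observations for a conventionally hosted domain, for contrast.
STABLE_OBSERVATIONS = [
    (0,   "A",  3600,  "192.0.2.10"),
    (0,   "NS", 86400, "ns1.example.test"),
    (0,   "NS", 86400, "ns2.example.test"),
    (60,  "A",  3540,  "192.0.2.10"),
    (60,  "NS", 86340, "ns1.example.test"),
    (60,  "NS", 86340, "ns2.example.test"),
    (120, "A",  3480,  "192.0.2.10"),
    (120, "NS", 86280, "ns1.example.test"),
    (120, "NS", 86280, "ns2.example.test"),
]


def _summarise(records, ttl_max, min_distinct):
    """Return (distinct rdata, min TTL, churn, fluxing) for one record type.

    churn counts the snapshots after the first that introduced rdata never
    seen before; a static answer set has churn 0.
    """
    seen, churn = set(), 0
    for t in sorted({t for t, _, _ in records}):
        current = {rdata for tt, _, rdata in records if tt == t}
        if seen and not current <= seen:
            churn += 1
        seen |= current
    min_ttl = min((ttl for _, ttl, _ in records), default=None)
    fluxing = (
        len(seen) >= min_distinct
        and churn >= 1
        and min_ttl is not None
        and min_ttl <= ttl_max
    )
    return seen, min_ttl, churn, fluxing


def flux_indicators(observations, a_ttl_max=300, ns_ttl_max=3600, min_distinct=3):
    """Classify observations as 'stable', 'single-flux' or 'double-flux'.

    Thresholds are assumptions for this example, not published cut-offs:
    single flux = A records rotate with short TTLs across unrelated networks;
    double flux = the NS records rotate as well.
    """
    by_type = defaultdict(list)
    for t, rtype, ttl, rdata in observations:
        by_type[rtype].append((t, ttl, rdata))

    a_set, a_min_ttl, a_churn, a_flux = _summarise(by_type["A"], a_ttl_max, min_distinct)
    ns_set, ns_min_ttl, ns_churn, ns_flux = _summarise(by_type["NS"], ns_ttl_max, min_distinct)

    # A /16 is a crude stand-in for "different network"; real tooling would
    # map each IP to its ASN, since a botnet spans many consumer ISPs.
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in a_set}
    a_flux = a_flux and len(prefixes) >= 2

    if a_flux and ns_flux:
        verdict = "double-flux"
    elif a_flux:
        verdict = "single-flux"
    else:
        verdict = "stable"

    return {
        "distinct_a": len(a_set),
        "a_prefixes": len(prefixes),
        "a_min_ttl": a_min_ttl,
        "a_churn": a_churn,
        "distinct_ns": len(ns_set),
        "ns_min_ttl": ns_min_ttl,
        "ns_churn": ns_churn,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, obs in (("flux sample", FLUX_OBSERVATIONS), ("stable sample", STABLE_OBSERVATIONS)):
        print(name, flux_indicators(obs))
```

The distinguishing signal is not any single low TTL (plenty of legitimate CDNs use those) but the combination: many distinct answers, answer sets that keep changing between snapshots, addresses spread across unrelated networks, and the same pattern showing up on the NS records. That last item is what makes a domain "double flux" and is why per-IP blocking never catches up with it.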
As to contacting the registrar where this domain was initially registered — well, that’s where the second part of the “cleverness of maximizing their window of opportunity” comes into play. As Richard Cox of Spamhaus pointed out on the Botnets mailing list, the criminals who planned this attack were indeed clever — they ran all their malware domains (which the victims click on to download their “greeting cards”) on fast-flux botnet hosting, relying on the Russian ccTLD Registrar NIC.ru to do the updates.
Unfortunately for all of us, NIC.ru is closed for Christmas and New Year — not returning until 9 January 2008.
Many people have tried to contact NIC.ru, both by telephone (during their advertised business hours) and by e-mail, but NIC.ru does not reply. Ten or so more days of availability — at the very least — will more than likely contribute to these criminals building an even larger botnet, capable of immense badness.
These criminal operatives are big trouble, and these sorts of tactics and techniques have made the Storm botnet the “Energizer Bunny” of botnets — it just keeps going, and going, and going…
In any event, Trend Micro customers are protected — we are working over the holidays to ensure that we keep a close eye on these guys and to ensure that we provide detection for each variation of this (and undoubtedly more to come) malware and Web threats.