Tuesday, July 29, 2008

FBI & Facebook: Storm Worm gets it all wrong!

The newest version of Storm is out again . . . this time making claims about the FBI and Facebook.

The virus-laden website looks like this:



The subjects of the spam email messages, according to UAB's Spam Data mine, include:

F.B.I. agents patrol Facebook
F.B.I. busts alleged Facebook
F.B.I. Facebook Records
F.B.I. Looks Into Facebook
F.B.I. may strike Facebook
F.B.I. on the Hunt for Facebook users
F.B.I. tries to fight Facebook
F.B.I. wants instant access to Facebook
F.B.I. Watching Hezbollah in Facebook
F.B.I. Watching Possible Terrorists on Facebook
F.B.I. watching us
F.B.I. watching you
Facebook Coming Under F.B.I. Scrutiny
Facebook Coming Under FBI Scrutiny
Facebook's F.B.I. ties
Facebook's FBI ties
FBI bypasses Facebook to nail you
FBI can watch our conversation through Facebook
FBI Facebook Crime Survey
FBI Facebook Records
FBI Looks Into Facebook
FBI may strike Facebook
FBI on the Hunt for Facebook users
FBI tries to fight Facebook
FBI wants instant access to Facebook
FBI Watching Hezbollah in Facebook
FBI Watching Possible Terrorists on Facebook
Get Facebook's F.B.I. Files
Get Facebook's FBI Files
The F.B.I. has a new way of tracking Facebook

Although the earliest versions of the spam pointed to websites by their domain name, including:

CAUTION! VIRUS SITES BELOW!



http://BestValueNews.com/
http://CompanyNewsNetwork.com/
http://FedNewsWorld.com/
http://GoodNewsGames.com/
http://SmartNewsRadio.com/
http://StockLowNews.com/
http://ToplessDailyNews.com/
http://ToplessNewsRadio.com/
http://WapDailyNews.com/

The most recent versions used an IP address instead, such as:

http://24.12.169.217/ Comcast (Chicago)
http://24.152.149.120/ Earthlink
http://24.207.187.180/ Charter Cable
http://64.53.204.29/ WideOpenWest (Naperville, Illinois)
http://67.33.128.195/ AT&T (Atlanta)
http://67.36.183.52/ AT&T (Chicago)
http://68.191.113.190/ Charter Cable
http://68.23.168.178/ AT&T (Chicago)
http://68.51.193.78/ Comcast (Savannah, GA)
http://69.154.54.244/ AT&T (Texas)
http://69.246.107.179/ Comcast (Michigan)
http://70.121.49.136/ Road Runner
http://75.48.238.18/ AT&T (Kalamazoo, Michigan)
http://75.72.106.94/ Comcast (Minnesota)
http://166.82.171.132/ Windstream (Little Rock, Arkansas)
http://208.104.248.17/ Rock Hill Telephone Company (Rock Hill, SC)
http://208.126.51.68/ Butler-Bremer Mutual Telephone (netINS, Inc)

As with most emerging viruses, coverage for this malware in the anti-virus community is quite pathetic at the moment. They will certainly catch up soon, but the current scan at VirusTotal revealed only SIX of Thirty-Three AV products could detect this virus. Detection was not present for any of the leading AV products, including McAfee, Symantec, and Trend Micro. Microsoft also fails to detect at this time.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.