
New Storm Campaign and Domains

Now I am not a tracker of Storm campaigns or binaries, just a casual binary analyst, but today, while running a Storm gateway for research purposes, I found some new domains going along with the revisited love theme and its postcard.exe.

worldpostcardart.com
superlettercard.com
yourlettercard.com
freepostcardonline.com
digitalaudiopostcard.com
lettercardadvertising.com
bestlettercard.com
audiopostcardmail.com
supergreetingcard.com
oldpostcardshop.com

While all of the above domains were created on August 2nd, the following domain provides their name servers and was created on July 28th:

brprbgok6.com

Digging these domains returns one IP with a TTL of 60 seconds, indicating fast-flux. I have not investigated earlier campaigns, but I wondered why only one IP was returned; typically with fast-flux, a whole bunch of short-lived IPs is returned for one domain name.
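A small check for the fast-flux question raised above, as an added example that is not part of the original post: it parses `dig +noall +answer` output collected over repeated lookups and flags a domain only when the TTL is short and several distinct A records appear, so the single-IP, 60-second case described here comes out as "short TTL, low churn" (suspicious but not conclusive) rather than as fast-flux. The dig lines are constructed for the example with TEST-NET addresses; they are not the answers observed for these domains.

```python
import re
from collections import defaultdict

# Constructed sample in the format `dig +noall +answer <name>` prints, as if
# collected across several lookups a minute apart. The IPs are TEST-NET
# placeholders, not the addresses the campaign domains actually resolved to.
SAMPLE_DIG_OUTPUT = """\
superlettercard.com.    60      IN      A       203.0.113.7
superlettercard.com.    60      IN      A       203.0.113.7
superlettercard.com.    60      IN      A       203.0.113.7
brprbgok6.com.          60      IN      A       198.51.100.10
brprbgok6.com.          60      IN      A       198.51.100.44
brprbgok6.com.          60      IN      A       192.0.2.91
brprbgok6.com.          60      IN      A       198.51.100.10
brprbgok6.com.          60      IN      A       192.0.2.133
example.org.            86400   IN      A       203.0.113.200
"""

# One answer-section line: name, TTL, class IN, record type, rdata.
DIG_ANSWER = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)$"
)


def parse_dig_answers(text):
    """Parse dig answer-section lines into (name, ttl, rtype, rdata) tuples.

    Comment lines (starting with ';') and blank lines are skipped; the trailing
    dot of the owner name is dropped so the same domain keys one bucket.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DIG_ANSWER.match(line)
        if m:
            records.append(
                (m["name"].rstrip(".").lower(), int(m["ttl"]), m["type"], m["rdata"])
            )
    return records


def classify_fast_flux(records, ttl_threshold=300, min_distinct_ips=3):
    """Return {domain: verdict} using two fast-flux heuristics together.

    'fast-flux'          : every observed TTL <= ttl_threshold AND at least
                           min_distinct_ips different A records were seen.
    'short-ttl-low-churn': short TTL but too few distinct IPs (the post's case,
                           a single IP at TTL 60: worth a second look, not proof).
    'normal'             : TTL above the threshold.
    The thresholds are assumptions for the example, not values from the post.
    """
    ttls = defaultdict(set)
    ips = defaultdict(set)
    for name, ttl, rtype, rdata in records:
        if rtype != "A":
            continue
        ttls[name].add(ttl)
        ips[name].add(rdata)

    verdicts = {}
    for name in ips:
        short_ttl = max(ttls[name]) <= ttl_threshold
        churn = len(ips[name]) >= min_distinct_ips
        if short_ttl and churn:
            verdicts[name] = "fast-flux"
        elif short_ttl:
            verdicts[name] = "short-ttl-low-churn"
        else:
            verdicts[name] = "normal"
    return verdicts


if __name__ == "__main__":
    for domain, verdict in sorted(classify_fast_flux(parse_dig_answers(SAMPLE_DIG_OUTPUT)).items()):
        print(f"{domain:25s} {verdict}")
```

To feed it live data, append the output of `dig +noall +answer <domain>` to a file every minute for a while and pass the file's contents to `parse_dig_answers`; a single lookup cannot show churn, which is exactly why one answer with a 60-second TTL is only a hint.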

The campaign’s website is kept simple:

Your download will start shortly. If you are unable to see your postcard, save it in and run on your computer.

The binary's anti-virus detection rate is 19/36 (52.78%).

As I am the first to blog about this and as I am currently not running a Storm spambot, I guess we need to wait for Jeremy to fire up his automated extraction scripts for more insight into the respective spam messages ;)

Update Aug 6th: Today I found more information on the spam messages at the Trend Micro Blog: http://blog.trendmicro.com/storm-uses-old-bait/.
Took them some time though…

9 Responses to “New Storm Campaign and Domains”

  1. Anne Says:

    I’m glad I found this blog. I got one of these e-cards today and they told me to go to superlettercardDOTcom to see it.

    I was suspicious, because my neighbours don’t send me e-cards. :) So, no harm done.

  2. Erwin Says:

    Today I received a harmless looking email with the message that my flatmate has sent me an e-card through “audiopostcardmail.com”.

    Since I don’t live in a flat, that made me wonder…. Using Google, I stumbled on this site.

    Interesting….. ;-)

  3. Brenda Says:

    WOW – I am really super glad I got that “whoa, wait a minute feeling”. All I needed was to do something to my husband’s computer. My brother was in a serious motorcycle accident with his wife yesterday, then my husband’s bike was stolen right out of our back yard in broad daylight just minutes after he parked it yesterday afternoon. Nothing like adding a messed up computer to that mess. Thanks for informing. You really saved us.

  4. Jenny in Ned Says:

    Oh dear, I clicked on supergreetingcard.com already. What can we do at this point?

  5. Bea Says:

    Hi, I have a question. I just got an email about a card from yourlettercard.com, but I can’t find the site. The email is a few days old so it might be gone already. I have an important friend who does communicate by cards, and because of his family’s religious objections to mine – does usually put them down under something anonymous. So what is going on? Are they all bad? All viruses? Did they take the site down? I can get to only about a half of the previous part of this conversation, and I’m trying to fill in the blanks. I really need to get to this card if it is genuine – then again I have been having one of the worst weeks of my life – I do not want to add ruining my computer to everything else that has happened. Thanks, SO what is the heads-up on this situation?

  6. Chuck B Says:

    Return-Path:
    Received: from noehlo.host ([127.0.0.1])
    by pickering.mail.mindspring.net (EarthLink SMTP Server) with SMTP id 1kq1cZ4T43Nl3p20; Mon, 4 Aug 2008 10:38:49 -0400 (EDT)
    Received: from xxejsf ([92.67.214.89])
    by pickering.mail.mindspring.net (EarthLink SMTP Server) with SMTP id 1kq1cY5c13Nl3p20
    for ; Mon, 4 Aug 2008 10:38:48 -0400 (EDT)
    Received: from pzsh ([75.215.65.167]) by xxejsf with Microsoft SMTPSVC(6.0.3790.0); Mon, 4 Aug 2008 15:38:49 +0200
    Message-ID:
    From:
    To:
    Subject: You Have An Ecard
    Date: Mon, 4 Aug 2008 15:38:49 +0200
    MIME-Version: 1.0
    Content-Type: text/plain;
    format=flowed;
    charset="windows-1252";
    reply-type=original
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1506
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
    X-ELNK-Received-Info: spv=0;
    X-ELNK-AV: 0
    X-ELNK-Info: sbv=4; sbrc=+0; sbf=bb; sbw=000; sbr=+

    Somebody made you this card from OldPostcardShop.com.

    If you would like to see your Card, click on the following link.

    http://OldPostcardShop.com/?539e3b14a79bb24c4d

    (c) 2001-2008 OldPostcardShop.com.
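The Received chain in the headers pasted above can be read mechanically. The following is an added example (not from the post or the commenter) that unfolds the headers, extracts each hop's source IP, and separates the address the recipient's own MTA recorded from the origin the sender claims. Only the hop written by a relay you trust (assumed here to be pickering.mail.mindspring.net) can be vouched for; everything beneath it, including the "from pzsh ([75.215.65.167])" line and its Microsoft SMTPSVC banner, was supplied by the sending machine and may be forged. The loopback hop from noehlo.host is EarthLink's internal pass and is skipped. The continuation-line folding the comment lost is restored so the parser can unfold it; the `trusted_mtas` set is an assumption for the example.

```python
import ipaddress
import re

# The Received chain from the spam in comment 6, re-folded with leading
# whitespace on continuation lines (as RFC 5322 headers are on the wire).
# Blank header values in the comment (From:, To:, ...) are left out.
SAMPLE_HEADERS = """\
Received: from noehlo.host ([127.0.0.1])
 by pickering.mail.mindspring.net (EarthLink SMTP Server) with SMTP id 1kq1cZ4T43Nl3p20; Mon, 4 Aug 2008 10:38:49 -0400 (EDT)
Received: from xxejsf ([92.67.214.89])
 by pickering.mail.mindspring.net (EarthLink SMTP Server) with SMTP id 1kq1cY5c13Nl3p20
 for ; Mon, 4 Aug 2008 10:38:48 -0400 (EDT)
Received: from pzsh ([75.215.65.167]) by xxejsf with Microsoft SMTPSVC(6.0.3790.0); Mon, 4 Aug 2008 15:38:49 +0200
Subject: You Have An Ecard
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
"""

# "from <helo> ([<ip>]) by <server>" in the common sendmail/MS style.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def unfold_headers(raw):
    """Join folded continuation lines (those starting with SP/HTAB) onto the
    preceding header line, returning one logical line per header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received_chain(raw):
    """Return Received hops newest-first (top of the message downwards),
    each as {'helo', 'ip', 'by'}; unparseable hops keep ip=None."""
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.search(line)
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"].lower()})
        else:
            hops.append({"helo": None, "ip": None, "by": None, "raw": line})
    return hops


def originating_ip(hops, trusted_mtas):
    """Walk the chain newest-first and stop at the first hop that one of our
    trusted MTAs wrote and whose source is a globally routable address.

    That IP is the one the trusted server actually saw connect ('verified').
    Every hop below it was handed to us by that sender and is only a claim;
    the lowest such IP is reported as 'claimed_origin'. Loopback and private
    sources (internal relay hops) are skipped.
    """
    trusted = {m.lower() for m in trusted_mtas}
    for i, hop in enumerate(hops):
        if hop["ip"] is None:
            continue
        addr = ipaddress.ip_address(hop["ip"])
        if hop["by"] in trusted and addr.is_global:
            below = [h["ip"] for h in hops[i + 1:] if h["ip"]]
            return {"verified": hop["ip"], "claimed_origin": below[-1] if below else None}
    return {"verified": None, "claimed_origin": None}


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_HEADERS)
    for hop in chain:
        print(hop)
    print(originating_ip(chain, {"pickering.mail.mindspring.net"}))
```

For the sample this yields 92.67.214.89 as the connecting host EarthLink recorded and 75.215.65.167 as the origin the message merely claims; an abuse report or blocklist lookup should start from the verified address, and the claimed one is worth checking only as a lead.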

  7. bjou Says:

    All the domains mentioned above are definitely bad! So DO NOT visit them. If you already did, you might be lucky if you did not download the postcard.exe and execute it, or if you have a patched, up-to-date system and browser. Download a virus scanner if you did (free-av.de) and check your system.

  8. Dale Says:

    Hi, I have downloaded the postcard and can't delete it from my computer. What should I do????

  9. Liza Says:

    I can tell that this is not the first time at all that you write about this topic. Why have you chosen it again?
