Storm Trojan now using real domain links in NFL Tracker scams
The so-called Storm (Worm) Trojan has been continuously changing the subject and body text used to trick victims into clicking on links that cause their computers to become part of the "Storm" Botnet. Previously, all Storm scam messages came in with numeric links to compromised Windows computers on broadband connections, which was a clear giveaway to even the most casual recipient that something was not right. Then, at the beginning of September, I began to see Storm scams that had the numeric IP destinations wrapped inside a fake domain name. The true, numeric destination was revealed by mousing over the link, so it was still relatively easy to detect that the message was most likely a scam.
It is extremely unusual for hyperlinks to be numeric, but not totally unseen. Most websites use a "friendly name" for the domain, like example.com. On very rare occasions a website may not use a friendly name, usually when it is in transit from one server to another and DNS changes need time to propagate throughout the name server system. In the case of the web pages hosted on Storm Trojan infected computers, the URLs had to be numeric, because the zombie computers did not have registered domain names. Instead, they have a small web server, called nginx, installed by the Storm Trojan, and are almost always connected to broadband Cable or DSL Internet services with infrequently changing IP addresses. Since the IP addresses of these zombie computers do occasionally change, due to rebooting the modem or forced IP renewals by their ISP, the authors of the Storm Trojan had to come up with a new way to keep them reachable through changes in IP address, and they have done just that.
In a new twist on the previous numeric IP scam, the authors of the new scam are using free DNS services to point their parked domain names at always-on cable Internet computers that are part of the BotNet. Thus, if the intended victim mouses over the link it still displays the friendly domain name (e.g. example.com). If they are fooled by the scam pitch into clicking on that link, they will arrive at what looks like a standard, large web page all about the subject of the scam message. There will be lots of links on that page, just like you would find on a real web page. But, in this instance, what you don't know can and will hurt you!
See my extended comments for a more technical description about this new NFL Tracker threat.
Your best defense against the Storm (Worm) Trojan, in all of its incarnations, is to use common sense and not click on links in unexpected emails, featuring dubious text sales pitches. If you use anti-spam software you should train it to recognize what you recognize as spam, or scams.
I use MailWasher Pro to screen all of my incoming email. It uses a variety of methods to identify and deal with known or suspected spam email, including custom filter rules that define the kinds of spam that are most common. I happen to write and publish three sets of custom filters for MailWasher. They are in direct response to the daily variations in email spam and scam threats that I see as I check my numerous accounts at 12-minute intervals. While my filters admittedly slow down the processing of your incoming messages, they provide a defined warning in the Status field, indicating what types of spam filters have been matched. The first two sets of filters only flag spam that is matched by my rules, leaving you to decide if they are truly spam or legitimate (false positives).
filters.txt is the largest set, with rules going back several years, including the most current rules.
filters2.txt is a reduced set containing only the most current filters; I use a more potent version of these myself.
filters3.txt is what I call my Judge Dread rules, because they, like my personal filters, are set to automatically hide and/or delete anything that is identified as spam. I describe them as my "Murder-Death-Kill rules," as borrowed from the movie "Judge Dread." In the rare instances where a legitimate email is automatically deleted by a filter, I can review and restore that message from the MailWasher Pro Recycle Bin.
To recap, the authors of the Storm Trojan are constantly changing the subject and body text in an effort to deceive more and more people and to accumulate the largest BotNet in the history of distributed computing. As of this week, it is estimated that the Storm BotNet has more computer and CPU power than the world's top five supercomputers put together. The damage this BotNet has done, is doing and may yet do is beyond anything seen on the Internet until now. If all of these machines are used in DDoS attacks there is very little that would be able to stand up to them. That includes websites, governments, even entire countries (the country of Estonia was effectively taken offline by a huge DDoS attack earlier this year).
I strongly urge every reader of my blog to install the best anti-virus and anti-spyware software that you can afford, keep it completely updated and scan for threats every night.
About the destination web pages on Storm Trojan Zombie computers
The web page at the redirected location is typically about 32 KB in size (it varies) and contains all manner of links supposedly allowing the victim to "track" the performance of their favorite NFL football teams or players, using a program called a "Tracker," or "NFL Tracker." What isn't obvious, unless you read the source code (as I do), is that every link on that page goes to the same local executable file. There is even an image that is a clickable image map, which also leads to the very same Trojan Horse file. In this football scam the file name will contain the word "tracker."
Visiting these Storm Trojan websites is extremely dangerous, as some have JavaScript exploits installed in the HEAD section. Even if they don't use JavaScript redirects, anybody clicking on the links will already be deceived into thinking they are installing a program to track a sports team (probably to place bets) and will not even be aware that they are infecting their own computers. Instead, they will cause their computer to become a Zombie in the Storm BotNet, to be used for who knows what criminal purpose.
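The two giveaways described above (the numeric IP hidden behind friendly link text, and a landing page whose every anchor and image-map area resolves to one "tracker" executable) can be checked mechanically from the page source. This is an added example, not code from the blog or from MailWasher; the HTML is a constructed sample modelled on the description, and the finding names are my own labels.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: anchors and an image-map area all pointing at one local
# executable, plus one link whose visible text shows a friendly domain while
# the real href is a numeric IP (192.0.2.10 is a documentation address).
SAMPLE_HTML = """<html><body><h1>NFL Tracker</h1>
<a href="tracker.exe">Download NFL Tracker</a>
<a href="tracker.exe">Team stats</a>
<map name="m"><area href="tracker.exe" shape="rect" coords="0,0,9,9"></map>
<a href="http://192.0.2.10/tracker.exe">http://example.com/tracker</a>
</body></html>"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for <a> and <area> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag in ("a", "area") and href:
            self._cur = [href, ""]
            if tag == "area":            # image-map areas carry no inner text
                self.links.append(tuple(self._cur)); self._cur = None
    def handle_data(self, data):
        if self._cur:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur:
            self.links.append(tuple(self._cur)); self._cur = None

def analyze(html):
    """Return a set of finding labels a mail or web filter could act on."""
    p = LinkCollector(); p.feed(html)
    findings, targets = set(), set()
    for href, text in p.links:
        u = urlparse(href)
        if u.hostname and IPV4_RE.match(u.hostname):
            findings.add("numeric-ip-link")
        shown = urlparse(text.strip()).hostname  # host the user *sees*
        if shown and u.hostname and shown != u.hostname:
            findings.add("link-text-host-mismatch")
        targets.add(u.path.rsplit("/", 1)[-1].lower())  # bare file name
    exe = {t for t in targets if t.endswith(".exe")}
    if len(exe) == 1 and targets == exe:   # every link converges on one .exe
        findings.add("all-links-to-one-executable")
        if "tracker" in next(iter(exe)):
            findings.add("tracker-executable")
    return findings
```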
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.