New Year spam campaign rolls out start of 2011

The creators of the Storm/Waledac botnet mounted a spam campaign over the New Year holiday in a bid to appear as holiday e-cards.

It seems a bit strange given that the e-card method is so old it still thinks Bill Haley and the Comets are at the cutting edge of music and state university education is communism.

Basically users get a message with a header “Tom has created a New Year ecard. To view this page please click here” with an address which takes you to a server that displays a message asking the user to download a fake Flash player. This, of course, installs a piece of malware on the victim’s machine and sodomises your computer.

According to the insecurity experts at the Shadowserver Foundation the old ones are still good ones, with a number of people falling for it. One of the reasons that it has been so successful is that it uses a list of IP addresses that is changing by the second.

The botnet can use fast flux to change the destination IP address of the redirect constantly, making it more difficult for researchers and authorities to track its activity.
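A defender-side heuristic for the fast-flux behaviour described above, added here as an example that is not from the article or from Shadowserver: it replays a constructed resolver log and flags hosts whose A records churn on every lookup with short TTLs across several /24 blocks. Hostnames and addresses are invented for illustration (documentation ranges), not indicators from the campaign.

```python
"""Fast-flux heuristic over repeated DNS lookups (added example, not from the article)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver log: (seconds, queried host, TTL, A records).
# Addresses are RFC 5737 documentation ranges, not real campaign indicators.
SAMPLE_LOOKUPS = [
    (0,    "ecard.example.invalid", 60,   ["198.51.100.10", "203.0.113.5", "192.0.2.77"]),
    (60,   "ecard.example.invalid", 60,   ["198.51.100.44", "203.0.113.99", "192.0.2.12"]),
    (120,  "ecard.example.invalid", 60,   ["198.51.100.210", "203.0.113.131", "192.0.2.250"]),
    (180,  "ecard.example.invalid", 60,   ["198.51.100.3", "203.0.113.60", "192.0.2.9"]),
    (0,    "www.example.invalid",   3600, ["192.0.2.1"]),
    (3600, "www.example.invalid",   3600, ["192.0.2.1"]),
    (7200, "www.example.invalid",   3600, ["192.0.2.1"]),
]


def flux_stats(lookups):
    """Per-host churn metrics: how many never-before-seen IPs each lookup adds,
    how many distinct /24 blocks the answers span, and the lowest TTL observed."""
    per_host = defaultdict(list)
    for ts, host, ttl, answers in lookups:
        per_host[host].append((ts, ttl, tuple(answers)))
    report = {}
    for host, rows in per_host.items():
        rows.sort()
        seen, new_per_lookup = set(), []
        for _, _, answers in rows:
            fresh = set(answers) - seen
            new_per_lookup.append(len(fresh))
            seen.update(answers)
        blocks = {ip_network(f"{ip}/24", strict=False) for ip in seen}
        later = new_per_lookup[1:]  # the first lookup is always all-new; ignore it
        report[host] = {
            "lookups": len(rows),
            "unique_ips": len(seen),
            "unique_24s": len(blocks),
            "min_ttl": min(ttl for _, ttl, _ in rows),
            "avg_new_per_lookup": sum(later) / len(later) if later else 0.0,
        }
    return report


def is_fast_flux(stats, max_ttl=300, min_new=1.0, min_24s=3):
    """Heuristic: short TTL, fresh IPs on nearly every lookup, spread over several /24s.
    Thresholds are assumptions for this example; tune them against your own resolver data."""
    return (stats["min_ttl"] <= max_ttl
            and stats["avg_new_per_lookup"] >= min_new
            and stats["unique_24s"] >= min_24s)


if __name__ == "__main__":
    for host, stats in flux_stats(SAMPLE_LOOKUPS).items():
        print(host, "FAST-FLUX" if is_fast_flux(stats) else "steady", stats)
```

Feeding it passive-DNS or recursive-resolver logs over a longer window gives the same metrics at scale; a legitimate CDN can also rotate addresses, so treat a hit as a lead to corroborate, not a verdict.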

The Shadowserver Foundation said that in some cases, the pages to which the user is redirected are using hidden JavaScript and exploits to try to install the malicious file on the victim’s machine.

Storm was particularly dangerous for a while. Then it died off. Now it pops up from time to time but never goes away. This time, for all its clever programming, the new Storm botnet is not as stable. The botnet has been repeatedly returning 503 Service Unavailable for most requests throughout the day. This includes both bot beaconing and requests for the fake greeting card website.

As a result it has been really hard to successfully download the malware from the network. The Foundation thinks that it might be a side effect of the fast flux DNS resolution. Still, on New Year’s morning everyone is suffering from reflux of some sort or another.