Wednesday, February 13, 2008

Happy Valentine's Day

I consider myself pretty good when it comes to determining what is real e-mail and what is fake phishing e-mail. I must admit, though, that over the past couple of months they have been getting pretty good, from eBay e-mails asking me questions about an item I am selling to PayPal e-mails trying to get me to update my security settings. All of them made me take a second look and ask myself... Am I selling anything on eBay?

Recently, though, over the past couple of days I have been flooded by e-mails titled: “My Heart for you,” “What is Love,” “Just for you,” “Phone Love,” “Is anything as beautiful as a rose,” “I like you,” etc. When I open each of these, they usually have a short message saying “I love you” and a link to some crazy site like or Honestly does anyone fall for these?

I am assuming the smarter phishing scams such as eBay and PayPal duplication e-mails must not be gaining the collective gullible folks like they used to. They seem to have returned to the ideal of spamming hundreds and hundreds of e-mails out and hopefully one returns positive! The one in a million attack.

Just to see what all you need to do to get infected, I figured I would click on a link (using my Mac) and see what happened. The first couple of sites didn’t even resolve, meaning the officials must have already shut those down, but the third one did.

I was sent to a website displaying a heart and a message saying “Your download will begin shortly.” Below that was a message which stated “If your download does not begin automatically click here and choose run.” I did as it said and it tried to send me a file called withlove.exe (which my Mac did not know what to do with). I saved it on my desktop for later dissection.

Looking through this file it seems to do the following:
1) Disables antivirus
2) Opens some ports to listen for incoming commands from the master computer
3) Begins to send out more of this “I Love You” SPAM mail.

After doing some research, this latest attack seems to be the work of the infamous Storm Worm. For those of you who have not heard of Storm Worm, it is a botnet of about a million computers which are under control of this group called The Storm Factory. They use all these computers to fill up our inboxes with SPAM. The question is why? As I mentioned in the update to “Who is You,” the motivation behind the attacks is more important than the attacks themselves.

What is to gain by this? Growth of course, but why does Storm Worm need more computers? The million or so they have now sends me about 1 e-mail every 15 minutes (when I turn off SPAM filters). Somehow I don’t think 1 every 10 minutes is going to trick me into falling for this.

Most security professionals are worried about the use of these million computers as a denial-of-service tool. If each machine tried to access a website, they could effectively take down the website. But they haven’t done that yet (at least not that I know). Maybe they could use these computers to fold proteins or search for extraterrestrial life (SETI). Would this be such an urgent problem then? What if they just applied patches to fix the systems?

This group has been doing this for each holiday: Christmas, Super Bowl, Thanksgiving, etc. However, the best defense against this may be the fact that this is done for Valentine’s Day. Christmas is when you get in touch with long lost friends, etc., but Valentine’s Day is usually something celebrated between couples who hopefully know each other’s names and style of e-mails!

My question to the group: If this was all done for the good of the individual, would it be a bad thing?

Nate Evans
The Krell Institute



At 1:29 PM, Blogger Professor Steffen Schmidt said...

Awesome! This is just the kind of exercise we want to know about. I hope our bloggers and subscribers know NOT TO DO THIS ON THEIR Windows PC! In other words, DON'T try this at home!



  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C