We’ve been receiving all sorts of new mail from the Storm threat’s authors. The latest to arrive at our office accounts is a message appealing to football fans. With college and pro football underway in the states, this social engineering is sure to attract some individuals. Here is the text of the email message:
“Life as we know it is back, NFL season is open.
Know all the games, what time, what channel and the stats.
Never be in the dark again with this online game tracker:
http: // ip.address.he .re”
Here is a snapshot of the site offering the “tracker.exe” file that potential victims will reach by clicking on the email message’s link. DO NOT visit the site if you receive the email, and DO NOT download and run this “tracker.exe” file:
Every link on the page, including the “Peyton Manning” link, will fail to download a couple of times, frustrating and confusing the user. Three’s a charm, and the tracker.exe file will download to your machine. Again, do not download and run the file. It installs all sorts of rootkit components and executables that you do not want on your system.
The authors have been somewhat inconsistent with this version of the multi-layered threat. They haven’t incorporated the commoditized exploits that attack Internet Explorer, Firefox and third party components like the Yahoo! Messenger into this web page, like they have on all of their other recent attack sites. The tracker.exe executable doesn’t change with every download, either. Maybe we are very early on in this stage of the spam/website setup, or a different part of the group set this server up.
The location of this server, most likely another Mac OSX server, is somewhat unusual for this group as well. Geobytes tells us that it is located in Tujunga, CA:
Peyton Manning? They probably could have pwned my system with a Brett Favre link.