I anyone wants to see what a zero second fast flux looks like, there is new spam arriving for merrychristmasdude[dot]com (DO NOT visit this site; it is seriously evil; reported to MIRT already). If you go to a nslookup site like swhois.net and enter the domain name into the nslookup form, it gives you just one IP address. But if you enter it again, you get a different IP address. You can enter as frequently as you want and you'll rarely get a repeat.

Normally when you get spammed to a malware site, you can report it to the hosting service to get it shut down. But you can't do that with this site, because it's on a new network every second, occupying potentially thousands of IP addresses per day. That's why tembow's botnet reporting is necessary. I'm trying to find what registrar to report it to ("ANO REGIONAL NETWORK INFORMATION CENTER DBA RU", with its whois at nic.ru; nic.ru claims to be ICANN accredited, but I can't find any address for it on its site or the ICANN registrars list. (Maybe RBN, I guess).

Although the spamwiki botnet file for storm worm is down, I'm assuming this is also the storm worm botnet because both storm IP addresses and merrychristmasdude will display the same small image if you look for any gif file (eg, if you find an IP address is 123.123.123.123, then 123.123.123.123/text.gif will display the image). Last week it was stock spam, but now it's a tiny icon of some sort.

FYI...

Anticipated Storm-Bot Attack Begins
- http://isc.sans.org/diary.html?storyid=3778
Last Updated: 2007-12-24 03:41:39 UTC

More... screenshot available here:
- http://www.disog.org/2007/12/stormworm-is-back-have-merry-christmas.html

and another ref:
- http://asert.arbornetworks.com/2007/12/storm-is-back-dude/

I can see that clicking on the pictures downloads stripshow.exe. But does anyone know what the iframe is doing?

Updated:

- http://isc.sans.org/diary.html?storyid=3778
Last Updated: 2007-12-24 13:11:38 UTC ...(Version: 3)
"...nice and tidy analysis available at: http://holisticinfosec.blogspot.com/2007/12/storm-bot-stripshow-analysis.html
...There's nothing new or exciting here: SPAM component, headless P2P, seasonal social engineering, fast flux, and other pervasively annoying attributes. User awareness, as always, is your strongest defense. Cheers and happy holidays, except for you RBN a$$h0735."

.

Kinda strange...I've seen a bunch of these and SpamCop will not report the IPs...I've seen comcast IPs and Charter IPs as I kept refreshing my report page, but all of them stated ISP refuses reports or whatever crap...

So whatever...I sent out some manual reports to the abuse addresses for some of the IPs that SpamCop returned.

There is little point reporting the site hosting merrychristmasdude[dot]com through spamcop. Fast flux means when the folks on the help desk get the spamcop report and check that URL, they'll find it is hosted on someone else's network. It is totally random which IP it will be at when spamcop parses it or when the help desk researches it. You not only need to tell the ISP the IP address, you need the date and time it was observed there, and you have to make sure the help desk person is familiar with fast flux so they know not to expect to see it at the same IP address when they check. So for these, while I do leave the box checked for spamcop reporting, I write a note in comments to let them know what's going on.

Yea, I leave a note too regarding these sort of sites when I see them, with links to this thread too (since it points out the 0-delay effect this one has- and only displays one IP at a time/per refresh).

Another one I received today is 'uhavepostcard.com' (reported to MIRT), offering a download of 'happy-2008.exe'. Same registrar; reports bounce with "Delivery Status Notification (Delay)". Meaning, so far nobody has been notified.

Same principle; different IP address every time it's checked.

A list of 'Subjects' used in the 'New Year 2008' version of the ecards can be found at http://isc.sans.org/diary.html?storyid=3784

The IPs for Storm are being reported to all of the ISPs several times per week. See the Botnet Tracker thread.

More updates:

- http://isc.sans.org/diary.html?storyid=3784
Last Updated: 2007-12-25 19:36:34 UTC ...(Version: 3) -"...As with 'merry christmas dude.com', this domain appears to be registered through nic.ru. It also appears to be hosted on the same fast-flux network, now with at least 8000 nodes. If you go to that web site, currently the malware file is 'happy2008.exe'. We will add more analysis details throughout the day as we get them..."

New Years Storm deja vu
- http://holisticinfosec.blogspot.com/2007/12/new-years-storm-deja-vu.html
December 25, 2007 - "...it copies itself to C:\WINDOWS as disnisa.exe... better AV coverage now that this variant's been around for a few days..."

.

All nic.ru email addresses bounce. Has anyone tried to send them a complaint via fax? (http://www.nic.ru/about/en/)