sudosecure.net

              is anything truly secure…

Storm Worm new “Currency Theme” campaign begins

Posted by jeremy on July 21st, 2008

Looks like my prediction on the Storm Worm authors changing their theme within the coming days has just been confirmed. The newest Storm Worm Social Engineering theme is “Currency Based”, focusing on the financial strains/concerns many Americans are facing now. The message is simple and to the point:

The U.S. Government began to realize the plan to replace the Dollar with the “Amero”, the new currency of the North American Currency Union. Canada, the United States of America and Mexico have resolved to unit in order to resist the Worldwide Financial Crysis. You can become acquainted with the plan of the implementation of Amero, just click on the icon under this text.

The adoption of a common currency named “Amero” for the North American continent is not a new concept and does currently have some active supporters. Wikipedia has some solid information about the Amero here: North American currency union. Another interesting site I stumbled upon while looking for information on the “Amero” is “The Amero”; you can form your own opinion about the site.

Here is a current screenshot of the Storm web page hosting the newly named binaries:

This new Currency theme is only hosting one binary, named “amero.exe”, and the same old obfuscated JavaScript exploit file “ind.php”, as you can see in the new webpage source code:

I have not seen any new spam pushing this new campaign yet, but I would suspect new spam and new Fast Flux domain names surfacing within the next 48 hours. I guess only time will tell.

8 Responses to “Storm Worm new “Currency Theme” campaign begins”

  1. Henry van Wyk Says:

    Yip, received the following spam mail today on my gmail account (incl headers):

    Delivered-To:
    Received: by 10.150.134.6 with SMTP id h6cs171972ybd;
    Mon, 21 Jul 2008 09:15:42 -0700 (PDT)
    Received: by 10.65.121.5 with SMTP id y5mr5171338qbm.36.1216656941454;
    Mon, 21 Jul 2008 09:15:41 -0700 (PDT)
    Return-Path:
    Received: from tdev199-107.codetel.net.do (tdev199-107.codetel.net.do [200.88.199.107])
    by mx.google.com with SMTP id u62si1461946pyb.23.2008.07.21.09.15.35;
    Mon, 21 Jul 2008 09:15:41 -0700 (PDT)
    Received-SPF: neutral (google.com: 200.88.199.107 is neither permitted nor denied by best guess record for domain of mm@ayz.com) client-ip=200.88.199.107;
    Authentication-Results: mx.google.com; spf=neutral (google.com: 200.88.199.107 is neither permitted nor denied by best guess record for domain of mm@ayz.com) smtp.mail=mm@ayz.com
    Received: from iwtg ([176.203.133.182])
    by tdev199-107.codetel.net.do (8.13.3/8.13.3) with SMTP id m6LGIq4B026603;
    Mon, 21 Jul 2008 12:18:52 -0400
    Message-ID:
    From:
    To:
    Subject: One Currency for Canada, U.S and Mexico – The Amero
    Date: Mon, 21 Jul 2008 12:10:42 -0400
    MIME-Version: 1.0
    Content-Type: text/plain;
    format=flowed;
    charset="windows-1250";
    reply-type=original
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

    AMERO to replace Dollar hxxp://121.147.133.107/

  2. jeremy Says:

    Thanks for the update.

  3. Benjamin Says:

    I just got one of these in my spam box in my gmail account…pointing to 67.38.17.32 in this case.

  4. jeremy Says:

    Thanks for the update as well. It looks like several of you all are starting to see the spam come in. No new domain names just links directly to the IP address.

  5. Henry van Wyk Says:

    Another site… hxxp://68.51.193.78/

  6. Omar Says:

    Thanks for the info.

    Here’s the email I just got:
    —————————-

    Return-Path:
    Received: from sqyvdy (unknown [123.19.167.95])
    with SMTP id F1F231C68046
    Received: from anvyd ([110.146.213.201]) by sqyvdy with Microsoft SMTPSVC(6.0.3790.0); Tue, 22 Jul 2008 17:08:05 +0700
    Message-ID:
    From:

    Subject: North American Union is the reality now

    Date: Tue, 22 Jul 2008 17:02:17 +0700
    MIME-Version: 1.0
    Content-Type: text/plain;
    format=flowed;
    charset="windows-1250";
    reply-type=original
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 5.50.4133.2499
    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2499

    —————————-
    Body:
    —————————-
    Death of the U.S. Dollar hxxp://24.180.53.121/

  7. Henry van Wyk Says:

    Another site…

    hxxp://65.33.188.122/
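
The comments above note that this spam links directly to an IP address rather than a domain name. As an added example (not part of the original post or its comments), the Python below flags message bodies whose URLs use an IPv4 literal as the host, including the defanged hxxp form, and lists the bracketed addresses from the Received headers. The sample message is constructed with documentation addresses, and the function names are hypothetical.

```python
import email
import ipaddress
import re
from urllib.parse import urlsplit

# http/https URLs, including the defanged "hxxp" form used in the comments.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)
# Bracketed IPv4 address as written in a Received header, e.g. "([198.51.100.23])".
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message (documentation addresses, hypothetical host names).
SAMPLE = """\
Received: from relay.example.net (relay.example.net [203.0.113.45])
\tby mx.example.org with SMTP id abc123;
\tMon, 21 Jul 2008 09:15:41 -0700 (PDT)
Received: from iwtg ([198.51.100.23])
\tby relay.example.net with SMTP id def456;
\tMon, 21 Jul 2008 12:18:52 -0400
Subject: One Currency for Canada, U.S and Mexico - The Amero
Content-Type: text/plain; charset="windows-1250"

AMERO to replace Dollar hxxp://192.0.2.107/
More at http://www.example.com/news
"""

def ip_literal_urls(text):
    """Return the URLs in text whose host is an IPv4 literal, not a domain name."""
    hits = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;)")  # drop sentence punctuation stuck to the URL
        refanged = re.sub(r"^hxxp", "http", raw, flags=re.IGNORECASE)
        try:
            host = urlsplit(refanged).hostname or ""
            if ipaddress.ip_address(host).version == 4:
                hits.append(raw)
        except ValueError:
            continue  # host is a domain name or malformed
    return hits

def triage(raw_message):
    """Summarise one raw message: subject, IP-literal links, Received-header IPs."""
    msg = email.message_from_string(raw_message)
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if not p.is_multipart() and isinstance(p.get_payload(), str))
    relays = [ip for h in msg.get_all("Received", [])
              for ip in RECEIVED_IP_RE.findall(str(h))]
    return {"subject": msg.get("Subject", ""),
            "ip_urls": ip_literal_urls(body),
            "relay_ips": relays}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only the Received header written by your own mail server is trustworthy; the hops listed below it are supplied by the sender and can be forged.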

