Now that Christmas is here, the Storm Worm is moving on to New Years.
Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Year's-themed e-card directing victims to "uhave post card.com." (spaces inserted to break the URL) NOTE: Please do not blindly go to this URL -- there is malware behind it.
The message comes in with a number of subjects and body texts. The one-line message bodies are also being used as the subject lines.
Seen So Far:
A fresh new year
As the new year...
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It's the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year
Update 1:
Happy New Year to You!
Happy New Year to <email address>
Lots of greetings on the new year
New Year wishes for You
Thanks to David F for the initial report.
We recommend applying filter blocks on the domain (u have post card.com) for both incoming email and outbound web traffic.
As with 'merry christmas dude.com', this domain appears to be registered through nic.ru. It also appears to be hosted on the same fast-flux network, now with at least 8000 nodes.
The malware file currently served from that web site is 'happy2008.exe'. We will add more analysis details throughout the day as we get them.
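As an added illustration of the filtering recommendation above (this is example code, not something from the diary or from the ISC), the script below takes the indicators the diary gives (the two defanged domains, the 'happy2008.exe' file name and the subject lines seen so far), refangs the domains in memory, and runs them over a few constructed mail messages and Squid-style proxy log lines. The log formats, the sample messages, the 198.51.100.7 address and the function names are all assumptions made for the example; because the domains are fast-fluxed, the proxy check also flags the dropper file name on its own, not just the domain.

```python
"""Spot the New Year's Storm e-card wave in mail and proxy logs.

Added example, not part of the ISC diary. Domains and file name come from
the diary; log formats and sample lines are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Domains exactly as the diary prints them, with spaces inserted so this
# file carries no live link. refang() turns them back into matchable hosts.
DEFANGED_DOMAINS = ["uhave post card.com", "merry christmas dude.com"]
MALWARE_FILES = {"happy2008.exe"}

# Subject / one-line body texts seen so far, lower-cased for comparison.
SUBJECTS_SEEN = {
    "a fresh new year", "as the new year...", "as you embrace another new year",
    "blasting new year", "happy 2008!", "happy new year!", "it's the new year",
    "joyous new year", "new hope and new beginnings", "new year ecard",
    "new year postcard", "opportunities for the new year", "wishes for the new year",
    "happy new year to you!", "lots of greetings on the new year",
    "new year wishes for you",
}
# "Happy New Year to <email address>" carries the recipient, so match it by shape.
SUBJECT_PATTERNS = [re.compile(r"^happy new year to \S+@\S+$", re.I)]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def refang(indicator):
    """Undo common defanging (inserted spaces, [.] , hxxp) to get a real host."""
    return (indicator.replace(" ", "").replace("[.]", ".")
            .replace("hxxp", "http").lower())


BLOCKED_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]


def host_of(url):
    """Hostname part of a URL, lower-cased, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def blocked_domain(host):
    """Return the blocked domain a host falls under (exact or subdomain), else None."""
    host = host.lower()
    for d in BLOCKED_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def classify_mail(subject, body):
    """List the reasons a message looks like the Storm e-card lure (empty if none)."""
    reasons = []
    s = subject.strip()
    if s.lower() in SUBJECTS_SEEN or any(p.match(s) for p in SUBJECT_PATTERNS):
        reasons.append(f"known subject: {subject!r}")
    for url in URL_RE.findall(body):
        d = blocked_domain(host_of(url))
        if d:
            reasons.append(f"blocked domain in body: {d}")
    return reasons


def classify_proxy_line(line):
    """Squid access.log line (assumed format: the 7th field is the URL).

    Flags requests to a blocked domain, and separately any fetch of the
    dropper file name, since the fast-flux network hands out many IPs.
    """
    fields = line.split()
    if len(fields) < 7:
        return None
    url = fields[6]
    d = blocked_domain(host_of(url))
    if d:
        return f"outbound request to blocked domain {d}"
    filename = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    if filename in MALWARE_FILES:
        return f"download of known Storm dropper name: {filename}"
    return None


# Constructed sample input (not real captures). The live domain is only
# assembled at runtime from the defanged list above.
SAMPLE_MAIL = [
    ("New Year Postcard",
     f"Your New Year postcard is waiting: http://{BLOCKED_DOMAINS[0]}/"),
    ("Q1 planning meeting", "Slides are at http://intranet.example.com/plan"),
    ("Happy New Year to alice@example.org", "(no link, forwarded text only)"),
]
SAMPLE_PROXY = [
    f"1198598401.123 45 10.0.0.5 TCP_MISS/200 1234 GET http://{BLOCKED_DOMAINS[0]}/happy2008.exe - DIRECT/198.51.100.7 application/octet-stream",
    "1198598455.987 61 10.0.0.9 TCP_MISS/200 1234 GET http://198.51.100.7/happy2008.exe - DIRECT/198.51.100.7 application/octet-stream",
    "1198598460.001 12 10.0.0.9 TCP_HIT/200 512 GET http://www.example.com/index.html - NONE/- text/html",
]


def run_demo():
    """Run both detectors over the constructed samples; returns (mail_hits, proxy_hits)."""
    mail_hits = [classify_mail(subj, body) for subj, body in SAMPLE_MAIL]
    proxy_hits = [classify_proxy_line(line) for line in SAMPLE_PROXY]
    return mail_hits, proxy_hits


if __name__ == "__main__":
    mail_hits, proxy_hits = run_demo()
    for (subj, _), reasons in zip(SAMPLE_MAIL, mail_hits):
        print(f"mail {subj!r}: {reasons or 'clean'}")
    for line, hit in zip(SAMPLE_PROXY, proxy_hits):
        print(f"proxy {line.split()[6]}: {hit or 'clean'}")
```

Keeping the indicators defanged in the source and refanging them at runtime means the block list can be pasted straight from a diary entry without anyone accidentally clicking it; the subdomain check in blocked_domain() matters because e-card lures routinely use hostnames under the registered domain rather than the bare domain.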
Update:
Russ has posted an update to his blog entry from the other day with information about the newest Storm Worm. His blog posting is available at http://holisticinfosec.blogspot.com/2007/12/new-years-storm-deja-vu.html
David Goldsmith (dgoldsmith -at- sans.org)