Thursday, December 30, 2010

How to Block the New Fast Flux Botnet

The folks at Shadowserver have reported on a new spam campaign that, at first looked like the holiday e-card scams that have been around for many years.  After closer inspection of the details, it appears that it could be the next generation of Storm Worm or Waledac.

Below you'll find a list of subjects in the spam campaign reported by Stephen Adair in New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0?.  The e-mails are coming from all over the Internet with spoofed sender addresses.
Greeting for you!
 Greeting you with heartiest New Year wishes
 Greetings to You
 Happy New Year greetings e-card is waiting for you
 Happy New Year greetings for you
 Happy New Year greetings from your friend
 Have a happy and colorful New Year!
 l want to share Greeting with you (Shadowserver note: the first letter is an L)
 New Year 2011 greetings for you
 You have a greeting card
 You have a New Year Greeting!
 You have received a greetings card
 You've got a Happy New Year Greeting Card!
The email contains a link to a compromised website.  Clicking the link results in a redirect to one of the new malicious domains being used by the botnet.  As explained in the report, "these are fast flux domains that will frequently return a new IP address each time they are resolved."

From New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0?, the currently known domains hosting the botnet, whose purpose is to install malware, are listed below with the appropriate entry to add to your HOSTS file if you wish to block the domains.

If you use WinPatrol, it is easy to edit the HOSTS File, regardless of whether you are running Windows XP, Windows Vista or Windows 7,

  • Right-click on Scotty in the system tray to launch WinPatrol, selecting "Options".
  • Windows Vista and Windows 7 Users: Accept any UAC Prompts
  • Click "View HOSTS file", which will launch in Notepad
  • In Notepad copy/paste the following entries:

  • Click File > Save
  • Close Notepad
  • Close WinPatrol

If you do not use WinPatrol (you should!), you can manually edit the HOSTS file.  It just takes a bit more effort.

With default Windows installations, the HOSTS file is located at C:\Windows\System32\drivers\etc.  If you use Windows 7, it is necessary to first click on Start, type in Notepad and then right-click on Notepad and choose Run as Administrator.  Then, for all systems (Windows XP, Windows Vista and Windows 7), right-click hosts and select to open with Notepad. 

This is an example of what you will see when Notepad launches the HOSTS File:

# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#          # source server
#              # x client host

# localhost name resolution is handled within DNS itself.
#       localhost
#    ::1             localhost

After the last line in the HOSTS file, paste the entries below

Save and close Notepad. 

Your HOSTS file has been updated and those malware domains have been blocked.

Clubhouse Tags: Clubhouse, Security, Privacy, How-To, Information, Tutorial, Family Safety, Windows Vista, Windows 7, Windows XP,

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

No comments: