<![CDATA[[SecurityRatty] tag: orthelike]]> http://securityratty.com/tag/orthelike Tue, 20 May 2008 03:46:40 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[All You Need is Storm Worm's Love]]> http://securityratty.com/article/3b6740ad1fcc1396cba8a4c6dbd8cb18 http://securityratty.com/article/3b6740ad1fcc1396cba8a4c6dbd8cb18 The Storm Worm malware launched yet another spam campaign promoting links to malware serving hosts, in between a SQL injection related to Storm Worm.

These are Storm Worm's latest domains where the infected hosts try to phone back :

cadeaux-avenue.cn (active)
polkerdesign.cn (active)
tellicolakerealty.cn (active and SQL injected at vulnerable sites)
Administrative Email for the three emails : glinson156 @ yahoo.com

Related DNS servers for the latest campaign :

ns.orthelike.com
ns2.orthelike.com
ns3.orthelike.com
ns4.orthelike.com
ns.likenewvideos.com
ns2.likenewvideos.com
ns3.likenewvideos.com
ns4.likenewvideos.com

Storm Worm related domains which are now down :

centerprop.cn
apartment-mall.cn
stateandfed.cn
phillipsdminc.cn
apartment-mall.cn
biggetonething.cn
gasperoblue.cn
giftapplys.cn
gribontruck.cn
ibank-halifax.com
limpodrift.cn
loveinlive.cn
newoneforyou.cn
normocock.cn
orthelike.com
supersameas.com
thingforyoutoo.cn

One of the domains that is injected as an iFrame is using ns.likenewvideos.com as DNS server, whereas likenewvideos.com is currently suspended due to "violating Spam Policy". Precisely.

Related posts:
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game
]]> Tue, 20 May 2008 03:46:40 +0000 storm worm storm worm malware malware likenewvideos campaign valentine campaign orthelike domains sql injection All You Need is Storm Worm's Love