New F.B.I. vs Facebook Storm Wave (July 31, 2008)
July 31, 2008
Storm worm authors have changed their spam campaign which now involves fake news story about the FBI and Facebook. Starting July 29, 2008, a new wave of storm e-mails are being spammed with following subjects:
- F.B.I. can watch our conversation through Facebook
- FBI agents patrol Facebook
- FBI may strike Facebook
- FBI on the Hunt for Facebook users
- F.B.I. bypasses Facebook to nail you
- F.B.I. Looks Into Facebook
- F.B.I. are spying on your Facebook profiles
- F.B.I. busts alleged Facebook
- Get Facebooks F.B.I. Files
- Facebooks F.B.I. ties
- F.B.I. watching you
- The FBIs plan to profile Facebook
- The FBI has a new way of tracking Facebook
In this new wave, they are using IP Addresses or a domain in the URL spammed via e-mail. Here are a few examples of such e-mails:
The user will see the following page when he or she clicks on the link in the e-mail:
The email contains a fake message related to the FBI and facebook. If the user clicks on the link on the page, it will prompt to download fbi_facebook.exe file which is the new variant of Storm worm.
It also drops the following files on the system:
C:WINDOWSglok+serv.config C:WINDOWSglok+59e6-7783.sys
It also creates a new service for the glok+59e6-7783.sys and runs it.
SonicWALL detects this new wave with following signatures:
GAV: Zhelatin.ZI (Worm) – Released on July 23, 2008
GAV: Zhelatin.ZM (Worm) – Released on July 29, 2008
GAV: Zhelatin.ZM_2 (Worm) – Released on July 30, 2008