The Storm Worm-ers seem to be lacking their usual creativity in respect to the usual social engineering attacks taking advantage of the momentum we're used to seeing. These days they're not piggybacking on real news items, they're starting to come up with new ones.



Storm's latest "FBI vs Facebook" campaign is an example of very badly executed one, lacking their usual fast-flux, any kind of social engineering common sense,  as well as client side exploits next to centralizing all the participating domains on a single nameserver.



Domains used :

wapdailynews .com

smartnewsradio .com

bestvaluenews .com

toplessnewsradio .com

companynewsnetwork .com

goodnewsgames .com

marketgoodnews .com

fednewsworld .com

toplessdailynews .com

stocklownews .com



DNS servers :

NS.BRPRBGOK6 .COM

NS2.BRPRBGOK6 .COM

NS3.BRPRBGOK6 .COM 

NS4.BRPRBGOK6 .COM

NS5.BRPRBGOK6 .COM

NS6.BRPRBGOK6 .COM



Strangely, the domain has been registered using an email hosted on a known Storm fast-flux node used in the recent 4th of July campaign and the U.S's invasion of Iran :



Administrative Contact:

Lee Chung lee@likethisone1.com

+13205897845 fax:

1743, 34

Los-Angeles CA 321458

us



This Storm Worm sample is also "phoning back home" over HTTP next to the P2P traffic, and trying to obtain the rootkit from the now down, policy-studies.cn /getbackup.php using already known Storm nameservers :



ns2.verynicebank .com

ns3.verynicebank .com

ns.likethisone1 .com

ns2.likethisone1 .com

ns3.lollypopycandy .com

ns4.lollypopycandy .com



Someone's bored, definitely, making it look like it's almost someone else managing a Storm Worm campaign on behalf of them.
http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/351463114/storm-worms-lazy-summer-campaigns.html