A detailed analysis was provided, here, on the new version of the Storm Worm making it's rounds this week. I went looking in our logs for HTTP POSTs to three and four character GIF and JPG files with relatively small request and response sizes (<1000 bytes). What I found was a number of transactions to 91.212.127.114 (on Telos, no PTR record).
A small snippet of transactions:
There is a ThreatExpert report on the related server / malware, which is identified as Email-Worm.Zhelatin (name used by Kaspersky and F-Secure for the Storm Worm). The infected hosts connect out to mail servers in attempts to mass-mail and infect others. Here is a list of some of the email servers that it connects to:
Keep an eye out for these types of transactions within your networks.
Blog Zscaler
Ricevi gli ultimi aggiornamenti dal blog di Zscaler nella tua casella di posta
Iscriviti
Grazie per aver letto
Questo post è stato utile?
Scopri altri blog di Zscaler
Agniane Stealer: Dark Web’s Crypto Threat
Leggi il blog
The Impact of the SEC’s New Cybersecurity Policies
Leggi il blog
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Leggi il blog
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Leggi il blog
Ricevi gli ultimi aggiornamenti dal blog di Zscaler nella tua casella di posta
Inviando il modulo, si accetta la nostra Informativa sulla privacy.