Storm Worm Goes Active Again and Odd Port 56893/TCP Probes

Two fairly interesting items tonight:

1) SANS is getting reports that the Storm worm is active again. This time sending messages attempting to draw victims to the “merry christmasdude.com” <take out the space> domain. As of 10:30 PM Eastern tonight, the domain is being flooded with traffic, but appears to be functional. SANS is suggesting applying domain blocks to the domain, and it would probably be good to add mail and other content filtering rules as well, if you are still using the blacklist approach. Here is the whois for the domain:

Domain name: MERRYCHRISTMASDUDE.COM
Creation Date: 2007.11.27
Updated Date: 2007.12.17
Expiration Date: 2008.11.27
Status: DELEGATED
Registrant ID: P4DHBN0-RU
Registrant Name: John A Cortas
Registrant Organization: John A Cortas
Registrant Street1: Green st 322, fl.10
Registrant City: Toronto
Registrant Postal Code: 12345
Registrant Country: CA
Administrative, Technical Contact
Contact ID: P4DHBN0-RU
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008@yahoo.com
Registrar: ANO Regional Network Information Center dba RU-CENTER
Last updated on 2007.12.24 06:17:35 MSK/MSD

2) Also, on a secondary note, we are getting a rapid increase in probes to TCP 56893. This port has been a known port for an SSH trojan and botnet deployment in the past. This may be related to the Storm worm activity or may be another bot group gearing up for activity.

It looks like the holiday is likely to bring a high level of increase in bot activity and as always, attackers will be looking for new machines received as gifts that will suddenly appear online and may be missing a patch or two. Make sure you give some advice to new techies and computer owners this holiday – patch early, patch often and make sure you build layers of defense against today’s emerging threats!