ESET Threat Blog

Archive for April, 2008

Nuwar Shifts to Fake Codecs


Tuesday, April 8th, 2008

It has only been a day since the last strategy shift from the Nuwar gang, and they have already moved away from the love letter theme. By monitoring computers infected with Nuwar, we can keep track of their social engineering schemes. They are now using a theme that the Zlob threat has relied on for a couple of months: fake codecs that entice users into downloading and executing their malware.


The screenshot below shows that web pages are used to display advertisements for a codec (a piece of software used to play certain video formats). If a user clicks on the image or the text link, he is redirected to an executable named StormCodec.exe (detected as Nuwar.GG by ESET NOD32 Antivirus). It is amusing to note that the Storm Worm gang uses a name given by the security industry in their own malware. We also noticed that the latest scheme is not completely polished: the title of the fake codec page still reads “I love you”.


The quick pace of changes in Nuwar’s social engineering is proof that its controllers are paying close attention to the performance of their campaigns. When they see that a theme is not effective, they quickly change their strategy. We are facing a rapidly evolving adversary!


Pierre-Marc Bureau

Researcher

Nuwar on Blogspot


Tuesday, April 8th, 2008

Since yesterday evening, the gang behind Nuwar (also called the Storm Worm) has registered a number of Blogspot accounts to spread their malware. The malicious pages look like the following screenshot.

Clicking on the image redirects the browser to an executable called love.exe, while clicking on the link in the text below the image downloads a file named withlove.exe. Both executables are variants of Nuwar. Our antivirus detects both files through our Web access protection module.

Pierre-Marc Bureau

Researcher

April Storm!


Tuesday, April 1st, 2008

The gang behind Storm missed Easter, but they were not going to miss two opportunities in a row! We are witnessing a new Storm campaign around the theme of April Fool’s Day. E-mails are being sent with subjects like “Happy April Fool’s Day.” The body of the message contains a short sentence and a link. The link points to a page that looks like the following screenshot.


The file that is downloaded automatically is called funny.exe. Upon execution, it copies itself to the Windows folder under the name aromis.exe. ESET Antivirus detects this malicious file as Nuwar.CG. Nuwar also creates a file called aromis.config, which contains the peer-to-peer network configuration. This version contains the coordinates of 271 other peers that newly infected hosts contact in order to join the botnet.


It is interesting to note that this version of Nuwar does not use any rootkit technology and has stopped using kernel mode drivers. These behavioral changes are clearly aimed at reducing the detection rate of security solutions.


Pierre-Marc Bureau

Researcher