From Dorf: Happy 4th of July

Independence Day has always been a big event for our neighbors south of the border. For the Dorf (Storm) authors, this is no exception. After staying dormant for a day, the Dorf botnet launched its latest campaign at 13:00 PST. This time, they are using an Independence Day fireworks video as the lure.

Here’s a partial list of subject lines seen in the latest Dorf spam messages:

Amazing Independence Day salute
Amazing firework 2008
America for You and Me
America the Beautiful
Celebrate Independence
Celebrate with Pride
Celebrating Fourth of July
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Fourth of July
Happy Independence Day
Independence Day firework broke all records
Light up the sky
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Strips forever
Super 4th!
The best firework you’ve ever seen
The best of 4th of July Salute
Well done 4th!

The body of the messages is similar to previous Dorf campaigns: a one-line phrase followed by a URL that is nothing more than a bare IP address, such as:

Amazing Independence Day salute http://xxx.xxx.xxx.xxx/
Amazing Independence Day show http://xxx.xxx.xxx.xxx/
Bright and joyful Fourth of July http://xxx.xxx.xxx.xxx/
Celebrate the spirit of America http://xxx.xxx.xxx.xxx/
Celebrating Fourth of July http://xxx.xxx.xxx.xxx/
Celebrations have already begun http://xxx.xxx.xxx.xxx/
Light up the sky http://xxx.xxx.xxx.xxx/
Proud to be an American http://xxx.xxx.xxx.xxx/
Stars and Strips forever http://xxx.xxx.xxx.xxx/
The best firework you’ve ever seen http://xxx.xxx.xxx.xxx/
Well done 4th! http://xxx.xxx.xxx.xxx/

Visiting the IP address would bring up a page with an “online video player” and a picture of fireworks inside the player. The following text is included below the image:

Colorful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it.

The website pretends to contain a video of fireworks

Users attempting to watch the fireworks video will instead be infected by malicious code.

The “video” links to an executable called “fireworks.exe”. In addition, the Dorf site also loads a 1×1 iframe pointing to “ind.php”. For Sophos customers, this latest Dorf campaign is a non-event. Our anti-spam solutions proactively detect these Dorf spam messages. As for the Dorf site, the executable is proactively detected as Troj/Dorf-BP, and the obfuscated malicious JavaScript served by “ind.php” is proactively detected as Mal/ObfJS-AY.
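As an added illustration (not code from the Sophos post), here is a small Python filter that models the two traits described above: a message body that is a single short phrase ending in a bare-IP URL, and a landing page that pairs a link to an .exe with a 1×1 iframe. The sample messages and page are constructed; the IP addresses are documentation ranges, and only the “fireworks.exe” and “ind.php” names come from the post.

```python
import re

# Constructed sample data modelled on the campaign; the IP addresses are
# documentation ranges (RFC 5737), not real campaign infrastructure.
SAMPLE_MESSAGES = [
    ("Light up the sky", "Light up the sky http://192.0.2.10/"),
    ("Well done 4th!", "Well done 4th! http://198.51.100.7/"),
    ("Meeting notes", "Slides are at http://intranet.example/deck\nThanks, Bob"),
]
SAMPLE_PAGE = (
    '<html><body><a href="fireworks.exe"><img src="fireworks.jpg"></a>'
    '<iframe src="ind.php" width="1" height="1"></iframe></body></html>'
)

# A URL whose host is a bare dotted quad and whose path is nothing but "/".
BARE_IP_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})/?$")


def is_dorf_style_lure(body: str) -> bool:
    """True when the whole body is one line: a short phrase ending in a bare-IP URL."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if len(lines) != 1:
        return False
    words = lines[0].split()
    m = BARE_IP_URL.match(words[-1])
    if not m or any(int(octet) > 255 for octet in m.group(1).split(".")):
        return False
    phrase_len = len(words) - 1        # words in front of the URL
    return 1 <= phrase_len <= 8


def landing_page_indicators(html: str) -> list:
    """Names of the lure-page traits from the post that appear in html."""
    found = []
    for tag in re.findall(r"<iframe\b[^>]*>", html, re.I):
        if re.search(r'\bwidth=["\']?1\b', tag, re.I) and re.search(r'\bheight=["\']?1\b', tag, re.I):
            found.append("1x1 iframe")
            break
    if re.search(r'href=["\'][^"\']*\.exe["\']', html, re.I):
        found.append("link to .exe")
    return found


def flagged_subjects(messages) -> list:
    """Subjects of the messages whose body matches the campaign pattern."""
    return [subject for subject, body in messages if is_dorf_style_lure(body)]


if __name__ == "__main__":
    print(flagged_subjects(SAMPLE_MESSAGES))     # ['Light up the sky', 'Well done 4th!']
    print(landing_page_indicators(SAMPLE_PAGE))  # ['1x1 iframe', 'link to .exe']
```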

Veteran observers of the malware scene may well remember that this is not the first time that hackers have used fireworks in their attempts to infect computer users. At the tail end of 1998, the French virus writer Spanska used his Happy99 malware to display animated images of a fireworks display.