sudosecure.net

is anything truly secure…

Storm Worm Tracking

Posted by jeremy on March 6th, 2008

Early January or maybe even late December I started tracking the Storm Worm with a Perl script I created that would go out, grab the current binary and store it locally for me. Just recently I decided to start this website, and my first real content addition is a web interface I titled "Storm Binary Tracker", which gives the world access to some of the Storm Worm binary information I have obtained. The scripts that do this are all fairly basic and I may release them at a later date, but right now they are full of bad coding practices, so I really need to clean them up first.

My binary database is just a small portion of what I have been tracking and holds ~1,300 indexed binaries as of today. I have also been tracking the unique IP addresses of Storm Worm web servers, found through DNS scripts querying the fast-flux domain names, and have collected ~65,000 of those as of today. If you would like a copy of this second list, just shoot me an email at jeremy [at] sudosecure.net and I would be happy to send it to you. I may also start hosting this file online at a future date, but right now you can only get it through email.
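The fetch-and-index loop described above is easy to get subtly wrong: a tracker that records whatever bytes the server returns will happily index empty responses and error pages as "the current binary". The following Python sketch is an added example, not the post's Perl scripts, of the indexing side of such a tracker: it hashes each fetched blob, rejects fetches that cannot be a PE file, and de-duplicates by SHA-256 so that one binary served under several names or from several fast-flux hosts is stored once with all of its names and hosts attached. One check worth building in is the empty-fetch test: the MD5 of zero bytes is d41d8cd98f00b204e9800998ecf8427e, which is exactly the value the post reports for the "dormant" period, so a tracker that flags that hash would have pointed at an empty download rather than a static sample. The `MIN_BINARY_SIZE` threshold, the class and function names, and the sample data are all constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# MD5 of zero bytes. A fetch that hashes to this value downloaded nothing,
# which must be flagged before it is counted as "the current binary".
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

# Anything smaller is more likely an error page or a truncated transfer
# than a real PE executable (constructed threshold, tune to taste).
MIN_BINARY_SIZE = 1024


def hash_binary(data: bytes) -> dict:
    """Hashes and size a tracker should index for one fetched sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def classify_fetch(data: bytes) -> str:
    """Decide whether a fetched blob is a sample worth indexing."""
    if len(data) == 0:
        return "empty"          # md5 == EMPTY_MD5
    if len(data) < MIN_BINARY_SIZE:
        return "too-small"      # error page, redirect body, truncated download
    if data[:2] != b"MZ":
        return "not-pe"         # DOS/PE magic missing: not a Windows executable
    return "ok"


class BinaryIndex:
    """In-memory stand-in for the tracker database, keyed by SHA-256."""

    def __init__(self):
        self.samples = {}

    def record(self, filename: str, host: str, data: bytes, seen_at: str = None) -> dict:
        """Index one fetch; returns the hashes plus whether it was a new sample."""
        seen_at = seen_at or datetime.now(timezone.utc).isoformat()
        hashes = hash_binary(data)
        status = classify_fetch(data)
        if status != "ok":
            # Rejected fetches are still reported so the operator sees them,
            # but they never become rows in the index.
            return {"status": status, "new": False, **hashes}
        rec = self.samples.get(hashes["sha256"])
        new = rec is None
        if new:
            rec = {**hashes, "first_seen": seen_at, "names": set(), "hosts": set(), "hits": 0}
            self.samples[hashes["sha256"]] = rec
        rec["last_seen"] = seen_at
        rec["names"].add(filename)   # the same bytes are often served under several names
        rec["hosts"].add(host)       # fast-flux: many hosts, one binary
        rec["hits"] += 1
        return {"status": "ok", "new": new, **hashes}


if __name__ == "__main__":
    idx = BinaryIndex()
    fake_pe = b"MZ" + b"\x90" * 4096                              # constructed stand-in sample
    print(idx.record("valentine.exe", "192.0.2.10", fake_pe))    # new sample
    print(idx.record("ecard.exe", "192.0.2.11", fake_pe))        # same bytes, new name
    print(idx.record("valentine.exe", "192.0.2.12", b""))        # empty fetch, rejected
```

Keying the index on SHA-256 rather than on file name is what makes the "how often does the binary really change" question answerable: a name change with no hash change is a repackaging of the lure, not a new sample.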

Well, enough about the scripts; let me now tell you some of the things I have learned about the Storm Worm. First, the binaries do change very regularly, as many others have noted, but one oddity: from February 12th around 21:00 Central Standard Time until February 23rd around 19:00 Central Standard Time the Storm Worm binary took on an almost dormant state. Maybe this was just by chance and my scripts found old servers during that time frame, but the binary name stayed "valentine.exe" and the MD5 hash stayed "d41d8cd98f00b204e9800998ecf8427e" the entire time. I remember thinking something must be wrong with my script, but I double-checked several sites manually and had the same results. Another oddity, which I confirmed while analyzing the binary after reading about it on another site, is that the XOR encryption key used to encrypt the eDonkey bot traffic never changes.
This key value is "f3aa580e78de9b3715742c8fb341c550337a633de613df6c46cabe9a77489402c0f36649ee8721bb9b". A simple script that loops through a pcap file and XORs the traffic against the key will leave you with plain old eDonkey protocol that you can then analyze in Wireshark if you're interested. If you don't want to write the script, just Google around; several people have published scripts to do this.
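The decode step described above, written out as an added Python example (not one of the published scripts the post refers to): it walks a classic libpcap file without any third-party library, pulls out each IPv4/UDP payload, XORs it against the 41-byte key quoted in the post, and marks which decoded datagrams start with 0xE3, the protocol marker that begins a plain eDonkey datagram. Two assumptions are built in and labelled in the code: the key is applied from the start of each UDP datagram and restarts with every datagram (the post does not say where the key boundary is), and the capture is Ethernet-framed IPv4. Because the cipher is a repeating XOR, the same function both encodes and decodes, which is what the constructed capture at the bottom relies on to exercise the decoder offline.

```python
import struct

# Fixed 41-byte XOR key the post reports for Storm's eDonkey bot traffic.
STORM_XOR_KEY = bytes.fromhex(
    "f3aa580e78de9b3715742c8fb341c550337a633de613df6c46cabe9a77489402c0f36649ee8721bb9b"
)
# First byte of a plain eDonkey datagram (the ED2K protocol marker).
EDONKEY_PROTO = 0xE3


def xor_with_key(data: bytes, key: bytes = STORM_XOR_KEY) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes.
    Assumption: the key restarts at offset 0 of every datagram."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def iter_pcap_frames(blob: bytes):
    """Yield raw link-layer frames from a classic (libpcap, not pcapng) capture."""
    magic = blob[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", blob[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")
    off = 24
    while off + 16 <= len(blob):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        yield blob[off:off + incl_len]
        off += incl_len


def udp_payload(frame: bytes):
    """Return (src, sport, dst, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                        # IP protocol 17 = UDP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return src, sport, dst, dport, udp[8:ulen]


def decode_capture(blob: bytes) -> list:
    """Decode every UDP payload in the capture and note which look like eDonkey."""
    out = []
    for frame in iter_pcap_frames(blob):
        parsed = udp_payload(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        plain = xor_with_key(payload)
        out.append({
            "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
            "plaintext": plain,
            "looks_edonkey": len(plain) > 0 and plain[0] == EDONKEY_PROTO,
        })
    return out


# --- constructed capture so the decoder can be run offline -------------------

def build_udp_frame(payload: bytes, src="192.0.2.10", dst="192.0.2.20",
                    sport=4000, dport=4000) -> bytes:
    """Ethernet/IPv4/UDP frame with zeroed MACs and checksums (enough for parsing)."""
    eth = bytes(12) + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + udp


def build_pcap(frames) -> bytes:
    """Little-endian classic pcap wrapper around the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_200_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    # Constructed datagram: eDonkey marker byte followed by filler bytes.
    sample = bytes([EDONKEY_PROTO, 0x0C]) + bytes(20)
    capture = build_pcap([build_udp_frame(xor_with_key(sample))])
    for rec in decode_capture(capture):
        print(rec["src"], "->", rec["dst"], rec["plaintext"].hex(), rec["looks_edonkey"])
```

To feed the decoded datagrams back to Wireshark, write them into a fresh pcap with the same `build_udp_frame`/`build_pcap` helpers, substituting the decoded payload for the captured one, and the eDonkey dissector will pick them up as normal.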

One characteristic that has held true throughout the time I have been tracking this worm is that its hosting-website trickery seems to work fairly well and changes often. I have seen it use all types of JavaScript trickery, such as the unescape function to mask the binary name, and just recently it has been hosting three differently named binary files: ecard.exe, which is downloaded automatically after 5 seconds using a META refresh tag in the header; e-card.exe, which is downloadable through a standard hyperlink on the page titled "Click Here"; and postcard.exe, which is accessible by clicking the image on the page. The web page is very simple and looks almost legitimate. Here is a snapshot of what the page currently looks like:

[Screenshot: storm_site1.jpg]
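The three download paths described above (a timed META refresh, a plain "Click Here" link, and an image wrapped in a link) plus the unescape() obfuscation are exactly the features a fetch script or a mail gateway can key on. The Python scanner below is an added example, not the post's code, that parses a lure page with the standard-library `html.parser` and reports each executable download path by the mechanism that triggers it, along with any inline script that calls unescape(). The `SAMPLE_LURE` page is constructed to match the post's description, not captured from a real host, and the extension list in `EXEC_EXT` is a constructed choice.

```python
import re
from html.parser import HTMLParser

# Extensions that should never be the target of a "greeting card" page (constructed list).
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat)(\?|#|$)", re.I)


class LureScanner(HTMLParser):
    """Collects the download paths a lure page offers and the script tricks it uses."""

    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, url_or_snippet, detail)
        self._links = []        # stack of currently open <a> elements
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content="5;url=ecard.exe": automatic download after N seconds
            m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m and EXEC_EXT.search(m.group(2)):
                self.findings.append(("meta-refresh", m.group(2), int(m.group(1))))
        elif tag == "a":
            self._links.append({"href": a.get("href", ""), "text": [], "img": False})
        elif tag == "img" and self._links:
            self._links[-1]["img"] = True      # clickable image inside a link
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "a" and self._links:
            link = self._links.pop()
            if EXEC_EXT.search(link["href"]):
                kind = "image-link" if link["img"] else "link"
                self.findings.append((kind, link["href"], " ".join(link["text"]).strip()))
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            # unescape() is the classic way to hide a file name from simple greps
            if re.search(r"\bunescape\s*\(", data):
                self.findings.append(("script-unescape", data.strip()[:60], None))
        elif self._links:
            self._links[-1]["text"].append(data.strip())


def scan_html(html: str) -> list:
    """Return every finding for one page."""
    scanner = LureScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def download_urls(findings) -> set:
    """Just the executable paths, whatever mechanism delivers them."""
    return {url for kind, url, _ in findings if kind != "script-unescape"}


# Constructed lure page modelled on the post's description of the three download paths.
SAMPLE_LURE = """<html><head>
<meta http-equiv="refresh" content="5;url=ecard.exe">
<script>document.write(unescape("%3C%62%3E%59%6F%75%72%20%63%61%72%64%3C%2F%62%3E"));</script>
</head><body>
<p>Your friend has sent you a card. <a href="e-card.exe">Click Here</a></p>
<a href="postcard.exe"><img src="card.gif"></a>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_LURE):
        print(finding)
```

The scanner reports what the page would make a victim fetch without following any of the links itself, so it is safe to run against stored copies of lure pages; feeding the reported paths to a tracker's download step is the separate, deliberate action.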
