sudosecure.net


Storm Worm is back and SPAM is flowing.

Posted by jeremy on May 30th, 2008

It looks like the Storm Worm authors have finally got their DNS issues worked out and have started repairing the overall botnet structure. I wonder how much money is lost when a spam-sending botnet the size of the Storm Worm is down for longer than a few days? I would bet it is a lot. Anyway, it looks like the Storm Worm web servers do not have an index page defined yet, but I bet that this configuration is short lived. I was only able to grab these files or pages from a Storm Worm server during my testing: ind.php, load.php, sony.exe, loveyou.exe, and iloveyou.exe. The iloveyou.exe and loveyou.exe are identical binaries with the same md5sums, and here are their VirusTotal results. The load.php and sony.exe are also identical binaries, and here are their VirusTotal results. According to the VirusTotal statistics it looks like about 50% of the antivirus companies are detecting these binaries at this time. Running these binaries in my sandnet shows they are still using the herjek.exe and herjek.config file names and are located in the Windows directory (%windir%). Here is a list of the 815 peers I was able to extract: peers_list.txt.

Some of the more interesting findings in my tests this afternoon had to do with the spam the Storm Worm was trying to send out. All of the spam being sent out right now is using subdomain names for only a few unique domain names. The following are the unique domain names I was able to extract from my sandnet SMTP mail server:

  • catsharp.com
  • lowsmell.com
  • picturewest.com
  • posestory.com
  • pressrose.com
  • producemorning.com

Here are a few of the subdomain names I saw:

  • aayxyi.catsharp.com
  • acknl.pressrose.com
  • acz.picturewest.com
  • ad.producemorning.com
  • adru.picturewest.com
  • aegi.lowsmell.com
  • aegirl.pressrose.com
  • aemw.picturewest.com
  • afpirl.picturewest.com

A full list of the subdomain names I was able to identify can be found here: smtp_sites subdomains. Obviously these subdomains are randomly generated, and the Storm DNS servers have wildcards to accept requests for any subdomain of the few domain names I listed earlier. All of these domains and subdomains seem to point you to the Canadian Pharmacy site I spoke about in my last Storm Worm posting. This time, though, it looks like even the SPAM domains are using Fast Flux technology to rotate their IP addresses from a list of 20 IPs that are also rotated about every two minutes. This will definitely prevent IP blocks from being effective, so if you have any type of DNS blackholing or blacklists I would suggest you add these domains to those lists now. All of the SPAM was focused on pharmaceuticals, which is fairly normal for the Storm Worm. Here is a list of the unique subject lines I saw in my sandnet: smtp_subjects.txt.
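As an added example (not code from the original post), here is a small defender-side script that turns the two behaviours described above into blocklist candidates: it counts how many distinct random subdomains hang off each base domain (wildcard DNS fronting generated names) and how often a hostname's DNS answer set changes between snapshots (fast flux). The subdomain names are the ones quoted above; the example.org hosts, the DNS snapshots and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: hostnames seen in sandnet SMTP traffic (the subdomains quoted in the post) plus two ordinary hosts for contrast.
OBSERVED_HOSTS = [
    "aayxyi.catsharp.com", "acknl.pressrose.com", "acz.picturewest.com",
    "ad.producemorning.com", "adru.picturewest.com", "aegi.lowsmell.com",
    "aegirl.pressrose.com", "aemw.picturewest.com", "afpirl.picturewest.com",
    "www.example.org", "mail.example.org",
]

# Constructed DNS snapshots: (minute, hostname, answer set). A fast-flux name rotates through a small pool; a static name keeps one answer.
RESOLUTIONS = [
    (0, "acz.picturewest.com", {"198.51.100.10", "198.51.100.11"}),
    (2, "acz.picturewest.com", {"198.51.100.12", "198.51.100.13"}),
    (4, "acz.picturewest.com", {"198.51.100.14", "198.51.100.10"}),
    (0, "www.example.org", {"203.0.113.5"}),
    (2, "www.example.org", {"203.0.113.5"}),
    (4, "www.example.org", {"203.0.113.5"}),
]

def base_domain(host):
    """Registrable domain by the naive last-two-labels rule (assumption: no
    public-suffix list, which is fine for the .com names in this post)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def subdomain_fanout(hosts):
    """Distinct subdomain prefixes per base domain. Many unrelated short labels
    under one domain is the signature of wildcard DNS fronting random names."""
    fanout = defaultdict(set)
    for h in hosts:
        labels = h.lower().rstrip(".").split(".")
        if len(labels) > 2:
            fanout[base_domain(h)].add(".".join(labels[:-2]))
    return {d: len(s) for d, s in fanout.items()}

def flux_score(resolutions):
    """Per hostname: (distinct IPs seen, snapshots whose answer set changed)."""
    by_host = defaultdict(list)
    for _, host, ips in sorted(resolutions, key=lambda r: (r[0], r[1])):
        by_host[host].append(ips)
    return {h: (len(set().union(*s)), sum(a != b for a, b in zip(s, s[1:])))
            for h, s in by_host.items()}

def blocklist_candidates(hosts, resolutions, min_fanout=3, min_changes=1):
    """Base domains worth adding to a DNS blackhole list: heavy random-subdomain
    fan-out, or answers that churn between snapshots (thresholds are tunable)."""
    flagged = {d for d, n in subdomain_fanout(hosts).items() if n >= min_fanout}
    flagged |= {base_domain(h) for h, (_, ch) in flux_score(resolutions).items()
                if ch >= min_changes}
    return sorted(flagged)
```

With the sample data only picturewest.com crosses both thresholds; on a real mail-log feed the fan-out counts grow quickly for every wildcard domain, which is the signal to block the base domain rather than any individual subdomain or IP.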

One last note of interest for everyone who emailed me about the Storm Binary Tracker being down. My outage was due to the Storm Worm having intermittent issues, but since those issues are over my Storm Binary Tracker is now back up and running. Happy Malware Hunting!
