sudosecure.net

              is anything truly secure…

Storm back to Canadian Pharmaceutical spam

Posted by jeremy on June 17th, 2008

Tonight's Storm Worm spam consisted of the same old Canadian Pharmaceutical material they were pushing out before the Angstrom Microsystems unauthorized stock spam campaign. The unique domains I extracted from the spam messages were:

  • describeenter.com
  • industryexpect.com
  • meanquiet.com
  • oftendollar.com
  • yetresult.com

All of these domains are fast-flux domains, each resolving to 20 different IP addresses per query, and the set appears to rotate on a fixed schedule of every 2 minutes. There is no telling how many IP addresses are in the pool in total, but I am sure it is a lot. If you have DNS blackholing capabilities, content filters, and/or spam filters, I would update them now with these domain names.

Another point of interest regarding this spam is that wildcard subdomains are used in all of the spam messages I captured. Here is a list of the unique subdomains: sub domains list. This Canadian Pharmacy website does not seem to change much in its presentation, and the following logo seems to be constant.
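The two defensive points above, spotting the fast-flux pattern (many A records per answer, a new set every couple of minutes) and blocking the domains in a way that also catches their wildcard subdomains, can be checked with a small script. The following is an added example, not code from the original post: the resolver snapshots are constructed inline so it runs offline (in practice you would fill them by resolving each domain every minute or so), the 10.0.0.0/8 addresses are placeholders, the flux thresholds are assumptions to tune for your environment, and the output format assumes a resolver that supports BIND-style Response Policy Zones.

```python
"""Fast-flux heuristics plus DNS blackhole records for the listed domains.

Added example, not part of the original post.  Snapshots are constructed;
thresholds in is_fast_flux() are assumptions.
"""
import ipaddress
from statistics import mean

# The five domains named in the post.
SPAM_DOMAINS = [
    "describeenter.com",
    "industryexpect.com",
    "meanquiet.com",
    "oftendollar.com",
    "yetresult.com",
]


def _constructed_snapshots(rotating, queries=3, per_query=20):
    """Build constructed (seconds_since_start, A-record set) snapshots.

    rotating=True mimics the behaviour described in the post: 20 addresses per
    answer and an entirely different set two minutes later.  rotating=False
    mimics an ordinary host that answers with the same two addresses each time.
    The 10.x.y.z addresses are placeholders, not real resolver output.
    """
    snapshots = []
    for q in range(queries):
        if rotating:
            ips = {f"10.{q * per_query + i}.{i}.1" for i in range(per_query)}
        else:
            ips = {"10.200.0.1", "10.200.0.2"}
        snapshots.append((q * 120, frozenset(ips)))
    return snapshots


FLUX_SNAPSHOTS = _constructed_snapshots(rotating=True)
STABLE_SNAPSHOTS = _constructed_snapshots(rotating=False)


def flux_metrics(snapshots):
    """Summarise resolution behaviour over a series of (time, ip-set) snapshots."""
    answer_sets = [ips for _, ips in snapshots]
    unique = set().union(*answer_sets)
    # Fraction of each answer that was not present in the previous answer.
    turnovers = [
        len(cur - prev) / len(cur)
        for prev, cur in zip(answer_sets, answer_sets[1:])
        if cur
    ]
    # /16 diversity stands in for ASN diversity, which needs external data.
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in unique}
    return {
        "answers_per_query": mean(len(s) for s in answer_sets),
        "unique_ips": len(unique),
        "turnover": mean(turnovers) if turnovers else 0.0,
        "distinct_prefixes": len(prefixes),
    }


def is_fast_flux(snapshots, min_answers=5, min_turnover=0.5, min_prefixes=5):
    """Heuristic verdict.  The default thresholds are assumptions, not a standard."""
    m = flux_metrics(snapshots)
    return (
        m["answers_per_query"] >= min_answers
        and m["turnover"] >= min_turnover
        and m["distinct_prefixes"] >= min_prefixes
    )


def matches_blocklist(hostname, domains):
    """True if hostname is a listed domain or any subdomain of one.

    Suffix matching on a label boundary is what makes wildcard subdomains
    (anything.meanquiet.com) hit the same entry as the bare domain.
    """
    host = hostname.lower().rstrip(".")
    for d in domains:
        d = d.lower().rstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def rpz_records(domains):
    """Emit RPZ records that return NXDOMAIN for each domain and all its subdomains."""
    records = []
    for d in domains:
        d = d.lower().rstrip(".")
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records


if __name__ == "__main__":
    for label, snaps in (("rotating", FLUX_SNAPSHOTS), ("stable", STABLE_SNAPSHOTS)):
        verdict = "fast-flux" if is_fast_flux(snaps) else "normal"
        print(label, flux_metrics(snaps), verdict)
    print("\n".join(rpz_records(SPAM_DOMAINS)))
```

The turnover metric is the one that separates this pattern from a large but stable round-robin: a legitimate service with 20 addresses still answers with mostly the same 20 on the next query, whereas the rotating set scores close to 1.0. The `*.domain CNAME .` line is what the wildcard subdomains require; an exact-match blocklist entry for the bare domain would let every generated subdomain through.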

The only new option I identified while looking at this site during this analysis was the option to submit your Instant Messenger information when trying to contact them. My guess is that it is just another way to collect user data that they can then use as a spam mechanism. Here is what the current form looks like:

This may not be new, but it is the first time I noticed it. Another point of interest is that they seem to accept a wide variety of payment types, as seen here.

As always if you have any questions or comments feel free to contact me.
