Storm Worm attempts exploits again
Posted by jeremy on June 20th, 2008
Looks like the authors of the Storm Worm have decided to revisit the use of exploits alongside their usual social engineering techniques by including an iframe within their current web page. The current Storm Worm web page uses an earthquake message as its attempt at social engineering unsuspecting users into downloading a "video" file, which of course is the Storm Worm. Here is the message the Storm authors are currently presenting to users:
A new powerful disaster just occurred in China. The most deadly, 9 magnitude, earthquake took away million of lives in the heart of China, Beijing. Rapidly growing panic paralyzed life of Chinese capital. 2008 Olympic Games are under the threat of failure. Click on the video to see the details of this terrible disaster and choose either "Open" or "Run".
Combining the upcoming Olympic games starting in ~49 days and a natural disaster looks like it may be a new theme that numerous Malware authors will begin to utilize, as current events and disasters always seem to attract a large crowd. I know we started seeing the Olympic games themed Malware several months ago, but now with the Storm Worm authors using it and the start of the games approaching it is my opinion we will see a quadratic rise in the amount of Malware, Phishing sites, and Social Engineering attempts tailored to the unsuspecting followers of the games.
The actual look and feel of this new page is simple and light. Here is an image of the current page:
Video themes also seem to be the standard approach for the Storm Worm authors, so I really was not surprised to see another one being used.
The source code for this page is where we will find the interesting and new obfuscated scripts used to execute multiple exploits tailored to your browser. Here is a snapshot of the source code for the index page:
Obviously if you click the image you will download the "beijing.exe" binary file, which is the Storm Worm Trojan. The interesting piece of code on this page is the iframe for including the "ind.php" file. This "ind.php" file is nothing new to the Storm Worm, as this file name has been used in past Storm Worm exploit attempts and doesn't seem to be going away anytime soon. The contents of the "ind.php" file have changed and are a little harder to deobfuscate. It took me three runs through the file to deobfuscate and analyze it. The exploit attempts in the "ind.php" file do not appear to be anything new, so I won't bore you with the details other than stating that everyone should keep all of their software applications up to date and patched. The binary downloaded inside the "ind.php" file is titled: "load.php?bof".
I ran the "load.php?bof" and "beijing.exe" through VirusTotal and here are the results: "load.php?bof" and "beijing.exe". The identification results were less than 50% for both binaries, so I would highly suggest you continue to block the known active Storm Worm domain names with DNS blackholing, content filters, and/or proxy filters. Here is a list of the current malicious Storm Worm domain names hosting the Trojan binary using the theme discussed in this post:
- grupogaleria.cn
- activeware.cn
- cadeaux-avenue.cn
- polkerdesign.cn
- biztech-co.cn
- ratedhot.cn
- pacoast.cn
- fconnorlaw.cn
- tellicolakerealty.cn
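To make the DNS blackholing suggestion concrete, here is an added example (my code, not part of the original post) that matches resolver query-log lines against the domain list above, treating each entry as a suffix so the random subdomains Storm prepends (the "usualprocess.com" case discussed further down) are caught as well, and that renders the same list as Unbound local-zone entries. The log lines are constructed in BIND query-log style and are not real traffic; the client addresses are made up.

```python
import re

# Domains named in the post as hosting the Storm binary or carrying its spam links.
STORM_DOMAINS = [
    "grupogaleria.cn", "activeware.cn", "cadeaux-avenue.cn", "polkerdesign.cn",
    "biztech-co.cn", "ratedhot.cn", "pacoast.cn", "fconnorlaw.cn",
    "tellicolakerealty.cn",
    "usualprocess.com",  # spam link domain; Storm prepends random subdomains
]

# Constructed sample resolver log in BIND query-log style (not real data).
SAMPLE_QUERY_LOG = """\
20-Jun-2008 10:01:02.123 client 10.0.0.15#51234: query: www.example.com IN A + (10.0.0.1)
20-Jun-2008 10:01:05.456 client 10.0.0.22#51235: query: grupogaleria.cn IN A + (10.0.0.1)
20-Jun-2008 10:01:09.789 client 10.0.0.22#51236: query: x7kq2.usualprocess.com IN A + (10.0.0.1)
20-Jun-2008 10:01:12.000 client 10.0.0.31#51237: query: notusualprocess.com IN A + (10.0.0.1)
20-Jun-2008 10:01:15.000 client 10.0.0.15#51238: query: RatedHot.CN. IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case and strip the trailing dot so 'RatedHot.CN.' == 'ratedhot.cn'."""
    return name.lower().rstrip(".")


def is_blocked(qname, blocklist):
    """True if qname equals a blocklisted domain or is a subdomain of one.

    The label boundary check ("." + d) keeps 'notusualprocess.com' from
    matching 'usualprocess.com'.
    """
    q = normalize(qname)
    for d in blocklist:
        d = normalize(d)
        if q == d or q.endswith("." + d):
            return True
    return False


def scan_query_log(log_text, blocklist):
    """Return (client, qname) pairs for every query that hit the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group("qname"), blocklist):
            hits.append((m.group("client"), normalize(m.group("qname"))))
    return hits


def unbound_local_zones(blocklist):
    """Render blackhole entries in Unbound local-zone syntax.

    'always_nxdomain' answers NXDOMAIN for the zone and everything under it,
    which covers the random subdomains without listing them.
    """
    return "\n".join(
        f'local-zone: "{normalize(d)}." always_nxdomain' for d in blocklist
    )


if __name__ == "__main__":
    for client, qname in scan_query_log(SAMPLE_QUERY_LOG, STORM_DOMAINS):
        print(f"BLOCKED  {client:<12} {qname}")
    print(unbound_local_zones(STORM_DOMAINS))
```

Feeding real query logs through scan_query_log gives you the internal hosts that tried to reach the Storm infrastructure, which is the list you want for cleanup; the Unbound output is one way to turn the same list into the blackhole itself.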
I also ran the "load.php?bof" binary in my lab to get a quick look at the spam being sent out by this run, as it seems to be changing topics a little faster than normal with the recent penny stock emails and then back to Canadian pharmaceuticals. I captured 684 spam emails during this short lab run. The oddity with this run was that I only identified one domain name being used in the data section of the email: "usualprocess.com", and of course the Storm Worm spam was applying a random subdomain name to this domain name. Here are all of the subdomain names I saw during my short run: smtp_log. Another thing I noticed was that the name servers for "usualprocess.com" were not only rotating IP addresses as they always do using a fast flux approach, but the name server domain names were being rotated as well. Here is a list of the name server domain names I saw in my queries:
- ns0.tenshinohane.com
- ns0.forgottensin.com
- ns0.toptenslist.com
- ns0.torstenstv.com
Obviously this is another attempt to keep the links being sent out in emails available. Using passive DNS analysis I was able to identify the following domains as active domain names being served up by the above name servers, and these may be a few more domain names worth blocking:
- boywhole.com
- metalmorning.com
- oftendollar.com
- describeenter.com
- industryexpect.com
- meanquiet.com
- yetresult.com
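The two observations above (name server names rotating along with their IPs, and a passive DNS pivot from those name servers to sibling domains) can be turned into detection logic. The following is an added example of my own, not code from the post: it profiles a set of passive-DNS style observations per queried domain, flags domains whose authoritative NS names and NS IPs both churn, and then pivots from the flagged name servers to every other domain they were seen serving. The observation records are constructed for illustration using the name server names from the post and documentation IP ranges; the timing values, the IPs and the benign control domain are made up.

```python
from collections import defaultdict

# Constructed passive-DNS style records (not the post's real query data).
# Each record is one resolution: relative time, queried name, the NS name
# that was authoritative at that moment, and the A records of that NS name.
OBSERVATIONS = [
    {"t": 0,   "qname": "usualprocess.com", "ns": "ns0.tenshinohane.com", "ns_ips": ["203.0.113.10", "198.51.100.7"]},
    {"t": 300, "qname": "usualprocess.com", "ns": "ns0.forgottensin.com", "ns_ips": ["192.0.2.44", "203.0.113.91"]},
    {"t": 600, "qname": "usualprocess.com", "ns": "ns0.toptenslist.com",  "ns_ips": ["198.51.100.120"]},
    {"t": 900, "qname": "usualprocess.com", "ns": "ns0.torstenstv.com",   "ns_ips": ["192.0.2.9", "203.0.113.200"]},
    {"t": 120, "qname": "boywhole.com",     "ns": "ns0.tenshinohane.com", "ns_ips": ["203.0.113.10"]},
    {"t": 650, "qname": "metalmorning.com", "ns": "ns0.toptenslist.com",  "ns_ips": ["198.51.100.120"]},
    # Benign control: one stable NS name, one stable IP (made-up name).
    {"t": 0,   "qname": "benign.example",   "ns": "ns1.benign.example",   "ns_ips": ["192.0.2.1"]},
    {"t": 900, "qname": "benign.example",   "ns": "ns1.benign.example",   "ns_ips": ["192.0.2.1"]},
]


def profile(observations):
    """Per queried domain: distinct NS names, distinct NS IPs, observation count."""
    prof = defaultdict(lambda: {"ns_names": set(), "ns_ips": set(), "n": 0})
    for o in observations:
        p = prof[o["qname"]]
        p["ns_names"].add(o["ns"])
        p["ns_ips"].update(o["ns_ips"])
        p["n"] += 1
    return prof


def flag_fast_flux(observations, min_ns_names=2, min_ips=3):
    """Flag domains whose NS *names* rotate and whose NS IPs churn.

    Ordinary IP-only fast flux keeps the NS names fixed; requiring both
    thresholds targets the double rotation described in the post. The
    thresholds are assumptions to be tuned against your own data.
    """
    flagged = {}
    for dom, p in profile(observations).items():
        if len(p["ns_names"]) >= min_ns_names and len(p["ns_ips"]) >= min_ips:
            flagged[dom] = {
                "ns_names": sorted(p["ns_names"]),
                "ip_count": len(p["ns_ips"]),
                "observations": p["n"],
            }
    return flagged


def pivot_by_ns(observations, ns_names, exclude=()):
    """Passive-DNS pivot: other domains served by the given NS names."""
    seeds = set(ns_names)
    return sorted(
        {o["qname"] for o in observations if o["ns"] in seeds} - set(exclude)
    )


if __name__ == "__main__":
    hits = flag_fast_flux(OBSERVATIONS)
    for dom, info in hits.items():
        print(f"{dom}: {len(info['ns_names'])} NS names, {info['ip_count']} NS IPs")
        print("  block candidates:", pivot_by_ns(OBSERVATIONS, info["ns_names"], exclude=[dom]))
```

On real passive DNS data the pivot is the part that pays off: once one spam domain is confirmed, every other domain sharing its rotating name servers is a reasonable addition to the blocklist before its spam run even starts.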
The last thing I noted was that this binary installed itself in %WinDir% as "msvupdater.exe" with a peer file in this same directory titled "msvupdater.config". Here are the 830 peer IP addresses I extracted: peers.txt.