sudosecure.net

With all of the know Storm Worm domain names temporarily not resolving, due to the Storm Worm designated name servers not responding to A record requests, the authors have reverted back to spamming direct IP links to our mail boxes. The main Storm Worm domain name servers I am aware of are:

• ns.likenewvideos.com
• ns2.likenewvideos.com
• ns3.likenewvideos.com
• ns4.likenewvideos.com
• ns.verynicebank.com
• ns2.verynicebank.com
• ns3.verynicebank.com
• ns4.verynicebank.com
• ns5.verynicebank.com
• ns6.verynicebank.com

I captured 1,014 spam messages in my lab this afternoon during a short run just to check on things. Of the 1,014 spam messages there were only 47 unique IP addresses and only 30 unique Subject lines. Here are two text files with the data: spam_ips.txt and spam_subjects.txt. As you can see the spam messages relate with the Storm Web server theme of a disaster in China and the 2008 Olympic Games in Beijing.

Another note of interest in my fake SMTP server logs is the User Agent for the spam messages seems to only ever be one of two different unique User Agents either "Thunderbird 2.0.0.6 (Windows/20070728)" or "Thunderbird 1.5.0.13 (Windows/20070809)". I can't believe I missed this, but after revisiting several of my old SMTP log files I have found this to be a common pattern for almost a month now. These both seem to be legitimate User Agents via my Google search results, but since they are old Thunderbird mail clients it may be worth looking into possibly writing a snort signature for something like this. I was thinking about testing the waters to see what I come up with in the next few days. If any of you run a mail server I would definitely be interested in hearing your opinion on how popular these User Agents are. Here is my full SMTP log for this afternoon's run: smtplogs.txt

To sum this short post up here is the usual Storm Peering IP list extracted from the configuration file: peers2.txt and my Virus Total results for the binary files: beijing.exe and msvupdater.exe.