Storm Worm spam modifications contain email addresses
Posted by jeremy on June 25th, 2008
In another lab run of the Storm Worm last night I captured 7,341 emails, of which there were 31 unique Subject lines, 5 distinct email addresses in select message bodies, and 105 unique direct IP-address links. The majority of last night's spam lab run contained the current theme of a disaster in China affecting the Olympic games in Beijing. Nothing new there, but I did find 1,144 messages which contained the following style of message:
Hello, my friend.
Do you want to buy any stuff: any kind of pills, oem software, cool porn?
Just mail me back, i'll find the best offer for you.My Email: gpdude22@yahoo.com
Of these 1,144 messages containing this unique message I was able to extract 5 different individual email addresses:
- cstygstra@gmail.com
- gpdude22@yahoo.com
- infrared35@gmail.com
- jim@tegelaar.com
- wagz_is_god@yahoo.com
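The triage described above (message count, unique Subject lines, direct IP links, and the contact addresses embedded in the "Hello, my friend" template) is easy to script over a captured mail corpus. The following is an added example written for this page, not code from the original post or from the author's lab. The five messages in SAMPLE_MESSAGES are constructed placeholders (RFC 5737 test IPs and example.com addresses, not the addresses listed above); the only thing taken from the post is the template phrase used as the marker. It uses only the Python standard library, so it runs offline against the inline sample and can be pointed at a real mbox or SMTP capture by swapping in a different list of raw messages.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample corpus (hypothetical; not from the original SMTP log).
# Messages 3 and 4 follow the "Hello, my friend" template quoted in the post,
# with placeholder contact addresses instead of the real ones.
SAMPLE_MESSAGES = [
    "From: a@example.net\nSubject: Disaster in China\n\n"
    "See video: http://192.0.2.10/\n",
    "From: b@example.net\nSubject: Disaster in China\n\n"
    "See video: http://192.0.2.11/index.html\n",
    "From: c@example.net\nSubject: Hello, my friend\n\n"
    "Hello, my friend.\n"
    "Do you want to buy any stuff: any kind of pills, oem software, cool porn?\n"
    "Just mail me back, i'll find the best offer for you.My Email: contact1@example.com\n",
    "From: d@example.net\nSubject: Olympic games in danger\n\n"
    "Do you want to buy any stuff: any kind of pills, oem software, cool porn?\n"
    "Just mail me back, i'll find the best offer for you.My Email: contact2@example.com\n",
    "From: e@example.net\nSubject: Disaster in China\n\n"
    "See video: http://192.0.2.10/\n",
]

# Email address inside a body (deliberately simple; good enough for spam triage).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# http(s) URL whose host is a bare dotted-quad IP; group(1) is the IP.
IP_LINK_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[/:][^\s<>]*)?")
# Phrase from the template quoted in the post, used to pick out those messages.
TEMPLATE_MARKER = "Do you want to buy any stuff"


def body_text(msg):
    """Return the decoded text of a message, joining text/plain parts if multipart."""
    if msg.is_multipart():
        parts = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
        return "\n".join(parts)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def analyse(raw_messages):
    """Summarise a list of raw RFC 822 messages the way the post's lab run was summarised."""
    subjects = Counter()
    ip_hosts = set()        # web servers linked to directly by IP
    body_emails = set()     # contact addresses embedded in template messages
    template_hits = 0
    for raw in raw_messages:
        msg = message_from_string(raw)
        subjects[msg.get("Subject", "").strip()] += 1
        body = body_text(msg)
        for m in IP_LINK_RE.finditer(body):
            ip_hosts.add(m.group(1))
        if TEMPLATE_MARKER in body:
            template_hits += 1
            body_emails.update(EMAIL_RE.findall(body))
    return {
        "messages": len(raw_messages),
        "unique_subjects": sorted(subjects),
        "ip_hosts": sorted(ip_hosts),
        "template_hits": template_hits,
        "body_emails": sorted(body_emails),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_MESSAGES).items():
        print(f"{key}: {value}")
```

The IP list is the useful operational output: each dotted-quad host is a compromised Storm node serving the landing page, so it can be fed straight into a blocklist or a crawler that fetches the binary. The contact addresses are kept separate from header senders on purpose; sender addresses in this kind of spam are forged, while the address in the body is what the template actually asks the victim to reply to.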
I Googled all of these email addresses to see if possibly the Storm Worm authors were raining some spam on these targeted emails, as this was my first thought, but found that these email addresses returned no results except for wagz_is_god@yahoo.com. I found a post from a user calling himself "wagzisgod" from 2004 about maintaining a traders list on spawn.com. The Google cached page can be seen here: Spawn.com Message Board post. So I don't think this is a malicious attack against the email addresses listed above, but more likely a way of trying to identify active email addresses maintained in their current harvest lists. I sent an email using a newly created account and have yet to receive any response regarding my staged request for more information about the availability of the products in the spam message. I really didn't expect to receive a response, but this was more of an attempt to monitor spam generated from the Storm Worm, as this newly created email address has only been used once, making it perfect for tracking the Storm spam if it works the way I hope it does. Only time will tell.
Here are the logs from last night's spam run in my lab for your own analysis: Full SMTP log, Unique IPs for Storm Web Servers in Spam Log, and Storm P2P Peer list.