Storm back with some major love
Posted by jeremy on July 1st, 2008
Looks like the authors of the Storm Worm are at it again with the "love theme", but this time with lots of love. I have identified 24 active Storm Worm web server domain names serving up a new Storm Worm binary with very little detection by the antivirus companies according to my VirusTotal results (8/33, a 24% detection rate). My current list of active domain names is:
Most of these were identified through passive DNS techniques and my spam lab setup. Looking at the spam I captured in my lab for the newest Storm run, I was able to identify 64 unique Subject lines from 3,743 spam email messages. All 64 unique Subject lines related to the theme of love, which, if I had to guess, must pay high dividends for the Storm authors, as they have returned to this theme over and over again. A few sample subject lines are:
- All I need is You
- Always on my mind
- Can't forget You
- Can't stay away from you
- Crazy in love
- Crazy in love with you
- Deep in my heart
- Deeply in love with you
- Dreaming 'bout you
- Everything for you
All 64 unique subject lines can be seen here: spam_subject.txt. The spam itself came in 65 unique message bodies, each a simple one-line message containing a hyperlink to one of the 24 active Storm domains listed above. Following any of these hyperlinks leads to the newest version of the Storm Worm web server page, which keeps the Egreetings/Ecard design and the love theme, but with a twist. The web page title is:
Free I Love You Ecards, I Love You Greeting Cards, I Love You Greetings, Cards, ecards, egreetings
The twist is that the Storm authors have added a flashy banner at the top of the page stating that you are the 10,000th visitor and that you have won a prize. To claim the prize, all you have to do is click through the fake banner advertisement. Here is a snapshot of the current Storm Worm web page:
Examining the page source, there are two unique binary names available for download: "winner.exe" and "mylove.exe". Clicking the image stating you're the 10,000th visitor downloads the winner.exe binary; clicking the "click here" hyperlink downloads the mylove.exe binary. The Storm Worm authors are also actively maintaining a malicious script titled "ind.php" containing 9 individual exploits, hidden from view with an iframe redirection and littered with heavy JavaScript obfuscation to evade detection and analysis.
It is my opinion that this particular version/run of the Storm Worm is the largest in scale this year. I do not remember seeing this many active domain names being used in any of the past runs I have analyzed. I also noticed that the Fast Flux network has changed the TTL on all of the Storm Worm domains' A records to 60 seconds, instead of the usual 0 seconds. This means the Fast Flux DNS servers will rotate the A records every 60 seconds instead of after every individual query, which may be an attempt to throw off some techniques for analyzing and identifying Fast Flux domain names. Another reason I believe this is one of the largest runs this year is that my Storm web server DNS tracking scripts are averaging ~3,200 unique IP addresses a day, instead of last month's daily average of 376. Obviously this is a large increase, but it could be a misleading number, as my tracking scripts have more domain names to work with now than they have ever had in the past, simply because there are so many active domain names right now.
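The TTL change described above is a reason not to key fast-flux detection on a TTL of exactly 0. The following is an added example, not the author's tracking scripts: it aggregates constructed passive-DNS observations (hypothetical .example domains, assumed thresholds) per domain and flags fast-flux candidates on a short-TTL band, distinct-IP count and IP churn together, so a TTL bump from 0 to 60 seconds does not slip past the check.

```python
from collections import defaultdict

# Constructed sample passive-DNS observations (hypothetical domains, not real data):
# (seconds since start of collection, queried domain, A-record TTL, answer IP)
SAMPLE_OBSERVATIONS = [
    (0,   "makeflux.example", 60, "192.0.2.10"),
    (60,  "makeflux.example", 60, "192.0.2.11"),
    (120, "makeflux.example", 60, "198.51.100.7"),
    (180, "makeflux.example", 60, "203.0.113.45"),
    (240, "makeflux.example", 60, "192.0.2.10"),     # an earlier node comes back
    (300, "makeflux.example", 60, "198.51.100.99"),
    (360, "makeflux.example", 60, "203.0.113.46"),
    (0,   "zeroflux.example", 0,  "192.0.2.50"),     # the older TTL-0 style
    (1,   "zeroflux.example", 0,  "192.0.2.51"),
    (2,   "zeroflux.example", 0,  "192.0.2.52"),
    (3,   "zeroflux.example", 0,  "192.0.2.53"),
    (0,   "static.example", 3600, "192.0.2.200"),    # ordinary stable hosting
    (60,  "static.example", 3600, "192.0.2.200"),
    (120, "static.example", 3600, "192.0.2.200"),
]

def summarize(observations):
    """Per domain: distinct IPs, query count, lowest TTL seen, and churn =
    fraction of queries whose answer IP had not been seen for that domain before."""
    agg = defaultdict(lambda: {"ips": set(), "ttls": set(), "queries": 0, "new_ips": 0})
    for _, domain, ttl, ip in observations:
        d = agg[domain]
        d["queries"] += 1
        d["ttls"].add(ttl)
        if ip not in d["ips"]:
            d["ips"].add(ip)
            d["new_ips"] += 1
    return {dom: {"unique_ips": len(d["ips"]), "queries": d["queries"],
                  "min_ttl": min(d["ttls"]), "churn": d["new_ips"] / d["queries"]}
            for dom, d in agg.items()}

def is_fast_flux(entry, max_ttl=300, min_unique_ips=4, min_churn=0.5):
    """Heuristic with assumed thresholds: a short-TTL band (not TTL == 0) plus
    many distinct IPs and high churn, the latter two being independent of TTL."""
    return (entry["min_ttl"] <= max_ttl
            and entry["unique_ips"] >= min_unique_ips
            and entry["churn"] >= min_churn)

def flag_fast_flux(observations):
    """Sorted list of domains whose resolution history looks fast-flux."""
    return sorted(d for d, e in summarize(observations).items() if is_fast_flux(e))

if __name__ == "__main__":
    print(flag_fast_flux(SAMPLE_OBSERVATIONS))
```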
