sudosecure.net

Looks like the authors couldn't resist the opportunity to entice United State citizens with a "Colorful Independence Day" theme. The good news is there are only 5 of the 24 domain names I reported the other day still active. Here is a list of the current active Storm Worm domain names:

• activeware.cn
• grupogaleria.cn
• lollypopycandy.com
• nationwide2u.cn
• likethisone1.com

The new "Colorful Independence Day" theme is a little different than past campaigns, as it only hosts one binary file and the ind.php exploit scripts. Usually the Storm Worm authors maintain two differently named binaries available for download through a hyperlink and by clicking an image file. This time the authors are only hosting a binary titled "fireworks.exe", which is downloaded by clicking a colorful image of a fireworks show. Here is a snapshot of the current site:

The normal ind.php file is a hidden iframe inclusion with the normal 9 exploits waiting to serve up a fresh install of the Storm Worm Trojan turning your computer into a spamming maniac. VirusTotal results shows that many of the Antivirus companies are still struggling to keep up and identify the constantly changing/morphing Storm Worm. With only ~52% (17/33) identifying the fireworks.exe binary as being malicious of which 2 of the 17 just state the file is suspicious. I wouldn't count the suspicious file signatures as a success, so in my opinion only 15/33 really identified the binary. Here is a link to the results page for VirusTotal.

With this being the evening of the beginning of my long weekend vacation I am going to cut this analysis short and leave you with a "Happy 4th of July" and be safe.