sudosecure.net

Storm Worm Spam mixing Fireworks and Drugs.

Posted by jeremy on July 5th, 2008

This morning I figured I would check on the Storm Worm, since its current theme is the "Colorful Independence Day" theme and today is the day after the 4th of July. The Storm Worm web servers are still serving up the fireworks.exe binary and the image file is still the same, so no changes there.

Where I did find changes was in the Storm Worm spam messages going out. The spam run rotates themes roughly every 250 to 350 messages, alternating between a pharmaceutical spam theme and new Storm Worm domain names. The new Storm domain names I found in the spam messages are as follows:

  • bellestarfireworks.com
  • dayfireworkssite.com
  • greatfireworkslaws.com
  • thefireworksjuly.com
  • wholefireworksonline.com
  • worldbestfireworks.com
  • yourfireworks.com
  • yourfireworksstore.com

The following domains are still active as well in serving up Storm Worm binaries:

  • activeware.cn
  • grupogaleria.cn
  • lollypopycandy.com
  • nationwide2u.cn
  • likethisone1.com

I verified all of these domain names with some passive DNS discovery techniques and identified a few new Storm name servers handing out A records for them. In total there are 71 active Storm Worm DNS servers answering lookup requests. Here is a full list of all 71: Storm NS Servers List.

The pharmaceutical spam site has been modified as well. It looks like they have changed their name from "Canadian Pharmaceuticals" to "Pharmacy Express". This new site appears to be very similar in appearance to the old Canadian Pharmaceuticals site. Here is a snapshot of the Pharmacy Express web page header:

The spammed domain names I grabbed during this spam run were as follows:

  • fairneck.com
  • girlsultry.com
  • ihotair.com
  • pharmacydepotonline.com
  • prohotsite.com
  • redhotcapital.com
  • seatdistant.com
  • sexyhotworld.com
  • squarespell.com
  • starfoxguide.com
  • teahotspot.com
  • theshyfo.com

These domains are also Fast Flux networks, rotating 19 different A records at 120 second intervals, which makes them a little different from the standard Storm web server Fast Flux network. The Storm web server Fast Flux DNS servers rotate IP addresses by serving a new individual A record every 60 seconds. In my opinion this change in A record TTL is a simplistic attempt to avoid discovery by several of the Fast Flux domain discovery scripts out there. Most of the basic Fast Flux discovery scripts look for a change in IP addresses within a 60 second interval, and the authors of the Storm Worm Fast Flux network avoid this discovery by rotating outside that interval. If you are using these types of discovery techniques or scripts, modify them to query at a longer interval such as 360 seconds to get better results. The drawback of this modification is that it is prone to false positives: any domain whose address happens to change once during the longer window will trip a simple "did the answer change" check.
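To make the interval point concrete, here is an added example of my own (not code from the original post or from any published Fast Flux script). The name servers are constructed stand-ins using RFC 5737 documentation addresses that mimic the two rotation patterns described above (one A record every 60 seconds, and 19 A records every 120 seconds), so it runs offline with no real lookups; the polling intervals, the six-minute run length and the distinct-IP threshold are assumptions. It shows why a two-lookup check 60 seconds apart misses the 120 second network, why widening the gap to 360 seconds catches it but also flags a host that simply moved once, and how counting the distinct addresses seen across the whole run separates the two.

```python
"""Fast-flux detection against sampled DNS answers.

Added example, not code from the original post. The resolvers below are
constructed stand-ins (RFC 5737 addresses) for the rotation patterns the
post describes; polling intervals and the distinct-IP threshold are assumed.
"""
from typing import Callable, FrozenSet, List, Tuple

Resolver = Callable[[int], FrozenSet[str]]   # seconds since start -> A records answered
Observation = Tuple[int, FrozenSet[str]]     # (when queried, what was answered)


def make_flux_resolver(pool: List[str], per_answer: int, rotation: int) -> Resolver:
    """Constructed fast-flux name server: every `rotation` seconds it hands out
    the next `per_answer` addresses from `pool` (TTL equals the rotation)."""
    def resolve(t: int) -> FrozenSet[str]:
        start = (t // rotation) * per_answer
        return frozenset(pool[(start + i) % len(pool)] for i in range(per_answer))
    return resolve


def make_static_resolver(addrs: List[str]) -> Resolver:
    """Constructed ordinary round-robin host: same answer every time."""
    return lambda t: frozenset(addrs)


def make_switch_resolver(before: List[str], after: List[str], at: int) -> Resolver:
    """Constructed ordinary host that moves to a new address once, at second `at`."""
    return lambda t: frozenset(before if t < at else after)


# Constructed networks, not the real Storm infrastructure (addresses are RFC 5737).
STORM_WEB = make_flux_resolver([f"192.0.2.{i}" for i in range(1, 13)], per_answer=1, rotation=60)
PHARMACY = make_flux_resolver([f"198.51.100.{i}" for i in range(1, 77)], per_answer=19, rotation=120)
LEGIT_RR = make_static_resolver(["203.0.113.10", "203.0.113.11", "203.0.113.12"])
MIGRATED = make_switch_resolver(["203.0.113.20"], ["203.0.113.21"], at=300)


def changed_between_two_lookups(resolve: Resolver, gap: int) -> bool:
    """The basic check the post describes: resolve twice `gap` seconds apart
    and flag the domain if the answer differs."""
    return resolve(0) != resolve(gap)


def poll(resolve: Resolver, interval: int, duration: int) -> List[Observation]:
    """Resolve every `interval` seconds for `duration` seconds (inclusive)."""
    return [(t, resolve(t)) for t in range(0, duration + 1, interval)]


def distinct_ip_count(observations: List[Observation]) -> int:
    """Size of the union of every A record seen across the run."""
    return len(frozenset().union(*(ips for _, ips in observations)))


def looks_fast_flux(observations: List[Observation], min_distinct: int = 5) -> bool:
    """Flag a domain only when the union of all answers is both larger than any
    single answer (so a static round-robin set is not flagged) and at least
    `min_distinct` addresses (so one host migration is not flagged).
    `min_distinct` is an assumed threshold: a domain that rotates a small
    subset of a larger legitimate pool is still a false positive here."""
    if not observations:
        return False
    largest_answer = max(len(ips) for _, ips in observations)
    seen = distinct_ip_count(observations)
    return seen > largest_answer and seen >= min_distinct


if __name__ == "__main__":
    for name, resolver in [("storm web", STORM_WEB), ("pharmacy", PHARMACY),
                           ("round-robin", LEGIT_RR), ("migrated host", MIGRATED)]:
        obs = poll(resolver, interval=60, duration=360)
        print(f"{name:13s} 60s check: {changed_between_two_lookups(resolver, 60)!s:5s} "
              f"360s check: {changed_between_two_lookups(resolver, 360)!s:5s} "
              f"distinct over 6 min: {distinct_ip_count(obs):3d} "
              f"fast-flux: {looks_fast_flux(obs)}")
```

Run it and the 60 second two-lookup check flags the constructed Storm web network but not the pharmacy network; the 360 second check flags both, and also the host that moved once. Polling every 60 seconds for six minutes and counting distinct addresses sees 7 for the Storm pattern and 76 for the pharmacy pattern against 3 and 2 for the two legitimate hosts, so the threshold rule keeps the longer window without inheriting its false positive. In practice you would keep the sampling interval shorter than the suspected rotation and run for several rotations, not just two lookups.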

The subject lines and message content of these spam messages are right in line with all of the other Storm spam messages of the past. The message body is just a short line of text ending with a hyperlink to either the Storm web server domain or the Pharmacy Express website. Here is a list of the unique subject lines I extracted from my short lab run this morning: Storm Spam Subject Lines.

The Storm Worm binary and configuration file that are dropped into %WINDIR% have also changed names. The new binary is named "msserv.exe" and its corresponding configuration file, which holds the list of P2P peers, is now named "msserv.config". I ran msserv.exe through VirusTotal, VT for msserv.exe, with the usual middling detection rate of 18/33 (54.55%). I also extracted a peer list from the msserv.config file, with no real change in the number of peers around me: 871 peers.txt.
