sudosecure.net


Storm Worm DDOS is back

Posted by jeremy on July 7th, 2008

Looks like the Storm Worm has taken up DDOS ICMP attacks again, as tonight's lab run revealed the following IP addresses being attacked:

  • 118.160.208.250 (118-160-208-250.dynamic.hinet.net)
  • 67.195.37.166 (llf320044.crawl.yahoo.net)
  • 76.98.44.10 (c-76-98-44-10.hsd1.pa.comcast.net)
  • 207.206.148.78 (gump.lashback.com)
  • 61.229.224.181 (61-229-224-181.dynamic.hinet.net)
  • 67.195.37.190 (llf320059.crawl.yahoo.net)
  • 201.223.161.134 (134-161-223-201.adsl.terra.cl)

The interesting characteristic I observed during these attacks was that the victim IP addresses were being rotated through at 30 minute intervals. What I mean by this is I watched the Storm Worm bot try to send 30 minutes of ICMP echo-requests to the first IP on the list, then it moved on to the next IP on the list for 30 more minutes until I finally turned it off to finalize the lab run and start looking at data captured. This is the first time I have ever seen a round robin style DDOS attack being carried out. With the return of DDOS attacks by the Storm Worm I would definitely say this botnet just returned to the dangerous state and jumped back on many security professionals' radar. I have read just recently several postings dismissing the danger of the Storm Worm, which I would never recommend doing.
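The rotation pattern described above is easy to miss if you only look at per-destination packet counts, because each victim gets the same volume. Below is an added example (not code from the original post) that reconstructs the pattern from a packet timeline: it groups ICMP echo requests into per-destination bursts, then checks whether the bursts hand off from one destination to the next with roughly equal dwell times. The input shape `(timestamp, src, dst, icmp_type)` is an assumption; it is what you would pull out of a pcap with scapy or tshark. The capture it runs on is constructed with RFC 5737 documentation addresses and a 30-minute dwell, not the author's data.

```python
"""Detect a round-robin ICMP echo-request flood in a packet timeline.

Added example, not from the original post. Packets are tuples of
(timestamp_seconds, src_ip, dst_ip, icmp_type); the sample capture is
constructed below and uses documentation-only addresses.
"""
from collections import defaultdict

ICMP_ECHO_REQUEST = 8  # ICMP type 8 = echo request (ping)


def _segment(dst, start, end, count):
    duration = end - start
    return {"dst": dst, "start": start, "end": end, "count": count,
            "pps": count / max(duration, 1.0)}


def flood_segments(packets, min_pps=2.0, min_packets=100, gap_seconds=10.0):
    """Group echo requests by destination into contiguous bursts.

    A burst ends when no echo request to that destination has been seen for
    gap_seconds. Bursts below min_pps or min_packets are dropped as noise.
    Returns the surviving bursts sorted by start time.
    """
    per_dst = defaultdict(list)
    for ts, _src, dst, icmp_type in packets:
        if icmp_type == ICMP_ECHO_REQUEST:
            per_dst[dst].append(ts)
    segments = []
    for dst, stamps in per_dst.items():
        stamps.sort()
        start = prev = stamps[0]
        count = 1
        for ts in stamps[1:]:
            if ts - prev > gap_seconds:
                segments.append(_segment(dst, start, prev, count))
                start, count = ts, 0
            count += 1
            prev = ts
        segments.append(_segment(dst, start, prev, count))
    segments = [s for s in segments
                if s["pps"] >= min_pps and s["count"] >= min_packets]
    segments.sort(key=lambda s: s["start"])
    return segments


def round_robin_dwell(segments, max_handoff=60.0, tolerance=0.1):
    """Return the dwell time (seconds) if the flood walks through distinct
    destinations one after another with near-equal dwell; otherwise None.

    The last burst may be cut short when the capture stops (the post's lab
    run was switched off mid-rotation), so it only has to be no longer than
    the others rather than equal to them.
    """
    if len(segments) < 2:
        return None
    for prev, cur in zip(segments, segments[1:]):
        if cur["dst"] == prev["dst"]:
            return None  # same victim twice in a row: not a rotation
        if cur["start"] < prev["end"]:
            return None  # overlapping bursts: simultaneous, not sequential
        if cur["start"] - prev["end"] > max_handoff:
            return None  # long idle gap: separate incidents, not a handoff
    dwells = [s["end"] - s["start"] for s in segments[:-1]]
    mean = sum(dwells) / len(dwells)
    if any(abs(d - mean) > tolerance * mean for d in dwells):
        return None
    last = segments[-1]["end"] - segments[-1]["start"]
    if last > mean * (1.0 + tolerance):
        return None
    return mean


def build_sample_capture(targets, dwell=1800.0, pps=5.0, bot="192.0.2.10"):
    """Constructed capture: one bot floods each target in turn for `dwell`
    seconds, plus a little benign ICMP that the detector must ignore."""
    packets = []
    step = 1.0 / pps
    t = 0.0
    for dst in targets:
        for i in range(int(dwell * pps)):
            packets.append((t + i * step, bot, dst, ICMP_ECHO_REQUEST))
        t += dwell
    packets.append((5.0, "198.51.100.7", bot, 0))                 # echo reply
    packets.append((100.0, bot, "198.51.100.9", ICMP_ECHO_REQUEST))  # one ping
    return packets


if __name__ == "__main__":
    victims = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    segs = flood_segments(build_sample_capture(victims))
    for s in segs:
        print(f'{s["dst"]:>14}  {s["start"]:8.1f}s -> {s["end"]:8.1f}s  '
              f'{s["count"]} pkts  {s["pps"]:.1f} pps')
    print("round-robin dwell:", round_robin_dwell(segs))
```

The thresholds (`min_pps`, `gap_seconds`, `max_handoff`) are knobs, not magic numbers; on a real capture set `min_pps` well above what a legitimate monitoring host sends and keep `gap_seconds` short so two unrelated pings a minute apart do not merge into one burst.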

I also captured the spam using my faux smtp server and identified the following new spam domains inside the message bodies:

  • bestphysiciangood.eu
  • childrenseparate.com
  • doctorbutgood.eu
  • doctorfeelgoodphd.eu
  • doctorgoodsite.eu
  • doctorleasegood.eu
  • greatmedicgood.eu
  • happenhalf.com
  • lottube.com
  • maysection.com
  • medicgooddirect.eu
  • medicgoodguide.eu
  • needcertain.com
  • nowcarry.com
  • prepaream.com
  • surgeongood.eu
  • thoughgrand.com
  • valleyearth.com
  • yellowyear.com

All of these domains are the home of a pharmaceutical company named "Pharmacy Express" selling all types of prescription drugs. I covered this pharmaceutical company in my last post, so I won't bore you with the details again. Here is a list of the 584 unique subject lines in the spam emails I captured: Storm Uniq Subject Lines.
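Pulling domains like the ones above out of captured message bodies and diffing them against what you already know is a small but useful step in tracking a spam campaign. The following is an added example, not code from the original post: it extracts hostnames from captured bodies, normalises them, and reports only those absent from a known set. The message bodies and the "known" set are constructed for illustration (RFC 2606 names plus two domains from the list above); nothing here is from the author's capture.

```python
"""Extract spam domains from captured message bodies and report new ones.

Added example, not from the original post. Sample bodies and the known-domain
set are constructed for illustration.
"""
import re

# Hostname with at least one dot and an alphabetic top-level label of 2+ chars.
# An optional scheme and leading "www." are consumed but not captured.
DOMAIN_RE = re.compile(
    r"(?i)\b(?:https?://)?(?:www\.)?"
    r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b"
)

# Constructed sample bodies (not from the author's capture).
SAMPLE_BODIES = [
    "Visit http://www.doctorgoodsite.eu/ for the best prices, take 2.5 mg daily.",
    "Cheap meds at HTTP://medicgoodguide.eu/buy?x=1. Offer ends soon.",
    "New stock just arrived, see lottube.com today!",
    "Questions? Contact support@example.com (e.g. for refunds).",
]

# Constructed: domains already recorded from earlier runs.
KNOWN_DOMAINS = {"example.com", "doctorgoodsite.eu"}


def extract_domains(body):
    """Return the set of normalised hostnames mentioned in one message body."""
    found = set()
    for match in DOMAIN_RE.finditer(body):
        host = match.group(1).lower().rstrip(".")
        if host.startswith("www."):
            host = host[4:]
        found.add(host)
    return found


def new_spam_domains(bodies, known):
    """Domains seen across all bodies that are not in the known set, sorted."""
    seen = set()
    for body in bodies:
        seen |= extract_domains(body)
    return sorted(seen - set(known))


if __name__ == "__main__":
    for domain in new_spam_domains(SAMPLE_BODIES, KNOWN_DOMAINS):
        print(domain)
```

The regex is deliberately loose: it also picks up the domain part of e-mail addresses, which is usually what you want when tracking a campaign, and it ignores dotted numbers such as dosages. For a production pipeline you would follow the extraction with a public-suffix lookup so that `shop.example.com` and `example.com` collapse to one registrable domain.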

In closing here is tonight's VirusTotal results for: msserv.exe Result: 19/33 (57.58%), and here is tonight's Storm Peers list extracted from the msserv.config file: Peers.txt.

As a side note I have the full pcap file for this DDOS attempt. If you happen to be investigating these attacks and your IP is listed above or you have a legitimate reason to see these captures feel free to contact me. I will not distribute these to just anyone, so think before you ask.

2 Responses to “Storm Worm DDOS is back”

  1. Colin Says:

    Our site just got hammered *from* an IP on your list 207.206.148.78 (gump.lashback.com). Is there any tie between their security vulnerability and these events?

  2. jeremy Says:

    I don’t think so as these were sites that were being attacked by the storm worm. Most of the sites Storm attacked were web crawlers that spawned the attack by being too aggressive at indexing the storm web pages, so I would check your logs to see if maybe gump.lashback.com was really a crawler that just hit your site a little too hard or got hung up on your site for some reason.
