sudosecure.net

is anything truly secure…

Storm Worm Authors move to Military Theme

Posted by jeremy on July 8th, 2008

With the 4th of July weekend over, the Storm Worm authors have changed their theme again, this time to a “Military Theme” titled “Military News”. Here is a snapshot of the current Storm Worm web page:

As you can see, the Storm Worm authors are focusing on the recent heightening of tensions in the Middle East between the US and Iran. With Iran threatening to burn Tel Aviv in response to any US attack on its nuclear facilities, and the strain caused by constantly skyrocketing oil prices, this is almost the perfect theme to infect US citizens who are just looking for current news. If I had to guess, I would say this theme will be one of the more successful campaigns, simply because of the timing and the well thought out design. Even the banner looks extremely well thought out and designed. I really don't see any obvious mistakes with this theme. Here is a copy of the HTML source code for the page:

A look at the source code reveals that clicking the well designed banner downloads a binary named “form.exe”. If the user clicks either the fake media player image or the “on the video” hyperlink, they download a binary named “iran_occupation.exe”. Both binaries are the Storm Worm trojan, just waiting to turn the user's computer into a spamming machine or a web proxy host serving this same web page to other unsuspecting victims. You will also notice the standard “ind.php” iframe src inclusion, which is loaded behind the scenes on every visit. This file has been part of the Storm Worm's exploitation techniques for a few months now; it is the same file containing the 9 well documented exploits we have grown so accustomed to seeing, still heavily obfuscated with JavaScript. That hidden iframe is what makes the page dangerous even to a visitor who never clicks anything: a browser that has not been patched against those exploits can be compromised by the iframe alone.
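Added example (not code from the original post or from the Storm Worm page itself): a small static triage script of the kind I use before opening a lure page in a browser. It walks the HTML once and reports every anchor that resolves to an executable download, plus every iframe and whether it looks hidden (1x1, zero-size, or styled invisible). The HTML below is constructed to mirror the structure described above (banner link to form.exe, media player image and “on the video” link to iran_occupation.exe, hidden iframe to ind.php); the host name example.invalid is a placeholder, not one of the real Storm domains.

```python
"""Static triage of a lure page: list executable download links and
hidden/off-screen iframes.

Added example, not the post's own code. SAMPLE_HTML is constructed to
mirror the page layout described in the post; the host is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample modeled on the post's description. The host name
# "example.invalid" is a placeholder, not a real Storm Worm domain.
SAMPLE_HTML = """
<html><body>
<a href="form.exe"><img src="banner.jpg" alt="Military News"></a>
<p>Iran occupation: watch the footage <a href="iran_occupation.exe">on the video</a></p>
<a href="iran_occupation.exe"><img src="player.gif" alt="media player"></a>
<iframe src="ind.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

# Extensions that Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def _looks_hidden(attrs):
    """Heuristic: 0/1-pixel frames or visibility:hidden / display:none."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = all(attrs.get(dim, "").strip("px") in ("0", "1")
               for dim in ("width", "height"))
    return tiny or "visibility:hidden" in style or "display:none" in style


class LureTriage(HTMLParser):
    """Collect anchor targets that point at executables, and all iframes."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.exe_links = []      # (absolute_url, link text or image alt)
        self.iframes = []        # (absolute_url, looks_hidden)
        self._current_href = None
        self._current_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "href" in attrs:
            self._current_href = urljoin(self.base_url, attrs["href"])
            self._current_text = []
        elif tag == "img" and self._current_href and attrs.get("alt"):
            # An image wrapped in a link: keep its alt text as the label.
            self._current_text.append(attrs["alt"])
        elif tag == "iframe" and "src" in attrs:
            self.iframes.append((urljoin(self.base_url, attrs["src"]),
                                 _looks_hidden(attrs)))

    def handle_data(self, data):
        if self._current_href:
            self._current_text.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href:
            # Check the path only, so "form.exe?x=1" is still caught.
            path = urlparse(self._current_href).path.lower()
            if path.endswith(EXECUTABLE_EXTENSIONS):
                label = " ".join(t for t in self._current_text if t)
                self.exe_links.append((self._current_href, label))
            self._current_href = None


def triage(page, base_url):
    """Return executable links and iframes found in `page` (a str of HTML)."""
    parser = LureTriage(base_url)
    parser.feed(page)
    parser.close()
    return {
        "exe_links": sorted(set(parser.exe_links)),
        "iframes": parser.iframes,
        "hidden_iframes": [url for url, hidden in parser.iframes if hidden],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HTML, "http://example.invalid/")
    for url, label in report["exe_links"]:
        print(f"executable link: {url}  (via '{label}')")
    for url in report["hidden_iframes"]:
        print(f"hidden iframe:   {url}")
```

Run against the sample, this lists form.exe once and iran_occupation.exe twice (once via the “on the video” text link, once via the media player image), and flags ind.php as a hidden iframe. On a real capture, feed it the saved page source with the page's actual URL as base_url so relative links resolve to the right host; the hidden-iframe heuristic is deliberately simple and will not see frames injected later by obfuscated JavaScript, which is exactly why ind.php itself still needs separate analysis.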

Another major issue, one that will be driving the antivirus companies insane, is that there was practically no detection of these new binaries. Here are my VirusTotal results for the two binaries: form.exe: 3/33 (9.1%), iran_occupation.exe: 3/33 (9.1%).

I may follow this posting with an update once I have had a chance to analyze these new binaries and run them in my lab. More to come, I am sure.

UPDATE: Here is a list of new Storm Worm domain names I discovered right after posting this:

  • statenewsworld.com
  • morenewsonline.com
  • dailydotnews.com
  • dotdailynews.com
  • newsworldnow.com

4 Responses to “Storm Worm Authors move to Military Theme”

  1. JG Says:

    So, I just clicked through the link in my email, but quickly realized that I was an idiot and closed the window before the page even loaded. Did I put myself at risk?

    Did anything automatically download??

    Thanks in advance

  2. jeremy Says:

    Just check your %WINDIR% directory for the following two files: msserv.exe or msserv.config. If you have them, you are infected. It is possible if your system isn't patched, as there is a hidden iframe file “ind.php” with several exploits in it. Good luck, and I hope you were lucky.

    –jeremy

  3. Marco Says:

    For those who like to look at binary disassembly, I’ve written an analysis of the shellcode used in the 9 browser exploits mentioned by Jeremy.

  4. jeremy Says:

    Thanks for the additional information, and good job.

    –jeremy
