Storm Worm spam and domain names update
Posted by jeremy on July 14th, 2008
I ran the Storm Worm in my lab again tonight with no really surprising results to be found. It seems as though the Storm Worm authors are having issues keeping their Military theme going, with Registrars having taken action against their domain names. I saw no spam leaving the Storm Worm tonight pertaining to the domains related to their Web Servers hosting malicious code and Storm Worm binaries. This is good news, but I believe this is just a short-lived break as the Authors of the Storm Worm ramp up for their next campaign with new domain names and possibly a modified theme. My guess is that within the next few days, or at the latest within a week, we will see something new from them. The following domains seem to still be actively pointing towards Storm Worm web servers:
- cadeaux-avenue.cn (Registrar: BIZCN.COM, INC.)
- polkerdesign.cn (Registrar: BIZCN.COM, INC.)
- lovelifecash.com (Registrar: BIZCN.COM, INC.)
- bphostdomains.com (Registrar: BIZCN.COM, INC.)
- grupogaleria.cn (Registrar: BIZCN.COM, INC.)
- nationwide2u.cn (Registrar: BIZCN.COM, INC.)
- activeware.cn (Registrar: BIZCN.COM, INC.)
So as you can see, "Registrar: BIZCN.COM, INC." seems to be very slow at reacting to requests to take action on the above domains. I can only hope their processes speed up and they too take action soon. Here are the current active Name Servers being used by the above domains:
- ns.bphostdomains.com
- ns2.bphostdomains.com
- ns3.bphostdomains.com
- ns4.bphostdomains.com
- ns5.bphostdomains.com
- ns6.bphostdomains.com
- ns2.verynicebank.com
- ns1.lollypopycandy.com
- ns2.lollypopycandy.com
- ns1.verynicebank.com
- ns3.likethisone1.com
- ns4.likethisone1.com
If you have any type of DNS blackholing or content filtering capabilities I would recommend leaving these domains blocked/filtered.
All of the spam I captured in my sandnet tonight was Pharmaceutical related, pointing to the online store "Pharmacy Express" which is well documented on the Spam Trackers spamwiki: Pharmacy Express Info. I captured a total of 6,581 spam messages during my run and was able to parse out the following domain names being used within the spam message bodies:
- advancedcaremedical.eu (Registrar: OnlineNIC Inc)
- americanmedicalguide.eu (Registrar: OnlineNIC Inc)
- medicalhealthdeath.eu (Registrar: OnlineNIC Inc)
- medicaljobsgroup.eu (Registrar: OnlineNIC Inc)
- medicalworldinc.eu (Registrar: OnlineNIC Inc)
- medicalworldlink.eu (Registrar: OnlineNIC Inc)
- themedicalmarket.eu (Registrar: OnlineNIC Inc)
- wellnesssurgical.eu (Registrar: OnlineNIC Inc)
- womenmedicalcenter.eu (Registrar: OnlineNIC Inc)
Out of the 6,581 spam messages I captured I identified 662 unique Subject lines. You can see all of these subject lines here: Storm Spam Subjects.txt. Here are a few extracts just in case you're not interested in all 662:
- Subject: Bring more fun to your xxxlife!
- Subject: Do you like wild nights?
- Subject: Dont let sickness spoil your vacation.
- Subject: Experience more pleasure from perfect intimate living.
- Subject: Get back to slim shape again.
- Subject: If good health is what you really need, then its time to visit canadian chemists.
- Subject: Leading supplier of Canadian chemists in now available for you.
- Subject: Online Canadian Chemist - we care about Your Health!
- Subject: Some helpful information on weight losing products.
- Subject: The largest network of i-chemists.
- Subject: Want to act like that Ppornstar from the movie u watched yesterday?
- Subject: quicker,safer,cheaper online chemiststore
These seem to be the standard type of subject lines we have grown accustomed to in our spam folders, brought to you directly by the Storm Worm authors and our online Canadian pharmacists. My full spam log can be viewed here: smtpspamlog.txt.
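The two things the post does by hand, parsing the domains out of captured spam bodies and counting unique Subject lines, and then blackholing the domains in DNS, are shown below as an added example. This is not the author's code or his smtpspamlog.txt: the three sample messages are constructed for the example, the `sandnet.invalid` addresses are placeholders, and the RPZ zone name `rpz.local` in the usage note is an assumption. The domain names themselves are the ones listed in the post.

```python
"""Added example: summarise captured spam the way the post describes (parse out
the domains used in message bodies and count unique Subject lines) and turn the
resulting domain list into a BIND response-policy zone (RPZ) that returns
NXDOMAIN for them. Sample messages are constructed for this example and are not
the author's smtpspamlog.txt; the domain names are the ones listed in the post."""
import re
from collections import Counter
from email import message_from_string

# Hosting domains the post reports as still pointing at Storm Worm web servers.
STORM_HOSTING_DOMAINS = [
    "cadeaux-avenue.cn", "polkerdesign.cn", "lovelifecash.com",
    "bphostdomains.com", "grupogaleria.cn", "nationwide2u.cn", "activeware.cn",
]

# Constructed sample of three captured messages in raw RFC 822 form
# (sandnet.invalid is a placeholder, not a real sender or recipient).
SAMPLE_SPAM = [
    "From: sender@sandnet.invalid\nTo: victim@sandnet.invalid\n"
    "Subject: Do you like wild nights?\n\n"
    "Visit http://advancedcaremedical.eu/?id=17 today.\n",
    "From: sender@sandnet.invalid\nTo: victim@sandnet.invalid\n"
    "Subject: Get back to slim shape again.\n\n"
    "Order at http://www.medicalworldinc.eu/ or see americanmedicalguide.eu\n",
    "From: sender@sandnet.invalid\nTo: victim@sandnet.invalid\n"
    "Subject: Do you like wild nights?\n\n"
    "Visit http://advancedcaremedical.eu/?id=42 today.\n",
]

# Matches host names such as example.eu or shop.example.cn inside free text.
# Deliberately loose: any dotted token that looks like a host name (e.g. a file
# name like report.pdf) will also match, so review the list before blocking.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def extract_domains(body: str) -> set:
    """Return the host names found in a message body, lower-cased and with a
    leading 'www.' removed so www.foo.eu and foo.eu count as one domain."""
    found = set()
    for host in HOST_RE.findall(body):
        host = host.lower()
        if host.startswith("www."):
            host = host[4:]
        found.add(host)
    return found


def summarise(raw_messages):
    """Count, per domain, how many messages link to it (once per message) and
    collect the unique Subject lines, as the post does for its 6,581 captures."""
    domain_hits = Counter()
    subjects = set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        subjects.add((msg["Subject"] or "").strip())
        body = "" if msg.is_multipart() else msg.get_payload()
        domain_hits.update(extract_domains(body))
    return domain_hits, subjects


def rpz_zone(domains, serial: int = 2008071401) -> str:
    """Render a BIND RPZ zone that answers NXDOMAIN ("CNAME .") for each domain
    and everything under it; the wildcard is what also covers name servers such
    as ns.bphostdomains.com once bphostdomains.com is listed."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. ({serial} 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    for domain in sorted(set(domains)):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits, subjects = summarise(SAMPLE_SPAM)
    print(f"{sum(hits.values())} domain references, {len(subjects)} unique subjects")
    for domain, count in hits.most_common():
        print(f"  {count:4d}  {domain}")
    # Block both the hosting domains from the post and whatever the spam linked to.
    print(rpz_zone(STORM_HOSTING_DOMAINS + list(hits)))
```

The generated zone is meant to be saved as a file and loaded in `named.conf` under a `response-policy { zone "rpz.local"; };` statement (the zone name is an assumption here); every record is relative to that zone, which is why the owner names carry no trailing dot. Because the extractor is deliberately loose, treat its output as a candidate list to review, not as something to push straight into production DNS.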
The "I Kill Spammers" blog has posted a rant on these subject lines and messages here: "Storm of Stupidity". To me it is a humorous read, and I have to give the blog props for linking to my good buddies over at MalwareDomainList.com. If you have not visited MalwareDomainList.com you should go give it a once over, as it has a large collection of searchable Malware Domain Names and Malware server indexes. This site isn't for everyone, but if you're a Security Researcher or a Security Hobbyist there is a wealth of information available to you. Well, I believe I have done enough promoting of other sites tonight. As always, if you have any questions or comments feel free to contact me.