sudosecure.net

Storm returns Rootkit Functionality

Posted by jeremy on July 19th, 2008

This isn't the first time the authors of the Storm Worm Trojan have used a rootkit to hide its presence on users' computers, and frankly I was really shocked when they stopped including this functionality several months ago. So lo and behold, today when I decided I would capture a little spam from the Storm Worm I was greeted with it not wanting to install and execute in Sandboxie, a sandbox application that lets me detect file system changes and other things fairly easily. I immediately checked the Sandboxie file viewer, which revealed two files being created in the %WIN% directory: "glok+1cbe-49e9.sys" and "glok+serv.config". Nothing really new in creating the Storm binary and peer list files in the %WIN% directory, as this has always been the case for as long as I have been tracking the Storm Worm.

Since I could not get the Storm Worm to execute in Sandboxie, I went ahead and let it infect my VM host without the protection mechanisms Sandboxie provides. Interestingly enough, I immediately saw network traffic going to my faux time server from the infected VM host, which is normal as well, since the Storm Worm Trojan changes your NTP server to time.windows.com to ensure its hosts are synced. The only reason my infected host hit my faux NTP server is that I use a faux DNS script as well, to ensure all DNS queries resolve to my all-in-one faux server, which runs multiple services so I can investigate malware safely. My infection was definitely confirmed when I started seeing the extremely aggressive volume of UDP packets the Storm Worm Trojan generates using the Overnet protocol to talk with its peers.
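The peer chatter described above is what a network-side detection can key on. Added example (not code from the original post): a Python sketch that flags any source contacting an unusually large number of distinct UDP peers within a sliding window, run over a constructed flow-log sample; the log format, the 60-second window and the 50-peer threshold are assumptions.

```python
"""Flag hosts spraying UDP at many distinct peers, the pattern the post attributes
to Storm's Overnet P2P traffic. Added example, not from the original post; the
log format, window and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow-log sample: "<iso-time> <src>:<sport> <dst>:<dport> <proto>".
# 10.0.0.5 only does DNS and NTP (Storm also syncs NTP, but so does Windows);
# 10.0.0.7 contacts 59 distinct peers over UDP within three seconds.
SAMPLE_LOG = (
    "2008-07-19T21:00:01 10.0.0.5:1031 10.0.0.1:123 udp\n"
    "2008-07-19T21:00:02 10.0.0.5:1032 10.0.0.1:53 udp\n"
    + "".join(f"2008-07-19T21:00:{3 + i // 20:02d} 10.0.0.7:7871 "
              f"192.0.2.{i}:{7871 + i} udp\n" for i in range(1, 60))
    + "2008-07-19T21:00:05 10.0.0.9:4000 10.0.0.1:80 tcp\n"
)

def parse_line(line):
    """Split one flow-log line into (time, src_ip, dst_ip, dst_port, proto)."""
    ts, src, dst, proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (datetime.fromisoformat(ts), src.rsplit(":", 1)[0],
            dst_ip, int(dst_port), proto.lower())

def udp_fanout(log_text, window=timedelta(seconds=60), min_peers=50,
               exclude_ports=(53, 123)):
    """Return {src_ip: max distinct UDP peers seen inside any sliding window}
    for sources that reach min_peers. DNS and NTP destinations are excluded:
    the post's NTP hit is normal behaviour; the peer fan-out is the signal."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if proto == "udp" and dport not in exclude_ports:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until evs[start:end+1] fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peers = {dst for _, dst in evs[start:end + 1]}
            if len(peers) >= min_peers:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged

if __name__ == "__main__":
    for host, peers in udp_fanout(SAMPLE_LOG).items():
        print(f"{host}: {peers} distinct UDP peers in 60s, possible Overnet node")
```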

My next step was to check the process list to see if I had any new processes running. This is when I began to suspect a rootkit was involved, as I had no new processes executing according to the Windows process explorer, tasklist, pstasklist, or the Sysinternals Process Explorer. The next check was to look in the %WIN% directory to see if the two files were visible, and of course they were not. I tried using the dir command and also looking for them through Windows Explorer. To confirm this was a rootkit I ran a few rootkit detection tools.

The first tool was RootkitRevealer, which had no problem identifying the rootkit files being hidden from Windows API calls. Here is a screenshot of my results:

As the screenshot shows, the Storm Worm authors have definitely reinstated the rootkit functionality. Next I tried F-Secure's Blacklight rootkit tool, which identified the two Storm Worm Trojan files as well.

I should also note that IceSword and RKDetector2 were also successful at detecting the rootkit installed by the Storm Worm. Now that I have confirmed that the Storm Worm is actually installing a rootkit and it wasn't some sort of mistake on my part, a more in-depth analysis of the binary will need to be performed; that of course I will leave for another day. I should also note that the F-Secure Blacklight rootkit eliminator was successful at removing the Storm Worm's rootkit, which is good news if you're a user or system administrator looking to get rid of this. Just remember to go back into the %WIN% directory after renaming the files with Blacklight and delete the binary and configuration text file for good, as you don't want someone to come along behind you and reinfect the computer. One last note about the binary: the VirusTotal results were 15/33 (45.46%), which is about average for detection of the Storm Worm binary by the major AV companies.
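The "present on disk, invisible to dir and Explorer" result above is the cross-view principle behind tools like RootkitRevealer. Added example, not code from the original post or from any of the tools named: a Python script that parses two constructed dir listings of %WIN%, one taken on the live VM and one taken with its disk mounted offline, and reports the names only the offline view contains.

```python
"""Cross-view check for files hidden from the Windows API: compare a 'dir'
listing taken on the live system with one taken offline (e.g. the VM's disk
mounted from the host). Added example, not from the original post; both
listings below are constructed."""
import re

FOOTER = "               1 File(s)         69,120 bytes\n"
LIVE_DIR = """\
 Directory of C:\\WINDOWS

07/19/2008  09:00 PM    <DIR>          .
07/19/2008  09:00 PM    <DIR>          ..
07/19/2008  08:10 PM            69,120 notepad.exe
07/19/2008  08:10 PM    <DIR>          system32
""" + FOOTER
# Offline view of the same directory: the two Storm files become visible.
HIDDEN_LINES = ("07/19/2008  08:58 PM            12,288 glok+1cbe-49e9.sys\n"
                "07/19/2008  08:58 PM             1,204 glok+serv.config\n")
OFFLINE_DIR = LIVE_DIR.replace(FOOTER, HIDDEN_LINES + FOOTER.replace("1 File", "3 File"))

# One dir entry: date, time, AM/PM, then either <DIR> or a comma-grouped size, then name.
ENTRY_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")

def parse_dir(listing):
    """Map lower-cased name -> size in bytes (None for directories)."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, footer and blank lines
        size, name = m.groups()
        if name in (".", ".."):
            continue
        entries[name.lower()] = None if size == "<DIR>" else int(size.replace(",", ""))
    return entries

def hidden_entries(live_listing, offline_listing):
    """Return (names only the offline view has, names whose size differs).
    The first list is the API-hiding signature; the second is a weaker hint
    of tampering or simply a stale snapshot."""
    live, off = parse_dir(live_listing), parse_dir(offline_listing)
    hidden = sorted(set(off) - set(live))
    mismatched = sorted(n for n in off if n in live and off[n] != live[n])
    return hidden, mismatched

if __name__ == "__main__":
    for name in hidden_entries(LIVE_DIR, OFFLINE_DIR)[0]:
        print(f"hidden from Windows API: {name}")
```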

Since this run was to take a peek at what the Storm Worm spam was doing here are the domain names I captured during this run:


I couldn't get any of these pages to load when I tried tonight, but looking at the actual spam messages and subject lines I would assume these are Canadian pharmaceutical websites, which make up the majority of the spam generated by the Storm Worm. Here are a few subject lines I found in the spam messages:

  • Subject: 10 reasons to take enhancing medicaments.
  • Subject: A better way to give up smoking.
  • Subject: Ancient greeks used this to treat their male problems.
  • Subject: Bring more joy to your life, get a bluepill!
  • Subject: GLobal potence ensurer!
  • Subject: Have perfect health in an imperfect world.
  • Subject: Join the biggest community of man that cured their male intimate problems
  • Subject: No need to visit a doctor again to get medications you need.
  • Subject: VPXL from Canadian Chemist. Your ultimate enhancing solution.
  • Subject: Unbelievably healthy living, come to Canadian Chemists' site to claim it

Here is the complete list of unique subject lines I captured this afternoon: subjects_spam.txt.

With the return of the Storm Worm rootkit functionality, the stagnated Military theme, and over half of the current Storm Worm domain names being shut down, I would anticipate a new theme/campaign arriving in our spam folders within the coming days. This new run could possibly be worse than others, with the added functionality of the rootkit and users dismissing a Storm Worm install because they cannot readily see the infection or the process running. The good thing is, if you're reading this you probably know better by now.

As always if you have any questions or comments in regards to my posting feel free to send me an email or post a comment. I am always glad to hear from you good or bad.
