April Fools from the Storm Worm
Posted by jeremy on March 31st, 2008
Looks like the authors of the Storm Worm are up to no good again, and this April Fools' Day may bring users a prank that keeps system administrators working overtime. This time I believe there is only one image being displayed, unlike the Valentine releases. The image is of a goofy-looking jester with a strategically placed Post-it note reading "Kick Me Hard" on his butt. Take a look for yourself, as it is a fairly creative image:
A new web page is hosting three binary files: kickme.exe, foolsday.exe, and funny.exe. Nothing new here in the source code:
Using a meta tag to cause funny.exe to be downloaded automatically after 5 seconds is nothing new; we saw this with the last version of the Storm Worm. Even though the three binaries are named differently, I didn't find any differences in their characteristics. I haven't run this version in my sandnet yet for a full analysis, but for a quick analysis I submitted it to the ThreatExpert and Anubis sandnets. Both are quick and dirty ways to get an overview of suspicious binaries, and I tend to use them quite a bit. Here is a link to both: Anubis Storm Worm Results and ThreatExpert Storm Worm Results. The Anubis results this time give a better picture of the nastiness the Storm Worm has to offer. It extracts and installs a binary titled "aromis.exe" and uses a configuration file titled "aromis.config" in the c:\windows directory to join the botnet. I am not seeing any driver modifications as we have seen in the past, but with netsh being used I would guess a rule is being added to the Windows Firewall to allow the bot out.

Since this version of the malware isn't hiding itself with a rootkit, it should be fairly easy to identify and remove from infected computers. With that being said, it doesn't look like many of the major antivirus companies are on top of it yet (VirusTotal Storm Worm Results), so until they are all up to speed I would suggest using the Emerging Threats Snort rules to get an idea of who may be infected, with SIDs 200877, 200878, and 200879. I really dislike signatures that match individual binary names, but in this case I would make an exception. I have had some success in the past with SIDs 2007701 and 2007702, so a good indication would be the generic binary name match followed by these two older signatures matching.
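The auto-download trick described above is easy to spot on the defensive side: a meta refresh whose target is an executable is rarely legitimate. The checker below is an added example, not code from the original post; the HTML it scans is a constructed stand-in for the described page, and the executable extension list is an assumption.

```python
import re
from html.parser import HTMLParser

# Extensions of direct binary drops worth flagging in a refresh target (assumed list).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")

# Constructed sample page modelled on the described behaviour; not the real page.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5;url=funny.exe">
<title>Kick Me Hard</title></head>
<body><img src="jester.jpg"><a href="kickme.exe">Download</a></body></html>"""


class RefreshFinder(HTMLParser):
    """Collect the content attribute of every <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "refresh":
            self.refreshes.append(a.get("content", ""))


def parse_refresh(content):
    """Split 'N;url=target' into (delay_seconds, target); tolerates spaces and quotes."""
    m = re.match(r"\s*(\d+)\s*(?:[;,]\s*url\s*=\s*['\"]?([^'\"]*)['\"]?)?", content, re.I)
    if not m:
        return None
    return int(m.group(1)), (m.group(2) or "").strip()


def find_auto_downloads(html):
    """Return (delay, target) for each meta refresh whose target is an executable."""
    p = RefreshFinder()
    p.feed(html)
    hits = []
    for content in p.refreshes:
        parsed = parse_refresh(content)
        if parsed and parsed[1].lower().split("?")[0].endswith(EXECUTABLE_EXTS):
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for delay, target in find_auto_downloads(SAMPLE_HTML):
        print(f"meta refresh -> {target} after {delay}s: flag page for review")
```

Run the same function over HTML bodies captured by a web proxy to catch this pattern regardless of what the binary is named.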
Looks like this new campaign started around 10:48 Central Standard Time today, according to my Storm Binary Tracker, as this was the first time it was able to retrieve kickme.exe. With that, I have almost reached the 2,000 mark for binaries harvested, Yipie!!! By the look of my spam filters for the email servers I have eyes on, I would say I may reach well beyond the 2,000 mark, and I must ask: will anyone ever put an end to this botnet, as it has run free for over a year now?
