sudosecure.net

              is anything truly secure…

New Storm Domains to go with FBI vs Facebook theme

Posted by jeremy on July 28th, 2008

Running the Storm Worm tonight in my lab uncovered some new Storm Domain names to go along with the new "FBI vs Facebook" theme. Here is a list of these new domain names:

  • BestValueNews.com
  • CompanyNewsNetwork.com
  • FedNewsWorld.com
  • GoodNewsGames.com
  • SmartNewsRadio.com
  • StockLowNews.com
  • ToplessDailyNews.com
  • ToplessNewsRadio.com
  • WapDailyNews.com

I would recommend going ahead and adding these domains to any blacklists or content filters you may have to keep your users from falling victim to the Storm Worm social engineering attempts. These domains were all extracted from Storm Worm generated spam. The following 41 unique subject lines pertaining to the new "FBI vs Facebook" theme were seen during this short lab run:

  • F.B.I. Facebook Records
  • F.B.I. Looks Into Facebook
  • F.B.I. Watching Hezbollah in Facebook
  • F.B.I. Watching Possible Terrorists on Facebook
  • F.B.I. agents patrol Facebook
  • F.B.I. are spying on your Facebook profiles
  • F.B.I. busts alleged Facebook
  • F.B.I. bypasses Facebook to nail you
  • F.B.I. can watch our conversation through Facebook
  • F.B.I. may strike Facebook
  • F.B.I. on the Hunt for Facebook users
  • F.B.I. tries to fight Facebook
  • F.B.I. wants instant access to Facebook
  • F.B.I. watching us
  • F.B.I. watching you
  • FBI Facebook Crime Survey
  • FBI Facebook Records
  • FBI Looks Into Facebook
  • FBI Watching Hezbollah in Facebook
  • FBI Watching Possible Terrorists on Facebook
  • FBI agents patrol Facebook
  • FBI are spying on your Facebook profiles
  • FBI busts alleged Facebook
  • FBI bypasses Facebook to nail you
  • FBI can watch our conversation through Facebook
  • FBI may strike Facebook
  • FBI on the Hunt for Facebook users
  • FBI tries to fight Facebook
  • FBI wants instant access to Facebook
  • FBI watching us
  • FBI watching you
  • Facebook Coming Under F.B.I. Scrutiny
  • Facebook Coming Under FBI Scrutiny
  • Facebook's F.B.I. ties
  • Facebook's FBI ties
  • Get Facebook's F.B.I. Files
  • Get Facebook's FBI Files
  • The F.B.I. has a new way of tracking Facebook
  • The F.B.I.'s plan to "profile" Facebook
  • The FBI has a new way of tracking Facebook
  • The FBI's plan to "profile" Facebook

The message content for the above subjects is very simple and short. Here are a few of the unique message bodies I extracted from my faux SMTP server logs: (NOTE: hxxp://stormdomain_name is my substitution for one of the real Storm Worm domain names listed at the beginning of this post)

  • F.B.I. Watching Hezbollah in Facebook hxxp://stormdomain_name
  • F.B.I. on the Hunt for Facebook users hxxp://stormdomain_name
  • FBI Looks Into Facebook hxxp://stormdomain_name
  • FBI may strike Facebook hxxp://stormdomain_name
  • FBI watching you hxxp://stormdomain_name
  • Facebook's FBI ties hxxp://stormdomain_name
  • The F.B.I.'s plan to "profile" Facebook hxxp://stormdomain_name

You can look at all 41 unique message bodies here: fbi_messages.txt.

This wasn't the only spam being pushed out of the Storm botnet, as I also caught the following 21 Domain Names being used to push pharmaceuticals from the Canadian Pharmacy:

  • abilityhear.com
  • allhipguide.eu
  • besthiptop.eu
  • brickautoship.eu
  • compassionvery.com
  • definitionwonder.com
  • greathipx.eu
  • hilllocate.com
  • hipsurgeryonline.eu
  • hiptoguide.eu
  • hipworldhop.eu
  • majorwrite.com
  • rapsharp.eu
  • realizationthere.com
  • reciprocityby.com
  • storeever.com
  • trendyslick.eu
  • werecourage.com
  • wisdomby.com

Here are a few of the unique subject lines I extracted from the spam messages associated with the above domain names:

  • 10 reasons to take enhancing medicaments.
  • A small thing to make your woman happy.
  • Agree to be sick! Noway!
  • Bad health report? Consult us.
  • Better living through Canadian chemists.
  • Canadian doctors we trust.
  • Canadina chemists help you save 90% on medical bills.
  • Docs approve and recommend online Canadian Chemist.
  • Excellent effect on your condition.
  • In Canadian Chemist we trust.
  • New products everyday, online chemists where you can find a good source foryour needs.
  • Over 20000 products for health and beauty online.
  • Summer is on the way, do not forget of all requred-tabs.
  • The widest e-assrtment of medicaments.

All 560 unique subject lines can be seen here: spam_subjects.txt. I would recommend updating any of your spam filters to filter the above domains and if possible the above subject lines.

Another note of interest regarding the Storm Botnet: it seems to be actively performing ICMP DDoS attacks again. During my lab run I saw the following 4 IP addresses being attacked:

  • 62.189.182.xxx
  • 74.192.224.xxx
  • 79.41.125.xxx
  • 201.214.13.xxx

These attacks seemed to be very short lived, lasting ~20 minutes, in comparison to some of the attacks from the Storm Botnet that would last for hours and sometimes days. My guess is these attacks were in retaliation for probes on the botnet or web crawlers indexing the botnet too aggressively. I have been on the receiving end of these attacks in the past. What I found to be the cause was being too aggressive at trying to probe the botnet or retrieve the binary files being hosted by the web proxies. So a word of warning/advice to all researchers and security analysts: "be gentle" when dealing with this botnet or you too could come under attack.
