Storm spam leads to money laundering and more, oh my!
Posted by jeremy on August 16th, 2008
Sorry for the lack of coverage this month, as I have been extremely busy catching up with everything after going to Blackhat and Defcon. Anyway, I spent a few hours watching the Storm Worm in my lab last night and this morning and I have identified a few changes since the last time I looked at it. First off, the Storm Worm is not using its rootkit functionality anymore, and the binary installed in %WINDIR% is now named "neos.exe", with its peer hash file being named "crock+mock.config". The p2p peer hash file contained 857 peers, which is right in line with most of the samples I have taken this year. Here is the decoded IP and port list of those peers found in my sample: peers.txt.
The Storm domain names I have that are still active, or more accurately maintain a domain status of "ok":
- nationwide2u.cn
- worldpostcardart.com
- superlettercard.com
- yourlettercard.com
- freepostcardonline.com
- digitalaudiopostcard.com
- lettercardadvertising.com
- bestlettercard.com
- audiopostcardmail.com
- supergreetingcard.com
- oldpostcardshop.com
None of these domains are resolving right now, since their name servers are not answering A record requests at this time. The name servers I could identify are:
- ns.brprbgok6.com 62.33.224.26
- ns2.brprbgok6.com 124.121.82.50
- ns3.brprbgok6.com 201.212.95.89
- ns4.brprbgok6.com 89.109.28.87
- ns5.brprbgok6.com 193.238.128.177
- ns6.brprbgok6.com 74.129.81.83
Interestingly enough, the brprbgok6.com domain is in a "clienthold" status, so action has been taken against this domain, but that wouldn't stop the above name servers from answering requests. Another interesting finding is that these name servers have a TTL of 172800 (two days), so they are not following the normal double fast flux structure for which the Storm Worm is famous. This is not abnormal for the Storm Worm either, though, as this type of behavior seems to occur at the end of each campaign and can be thought of as a final stage in the limitless transformations of themes that occur. Once the name servers stop participating in the fast flux design you can almost bet on seeing a new theme within a few days. These new themes also seem to start either on Monday or Tuesday mornings, so we will just have to wait and see if this holds true one more time.
I also found that all of the domains listed at the top of this posting, except for the older "nationwide2u.cn", were registered on the same day using the same registrar and registrant information. Here is a copy of the whois record for one of the domains:
Registrar: RegTime.net Limited
Creation date: 2008-08-03
Expiration date: 2009-08-02
Registrant:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
Administrative Contact:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
Technical Contact:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
Billing Contact:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
The registrar is Regtime.net Limited, a Russian ICANN-accredited registrar that has been in business since 2001. This is also the first time I have seen the Storm authors use Regtime.net Limited for registering their domains. Hopefully Regtime.net will take action against these domain names soon, as the "love/postcard" theme seems to be the fallback theme for Storm when new themes begin to lose effectiveness.
The Storm spam seems to be right in line with the norm, with one small exception. This exception is a phishing email that is going out concerning money laundering. Here is a copy of the email message I captured:
Subject: JOB $1800/WEEK - CANADIANS WANTED!
Date: Fri, 15 Aug 2008 16:27:29 -0500
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="Windows-1252";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2499
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2499

We are looking for Canadians who would like to work from home
in an administrative support function for businesses.
Many of our clients are small businesses and executives
who are busy and on the go.

Administrative Assistants can work full or part time.
PART TIME ASSISTANTS must work a minimum of 10 hours per week.

Salary varies between $5,000 to $10,000 per month!
If interested,
get back to me at hxxp://www.vik-budget.com
thank you
.
QUIT
Following the link in the email message will bring you to a phpBB forum posting dated Thu Dec 02, 2004 8:30 pm, with a subject line of "Getting Started!", by the moderator of the forum going by the alias "Supplier", with a total of 34 posts on this message board. This all seemed really odd to me, as I have suggested in the past that individuals were paying for spam, but why would someone pay for spam on such an old, outdated posting? Interestingly enough, the vik-budget.com domain seems to be utilizing a fast flux design as well, rotating out A records every 180 seconds and serving up 17 individual IP addresses at a time. Here is a sample dig output just to clarify what I am trying to say:
;; QUESTION SECTION:
;vik-budget.com. IN A

;; ANSWER SECTION:
vik-budget.com. 180 IN A 86.104.87.45
vik-budget.com. 180 IN A 89.33.209.220
vik-budget.com. 180 IN A 93.81.55.7
vik-budget.com. 180 IN A 89.112.76.91
vik-budget.com. 180 IN A 89.47.118.38
vik-budget.com. 180 IN A 91.124.247.62
vik-budget.com. 180 IN A 93.80.234.159
vik-budget.com. 180 IN A 82.179.235.165
vik-budget.com. 180 IN A 79.112.24.125
vik-budget.com. 180 IN A 190.20.206.241
vik-budget.com. 180 IN A 92.100.98.229
vik-budget.com. 180 IN A 89.45.24.174
vik-budget.com. 180 IN A 92.100.21.65
vik-budget.com. 180 IN A 89.178.231.167
vik-budget.com. 180 IN A 81.181.112.38
vik-budget.com. 180 IN A 69.144.198.226
I went ahead and searched all of these IP addresses against the ~180,000 archived IP addresses I have identified in the last six months that may have been associated with the Storm worm at some point in the past. The only one that returned a match against my database was "69.144.198.226", so I don't think this phishing phpBB site is operating on the Storm fast flux network, but I could be wrong. The name servers are also different for this phishing domain, so again I don't think it is operating on the Storm fast flux network. Here is a list of the name servers for vik-budget.com:
- NS1.VIPSAM.COM
- NS2.VIPSAM.COM
- NS3.VIPSAM.COM
- NS4.VIPSAM.COM
One really cool discovery I had concerning these name servers is that they seem to be riding a fast flux network using a TTL of 180 seconds at first, but when that initial TTL expires a new TTL of 172800 is seen and the A record changes to a new IP address. Very odd stuff here, so I dug into the VIPSAM.COM domain and found it no longer resolves, but was used back in July to point to another online pharmaceutical site titled "Online Pharmacy". This seems to be another very active and large pharmaceutical spam participant, with 70 other domain names currently resolving to this host and at least 63 other hosts sharing its name servers. Here is a screen shot of this pharmaceutical company website to give you an idea of what it currently looks like:
As you can tell this was all very odd to me, and it was actually the first time I was led to an online pharmaceutical spam site from a money laundering phishing site. I can't say the two are owned and operated by the same person or organization; they are only linked by name servers and shared hosting. I will let you be the judge of that.
Now getting back to the vik-budget.com phishing forum site. Here is a screen capture of the forum post that is presented by following the link in the Storm spam message:
So as you can see, it looks like a money laundering scheme in which the poster claims this to be a good and legal way of making money. I am not a lawyer or agent of the law, but this just doesn't seem like it would be a good and legal way of making money. So I did a little digging and found that this exact forum structure, including identical forum content, could be found on other domains such as hdd-manager.com, WCA-Manager.com, xrs-capital.com, and can-budget.com. With all of the content being identical, I would venture to say this is most likely a phpBB template in which the phisher simply changes the domain name and it modifies everything inside the forum to reflect this change, such as his or her email address. Looking into the whois records for these sites, all 4 domains (hdd-manager.com, wca-manager.com, xrs-capital.com, and can-budget.com) were created on March 11, 2008 with matching registrant information. Here is the whois record for wca-manager.com:
Domain Name.......... WCA-Manager.com
Creation Date........ 2008-03-11 10:22:01
Registration Date.... 2008-03-11 10:22:01
Expiry Date.......... 2009-03-11 10:22:01
Organisation Name.... xiaowen
Organisation Address. No.12 chang'an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN
Admin Name........... gr wen
Admin Address........ No.12 chang'an road
Admin Address........
Admin Address........ Beijing
Admin Address........ 100001
Admin Address........ BJ
Admin Address........ CN
Admin Email.......... 3498@34.com
Admin Phone.......... +86.103093034
Admin Fax............ +86.103493934
Tech Name............ gr wen
Tech Address......... No.12 chang'an road
Tech Address.........
Tech Address......... Beijing
Tech Address......... 100001
Tech Address......... BJ
Tech Address......... CN
Tech Email........... 3498@34.com
Tech Phone........... +86.103093034
Tech Fax............. +86.103493934
Bill Name............ gr wen
Bill Address......... No.12 chang'an road
Bill Address.........
Bill Address......... Beijing
Bill Address......... 100001
Bill Address......... BJ
Bill Address......... CN
Bill Email........... 3498@34.com
Bill Phone........... +86.103093034
Bill Fax............. +86.103493934
Name Server.......... ns4.nsi-centre.com
Name Server.......... ns3.nsi-centre.com
Name Server.......... ns2.nsi-centre.com
Name Server.......... ns1.nsi-centre.com
Now the whois record for vik-budget.com wasn't an exact match, but I am sure you can spot the similarities between the two:
Domain Name.......... vik-budget.com
Creation Date........ 2008-07-23 17:34:04
Registration Date.... 2008-07-23 17:34:04
Expiry Date.......... 2009-07-23 17:34:04
Organisation Name.... xiaowen
Organisation Address. No.12 chan'an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN
Admin Name........... xiaowen
Admin Address........ No.12 chan'an road
Admin Address........
Admin Address........ Beijing
Admin Address........ 100001
Admin Address........ BJ
Admin Address........ CN
Admin Email.......... 232@242.com
Admin Phone.......... +86.102092094
Admin Fax............ +86.102482940
Tech Name............ xiaowen
Tech Address......... No.12 chan'an road
Tech Address.........
Tech Address......... Beijing
Tech Address......... 100001
Tech Address......... BJ
Tech Address......... CN
Tech Email........... 232@242.com
Tech Phone........... +86.102092094
Tech Fax............. +86.102482940
Bill Name............ xiaowen
Bill Address......... No.12 chan'an road
Bill Address.........
Bill Address......... Beijing
Bill Address......... 100001
Bill Address......... BJ
Bill Address......... CN
Bill Email........... 232@242.com
Bill Phone........... +86.102092094
Bill Fax............. +86.102482940
Name Server.......... ns4.vipsam.com
Name Server.......... ns3.vipsam.com
Name Server.......... ns2.vipsam.com
Name Server.......... ns1.vipsam.com
I also did some checking into the ICQ number, which seems to be legitimate: supplier. I didn't try contacting this person for some social engineering, but I sure thought about it. I believe this to be the administrator or operator behind this scam, as his ICQ number is the only thing that never changes in this template. In my digging I also ran across a post at scamfraudalert.com where an administrator posted this same email template under the work-at-home scam section of their forums back in July: scamfraudalert.com posting. A little more Google magic and I was able to uncover even more information about this money laundering scam, which seems to have been around for over a year now: forum.419eater.com cs-funds and forum.419.com lvs-money.com.
The last thing I noticed in regards to the vik-budget.com domain was that it was currently being hosted on the same host as these two PhishTank-reported phishing sites: hsbc.update.citapedor.com and update.citapedor.com, which were phishing sites targeting HSBC bank back in mid July as far as I can tell. Could this be the same phisher? Well, I will let you be the judge again by simply posting the whois record for citapedor.com:
Domain Name.......... citapedor.com
Creation Date........ 2008-07-10 20:19:29
Registration Date.... 2008-07-10 20:19:29
Expiry Date.......... 2009-07-10 20:19:29
Organisation Name.... xiaowen
Organisation Address. No.12 chan'an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN
Admin Name........... xiaowen
Admin Address........ No.12 chan'an road
Admin Address........
Admin Address........ Beijing
Admin Address........ 100001
Admin Address........ BJ
Admin Address........ CN
Admin Email.......... 232@242.com
Admin Phone.......... +86.102092094
Admin Fax............ +86.102482940
Tech Name............ xiaowen
Tech Address......... No.12 chan'an road
Tech Address.........
Tech Address......... Beijing
Tech Address......... 100001
Tech Address......... BJ
Tech Address......... CN
Tech Email........... 232@242.com
Tech Phone........... +86.102092094
Tech Fax............. +86.102482940
Bill Name............ xiaowen
Bill Address......... No.12 chan'an road
Bill Address.........
Bill Address......... Beijing
Bill Address......... 100001
Bill Address......... BJ
Bill Address......... CN
Bill Email........... 232@242.com
Bill Phone........... +86.102092094
Bill Fax............. +86.102482940
Name Server.......... ns2.godns1334.com
Name Server.......... ns1.godns1334.com
Name Server.......... ns3.godns1334.com
Name Server.......... ns4.godns1334.com
So if you're seeing what I am seeing, I would be fairly certain this is the same person or organization responsible for the past phishing attempts. I just have to wonder why they would use the same false information to register domains. If any of this really interests you, I would suggest Googling the following strings: "No.12 chang'an road", "xiaowen phisher", and "Organisation Name xiaowen", which should provide you with an overall picture of just how long this phisher has been around and just how many different types of phishing scams this phisher has attempted without being caught, including eBay, PayPal, Facebook, LinkedIn, and numerous financial institution phishing sites. With unique whois records being the center of my little investigation, it is almost dumbfounding to think we can't put a stop to at least this one individual or organization.
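To make the kind of whois pivot described above repeatable, here is an added Python example (my code, not anything from the original post or from the sites discussed). It parses the dotted-label whois layout quoted above, normalises the registrant fields, and reports which fields two records share, treating a one-letter address typo such as "chan'an" versus "chang'an" as a fuzzy match while requiring e-mail and phone to match exactly, then clusters records that share enough fields. The three sample records are trimmed copies of the ones quoted in the post (the citapedor.com record, as quoted above, differs from vik-budget.com's only in domain, dates and name servers, so it is derived from that string); the pivot field lists, the 0.85 similarity ratio and the two-field clustering threshold are my assumptions, not the author's.

```python
"""Pivot on registrant details across whois records.

Added example, not code from the original post.  It parses the dotted-label
whois layout quoted above, normalises the contact fields and counts how many
two records share; names and addresses may match fuzzily so a one-letter typo
(chan'an vs chang'an) still links records, emails and phones must be exact.
The field lists and the 0.85 ratio are the author's assumptions; the records
are trimmed copies of the three quoted in the post.
"""
import re
from difflib import SequenceMatcher

# "Admin Email.......... x@y" and "Organisation Address. No.12 ..." (one dot) both match
_FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.+\s*(.*)$")
EXACT_FIELDS = ("admin email", "admin phone")
FUZZY_FIELDS = ("organisation name", "admin name", "admin address")
FUZZY_MIN = 0.85


def parse_whois(text):
    """Return {label: value}; repeated labels (address lines, name servers) are joined."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line.strip())
        if not m or not m.group(2).strip():
            continue                       # not a field, or a blank address line
        fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return {k: ", ".join(v) for k, v in fields.items()}


def _norm(value):
    return re.sub(r"\s+", " ", value).strip().lower()


def shared_fields(a, b):
    """Map each pivot field to 'exact', 'fuzzy' or None for two parsed records."""
    result = {}
    for field in EXACT_FIELDS + FUZZY_FIELDS:
        result[field] = None
        if field in a and field in b:
            x, y = _norm(a[field]), _norm(b[field])
            if x == y:
                result[field] = "exact"
            elif field in FUZZY_FIELDS and SequenceMatcher(None, x, y).ratio() >= FUZZY_MIN:
                result[field] = "fuzzy"
    return result


def cluster(records, min_shared=2):
    """Group records linked by at least min_shared pivot fields (union-find)."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            hits = sum(v is not None for v in shared_fields(records[i], records[j]).values())
            if hits >= min_shared:
                parent[find(i)] = find(j)
    groups = {}
    for i, r in enumerate(records):
        groups.setdefault(find(i), []).append(r["domain name"].lower())
    return sorted(sorted(g) for g in groups.values())


# Trimmed copies of the records quoted in the post.
WCA_MANAGER = """Domain Name.......... WCA-Manager.com
Organisation Name.... xiaowen
Admin Name........... gr wen
Admin Address........ No.12 chang'an road
Admin Address........
Admin Address........ Beijing
Admin Address........ CN
Admin Email.......... 3498@34.com
Admin Phone.......... +86.103093034
Name Server.......... ns1.nsi-centre.com"""

VIK_BUDGET = """Domain Name.......... vik-budget.com
Organisation Name.... xiaowen
Admin Name........... xiaowen
Admin Address........ No.12 chan'an road
Admin Address........ Beijing
Admin Address........ CN
Admin Email.......... 232@242.com
Admin Phone.......... +86.102092094
Name Server.......... ns1.vipsam.com"""

# citapedor.com's quoted record differs from vik-budget.com's only in domain, dates and NS.
CITAPEDOR = VIK_BUDGET.replace("vik-budget.com", "citapedor.com").replace("vipsam", "godns1334")
```

With the default threshold of two shared fields, wca-manager.com joins the vik-budget.com/citapedor.com pair through the shared organisation name and the near-identical address; raising `min_shared` to three separates it again, which is the knob to turn when a registrar's boilerplate would otherwise glue unrelated records together.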
The only other spam I saw coming out of the Storm worm was the normal Pharmacy Express and Canadian Pharmacy stuff. I have noticed the Canadian Pharmacy spam is riding a slightly more complex fast flux network and makes up about 75% of all the spam coming from Storm Worm infected hosts. Here is a list of the domain names I captured during this analysis:
- areatry.com
- boardcow.com
- boughttool.com
- claimtie.com
- drawbe.com
- groupyellow.com
- pitchinclude.com
- presentalso.com
- probablewide.com
- whetherthus.com
Here is a sample dig query against one of the domains "areatry.com":
;; ANSWER SECTION:
areatry.com. 120 IN A 89.139.42.151
areatry.com. 120 IN A 89.142.143.19
areatry.com. 120 IN A 89.169.184.21
areatry.com. 120 IN A 91.66.127.14
areatry.com. 120 IN A 118.168.25.176
areatry.com. 120 IN A 210.194.144.198
areatry.com. 120 IN A 213.211.44.132
areatry.com. 120 IN A 218.171.174.108
areatry.com. 120 IN A 218.190.85.230
areatry.com. 120 IN A 59.188.130.110
areatry.com. 120 IN A 61.224.205.217
areatry.com. 120 IN A 69.66.219.190
areatry.com. 120 IN A 75.139.130.32
areatry.com. 120 IN A 77.41.88.195
areatry.com. 120 IN A 77.127.162.69
areatry.com. 120 IN A 79.164.122.160
areatry.com. 120 IN A 79.172.80.138
areatry.com. 120 IN A 85.250.12.186
areatry.com. 120 IN A 85.250.27.81
areatry.com. 120 IN A 89.110.48.125

;; AUTHORITY SECTION:
areatry.com. 163448 IN NS ns1.er909erede.com.
areatry.com. 163448 IN NS ns1.ijekrii9.com.
areatry.com. 163448 IN NS ns0.er909erede.com.
areatry.com. 163448 IN NS ns0.ijekrii9.com.
As you can clearly see, the TTL is 120 seconds and 20 A records are served up as available for each lookup. This is definitely more complex than the Pharmacy Express spam.
The Pharmacy Express spam domains I discovered during this run were:
- denvermedicaldoc.sg
- doctordoctorlist.sg
- funmedicaldoctor.sg
- medicaldoc.sg
- medspecialist.sg
- medvisiondoctor.sg
- medwaydoc.sg
- ozmeddoc.sg
- yourrecoverydoc.sg
These domains are also riding on a fast flux network, but only serve up one new A record every 5 minutes. Here is the output of my dig command for the "ozmeddoc.sg" domain:
;; ANSWER SECTION:
ozmeddoc.sg. 590 IN A 204.95.101.99
Don't get the wrong idea here: I am not saying the Pharmacy Express site/domain is any less of a threat or nuisance than the Canadian Pharmacy site/domain, but what I am saying is that the fast flux design is simplified for Pharmacy Express when compared to the Canadian Pharmacy design.
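As an added example (not code from the original post), here is a small Python scorer that turns the dig observations made throughout this post into a repeatable check: it parses the A records from a dig ANSWER SECTION, reports the TTL, the record count and the number of distinct /16 networks the answers fall in, and classifies the answer as stable (like the 172800-second name server records), a single-record low-TTL candidate (like ozmeddoc.sg), or a multi-record fast-flux pool (like areatry.com). A churn() helper measures how much of the answer set changes between successive lookups, which is what actually confirms the single-record case. The thresholds are my assumptions; the embedded sample answers are copied from the dig output above.

```python
"""Score dig(1) ANSWER SECTION output for fast-flux characteristics.

Added example, not code from the original post.  The three thresholds are
the author's assumptions; the sample answers are copied from the post.
"""
import ipaddress
import re

# One A record per line, as dig prints it: "<owner>. <ttl> IN A <ipv4>"
_A_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

TTL_MAX = 900      # seconds; the name servers in the post sit at 172800 (two days)
MIN_RECORDS = 5    # a pool of hosts, not a pair of load-balanced servers
MIN_SLASH16 = 5    # infected consumer hosts scatter across many unrelated /16s


def parse_a_records(dig_text):
    """Return (owner, ttl, [IPv4Address]) from the A lines; other lines are skipped."""
    owner, ttl, ips = None, None, []
    for line in dig_text.splitlines():
        m = _A_RE.match(line.strip())
        if m:
            owner, ttl = m.group(1).rstrip("."), int(m.group(2))
            ips.append(ipaddress.IPv4Address(m.group(3)))
    return owner, ttl, ips


def score(dig_text):
    """Classify one answer as 'stable', 'low-ttl', 'single-flux candidate' or 'fast-flux'."""
    owner, ttl, ips = parse_a_records(dig_text)
    if not ips:
        raise ValueError("no A records in input")
    slash16 = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    if ttl > TTL_MAX:
        verdict = "stable"
    elif len(ips) >= MIN_RECORDS and len(slash16) >= MIN_SLASH16:
        verdict = "fast-flux"
    elif len(ips) == 1:
        # One low-TTL record proves nothing by itself; churn() over repeated
        # lookups is what confirms a single-record flux like ozmeddoc.sg.
        verdict = "single-flux candidate"
    else:
        verdict = "low-ttl"
    return {"owner": owner, "ttl": ttl, "records": len(ips),
            "slash16": len(slash16), "verdict": verdict}


def churn(snapshots):
    """Per-interval fraction of answers that were absent from the previous lookup."""
    rates = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        cur, prev = set(cur), set(prev)
        rates.append(len(cur - prev) / len(cur) if cur else 0.0)
    return rates


# Copied from the post's dig output for areatry.com (Canadian Pharmacy pool).
AREATRY = """;; ANSWER SECTION:
areatry.com. 120 IN A 89.139.42.151
areatry.com. 120 IN A 89.142.143.19
areatry.com. 120 IN A 89.169.184.21
areatry.com. 120 IN A 91.66.127.14
areatry.com. 120 IN A 118.168.25.176
areatry.com. 120 IN A 210.194.144.198
areatry.com. 120 IN A 213.211.44.132
areatry.com. 120 IN A 218.171.174.108
areatry.com. 120 IN A 218.190.85.230
areatry.com. 120 IN A 59.188.130.110
areatry.com. 120 IN A 61.224.205.217
areatry.com. 120 IN A 69.66.219.190
areatry.com. 120 IN A 75.139.130.32
areatry.com. 120 IN A 77.41.88.195
areatry.com. 120 IN A 77.127.162.69
areatry.com. 120 IN A 79.164.122.160
areatry.com. 120 IN A 79.172.80.138
areatry.com. 120 IN A 85.250.12.186
areatry.com. 120 IN A 85.250.27.81
areatry.com. 120 IN A 89.110.48.125
;; AUTHORITY SECTION:
areatry.com. 163448 IN NS ns1.er909erede.com."""

# Copied from the post's dig output for ozmeddoc.sg (Pharmacy Express).
OZMEDDOC = "ozmeddoc.sg. 590 IN A 204.95.101.99"

if __name__ == "__main__":
    for sample in (AREATRY, OZMEDDOC):
        print(score(sample))
```

Run against the areatry.com answer it reports 20 records spread over 19 distinct /16s at a 120-second TTL, which is the "fast-flux" verdict; the lone ozmeddoc.sg record only earns "single-flux candidate", and feeding successive answer sets to churn() is how you would confirm the five-minute rotation the post describes. The /16 spread is the cheap stand-in for an ASN lookup: a CDN's low-TTL pool tends to sit in a handful of networks, while a botnet's lands almost everywhere.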

