Storm Worm Fast Flux domain “superdrugtesting.com”
Posted by jeremy on April 6th, 2008
The last active domain name "ibank-halifax.com" was deactivated around March 18th, making it a little harder for me to track new Storm Worm binary-hosting web servers and really slowing down my binary harvesting. That wouldn't bother me a bit if they were just shut down and I could move on to something else, but instead they have registered a new domain name for their fast flux network, "superdrugtesting.com", with the registrar TODAYNIC.COM, INC. Here is a look at the current whois record:

Now take a look at the registrant information, which might I add is obviously fake:

I could be wrong, but I don't think an informative email to "coldercolder55@yahoo.com" is going to get much response in trying to get this new domain name taken offline. One change I noticed is that the authors have now moved from the Russian registrar "nic.ru" to the Chinese registrar "todaynic.com". I hope they didn't move to a registrar in another country as an attempt to throw investigators off, as it has become well known that the authors reside in St. Petersburg, Russia. If you haven't read the article by Brian Krebs from the Washington Post, take a look at it: Wishing an (Un)Happy Birthday to the Storm Worm. This article didn't seem to get much press coverage, so some of you may not have seen it.
If you have DNS blackholing capabilities, content filtering devices, and/or spam filters, I would suggest adding the "superdrugtesting.com" domain name to them at this time.
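As an added example (not code from the original post), the script below shows the two defensive pieces this post touches on: spotting the fast flux pattern in repeated DNS lookups of a domain (low TTL, many distinct addresses spread across many networks, answers that churn from one lookup to the next) and emitting a BIND RPZ blackhole entry for it. The lookup records are constructed for illustration and are not real resolutions of superdrugtesting.com; the thresholds in `is_fast_flux` are assumptions a defender would tune for their own resolver logs.

```python
"""Added example: score repeated DNS answers for fast-flux behaviour and
emit a DNS blackhole (BIND RPZ) entry.  The lookups below are constructed
sample data, not real resolutions of the domain named in the post."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Lookup:
    """One A-record answer for a domain, as a resolver would return it."""
    domain: str
    ttl: int          # seconds the answer may be cached
    addresses: tuple  # IPv4 addresses in the answer section


def flux_indicators(lookups):
    """Summarise a series of lookups of one domain.

    Returns (min_ttl, unique_ips, unique_prefixes, churn), where churn is
    the fraction of consecutive answers that share no address at all.
    """
    lookups = list(lookups)
    if not lookups:
        raise ValueError("need at least one lookup")
    domain = lookups[0].domain
    if any(l.domain != domain for l in lookups):
        raise ValueError("all lookups must be for the same domain")

    ips, prefixes = set(), set()
    for l in lookups:
        for a in l.addresses:
            ips.add(ipaddress.ip_address(a))
            # /16 prefix as a cheap stand-in for "a different network";
            # a real deployment would map addresses to ASNs instead.
            prefixes.add(ipaddress.ip_network(f"{a}/16", strict=False))

    disjoint = sum(
        1 for prev, cur in zip(lookups, lookups[1:])
        if not set(prev.addresses) & set(cur.addresses)
    )
    churn = disjoint / (len(lookups) - 1) if len(lookups) > 1 else 0.0
    return min(l.ttl for l in lookups), len(ips), len(prefixes), churn


def is_fast_flux(lookups, max_ttl=300, min_ips=10, min_prefixes=3):
    """Assumed thresholds: short TTL plus many addresses in many networks."""
    ttl, n_ips, n_prefixes, _ = flux_indicators(lookups)
    return ttl <= max_ttl and n_ips >= min_ips and n_prefixes >= min_prefixes


def rpz_blackhole(domain):
    """RPZ records that make the domain and all subdomains answer NXDOMAIN."""
    return [f"{domain} CNAME .", f"*.{domain} CNAME ."]


# Constructed sample: five lookups, each answering five fresh addresses in
# five different /16s with a 60-second TTL (the fast flux shape).
FLUX_LOOKUPS = [
    Lookup("superdrugtesting.com", 60,
           tuple(f"10.{5 * i + j}.{j}.{i + 1}" for j in range(5)))
    for i in range(5)
]

# Constructed sample: a stable site that always returns the same two hosts.
STATIC_LOOKUPS = [
    Lookup("example.com", 3600, ("192.0.2.10", "192.0.2.11")) for _ in range(5)
]


if __name__ == "__main__":
    for name, series in (("flux", FLUX_LOOKUPS), ("static", STATIC_LOOKUPS)):
        print(name, flux_indicators(series), "fast flux:", is_fast_flux(series))
    for line in rpz_blackhole("superdrugtesting.com"):
        print(line)
```

The RPZ lines go into a response policy zone loaded by the resolver; `CNAME .` is the RPZ idiom for "answer NXDOMAIN". Feeding `flux_indicators` with answers collected over a few hours from your own resolver logs is what makes the churn and prefix counts meaningful, since a single lookup of a fast flux name looks much like any round-robin site.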
As always if you have any questions or comments feel free to contact me at jeremy [at] sudosecure [dot] net anytime.