Storm Worm Config File Parsing Script for extracting Peer IPs.
Posted by jeremy on April 6th, 2008
After talking it over with a few colleagues and friends I have decided to release the script I utilize to extract the peer IP addresses and ports from the Storm Worm ini/config file, as I think it may benefit others. The current configuration file for the Storm Worm is "aromis.config" and it holds the IPs for bot peers the infected computer can communicate with. This will not be the entire list of IPs infected with the Storm Worm, as the Storm Worm breaks its bot networks up into small sub-network-like structures. This is why it has been so hard for security professionals to combat the worm and gather an accurate number of hosts infected with it.
Something to consider before using the script is that I cannot guarantee it will work on new configuration files, as the authors of the Storm Worm could change this file at any given time. If they do decide to modify the configuration file structure I may or may not decide to update the script to reflect these changes. I think once you see how simple it is, you may just want to update it yourself. I am not a professional programmer nor a Perl guru, so if you find anything insane in the code I welcome your fixes and/or improvements.
With all that being said, run it at your own risk as I provide no warranty! Well, here you go: storm_config_decoder_pl. The output from this script is very simple, "ip address:port", for example "192.168.0.1:1234", with the last line of output telling you exactly how many unique IP addresses it was able to identify. Oh, I almost forgot to mention it can parse multiple files: just use "*" as a wildcard character or specify the files with a space between them. This option has been very useful to me in combining the configuration files from several different infections over a period of time, such as the last 24 hours. Try it, as you may get some interesting results.
As always if you have any questions or comments regarding this post or script feel free to contact me at anytime at jeremy [at] sudosecure [dot] net. Enjoy!
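As an added example (not the author's Perl script, which is not reproduced on this page), here is a Python version of the same job: it accepts file names or wildcards, pulls "ip:port" entries out of the peer section, merges and deduplicates them across files, and ends with the unique-IP count. Because the page does not document the config layout, the example assumes one: under a "[peers]" section each line is a 32-hex-character peer hash, "=", then 8 hex characters of big-endian IPv4, 4 hex characters of port and 2 hex characters of flags; the sample config is constructed, not a real capture.

```python
import glob
import re
import sys
# ASSUMED peer-entry layout (the page does not document the format): under "[peers]",
# each line is "<32-hex peer hash>=<8-hex IPv4><4-hex port><2-hex flags>", big-endian.
PEER_LINE = re.compile(r"^[0-9A-Fa-f]{32}=([0-9A-Fa-f]{8})([0-9A-Fa-f]{4})[0-9A-Fa-f]{2}$")

# Constructed sample config, not a real capture; 192.168.0.1:1178 appears twice.
SAMPLE_CONFIG = """[local]
uport=7871
[peers]
00112233445566778899AABBCCDDEEFF=C0A80001049A00
FFEEDDCCBBAA99887766554433221100=C0A800021ECB00
0123456789ABCDEF0123456789ABCDEF=C0A80001049A00
this line is not a peer entry and is skipped
"""

def decode_peer(line: str):
    """Return 'ip:port' for a peer line, or None if it does not match the layout."""
    m = PEER_LINE.match(line.strip())
    if m is None:
        return None
    ip = ".".join(str(b) for b in bytes.fromhex(m.group(1)))
    return f"{ip}:{int(m.group(2), 16)}"

def extract_peers(text: str) -> list:
    """All 'ip:port' entries under [peers], in file order, duplicates kept."""
    peers, in_peers = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_peers = line.lower() == "[peers]"  # only this section holds peer IPs
        elif in_peers and (p := decode_peer(line)):
            peers.append(p)
    return peers

def merge_configs(texts) -> list:
    """Union of peers across several config files (e.g. 24 hours of infections)."""
    return sorted({p for t in texts for p in extract_peers(t)})

def unique_ip_count(peers) -> int:
    """Distinct IP addresses, ignoring port differences (the script's last line)."""
    return len({p.rsplit(":", 1)[0] for p in peers})

if __name__ == "__main__":
    # Arguments may be file names or wildcards such as 'captures/*.config'; no args: sample.
    paths = [f for pat in sys.argv[1:] for f in sorted(glob.glob(pat))]
    texts = [open(f, encoding="latin-1").read() for f in paths] or [SAMPLE_CONFIG]
    peers = merge_configs(texts)
    print("\n".join(peers + [f"{unique_ip_count(peers)} unique ip addresses"]))
```

If the real layout differs, only PEER_LINE and decode_peer need changing; the section handling, merging and counting stay the same.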
May 22nd, 2008 at 1:04 pm
thanks bro…
May 22nd, 2008 at 2:16 pm
No problem.