sudosecure.net

is anything truly secure…

New StormCodec.exe and StormCodec8.exe offered free of charge via the Storm Worm

Posted by jeremy on April 8th, 2008

Well, I must say I about died laughing this afternoon when I discovered the Storm Worm authors decided to publish their malware codec under the alias Storm Codec. One thing no one can deny about the Storm Worm authors is that they definitely have a sense of humor. As always, here is a screenshot of their newest web page:

Storm Worm Codec web page

So as you can see, they are offering unsuspecting visitors the newest Storm Worm Trojan as a media codec. It almost takes me back to when they were offering the video.exe codec for YouTube. Nothing really new in the web page source code either:

Storm Worm Codec web page source code

I am actually really surprised we haven't seen any new JavaScript obfuscation being used; with all the other major malware distributors doing it, obfuscated code is the "happening thing". I know that a few months ago they were using the unescape function, but nothing since then.

Another note of interest shared with me today via Steven from SecurityZone.org and Shaun, the founder of the Australian Honeynet project, is that there are now two new domain names for the Storm Worm: supersameas.com and boardhour.com. Steven also noted that superdrugtesting.com was taken offline earlier this morning. The registrar for supersameas.com is "BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN" and the registrar for boardhour.com is "XIN NET TECHNOLOGY CORPORATION". With all that being said, I must applaud registrar "todaynic.com", as they acted really quickly in getting superdrugtesting.com offline. I guess the authors of the Storm Worm made a small mistake registering with a legit Chinese registrar. If all registrars acted that quickly, I would definitely have to come up with a new way to track the Storm Worm web hosts. ;)

One last note of interest: Matt Jonkman, the founder of Emerging Threats, is on top of these changes as always with the two new current-event Snort signatures sid:2008111 and 2008112. I would suggest running these rules along with DNS blackholing supersameas.com and boardhour.com, as I am sure there will be more blogspot redirections in the coming days. I have not seen any of the reported spam using the new domain names as of yet, but that doesn't necessarily mean that it isn't out there already.
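As an added example (not part of the original post), here is a small Python script that checks BIND-style DNS query logs for lookups of the two domains blackholed above, so the resolver log also shows which internal hosts are already trying to reach them. The log lines are constructed samples and the BIND 9 query-log line format is assumed.

```python
"""Flag DNS queries for the Storm Worm domains named in the post.

Added example, not from the original post. The domain list comes from the
post; the log lines are constructed samples in an assumed BIND 9 query-log
format, not a capture from the page.
"""
import re
from collections import defaultdict

# Domains the post recommends blackholing (April 8th, 2008).
BLACKHOLE_DOMAINS = {"supersameas.com", "boardhour.com"}

# Assumed BIND 9 style:
# "client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)"
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_blackholed(qname, domains=BLACKHOLE_DOMAINS):
    """True if qname is a listed domain or a subdomain of one.

    Matching on label boundaries avoids false positives such as
    'notboardhour.com'; trailing dots and case are normalised first.
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def find_storm_queries(log_lines, domains=BLACKHOLE_DOMAINS):
    """Return {client_ip: sorted qnames} for queries that hit the list."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query log line
        if is_blackholed(m["qname"], domains):
            hits[m["ip"]].add(m["qname"].rstrip(".").lower())
    return {ip: sorted(names) for ip, names in hits.items()}


SAMPLE_LOG = [  # constructed sample lines
    "08-Apr-2008 14:02:11.001 client 10.0.0.5#53211: query: www.google.com IN A + (10.0.0.1)",
    "08-Apr-2008 14:02:12.540 client 10.0.0.5#53212: query: supersameas.com IN A + (10.0.0.1)",
    "08-Apr-2008 14:02:13.003 client 10.0.0.9#40112: query: www.boardhour.com. IN A + (10.0.0.1)",
    "08-Apr-2008 14:02:13.900 client 10.0.0.7#40113: query: notboardhour.com IN A + (10.0.0.1)",
    "08-Apr-2008 14:02:14.100 client 10.0.0.9#40114: query: BOARDHOUR.COM IN MX + (10.0.0.1)",
]

if __name__ == "__main__":
    for ip, names in find_storm_queries(SAMPLE_LOG).items():
        print(f"{ip} queried blackholed Storm Worm domain(s): {', '.join(names)}")
```

Hosts that show up here are candidates for the Snort rules above to confirm, since a DNS hit alone does not prove infection.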
