sudosecure.net

is anything truly secure…

Storm Worm gone domain registrant happy again!

Posted by jeremy on April 9th, 2008

Shaun from the Australian Honeynet Project sent me a few more domain names being used by the Storm Worm authors this morning, thanks Shaun! The following is a list of domain names being utilized by the Storm Worm right now:

  1. orthelike.com - Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
  2. limpodrift.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  3. gasperoblue.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  4. thingforyoutoo.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  5. loveinlive.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  6. gribontruck.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  7. giftapplys.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  8. biggetonething.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  9. newoneforyou.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  10. supersameas.com - Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
  11. boardhour.com - Registrar: XIN NET TECHNOLOGY CORPORATION

I have not seen this many domain names being utilized since the recent Christmas run a few months ago. Could there be something new or big in store for us real soon?

Another really odd thing I just noticed: the constant changing of the Storm Worm binary is not occurring right now. My Storm Worm binary tracker has shown only one MD5 hash, "e773e92fef7288faa63d79d497bded91", for all of the binaries retrieved since the authors changed the binary names to StormCodec.exe and StormCodec8.exe. I seriously doubt this was caused by them breaking or misconfiguring their bot network. So this recent "Storm Codec" joke may just be a temporary stalling technique used to keep us busy while the authors rework the binary. I say this because I found it very odd that the most recent binary distributed didn't try to hide itself at all: although antivirus companies struggled to publish a signature for it in a timely manner, users could easily detect an infected box simply by looking for the configuration file and/or binary in the C:\Windows directory. Also note the new names being used for these files: kaglor.config (peer config file) and liibr.exe (current Trojan binary), which are still found in the C:\Windows directory.
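For anyone who wants to turn the domain list above and the file names and MD5 hash from this post into a quick sweep, here is an added example (my own code for this page, not a tool from the Storm Worm trackers or the Honeynet Project). It matches DNS query logs against the listed domains (including subdomains) and walks a directory looking for files by the reported names or by the reported MD5. The DNS log line format, the sample log lines and the temporary file tree it builds are constructed for the demonstration and are assumptions, not data from the post; the indicator values themselves are the ones listed above (plus apartment-mall.cn from the comments).

```python
"""
Sweep for the Storm Worm indicators listed in the post above.

Added example, not code from the original post. The indicator values
come from the post and its comments; the DNS log format, the sample
log lines and the sample file tree below are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# Domains named in the post (and apartment-mall.cn from the comments).
STORM_DOMAINS = {
    "orthelike.com", "limpodrift.cn", "gasperoblue.cn", "thingforyoutoo.cn",
    "loveinlive.cn", "gribontruck.cn", "giftapplys.cn", "biggetonething.cn",
    "newoneforyou.cn", "supersameas.com", "boardhour.com", "apartment-mall.cn",
}

# File names the post reports seeing, and the one MD5 the tracker recorded.
STORM_FILENAMES = {"stormcodec.exe", "stormcodec8.exe", "kaglor.config", "liibr.exe"}
STORM_MD5 = "e773e92fef7288faa63d79d497bded91"


def domain_matches(qname):
    """True if qname is one of the Storm domains or a subdomain of one."""
    q = qname.rstrip(".").lower()
    # Require an exact label match or a dot boundary, so that a name such
    # as notorthelike.com does not match orthelike.com.
    return any(q == d or q.endswith("." + d) for d in STORM_DOMAINS)


# Constructed log format (assumption): "<timestamp> <client_ip> query <name>"
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)")


def match_dns_queries(lines):
    """Return (client_ip, qname) for every query line that hits a Storm domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and domain_matches(m.group(3)):
            hits.append((m.group(2), m.group(3).rstrip(".").lower()))
    return hits


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root):
    """Walk root and flag files by known name and/or by the known MD5.

    Each finding is (path, reason) with reason "name", "md5" or "name+md5".
    A name hit whose hash differs is still reported: the post expects the
    binary to be reworked, so the file name is a weaker but useful signal.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in STORM_FILENAMES:
                reasons.append("name")
            if md5_of(path) == STORM_MD5:
                reasons.append("md5")
            if reasons:
                findings.append((path, "+".join(reasons)))
    return findings


def demo():
    """Run both checks over constructed sample input; returns (dns_hits, file_hits)."""
    dns_lines = [  # constructed sample log lines
        "2008-04-09T08:01:12 10.0.0.15 query orthelike.com.",
        "2008-04-09T08:01:13 10.0.0.15 query www.example.org.",
        "2008-04-09T08:02:40 10.0.0.22 query cdn.gribontruck.cn.",
        "2008-04-09T08:02:41 10.0.0.22 query notorthelike.com.",
    ]
    root = tempfile.mkdtemp(prefix="storm_sweep_")  # stands in for C:\Windows
    for fname, data in [("liibr.exe", b"MZ placeholder, not the real binary"),
                        ("kaglor.config", b"peer list placeholder"),
                        ("notepad.exe", b"MZ benign placeholder")]:
        with open(os.path.join(root, fname), "wb") as f:
            f.write(data)
    return match_dns_queries(dns_lines), sweep_directory(root)


if __name__ == "__main__":
    for hit in demo()[0]:
        print("DNS hit:", hit)
    for hit in demo()[1]:
        print("File hit:", hit)
```

To use it against a real box, point sweep_directory at C:\Windows (it runs unchanged on Windows) and feed match_dns_queries your resolver logs after adjusting DNS_LINE to your log format. The placeholder files in demo() are flagged by name only; a "md5" reason will only appear for a file whose hash is the one the tracker reported.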

2 Responses to “Storm Worm gone domain registrant happy again!”

  1. Greg Says:

    Add apartment-mall.cn to your list

  2. jeremy Says:

    Thanks for the update!
