Storm Worm new/old Exploits back again
Posted by jeremy on April 10th, 2008
Ok, I finally had a chance to go through the obfuscated JavaScript and thought I would publish my findings to you all. I figured it would be better for me to just start a new post than continue to update the last one, as even I was getting confused.
First off, it isn't new for the Storm Worm to use obfuscated JavaScript to exploit Windows boxes that have not been patched. It has just been several months since the authors used this tactic to infect new hosts; I believe it was in October of last year that the Storm Worm authors were using the MS06-014 vulnerability to infect unpatched computers.
Now when you visit the Storm Worm Web pages you will be hit with 2 different exploit attempts. The first one is hosted in the index file and it looks like this: Storm Exploit Entry Page. This is clearly an exploit attempt against the MS06-014 vulnerability published in April of 2006. If the exploit works you will receive the "load.exe" file renamed as "win.exe" and it will be executed.
The second exploit is hosted in the flow.php file and it looks like this: Flow_php File. This is clearly another attempt to exploit an old vulnerability in Internet Explorer: MS05-052.
I haven't sacrificed a lab machine yet to see what happens after the infection, but here are my results from a few online sandboxes and virus scanners: VirusTotal Results, ThreatExpert Results.
As you can see, the antivirus companies are struggling to keep up with the Storm Worm, with only 6/32 flagging this last submission as malware. I was actually a little shocked to see Symantec on top of this binary already, good job! Looking at the ThreatExpert results it looks as though the stored binary and configuration file have changed names once again, to kavir.exe and nivavir.config, which are still stored in the C:\windows directory. The best recommendation I can give to anyone trying to prevent this from infecting their computers is to patch your boxes...
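As an added example (not the post's own code, and not the actual Storm scripts, which the post only links to), here is a small Python triage helper for the kind of obfuscated exploit page described above, covering both the index-file and flow.php paragraphs and the host artifacts named in the sandbox results. It assumes the obfuscation is built from unescape() percent-encoding and String.fromCharCode() layers, which is an assumption about that era's exploit pages rather than something the post shows; the sample input is constructed, uses the placeholder host example.invalid, and exists only so the decoder can be checked. The helper peels the layers, lists the risky calls it saw, extracts URLs, and reports whether any of the filenames the post names (flow.php, load.exe, win.exe, kavir.exe, nivavir.config) appear in the decoded text.

```python
"""Static triage for obfuscated JavaScript (added example, not from the post)."""
import re
from typing import Tuple

# Filenames the write-up above names; used as simple string indicators.
INDICATORS = ["flow.php", "load.exe", "win.exe", "kavir.exe", "nivavir.config"]

# Obfuscation primitives assumed here (the post does not reproduce the script).
_UNESCAPE_RE = re.compile(r'unescape\(\s*"([^"\\]*)"\s*\)')
_FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(\s*([0-9xXa-fA-F,\s]+)\)')
_RISKY_CALLS = ("eval(", "document.write(", "unescape(", "String.fromCharCode(")


def js_unescape(s: str) -> str:
    """Decode JavaScript unescape() syntax: %XX bytes and %uXXXX UTF-16 units."""
    def repl(m):
        tok = m.group(0)
        if tok[1] in "uU":
            return chr(int(tok[2:], 16))
        return chr(int(tok[1:], 16))
    return re.sub(r'%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}', repl, s)


def _parse_code(tok: str) -> int:
    tok = tok.strip()
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def decode_layer(script: str) -> Tuple[str, bool]:
    """Replace one layer of unescape()/fromCharCode() calls with literal strings.
    Returns (new_text, changed)."""
    changed = False

    def un(m):
        nonlocal changed
        changed = True
        return '"' + js_unescape(m.group(1)) + '"'

    def fcc(m):
        nonlocal changed
        changed = True
        codes = [_parse_code(x) for x in m.group(1).split(",") if x.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'

    script = _UNESCAPE_RE.sub(un, script)
    script = _FROMCHARCODE_RE.sub(fcc, script)
    return script, changed


def deobfuscate(script: str, max_layers: int = 10) -> str:
    """Peel decoding layers until nothing changes; bounded so a loop cannot hang."""
    for _ in range(max_layers):
        script, changed = decode_layer(script)
        if not changed:
            break
    return script


def triage(script: str) -> dict:
    """Summarise what an analyst would want to know before touching a lab box."""
    decoded = deobfuscate(script)
    return {
        "decoded": decoded,
        "risky_calls": [c for c in _RISKY_CALLS if c in script],
        "indicators": [i for i in INDICATORS if i in decoded.lower()],
        "urls": re.findall(r'https?://[^\s"\'<>]+', decoded),
    }


# --- constructed sample (NOT the real Storm page) ---------------------------
def _percent_encode(text: str) -> str:
    return "".join("%%%02X" % ord(c) for c in text)


def _charcodes(text: str) -> str:
    return ", ".join(str(ord(c)) for c in text)


# Inner script names flow.php and load.exe (placeholder host), wrapped in one
# fromCharCode() layer and then one unescape() layer.
INNER = 'var u = "http://example.invalid/flow.php"; var f = "load.exe";'
SAMPLE_JS = (
    'var a = unescape("'
    + _percent_encode("var b = String.fromCharCode(" + _charcodes(INNER) + ");")
    + '"); eval(a); document.write(b);'
)

if __name__ == "__main__":
    result = triage(SAMPLE_JS)
    print("risky calls :", result["risky_calls"])
    print("indicators  :", result["indicators"])
    print("urls        :", result["urls"])
    print("decoded     :", result["decoded"])
```

This is a static first pass only: it never evaluates the script, so it cannot be fooled into running anything, but it also will not unwrap layers built with arithmetic or custom decoders, which is exactly when a disposable lab machine or a sandbox submission like the ones above becomes the next step.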
I am still waiting for the results from CWsandbox and Anubis, if I get anything interesting back from their analysis I will update this posting.
April 10th, 2008 at 2:29 pm
Perhaps this is a response to Kraken and Mega-D getting so much press coverage?
April 11th, 2008 at 3:56 pm
Maybe, as it is probably bad for business if you're number 2 or 3 in the market… Who really knows their motive.