sudosecure.net

is anything truly secure…

Storm Worm Morphs to only serve exploits

Posted by jeremy on May 4th, 2008

Looks like my hunches yesterday about the Storm Worm authors being up to something were right on target. One of the researchers over at UploadMalware.com discovered the Storm Worm authors spawned a new variant yesterday. This new campaign is solely based off of iframe injections, so far. Maybe in the coming days or hours this will change and we will see some type of enticing download campaign we have grown so fond of. I would not rule it out, as the Storm Worm authors have used the social engineering factor very successfully for over a year now, and I don't see that going away anytime soon.

Alrighty then, let me get to some of the juicy stuff about this new campaign. We now have three active Storm fast-flux domain names serving up obfuscated JavaScript via a PHP file titled "ind.php". The thing that completely threw me off yesterday was that they are filtering the exploit with a User-Agent check. If you try to grab "ind.php" with a non-exploitable browser or command-line tool you will receive a blank page. Here is a PDF of the current "ind.php" file and its deobfuscated code: ind.php analysis. As you can see in the PDF, you will be hit with multiple exploits, and if any of them is successful you will receive the Storm Worm binary downloader from another PHP file titled "load.php". Detection is very limited for this new variant downloader: VirusTotal Results for load.php. This downloader will then grab the file "load.exe", which is the actual Storm Worm binary, and detection for this is low as well: VirusTotal Results for load.exe.

The new binary drops itself into the Windows directory (%windir%) during installation and is titled "libor.exe", along with its new peer file titled "gogora.config". Just for the heck of it, here is a list of the 903 peers I extracted from the config file: peers.

The three currently active domain names are "stateandfed.cn, apartment-mall.cn and centerprop.cn", and anyone with DNS blackholing or content-filtering devices would be well advised to add them to their configurations now. I am sure we will see a lot more of this via spam with links to new blogspot web pages with the iframe redirections embedded in them on Monday morning.
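For readers who want to act on the two defensive points above (the ind.php → load.php → load.exe chain on the three fast-flux domains, and the advice to blackhole those domains in DNS), here is an added example that is not part of the original post. It walks a Squid-style proxy log for contact with the campaign domains, labels each hit with the stage of the chain the post describes, singles out clients that went on to fetch the downloader or binary (a sign one of the ind.php exploits worked), and emits an Unbound `local-zone` blackhole for the domains. The domain and file names are the ones the post gives; the log lines, client addresses and resolver IPs are constructed for the demo.

```python
"""Spot Storm Worm iframe-campaign traffic in a proxy log and build a DNS blackhole.

Added example, not code from the original post. Domains and file names come from
the post; every log line, client address and upstream IP below is constructed.
"""
import re
from urllib.parse import urlsplit

# Fast-flux domains named in the post.
STORM_DOMAINS = ("stateandfed.cn", "apartment-mall.cn", "centerprop.cn")

# Request path -> stage of the infection chain as the post describes it:
#   ind.php  = obfuscated JavaScript exploit page (User-Agent filtered)
#   load.php = Storm binary downloader
#   load.exe = the Storm Worm binary itself
STAGE_BY_PATH = {"/ind.php": "exploit-page", "/load.php": "downloader", "/load.exe": "binary"}
POST_EXPLOIT_STAGES = {"downloader", "binary"}

# Squid native access.log layout:
#   time elapsed client action/code size method url ident hierarchy/from type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log (RFC 5737 test addresses for the upstream hosts).
SAMPLE_LOG = """\
1209945600.123    120 10.0.0.15 TCP_MISS/200 5120 GET http://stateandfed.cn/ind.php - DIRECT/203.0.113.10 text/html
1209945601.456     80 10.0.0.15 TCP_MISS/200 40960 GET http://stateandfed.cn/load.php - DIRECT/203.0.113.10 application/octet-stream
1209945602.789     60 10.0.0.22 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/198.51.100.5 text/html
1209945603.000     70 10.0.0.22 TCP_MISS/200 1024 GET http://centerprop.cn/ - DIRECT/203.0.113.44 text/html
1209945604.500     90 10.0.0.31 TCP_MISS/000 0 GET http://apartment-mall.cn/ind.php - DIRECT/203.0.113.70 -
"""


def is_storm_domain(host):
    """True for a campaign domain or any name beneath it (fast-flux hosts rotate)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in STORM_DOMAINS)


def classify_url(url):
    """Return (host, stage) when the URL points at a campaign domain, else None.

    Unknown paths on a campaign domain still count as contact ("domain-contact").
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not is_storm_domain(host):
        return None
    return host, STAGE_BY_PATH.get(parts.path.lower(), "domain-contact")


def find_hits(log_text):
    """Parse Squid lines and collect every request that touched a campaign domain."""
    hits = []
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines rather than crashing
        found = classify_url(m.group("url"))
        if found:
            host, stage = found
            hits.append({"client": m.group("client"), "host": host,
                         "stage": stage, "url": m.group("url")})
    return hits


def clients_past_exploit(hits):
    """Clients that fetched load.php or load.exe: an ind.php exploit most likely succeeded."""
    return sorted({h["client"] for h in hits if h["stage"] in POST_EXPLOIT_STAGES})


def unbound_blackhole(domains=STORM_DOMAINS):
    """Unbound local-zone lines answering NXDOMAIN for each domain and everything under it."""
    return "".join(f'local-zone: "{d}." always_nxdomain\n' for d in domains)


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["client"]:<10} {h["stage"]:<14} {h["url"]}')
    print("clients to isolate:", ", ".join(clients_past_exploit(found)))
    print("\n# unbound.conf snippet\n" + unbound_blackhole())
```

Feed `find_hits` the real access.log text instead of `SAMPLE_LOG`; a client that shows up in `clients_past_exploit` is the one to pull off the network first, while a client with only an `exploit-page` hit (like 10.0.0.31 in the sample, where the response never completed) is a near miss worth a look at the browser version. The `always_nxdomain` zone type makes Unbound refuse the names and any subdomains outright, which is what you want against a fast-flux setup that can rotate hostnames as easily as addresses.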

Also, as a side note, with the authors changing the web page I am having issues with my Storm Binary tracker. I should have them worked out shortly, and the database will get updated as soon as I do. If you have any questions or comments, feel free to shoot them my way.

One Response to “Storm Worm Morphs to only serve exploits”

  1. Storm Worm readies for another attack - CPS Forums Says:

    [...] Storm Worm readies for another attack sudosecure.net Blog Archive Storm Worm Morphs to only serve exploits Alrighty then let me get to some of the juicy stuff about this new campaign. We now have three [...]
