sudosecure.net


Storm Worm using a 2 stage attack system

Posted by jeremy on May 6th, 2008

The Storm authors are starting to experiment with new and creative ways to ensure we can't track them easily, with their latest variant released earlier today. This recent change is actually fairly simple, but at the same time fairly effective: only the stage one binary "load.php" (Storm's Trojan downloader) can grab the second stage binary "load2.php", which is the actual Storm Worm binary. They do this by filtering on User Agents. The Storm Trojan downloader's User Agent is "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)". Notice the "SV1921" portion, as it seems to be the only unique portion that separates this User Agent from the normal Internet Explorer 6 User Agent. To be more specific, at this time the actual Storm Worm binary can only be downloaded by an application using "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)" as its User Agent. I tried several other common IE User Agents, and multiple combinations/variants of the Storm Trojan downloader User Agent, and was unsuccessful at retrieving the binary. With that information I think it would be safe to create a Snort IDS signature looking just for this specific User Agent. I have submitted my finding to Matt Jonkman at Emerging Threats to get his expert opinion on this. My suggestion would be an update of sid:2008077 to look like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/67; sid:2008077; rev:6;)
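To show what the Snort content match above actually keys on, here is an added example (not from the original post or from Emerging Threats) that applies the same test to raw HTTP requests in Python. Like the rule, it requires the exact User-Agent header bracketed by CRLF on both sides and matches case-sensitively, so the stock IE6 User Agent and the variant missing the "Windows NT 5.1" token (the typo corrected in the post's update) do not fire. The request bodies, the host name "example.invalid" and the names `build_request`, `is_storm_downloader_request` and `scan` are constructed for this example.

```python
import re

# Exact User-Agent the post reports for the Storm trojan downloader.
STORM_DOWNLOADER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)"

# The Snort rule anchors on |0d 0a| before "User-Agent" and after the closing
# parenthesis, and has no "nocase", so this regex is CRLF-bracketed and
# case-sensitive as well. A substring hit elsewhere in the request won't match.
_UA_LINE = re.compile(
    rb"\r\nUser-Agent: " + re.escape(STORM_DOWNLOADER_UA.encode()) + rb"\r\n"
)


def is_storm_downloader_request(raw_request: bytes) -> bool:
    """Return True if the raw HTTP request carries the exact Storm downloader UA."""
    return _UA_LINE.search(raw_request) is not None


def build_request(path: str, host: str, user_agent: str) -> bytes:
    """Build a minimal HTTP/1.1 GET request (constructed sample data, hypothetical helper)."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {user_agent}\r\n"
        f"Connection: close\r\n\r\n"
    ).encode()


# Constructed sample requests: the downloader UA, the stock IE6 UA the post
# contrasts it with, and the variant lacking the "Windows NT 5.1" token.
SAMPLE_REQUESTS = {
    "storm_stage2": build_request(
        "/load2.php", "example.invalid", STORM_DOWNLOADER_UA
    ),
    "stock_ie6": build_request(
        "/index.html", "example.invalid",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    ),
    "missing_os_token": build_request(
        "/load2.php", "example.invalid",
        "Mozilla/4.0 (compatible; MSIE 6.0; SV1921)",
    ),
}


def scan(requests: dict) -> dict:
    """Run the check over a dict of name -> raw request; returns name -> matched."""
    return {name: is_storm_downloader_request(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLE_REQUESTS).items():
        print(f"{name:18s} {'ALERT' if hit else 'ok'}")
```

Only the first sample alerts. Because the match is exact and case-sensitive, a variant that changes even the "SV1921" token would slip past both this check and the Snort rule, which is the usual trade-off of a string signature against a specific sample: very low false positives, but it has to be refreshed when the downloader changes.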

During the analysis of this variant I also discovered a new Storm Worm Fast Flux domain name: "polkerdesign.cn". The other domain names I was tracking: "apartment-mall.cn, stateandfed.cn, centerprop.cn, and phillipsdminc.cn" have all been shut down, which is good news.

It also looks like antivirus companies are still behind in getting good signatures out to detect these new variants: my VirusTotal results show 38.71% detection for "load.php" and 35.48% for "load2.php". In closing, here is a fresh list of the 908 peering IP addresses I extracted from the configuration file "herjek.config": herjek_peers.

As always if you have any questions or comments feel free to contact me.

UPDATE: There was a typo in my initial post leaving out the "Windows NT 5.1" portion. I have corrected this inline; thanks to Levi for his comment.

9 Responses to “Storm Worm using a 2 stage attack system”

  1. Matt Jonkman Says:

    Great catch Jeremy! I’ve actually put this in as a new sig to preserve the previous. New sid is 2008193.

  2. Levi Says:

    I noticed that the User-agent string mentioned in this posting, Mozilla/4.0 (compatible; MSIE 6.0; SV1921), doesn't match the Snort rule Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921). The difference is the 'Windows NT 5.1' part.

  3. jeremy Says:

    Levi, you're right. This was a mistake on my part and the Snort rule is correct in that you must have "Windows NT 5.1" in the UA to download the binary. I will correct it in my post; sorry for the confusion, as I was a victim of a bad copy and paste.

  4. jon Says:

    I'm having a problem getting a sample of the new load2.php in Malzilla.

    please help

  5. jeremy Says:

    Did you set the User-Agent to “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)”? I am not real sure how I can help without more information about your issue.

  6. Mark Says:

    LIVE STORM Domain Names
    cadeaux-avenue.cn
    polkerdesign.cn
    tellicolakerealty.cn

    RECENT BUT DEAD
    apartment-mall.cn
    biggetonething.cn
    gasperoblue.cn
    giftapplys.cn
    gribontruck.cn
    ibank-halifax.com
    limpodrift.cn
    loveinlive.cn
    newoneforyou.cn
    normocock.cn
    orthelike.com
    supersameas.com
    thingforyoutoo.cn

  7. jeremy Says:

    Thanks Mark! I was not aware of cadeaux-avenue.cn and tellicolakerealty.cn.

  8. Mark Says:

    The A records were removed from the above sites today.
    The registrar at 厦门华商盛世网络有限公司 has taken action on them.

  9. jeremy Says:

    Thanks again, Mark!
