Comments on: Storm Worm using a 2 stage attack system

By: jeremy

jeremy — Tue, 20 May 2008 06:02:04 +0000

Thanks again, Mark!

By: Mark

Mark — Tue, 20 May 2008 03:11:24 +0000

The A records were removed from the above sites today.
The registrar at 厦门华商盛世网络有限公司 has taken action on them.

By: jeremy

jeremy — Thu, 08 May 2008 02:28:39 +0000

Thanks Mark! I was not aware of cadeaux-avenue.cn and tellicolakerealty.cn.

By: Mark

Mark — Thu, 08 May 2008 02:22:33 +0000

LIVE STORM Domain Names
cadeaux-avenue.cn
polkerdesign.cn
tellicolakerealty.cn

RECENT BUT DEAD
apartment-mall.cn
biggetonething.cn
gasperoblue.cn
giftapplys.cn
gribontruck.cn
ibank-halifax.com
limpodrift.cn
loveinlive.cn
newoneforyou.cn
normocock.cn
orthelike.com
supersameas.com
thingforyoutoo.cn

By: jeremy

jeremy — Wed, 07 May 2008 23:49:42 +0000

Did you set the User-Agent to “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)”? I am not real sure how I can help without more information about your issue.

By: jon

jon — Wed, 07 May 2008 21:55:17 +0000

i havin a problem geting a sample of the new load2.php in malzilla

please help

By: jeremy

jeremy — Wed, 07 May 2008 21:33:49 +0000

Levi your right. This was a mistake on my part and the Snort rule is correct in that you must have “Windows NT 5.1″ in the UA to download the binary. I will correct it in my post, sorry for the confusion as I was a victim of a bad copy and paste.

By: Levi

Levi — Wed, 07 May 2008 20:35:32 +0000

I noticed that the User-agent string mentioned in this posting, Mozilla/4.0 (compatible; MSIE 6.0; SV1921), doesn’t match the Snort rule Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921). The difference is the ‘Windows NT 5.1′ part.

By: Matt Jonkman

Matt Jonkman — Wed, 07 May 2008 12:37:17 +0000

Great catch Jeremy! I’ve actually put this in as a new sig to preserve the previous. New sid is 2008193.