sudosecure.net

is anything truly secure…

Storm revisits Social Engineering

Posted by jeremy on May 19th, 2008

Looks like the Storm Worm authors are back to using good old-fashioned Social Engineering to infect unsuspecting users. Obviously this is nothing new for the Storm Worm, but for the last few weeks they have relied solely on iframe redirections combined with fancy JavaScript obfuscation serving up multiple exploits. My assumption would be that this new wave of Social Engineering is a result of the Storm Worm Botnet shrinking in size every day.

The new web page is simple and to the point with only the following message being displayed:

Your download should start automatically in a few seconds. If not, click here to start the download.

The page source code looks like this:

As you can see there are two binaries being offered up by this page: "loveyou.exe" and "iloveyou.exe". If you click the hyperlink on this page you will download the "loveyou.exe" binary. If you just wait 5 seconds you will automatically download the "iloveyou.exe" binary via a meta tag refresh. This is of course very simple code in comparison to the "ind.php" JavaScript obfuscated page, which, might I add, is still being offered up with multiple exploits to anyone visiting this page.
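A small detector for the two delivery tricks described above (an automatic meta refresh to one binary and a "click here" link to another), added here as an example and not code from the original post. The sample page is constructed to mirror the post's description; the file names come from the post, the host name `example.invalid` is a placeholder.

```python
"""Flag HTML that pushes an executable download either automatically
(<meta http-equiv="refresh">) or through a plain hyperlink.

Added example, not code from sudosecure.net. The sample page below is
constructed; only the two file names are taken from the post.
"""
import re
from html.parser import HTMLParser

# Extensions that Windows will execute directly when the download is opened.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|msi)(\?|#|$)", re.IGNORECASE)


def parse_refresh(content: str):
    """Split a refresh directive such as '5; url=http://host/x.exe' into
    (delay_seconds, url). Returns None when there is no url= part."""
    m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", content, re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1)), m.group(2).strip()


class DownloadPushParser(HTMLParser):
    """Collects every meta-refresh and anchor target that points at an executable."""

    def __init__(self):
        super().__init__()
        self.findings = []  # dicts with keys kind, url, delay

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            parsed = parse_refresh(a.get("content", ""))
            if parsed and EXECUTABLE_EXT.search(parsed[1]):
                self.findings.append({"kind": "meta-refresh", "url": parsed[1], "delay": parsed[0]})
        elif tag == "a":
            href = a.get("href", "")
            if EXECUTABLE_EXT.search(href):
                self.findings.append({"kind": "hyperlink", "url": href, "delay": None})


def find_pushed_executables(html: str):
    """Return all automatic and click-driven executable downloads found in the page."""
    p = DownloadPushParser()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page matching the post's description; not the real page source.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="5; url=http://example.invalid/iloveyou.exe">
</head><body>
Your download should start automatically in a few seconds.
If not, <a href="http://example.invalid/loveyou.exe">click here</a> to start the download.
</body></html>"""

if __name__ == "__main__":
    for f in find_pushed_executables(SAMPLE_PAGE):
        when = "immediately on click" if f["delay"] is None else f"after {f['delay']}s"
        print(f"{f['kind']:13} {f['url']} ({when})")
```

Run against a fetched page body from a sandbox, the two findings are the two binaries; an ordinary download page produces none, so a non-empty result is a cheap triage signal before any binary is touched.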

This particular version of the Storm Worm creates a configuration file of peers in %WINDIR% titled "totacon.config" and the actual Storm Worm binary file titled "totacon.exe". VirusTotal results at the time of this analysis were not very promising (6/32), and can be found here: VirusTotal results for iloveyou.exe and VirusTotal results for totacon.exe. Microsoft does seem to be on top of this, so they get an attaboy from me. Just for the fun of it I also ran the "iloveyou.exe" through the ThreatExpert Sandbox and ended up with these results: ThreatExpert Report iloveyou.exe.

I have decided to post a few of my results from my personal sandbox analysis conducted in my makeshift lab. First off, here is a list of the 804 IPs I was able to extract from the "totacon.config" file with my storm_config_decoder.pl script: Totacon Config Storm Peers. I also decided to grab some SMTP traffic by modifying Joe Stewart's Truman fauxsmtp.pl script combined with my Perl DNS script, to safely collect the spam without my ISP going nuts and without running the risk of getting blacklisted. Here is that log file for your viewing pleasure: Storm Worm SMTP Log file. As you can see the Storm Worm SPAM mails focus heavily on male enhancement pharmaceuticals, no surprise here. On a positive side note, all of the http references for this SPAM run instance are blank. I believe this is because the current Storm Worm Domain Names being utilized have had their A records removed, possibly because the Registrant may have taken action against them. Thanks Mark from http://spamtrackers.eu for this information, as I was initially caught a little off guard by my logs till I saw your comments.
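The fake-SMTP idea above (accept every message the sandboxed bot tries to send, log it, never relay it) as an added example; this is not the post's modified fauxsmtp.pl, and the session below is constructed rather than taken from the post's log. It assumes the sandbox's DNS already answers every MX lookup with this host's address, which the post handles with a separate DNS script that is not shown here.

```python
"""Fake SMTP sink for observing a sandboxed spam bot.

Added example, not the post's fauxsmtp.pl. SmtpSink speaks just enough of
RFC 5321 to make the bot believe delivery succeeded, stores every message,
and urls_in() pulls out the http references the post looks at. The
constructed session at the bottom exercises it offline; serve() is a real
listener for a lab. Assumes the lab DNS already points MX records here.
"""
import re
import socketserver

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class SmtpSink:
    def __init__(self, hostname="sink.lab.invalid"):
        self.hostname = hostname
        self.messages = []      # dicts: sender, recipients, body
        self.in_data = False
        self._reset_envelope()

    def _reset_envelope(self):
        self.sender, self.recipients, self.body_lines = None, [], []

    def greeting(self):
        return f"220 {self.hostname} ESMTP fauxsmtp ready"

    def handle_line(self, line):
        """Reply for one client line; None while inside DATA (no reply until '.')."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.messages.append({"sender": self.sender,
                                      "recipients": list(self.recipients),
                                      "body": "\n".join(self.body_lines)})
                self._reset_envelope()
                return "250 OK: queued (never relayed)"
            # RFC 5321 dot transparency: the client doubles a leading '.'
            self.body_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":                      # MAIL FROM:<addr>
            self.sender = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":                      # RCPT TO:<addr>, any recipient accepted
            self.recipients.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("RSET", "NOOP"):
            if verb == "RSET":
                self._reset_envelope()
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 command not recognised"


def urls_in(message):
    """All http(s) references in a captured body (empty when the spam carries none)."""
    return URL_RE.findall(message["body"])


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        sink = SmtpSink()
        self.wfile.write((sink.greeting() + "\r\n").encode())
        for raw in self.rfile:
            reply = sink.handle_line(raw.decode("latin-1").rstrip("\r\n"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode())
                if reply.startswith("221"):
                    break
        for m in sink.messages:
            print(f"{m['sender']} -> {m['recipients']} urls={urls_in(m)}")


def serve(host="0.0.0.0", port=2525):
    """Listen for real connections from the sandbox (redirect port 25 here)."""
    with socketserver.ThreadingTCPServer((host, port), _Handler) as srv:
        srv.serve_forever()


# Constructed client session, not real Storm traffic.
SAMPLE_SESSION = [
    "EHLO bot.sandbox.invalid",
    "MAIL FROM:<sender@example.invalid>",
    "RCPT TO:<victim@example.invalid>",
    "DATA",
    "Subject: your order",
    "",
    "Best prices, see http://example.invalid/promo",
    "..leading dot is unstuffed",
    ".",
    "QUIT",
]


def run_session(lines):
    """Drive a sink with a scripted client; returns (sink, list of server replies)."""
    sink = SmtpSink()
    replies = [sink.greeting()]
    for line in lines:
        r = sink.handle_line(line)
        if r is not None:
            replies.append(r)
    return sink, replies
```

Because nothing is relayed, the sandbox can run for hours without a single message leaving the lab, which is the blacklisting risk the post mentions; the log you keep is the sink's message list, not the bot's view of success.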

I also went ahead and decrypted some of the Edonkey p2p traffic as a quick check to see if the "XOR" key had changed, but it had not. Here is a portion of the decrypted pcap for anyone that is curious to actually see what the Storm Worm p2p Botnet traffic looks like: Decrypted Storm Worm PCAP, and just for comparison here is the same pcap slice encrypted in its original form: Storm Worm Traffic Encrypted. Note you will need to utilize an Edonkey decoder to correctly decode the Edonkey protocol, such as the one built into Wireshark. In Wireshark it is as simple as opening the file, clicking the "Analyze" menu option, and then selecting the "Decode As" menu option from the drop down. From here scroll down and select the Edonkey protocol using the SRC UDP port (24571) in this instance, and finally press the "OK" button. You should see several "Publicize" messages under the info column now, which means you have succeeded at decoding the Edonkey protocol. ;)
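The decrypt-then-"Decode As" step above, as an added example that is not the post's own tool: it rewrites every UDP payload on a chosen port by stripping a repeating XOR key and writes a new pcap that Wireshark's Edonkey dissector can read. The post does not print the key, so `XOR_KEY` is a placeholder to be replaced with the key recovered in analysis; the reader handles only classic pcap with Ethernet/IPv4/UDP frames, the port 24571 is the one the post names, and the sample capture is constructed here rather than taken from a Storm node.

```python
"""Strip a repeating XOR key from UDP payloads in a pcap so the Edonkey
dissector ("Analyze > Decode As" on the UDP port) can read them.

Added example, not code from sudosecure.net. XOR_KEY is a placeholder; the
sample capture is constructed. Classic pcap only (no pcapng), Ethernet/IPv4/UDP.
"""
import struct
import sys

XOR_KEY = b"\x5a"          # PLACEHOLDER: substitute the key recovered in analysis
EDONKEY_PROTO = 0xE3       # first byte of an eDonkey/Overnet message, a handy sanity check


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def udp_payload_span(frame: bytes):
    """(start, end) of the UDP payload in an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    if frame[23] != 17:                        # IP protocol 17 = UDP
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_len = struct.unpack("!H", frame[16:18])[0]
    udp_start = 14 + ihl
    if len(frame) < udp_start + 8:
        return None
    udp_len = struct.unpack("!H", frame[udp_start + 4:udp_start + 6])[0]
    end = min(udp_start + udp_len, 14 + ip_len, len(frame))
    return udp_start + 8, end


def looks_like_edonkey(payload: bytes) -> bool:
    return len(payload) > 0 and payload[0] == EDONKEY_PROTO


def transform_pcap(pcap: bytes, key: bytes, port=None):
    """Return (new_pcap, count) with matching UDP payloads XORed with key."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic pcap file")
    out, off, changed = bytearray(pcap[:24]), 24, 0
    while off + 16 <= len(pcap):
        hdr = pcap[off:off + 16]
        incl_len = struct.unpack(e + "IIII", hdr)[2]
        frame = bytearray(pcap[off + 16:off + 16 + incl_len])
        span = udp_payload_span(frame)
        if span:
            s, end = span
            sport, dport = struct.unpack("!HH", frame[s - 8:s - 4])
            if port is None or port in (sport, dport):
                frame[s:end] = xor_bytes(bytes(frame[s:end]), key)
                frame[s - 2:s] = b"\x00\x00"   # zero UDP checksum: 0 means "none" for IPv4
                changed += 1
        out += hdr + frame
        off += 16 + incl_len
    return bytes(out), changed


def frames_in(pcap: bytes):
    """Raw link-layer frames of a little-endian classic pcap (for inspection)."""
    frames, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frames.append(pcap[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames


# --- constructed sample capture -------------------------------------------
def build_udp_frame(payload: bytes, sport: int, dport: int) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap() -> bytes:
    plain = bytes([EDONKEY_PROTO]) + b"\x00constructed message body"
    frames = [build_udp_frame(xor_bytes(plain, XOR_KEY), 24571, 4000),  # "encrypted" p2p
              build_udp_frame(b"\x12\x34\x01\x00", 5353, 53)]           # unrelated, untouched
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_200_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__" and len(sys.argv) >= 3:
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()
    port = int(sys.argv[3]) if len(sys.argv) > 3 else None
    new, n = transform_pcap(data, XOR_KEY, port)
    with open(sys.argv[2], "wb") as fh:
        fh.write(new)
    print(f"rewrote {n} UDP payloads")
```

Usage is `python xor_pcap.py encrypted.pcap decrypted.pcap 24571`; open the output in Wireshark, apply "Decode As" on that UDP port, and the Publicize messages the post mentions should appear. A quick check that the key is right is that every rewritten payload now starts with the protocol byte 0xE3, which `looks_like_edonkey` tests; if it does not, the key has changed and the rest of the decode will be garbage.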

As always, if you have any questions or comments feel free to shoot them my way. One last thing, I would like to go ahead and thank the professionals and gurus over at UploadMalware.com and MalwareDomainList.com, as many of them have actively collaborated and shared insightful information with me on this subject on a daily basis since I became a member. Your help is greatly appreciated!

UPDATE: I reported that the following Storm Worm Domain Names were no longer active: polkerdesign.cn, tellicolakerealty.cn, and cadeaux-avenue.cn. This information was inaccurate, as it was only the Storm Worm Name Servers that were taken action against, causing my queries to fail. The following Name Servers no longer resolve Storm Worm Domain Names, as connections seem to be refused: ns.orthelike.com, ns2.orthelike.com, ns3.orthelike.com, and ns4.orthelike.com.

4 Responses to “Storm revisits Social Engineering”

  1. Edgar Bangkok Says:

    I have one question about sony.exe because this file is always present in Storm Worm pages.

    Do you have any explanation about the constant presence of sony.exe on Storm Worm sites?

    Edgar :)

  2. jeremy Says:

    Actually I wasn’t even aware of this until I read your post at malwaredomainlist.com a month or so ago. No, I have no idea why this “sony.exe” is on all Storm Worm sites, and to be honest I haven’t looked into this either. Are you sure it is always present? I may in the near future modify my binary tracker code to test for its presence as well, just to verify what you are saying, as this is an interesting discovery if it holds true. Thanks for the comments and information as always.

  3. Edgar Bangkok Says:

    The last time I checked the Storm site, about an hour ago, sony.exe was always on the site.
    The Sony.exe malware is the same as the other 2 files, loveyou and iloveyou.
    I also wrote one post about this on my blog:
    http://edetools.blogspot.com/2008/05/il-ritorno-di-storm-worm.html

    Edgar :)

  4. Edgar Says:

    I checked now and sony.exe is always present:

    cadeaux-avenue(dot)cn/sony.exe

    Edgar :)

    I added info on my blog.
