sudosecure.net

Currently the Storm Worm domain name servers are not responding to DNS quires for the known Storm Worm Domain names. The Fast Flux DNS magic the Storm Worm utilizes has been one of the key factors in it's past success, so I would think this is a short lived outage. Currently all of the live Storm Worm domain names I am aware of are pointing to the following DNS servers:

• ns.likenewvideos.com
• ns2.likenewvideos.com
• ns3.likenewvideos.com
• ns4.likenewvideos.com

The oddity of this outage is that the above name servers are rotating their A records with no issues, but none of them have any A records to serve up for the Storm Worm Web Servers. Here are a few examples of my dig query outputs:

;; ANSWER SECTION:
ns.likenewvideos.com. 70381 IN A 76.174.44.224

;; AUTHORITY SECTION:
likenewvideos.com. 70381 IN NS ns4.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns2.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns3.likenewvideos.com.

;; ADDITIONAL SECTION:
ns2.likenewvideos.com. 70381 IN A 209.159.249.102
ns3.likenewvideos.com. 70381 IN A 117.123.100.162
ns4.likenewvideos.com. 70381 IN A 213.211.109.179

;; ANSWER SECTION:
ns2.likenewvideos.com. 150897 IN A 76.90.237.129

;; AUTHORITY SECTION:
likenewvideos.com. 150897 IN NS ns4.likenewvideos.com.
likenewvideos.com. 150897 IN NS ns.likenewvideos.com.
likenewvideos.com. 150897 IN NS ns2.likenewvideos.com.
likenewvideos.com. 150897 IN NS ns3.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 150897 IN A 69.249.236.201
ns3.likenewvideos.com. 150897 IN A 70.121.44.74
ns4.likenewvideos.com. 150897 IN A 209.159.249.102

;; AUTHORITY SECTION:
likenewvideos.com. 70125 IN NS ns2.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns3.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns4.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 70125 IN A 76.174.44.224
ns2.likenewvideos.com. 70125 IN A 209.159.249.102
ns4.likenewvideos.com. 70125 IN A 213.211.109.179

;; ANSWER SECTION:
ns4.likenewvideos.com. 150781 IN A 209.159.249.102

;; AUTHORITY SECTION:
likenewvideos.com. 150781 IN NS ns3.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns4.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns2.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 150781 IN A 69.249.236.201
ns2.likenewvideos.com. 150781 IN A 76.90.237.129
ns3.likenewvideos.com. 150781 IN A 70.121.44.74

It also looks like an outage has also surfaced in the Storm Spam being sent out. I ran a sample for over 3 hours in my sandnet with not one single SMTP packet being sent out, so the good news is this outage may eliminate a few spam messages in my inbox tomorrow morning.

It also looks like my p2p list in the herjek.config file is shrinking slowly, with only 778 IPs in it right now. Here is the decoded herjek.config peer list: Storm Peer IP List.

I don't really think this outage will last longer than 24 hours, and would be surprised if it is still occurring when I get up in the morning. This is more than likely down time for an update, or maybe even some type of configuration changes being conducted by the Storm Worm Authors. Look for something new from them real soon!

UPDATE: I am now starting to see the Storm Worm DNS servers and Web servers recover, but it now seems as if the entire Storm Worm network is now experiencing intermediate availability.  Again, I don't believe this is something permanent, and is more than likely intermediate outages as the Storm Worm Authors get their updates and/or changes out.