Looks like the authors couldn't resist the opportunity to entice United State citizens with a "Colorful Independence Day" theme. The good news is there are only 5 of the 24 domain names I reported the other day still active. Here is a list of the current active Storm Worm domain names:

• activeware.cn
• grupogaleria.cn
• lollypopycandy.com
• nationwide2u.cn
• likethisone1.com

The new "Colorful Independence Day" theme is a little different than past campaigns, as it only hosts one binary file and the ind.php exploit scripts. Usually the Storm Worm authors maintain two differently named binaries available for download through a hyperlink and by clicking an image file. This time the authors are only hosting a binary titled "fireworks.exe", which is downloaded by clicking a colorful image of a fireworks show. Here is a snapshot of the current site:

The normal ind.php file is a hidden iframe inclusion with the normal 9 exploits waiting to serve up a fresh install of the Storm Worm Trojan turning your computer into a spamming maniac. VirusTotal results shows that many of the Antivirus companies are still struggling to keep up and identify the constantly changing/morphing Storm Worm. With only ~52% (17/33) identifying the fireworks.exe binary as being malicious of which 2 of the 17 just state the file is suspicious. I wouldn't count the suspicious file signatures as a success, so in my opinion only 15/33 really identified the binary. Here is a link to the results page for VirusTotal.

With this being the evening of the beginning of my long weekend vacation I am going to cut this analysis short and leave you with a "Happy 4th of July" and be safe.

Looks like the authors of the Storm Worm are at it again with the "love theme", but this time with lots of love. I have identified 24 active Storm Worm web server domain names serving up a new storm worm binary with very little detection by the Antivirus companies according to my VirusTotal results (8/33 24% detection rate). My current list of active domain names are:

• activeware.cn
• bestlovelyric.com
• gonelovelife.com
• greatadore.com
• grupogaleria.cn
• knowholove.com
• likethisone1.com
• lollypopycandy.com
• loveisknowlege.com
• lovekingonline.com
• lovemarkonline.com
• loveoursite.com
• makeloveforever.com
• makingadore.com
• makingloveworld.com
• musiconelove.com
• nationwide2u.cn
• shelovehimtoo.com
• superlovelyric.com
• theplaylove.com
• wantcherish.com
• whoisknowlove.com
• wholovedirect.com
• wholoveguide.com

Most of these were identified through passive DNS techniques, and using my spam lab setup. Looking at the spam I captured in my lab for the newest Storm run, I was able to identify 64 unique Subject lines from 3,743 spam email messages. All 64 unique Subject lines related to the theme of love, which if I had to guess must pay high dividends for the Storm authors as they have returned to this theme over and over again. A few sample subject lines are:

• All I need is You
• Always on my mind
• Can't forget You
• Can't stay away from you
• Crazy in love
• Crazy in love with you
• Deep in my heart
• Deeply in love with you
• Dreaming 'bout you
• Everything for you

All 64 unique subject lines can be seen here: spam_subject.txt. The actual spam message contained 65 unique messages with a simple one line message containing hyperlinks to one of the 24 active Storm domains listed above. Following any of these hyperlinks leads to the newest version of the Storm Worm web server page, which maintains a Egreetings/Ecard design and the love theme, but with a twist. The web page title is:

Free I Love You Ecards, I Love You Greeting Cards, I Love You Greetings, Cards, ecards, egreetings

The twist is the Storm authors have added a flashy banner at the top of the page stating you are the 10,000 visitor and that you have won a prize. To claim the prize all you have to do is click through the fake banner advertisement. Here is a snapshot of the current Storm worm web page:

Examining the source code there are 2 unique binary names available for download: "winner.exe" and "mylove.exe". By clicking the image stating your the 10,000th visitor the winner.exe binary is downloaded. Clicking the hyperlink, "click here", the "mylove.exe" binary is downloaded. The storm worm authors are also actively maintaining a malicious script titled "ind.php" containing 9 individual exploits hidden from view with an iframe redirection and littered with heavy Javascript obfustication to evade detection and analysis.

It is my opinion that this particular version/run of the Storm Worm appears to be the largest in scale this year. I do not remember seeing this many active domain names being used in any of the past runs I have analyzed. I also noticed the Fast Flux network has modified all of the Storm Worm domain name A records TTL value to 60 seconds, instead of the normal 0 seconds. This means the Fast Flux DNS servers will rotate the A records every 60 seconds instead of after every individual query, which may be an attempt to throw off some techniques for analyzing and identifying Fast Flux domain names. Another reason I believe this is one of the largest scaled runs this year is my Storm Web server DNS tracking scripts are averaging ~3,200 unique IP addresses a day instead of last months daily average of 376 a day. Obviously this is a large increase, but it could be a misleading number, as my tracking scripts have more domain names to work with now than they have ever had in the past due to the fact there are so many active domain names right now.

Another lab run of the Storm Worm last night I captured 7,341 emails of which there were 31 unique Subject lines, 5 distinct email addresses in select message bodies, and 105 unique IP address direct links. The majority of last nights spam lab run contained the current theme of a disaster in China affecting the Olympic games in Beijing . Nothing new there, but I did find 1,144 messages which contained the following style of message:

Hello, my friend.

Do you want to buy any stuff: any kind of pills, oem software, cool porn?
Just mail me back, i'll find the best offer for you.

My Email: gpdude22@yahoo.com

Of these 1,144 messages containing this unique message I was able to extract 5 diffrent individual email addresses:

• cstygstra@gmail.com
• gpdude22@yahoo.com
• infrared35@gmail.com
• jim@tegelaar.com
• wagz_is_god@yahoo.com

I Googled all of these email addresses to see if possibly the Storm Worm Authors were raining some spam to these targeted emails, as this was my first thought, but found that these email addresses returned no results except for wagz_is_god@yahoo.com. I found a post from a user calling himself "wagzisgod" from 2004 about maintaining a traders list on spawn.com. The Google cached page can be seen here: Spawn.com Message Board post. So I don't think this a malicious attack against the email addresses listed above, but more likely a way of trying to identify active email addresses maintained in their current harvest lists. I sent an email using a newly created account and have yet to receive any response regarding my staged request for more information regarding the availability of the products in the spam message. I really didn't expect to receive a response, but this was more of an attempt to monitor spam generated from the Storm Worm, as this newly created email has only been used once making it perfect for tracking the Storm Spam if it works the way I hope it does. Only time will tell.

Here are the logs from last nights spam run in my lab for your own analysis: Full SMTP log, Unique IPs for Storm Web Servers in Spam Log, and Storm P2P Peer list.

With all of the know Storm Worm domain names temporarily not resolving, due to the Storm Worm designated name servers not responding to A record requests, the authors have reverted back to spamming direct IP links to our mail boxes. The main Storm Worm domain name servers I am aware of are:

• ns.likenewvideos.com
• ns2.likenewvideos.com
• ns3.likenewvideos.com
• ns4.likenewvideos.com
• ns.verynicebank.com
• ns2.verynicebank.com
• ns3.verynicebank.com
• ns4.verynicebank.com
• ns5.verynicebank.com
• ns6.verynicebank.com

I captured 1,014 spam messages in my lab this afternoon during a short run just to check on things. Of the 1,014 spam messages there were only 47 unique IP addresses and only 30 unique Subject lines. Here are two text files with the data: spam_ips.txt and spam_subjects.txt. As you can see the spam messages relate with the Storm Web server theme of a disaster in China and the 2008 Olympic Games in Beijing.

Another note of interest in my fake SMTP server logs is the User Agent for the spam messages seems to only ever be one of two different unique User Agents either "Thunderbird 2.0.0.6 (Windows/20070728)" or "Thunderbird 1.5.0.13 (Windows/20070809)". I can't believe I missed this, but after revisiting several of my old SMTP log files I have found this to be a common pattern for almost a month now. These both seem to be legitimate User Agents via my Google search results, but since they are old Thunderbird mail clients it may be worth looking into possibly writing a snort signature for something like this. I was thinking about testing the waters to see what I come up with in the next few days. If any of you run a mail server I would definitely be interested in hearing your opinion on how popular these User Agents are. Here is my full SMTP log for this afternoon's run: smtplogs.txt

To sum this short post up here is the usual Storm Peering IP list extracted from the configuration file: peers2.txt and my Virus Total results for the binary files: beijing.exe and msvupdater.exe.

Looks like the authors of the Storm Worm have decided to revisit the usage of exploits along with their normal Social Engineering techniques by including an iframe within their current web page. The current Storm Worm web page uses an earthquake message as it's attempt at social engineering unsuspecting users into downloading a video file, which of course is the Storm Worm. Here is the message the Storm authors are currently presenting to users:

A new powerful disaster just occurred in China. The most deadly, 9 magnitude, earthquake took away million of lives in the heart of China, Beijing. Rapidly growing panic paralyzed life of Chinese capital. 2008 Olympic Games are under the threat of failure. Click on the video to see the details of this terrible disaster and choose either "Open" or "Run".

Combining the upcoming Olympic games starting in ~49 days and a natural disaster looks like it may be a new theme that numerous Malware authors will begin to utilize, as current events and disasters always seem to attract a large crowd. I know we started seeing the Olympic games themed Malware several months ago, but now with the Storm Worm authors using it and the start of the games approaching it is my opinion we will see a quadratic rise in the amount of Malware, Phishing sites, and Social Engineering attempts tailored to the unsuspecting followers of the games.

The actual look and feel of this new page is simple and light. Here is an image of the current page:

Video themes also seem to be the standard approach for the Storm Worm authors, so I really was not surprised to see another one being used.

The source code for this page is where we will find the interesting and new obfusticated scripts used to execute multiple exploits tailored to your browser. Here is a snapshot of the source code for the index page:

Obviously if you click the image you will download the "beijing.exe" binary file, which is the Storm Worm Trojan. The interesting piece of code on this page is the iframe for including the "ind.php" file. This "ind.php" file is nothing new to the Storm Worm, as this file name has been utilized in the past Storm Worm exploit attempts and doesn't seem to be going away anytime soon. The contents of the "ind.php" file has changed and is a little harder to deobfusticate. It took me three runs through the file to deobfusticate and analysis this file. The exploit attempts in the "ind.php" file do not appear to be anything new, so I won't bore you with it's details other than stating everyone should keep all of their software applications up to date and patched. The binary downloaded inside the "ind.php" file is titled: "load.php?bof".

I ran the "load.php?bof" and "beijing.exe" through VirusTotal and here are the results: "load.php?bof" and "beijing.exe". The identification results were less than 50% for both binaries, so I would highly suggest you continue to block the know active Storm Worm domain names with DNS blackholing, content filters, and/or proxy filters. Here is a list of the current malicious Storm Worm Domain names hosting the Trojan binary using the theme discussed in this post:

• grupogaleria.cn
• activeware.cn
• cadeaux-avenue.cn
• polkerdesign.cn
• biztech-co.cn
• ratedhot.cn
• pacoast.cn
• fconnorlaw.cn
• tellicolakerealty.cn

I also ran the "load.php?bof" binary in my lab to get a quick look at the spam being sent out by this run, as it seems to be changing topics a little faster than normal with the recent penny stock emails and then back to Canadian pharmaceuticals. I captured 684 spam emails during this short lab run. The oddity with this run was I only identified one domain name being utilized in the data section of the email: "usualprocess.com" and of course the Storm Worm spam was applying a random subdomain name to this domain name. Here is all of the subdomain names I saw during my short run: smtp_log. Another thing I noticed was the name servers for the "usualprocess.com" were not only rotating IP addresses as they always do using a fast flux approach, but the name server domain names were being rotated as well. Here is a list of the name server domain names I saw in my queries:

• ns0.tenshinohane.com
• ns0.forgottensin.com
• ns0.toptenslist.com
• ns0.torstenstv.com

Obviously this is another attempt to keep the links being sent out in emails available. Using passive DNS analysis I was able to identify the following domains as active domain names being severed up by the above name servers, and this list may possibly be a few more domain names worthy of blocking:

• boywhole.com
• metalmorning.com
• oftendollar.com
• describeenter.com
• industryexpect.com
• meanquiet.com
• yetresult.com

The last thing I noted was this binary installed itself in the %WinDir% as "msvupdater.exe" with a peer file in this same directory titled "msvupdater.config". Here is the 830 peer IP addresses I extracted: peers.txt.

Tonights Storm Worm spam was made up of the same old Canadian Pharmaceutical material they were pushing out before the Angstrom Microsystems unauthorized stock spam campaign. The unique domains I extracted from the spam messages were:

• describeenter.com
• industryexpect.com
• meanquiet.com
• oftendollar.com
• yetresult.com

All of these domains are fast flux domains resolving to 20 different IP addresses per query that seem to rotate on a set schedule of every 2 minutes. There is no telling how many total IP addresses, but I am sure it is a lot. If you have DNS blackholing capabilities, content filters, and/or spam filters I would update them now with these domain names.

Another note of interest regarding this spam is wild card sub domains are being used in all of the spam messages I captured. Here is a list of the unique sub domains: sub domains list. This Canadian Pharmacy website does not seem to change much in it's presentation and the following logo seems to be constant.

The only new option I identified in looking at this site during this analysis was the option to submit your Instant Messenger information when trying to contact them. Just another way to collect user data in which they can use as a spam mechanism is my guess. Here is what the current form looks like:

This may not be a new, but it is the first time I noticed it. Another note of interest is they seem to take a wide variety of payment types as seen here.

As always if you have any questions or comments feel free to contact me.

Looks like the authors of the Storm Worm spamming bot have moved on from Canadian Pharmaceuticals to giving financial advice. While running the Storm Worm in my lab and allowing it to beat up my fake SMTP server I captured 2,379 spam messages. Of these there were only 130 unique subject lines, which can be seen here: subjects. As you can see all of the subjects pertain to motivating someone to go out and buy penny stocks. Various misspelled messages were seen such as this one:

d_ n't w e preidct it?

Busienss Name: Ans-gtrom Microsytsems
Ticker: agms.ob
Outlook: Storng Purchase
Marekt prcie: .4 00
Shaers- traded: 331,485-

Now that- the news it o'ut, vol.um e is thorugh __the roof.

Mroe events will un'fo"l d , clien'ts are seeing the need for these
prodcuts A GMS. can be your ticket.,

The window" is still open,' obtain this stock early Te'u sday.

This definitely is not the Storm Worm Authors most professional looking work, and is actually very sloppy compared to past spam campaigns. Here is a copy of my full log: smtp log

Another oddity in this move for pushing penny stocks, is the company being represented in these spam messages does not appear to be willing participants in the spam campaign. Searching Google, I found several references to these spam messages and actually found this particular article interesting: marketwatch.com article. Angstrom Microsystems appears to be searching out the people and/or organization behind these spam messages, so I have sent them an email describing my findings and wish them the best of luck with doing what many others would like to do and catch the Storm Worm Authors. Maybe with the help of the US Securities and Exchange Commission they will grow closer to being able to prosecute at least someone from the Russian Business Network. I wouldn't get my hopes up though.

The binary I used in my testing was the "loveyou.exe" binary being hosted by numerous Storm Web Servers. Once ran it creates another binary named "msoupdater.exe" in the "%WinDir%" along with a list of peers of other storm worm bots titled "msoupdater.config". Some good news about this version of the Storm Worm is it is being detected by Antivirus software fairly well. VirusTotal Results: loveyou.exe and msoupdater.exe. Here are the 903 peers I extracted from the msoupdater.config file: peers.txt.

On another note, sorry for my lack of posting lately as I have been on vacation and enjoying summer. As always if you have any questions or comments feel free contact me.

It looks like the Storm worm authors have finally got their DNS issues worked out and have started repairing the overall botnet structure. I wonder how much money is lost when a spam sending botnet the size of the Storm Worm is down for longer than a few days? I would bet it is a lot. Anyways it looks like the Storm Worm Web servers do not have an index page defined yet, but I bet that this configuration is short lived. I was only able to grab these files or pages from a Storm Worm server during my testing: ind.php, load.php, sony.exe, loveyou.exe, and iloveyou.exe. The iloveyou.exe and loveyou.exe are identical binaries with the same md5sums, and here is there VirusTotal results. The load.php and sony.exe are also identical binaries, and here is there VirusTotal results. According to the VirusTotal statistics it looks like about 50% of the Antivirus companies are detecting these binaries at this time. Running these binaries in my sandnet shows they are still using the herjek.exe and herjek.config file names and are located in the Windows directory (%windir%). Here is a list of the 815 peers I was able to extract: peers_list.txt.

Some of the more interesting findings in my tests this afternoon had to do with the spam the Storm Worm was trying to send out. All of the spam being sent out right now is using subdomain names for only a few unique domain names. The following are the unique domain names I was able to extract from my sandnet SMTP mail server:

• catsharp.com
• lowsmell.com
• picturewest.com
• posestory.com
• pressrose.com
• producemorning.com

Here are a few of the subdomain names I saw:

• aayxyi.catsharp.com
• acknl.pressrose.com
• acz.picturewest.com
• ad.producemorning.com
• adru.picturewest.com
• aegi.lowsmell.com
• aegirl.pressrose.com
• aemw.picturewest.com
• afpirl.picturewest.com

A full list of these subdomain names I was able to identify can be found here: smtp_sites subdomains. Obviously these subdomains are randomly generated and the Storm DNS servers have wildcards to accept requests for any subdomain for the few domain names I provided earlier. All of these domains and subdomains seem to point you to the Canadian Pharmacy site I spoke about in my last Storm Worm posting. This time though it looks like even the SPAM domains are using Fast Flux technology to rotate their IP addresses from a list of 20 IPs that are also rotated about every two minutes. This will definitely prevent IP blocks from being affective, so if you have any type of DNS blackholing or blacklists I would suggest you add these domains to those lists now. All of the SPAM was focused on Pharmaceuticals, which is fairly normal for the Storm Worm. Here is a list of the unique subject lines I saw in my sandnet: smtp_subjects.txt.

One last note of interest for everyone that emailed me about the Storm Binary Tracker being down. My outage was due to the Storm Worm having intermediate issues, but since these issues are over my Storm Binary Tracker is now back up and running. Happy Malware Hunting!

Currently the Storm Worm domain name servers are not responding to DNS quires for the known Storm Worm Domain names. The Fast Flux DNS magic the Storm Worm utilizes has been one of the key factors in it's past success, so I would think this is a short lived outage. Currently all of the live Storm Worm domain names I am aware of are pointing to the following DNS servers:

• ns.likenewvideos.com
• ns2.likenewvideos.com
• ns3.likenewvideos.com
• ns4.likenewvideos.com

The oddity of this outage is that the above name servers are rotating their A records with no issues, but none of them have any A records to serve up for the Storm Worm Web Servers. Here are a few examples of my dig query outputs:

;; ANSWER SECTION:
ns.likenewvideos.com. 70381 IN A 76.174.44.224

;; AUTHORITY SECTION:
likenewvideos.com. 70381 IN NS ns4.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns2.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns3.likenewvideos.com.

;; ADDITIONAL SECTION:
ns2.likenewvideos.com. 70381 IN A 209.159.249.102
ns3.likenewvideos.com. 70381 IN A 117.123.100.162
ns4.likenewvideos.com. 70381 IN A 213.211.109.179

;; ANSWER SECTION:
ns2.likenewvideos.com. 150897 IN A 76.90.237.129

;; AUTHORITY SECTION:
likenewvideos.com. 150897 IN NS ns4.likenewvideos.com.
likenewvideos.com. 150897 IN NS ns.likenewvideos.com.
likenewvideos.com. 150897 IN NS ns2.likenewvideos.com.
likenewvideos.com. 150897 IN NS ns3.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 150897 IN A 69.249.236.201
ns3.likenewvideos.com. 150897 IN A 70.121.44.74
ns4.likenewvideos.com. 150897 IN A 209.159.249.102

;; AUTHORITY SECTION:
likenewvideos.com. 70125 IN NS ns2.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns3.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns4.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 70125 IN A 76.174.44.224
ns2.likenewvideos.com. 70125 IN A 209.159.249.102
ns4.likenewvideos.com. 70125 IN A 213.211.109.179

;; ANSWER SECTION:
ns4.likenewvideos.com. 150781 IN A 209.159.249.102

;; AUTHORITY SECTION:
likenewvideos.com. 150781 IN NS ns3.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns4.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns2.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 150781 IN A 69.249.236.201
ns2.likenewvideos.com. 150781 IN A 76.90.237.129
ns3.likenewvideos.com. 150781 IN A 70.121.44.74

It also looks like an outage has also surfaced in the Storm Spam being sent out. I ran a sample for over 3 hours in my sandnet with not one single SMTP packet being sent out, so the good news is this outage may eliminate a few spam messages in my inbox tomorrow morning.

It also looks like my p2p list in the herjek.config file is shrinking slowly, with only 778 IPs in it right now. Here is the decoded herjek.config peer list: Storm Peer IP List.

I don't really think this outage will last longer than 24 hours, and would be surprised if it is still occurring when I get up in the morning. This is more than likely down time for an update, or maybe even some type of configuration changes being conducted by the Storm Worm Authors. Look for something new from them real soon!

UPDATE: I am now starting to see the Storm Worm DNS servers and Web servers recover, but it now seems as if the entire Storm Worm network is now experiencing intermediate availability.  Again, I don't believe this is something permanent, and is more than likely intermediate outages as the Storm Worm Authors get their updates and/or changes out.

In the last 24 to 48 hours I have seen a tremendous slow down in the number of Storm Worm web server IPs being rotated through the Fast Flux network. I usually average about 8,000 to 10,000 unique IPs a day using some custom scripts to query the Storm Worm DNS servers, but for the last 24 hours I have only seen 223 unique IPs. I am not sure why this has occurred, and it may just be a hiccup that has unintentionally occurred. Although in the past when I have identified hiccups in the Storm network it has always been on the eve of a change. This may very well be indicator change is on the horizon, since this is Memorial Day weekend here in the United States. Here is a list of the 223 Storm Web Serving IPs I have seen in the last 24 hours: Storm Web Server Unique IPs.

Since I saw this tremendous reduction in Storm Web Servers I figured I would check to see if there was any reductions in the number of peers currently stored in the herjek.config file. Although this is not a good overall indicator of how many bots are in the Storm Worm network, I still thought I would check. I did not see any obvious reductions with 850 IPs being maintained in my sandnet run for a little over an hour. Here is a list of the peers from this run: Storm Peer List.

I have just recently started looking deeper into the Spam sent out by the Storm Worm and I have identified a few interesting characteristics. I captured a total of 2,524 Spam messages during the same one hour sandnet run I mentioned earlier in this posting. Out of the 2,524 Spam messages there were exactly 853 unique Subject lines all pertaining to pharmaceuticals, mostly focused on male enhancements and Viagra. Here is a file with all of the unique subject lines I saw: Storm SMTP Subject Lines. Another interesting observation is out of all these Spam Messages there were only 9 different domain names being advertised within the spam messages. These domain names were:

1. catsharp.com
2. followequate.com
3. industrydictionary.com
4. lowsmell.com
5. picturewest.com
6. posestory.com
7. pressrose.com
8. printlength.com
9. producemorning.com

All of which resolved to IP address 220.162.247.222, which seems to be a Canadian Pharmacy website advertised as the #1 online drug store. In their FAQ's they claim that all physicians are US licensed using only board certified physicians and U.S licensed pharmacies. They also state all of their products are manufactured and shipped from India and approved by INDIAN FDA for export. I got a real laugh when I saw this Canadian Pharmaceutical company actually advertising an Anti-Spam policy. Here are a few direct quotes from this policy:

Canadian Pharmacy supports ONLY permission-based email management practices. In this regard, Canadian Pharmacy has implemented various policies and procedures that:

• Help prevent Canadian Pharmacy from being used for the purpose of unsolicited email campaigns.
• Encourage permission-based marketing.
• Respond to all complaints suggesting Canadian Pharmacy has been used as a vehicle to send unsolicited email.

You may not use the Canadian Pharmacy or the products or services provided through or in connection with the Canadian Pharmacy to: a. send unsolicited bulk email, for commercial or non-commercial purposes. Unsolicited bulk email is defined as email sent to more than 10 individuals without their permission."

Canadian Pharmacy takes permission marketing very seriously. Thank you for reviewing our Anti-Spam Policy.

Another interesting pun available on this site is there privacy policy. Here are a few of the humerus lines I found in this policy:

Use of Your Email Information
Canadian Pharmacy is not an email list rental service and does not rent or sell any email addresses or other contact information that you provide.

E-mail and Direct Response Contact
All of our direct response methods are opt-in. If you subscribed to our e-mail newsletter(s) but do not want to receive it in the future, please follow the "unsubscribe" instructions contained in the newsletter(s)

Well that is odd, as I seemed to have just parsed through a few thousand Spam messages generated from the Storm Bot that all pointed to them. I guess policies like these help them seem like a more legit website/company that is actively taking action against unsolicited spam. Just to see what would happen I went ahead and posted a message in their contact us form. I guess they don't appreciative spam either, as they are employing captcha to limit the comment spam bots. They also publish the following email address as their customer support email address: support@canadianmedicationsupport.com. To bad there are no MX or A records being advertised for this domain, so emails will definitely have a difficult time getting to them.

Using passive DNS discovery techniques I was able to identify a few more IP addresses and Domain Names associated with this devious pharmaceutical supplier:

methodproduce.com A 220.162.247.222
pressrose.com A 220.162.247.222
followequate.com A 220.162.247.222
producemorning.com A 220.162.247.222
printlength.com A 220.162.247.222
lowsmell.com A 220.162.247.222
ns3.adverdomain.com A 220.162.247.222
catsharp.com A 220.162.247.222
gladcoat.com A 220.162.247.222
wyd.gladcoat.com A 220.162.247.222
picturewest.com A 220.162.247.222
industrydictionary.com A 220.162.247.222
posestory.com A 220.162.247.222
viagrabest.info A 220.162.247.222
www.viagrabest.info CNAME viagrabest.info

catsharp.com A 61.253.105.133
catsharp.com A 79.135.167.4
catsharp.com A 116.123.47.80
catsharp.com A 220.162.247.222
catsharp.com NS ns2.xinnet.cn
catsharp.com NS ns.xinnet.cn
catsharp.com NS ns1.qw22.com
catsharp.com NS ns2.qw22.com
catsharp.com NS ns3.qw22.com
catsharp.com NS ns4.qw22.com
catsharp.com NS ns2.xinnetdns.com
catsharp.com NS ns.xinnetdns.com

Looks like they have been doing this for sometime now based off all of the IPs and Domain Names listed in the queries. I also noticed that all off these IPs seem to be using Virtual Host configurations, as visiting these sites strictly by IP will get you interesting messages like "It works!" and squid proxy messages. All of these sites are severed by Ngnix web servers. Ngnix web servers seem to be a popular choice for phishing sites, malware serving sites, and now pharmaceutical sites. I should also note the Storm Worm binary serving web servers use this same web server. I won't bore you with whois query results, but I did find it interesting "Wen Fang" seems to be the registrant for all of the domain names being used, along with a few hundred other domain names.

As always if you have any questions or comments regarding this information feel free to contact me anytime and have a nice Memorial Day Weekend!