sudosecure.net

              is anything truly secure…

Archive for the 'Storm Worm' Category

Storm Worm – Go away, we’re not home

Posted by jeremy on 5th October 2008

In the last few weeks I have received several requests for information regarding the Storm Worm. So today I thought I would perform an analysis in my lab on the last Storm binary (postcard.exe) I retrieved using my Storm Binary Tracking scripts, dated “2008-09-18 18:42:28”, just to see if I could possibly find the answers to some of the questions many of you have asked. To be perfectly honest and clear, I have not seen any spam, DDoS attacks, or Fast Flux domain activity related to the Storm Worm since mid September, so I too am curious as to what has happened to this menace.

During execution of the postcard.exe binary a binary named neos.exe was installed into “%WINDIR%” accompanied by its normal p2p peer configuration file named crock+mock.config. Immediately following the installation of this new binary the neos.exe process was started, and I was greeted by the normal Storm Worm network traffic, including the p2p UDP traffic. This p2p UDP traffic demonstrates how resilient the Storm Worm Trojan really is: I haven’t seen a new binary in almost a month and yet I was communicating with a few hundred Storm Worm infected hosts. Being curious how many peers were listed in the crock+mock.config file, I ran my perl decode script used to extract peers from the configuration file, which extracted a total of 848 IPs. The entire peer list can be seen here: peers.txt. I also submitted the IPs to the whois.cymru.com server to get ASN and country data, which can be seen here: peers_asn.txt. As you can see from the peer files, almost half of the hosts reside in the US, 348 to be exact, and most of the hosts reside on large residential ISP network segments. So far these stats line right up with everything we have seen associated with the Storm Worm characteristics in the past, which to me is odd since there hasn’t been a new Storm Worm campaign in over a month.

Since it was more of the same for the Storm Worm network configuration statistics, I thought I would also check my Storm p2p decryption script to see if the Overnet protocol was still being encrypted with the same XOR key. Sure enough my script decoded the UDP p2p traffic, and nothing was new here either, as I still saw the same old Overnet/eDonkey commands being issued such as Publicize, Publicize ACK, Connect, Connect Reply, IP Query, IP Query Answer, Identify, Identify Reply, Search Info, and Search End. Since the crock+mock.config file provided me with 848 IPs of peers, I decided to see just how many Overnet peers I was actually communicating with during my lab run. Here is a list of all 1,441 peers that sent me some type of Overnet traffic: overnet_peers.txt, and here are the results of my bulk submission to the cymru.com whois server: overnet_peers_asn.txt. As you can see, the US led the way once again with 353 infected hosts, with RU trailing right behind with 114 infected hosts.
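The two paragraphs above lean on a bulk submission of peer IPs to the Team Cymru whois service to get ASN and country data, then a per-country tally. The following script is an added example (not the author's perl scripts) showing how that step is done: it formats the bulk request the way whois.cymru.com expects on TCP/43 (`begin` / `verbose` / one IP per line / `end`), parses the pipe-delimited verbose reply, and counts hosts per country or ASN. The sample reply is constructed from documentation address ranges and private-use ASNs, so the parser and tally run offline; only `submit_bulk_query` touches the network.

```python
import socket
from collections import Counter

# Team Cymru bulk IP-to-ASN service. "verbose" adds the country code and
# registry columns that the tallies below depend on.
CYMRU_HOST = "whois.cymru.com"
CYMRU_PORT = 43


def build_bulk_query(ips):
    """Format a list of IPs into the Cymru bulk-mode request body."""
    return "begin\nverbose\n" + "\n".join(ips) + "\nend\n"


def submit_bulk_query(ips, timeout=30):
    """Send the batch to whois.cymru.com and return the raw reply text (live lookup)."""
    with socket.create_connection((CYMRU_HOST, CYMRU_PORT), timeout=timeout) as sock:
        sock.sendall(build_bulk_query(ips).encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_bulk_response(text):
    """Parse verbose bulk-mode output into a list of dicts.

    Columns: AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name.
    The banner line and the column header are skipped; unrouted IPs come
    back with "NA" in every column except the IP itself.
    """
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Bulk mode") or line.startswith("AS "):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 7:
            continue
        records.append({
            "asn": parts[0], "ip": parts[1], "prefix": parts[2],
            "cc": parts[3], "registry": parts[4],
            "allocated": parts[5], "as_name": parts[6],
        })
    return records


def tally(records, key):
    """Count records per country code ("cc") or per ASN ("asn"), most common first."""
    return Counter(r[key] for r in records).most_common()


# Constructed sample reply (RFC 5737 documentation ranges and private-use
# ASNs, not real lookups), shaped like the service's verbose output.
SAMPLE_REPLY = """Bulk mode; whois.cymru.com [2008-09-18 18:42:28 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.10       | 192.0.2.0/24        | US | arin     | 2008-01-01 | EXAMPLE-ISP-1 - Example ISP One, US
64496   | 192.0.2.77       | 192.0.2.0/24        | US | arin     | 2008-01-01 | EXAMPLE-ISP-1 - Example ISP One, US
64497   | 198.51.100.5     | 198.51.100.0/24     | RU | ripencc  | 2008-02-02 | EXAMPLE-ISP-2 - Example ISP Two, RU
64498   | 203.0.113.9      | 203.0.113.0/24      | MX | lacnic   | 2008-03-03 | EXAMPLE-ISP-3 - Example ISP Three, MX
NA      | 203.0.113.200    | NA                  | NA | NA       | NA         | NA
"""

if __name__ == "__main__":
    recs = parse_bulk_response(SAMPLE_REPLY)
    for cc, n in tally(recs, "cc"):
        print(f"{cc}: {n}")
    for asn, n in tally(recs, "asn"):
        print(f"AS{asn}: {n}")
```

To reproduce the peers_asn.txt step against a real peer list, read the IPs from the decoded peer file, pass them to `submit_bulk_query`, and feed the reply to `parse_bulk_response`; keep the batches to a few thousand IPs per connection, and keep the "NA" rows, since a peer that is no longer routed is itself a useful signal when measuring how much of an old peer list is still alive.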

The next thing I noticed in the network traffic was DNS queries for the domain name policy-studies.cn, which is where an old rootkit was stored in a past campaign. This domain name has long been shut down, so I decided to run a faux DNS server script to give my infected lab machine an A record to see what would happen. After reconfiguring my infected host to perform DNS lookups using my faux DNS server, the neos.exe process started requesting a file named getbackup.php. The getbackup.php file was the same rootkit file request seen over a month ago, so I assume this DNS request and file retrieval is hard coded in the neos.exe binary and is not something that was passed to it in a parameter via the Storm p2p network or the TCP control network.
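The "faux DNS server" used above is a lab sinkhole: any name the infected host asks for resolves to an address you control, so you can watch what the malware does next (here, the getbackup.php request) without the real, long-dead domain. The script below is an added example of that technique and is not the author's script; it hand-builds the DNS wire format so it runs with the standard library only. The lab address `10.0.0.5`, the 60-second TTL, and the name policy-studies.cn used in the main block are constructed values; the server answers A/IN queries with the lab address and returns an empty NOERROR answer for any other record type.

```python
import socket
import struct

LAB_IP = "10.0.0.5"  # constructed: the lab box that will receive the HTTP request


def parse_question(packet):
    """Return (txid, qname, qtype, qclass, question_bytes) from a DNS packet."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12  # fixed-size header is 12 bytes
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, qclass, packet[12:pos]


def build_query(txid, name, qtype=1):
    """Build a standard recursive query (used for offline checks and tests)."""
    q = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        q += bytes([len(label)]) + label.encode("ascii")
    return q + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(packet, answer_ip, ttl=60):
    """Answer any A/IN query with answer_ip; other types get NOERROR with no answer."""
    txid, _qname, qtype, qclass, question = parse_question(packet)
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    # Answer RR: pointer to the question name at offset 12, type A, class IN.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def answer_ip_of(response):
    """Extract the A record from a response built by build_response (None if empty)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    question = parse_question(response)[4]
    rr_start = 12 + len(question)
    return socket.inet_ntoa(response[rr_start + 12:rr_start + 16])


def serve(bind_ip="0.0.0.0", port=53, answer_ip=LAB_IP):
    """Sinkhole loop: log every query and point it at the lab box."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            qname = parse_question(data)[1]
            reply = build_response(data, answer_ip)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue  # malformed packet: drop it rather than crash the sinkhole
        print(f"{addr[0]} asked for {qname} -> {answer_ip}")
        sock.sendto(reply, addr)


if __name__ == "__main__":
    # Offline self-check with a constructed query, then start the sinkhole.
    q = build_query(0x1234, "policy-studies.cn")
    print("A record handed out:", answer_ip_of(build_response(q, LAB_IP)))
    serve()
```

Run it as root (port 53) on an isolated lab network with the infected host's DNS pointed at the sinkhole, and pair it with a listener on the lab box's port 80 so the follow-up HTTP request (the getbackup.php fetch in this case) is captured instead of going nowhere.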

Taking a look at the TCP traffic is where things really got interesting. Several of the TCP servers were answering my requests with the following reply: “Go away, we’re not home”. This to me was just plain hilarious and demonstrated that even in an inactive period for the Storm Worm the authors have one hell of a sense of humor. Here is a list of all the Storm TCP servers that responded with this intriguing message: goaway_ip.txt, and its corresponding bulk result from the cymru.com whois data: goaway_ip_asn.txt. Interestingly enough, all 18 of these servers were located in two countries: the US and Mexico. I am not sure how relevant or important this is, or if it was just a coincidence. Not all of the TCP servers communicating with my lab box provided this message. The servers that did not reply with this message simply sent reset packets and stopped the TCP handshake, so these could be patched boxes or cleaned boxes, leading me to believe my TCP requests were based off old data residing in the Storm network and/or binary. In an attempt to perform fair analysis, here is the list of 50 servers that did not respond with the “Go away” message: tcp_storm_noaway.txt, and its corresponding cymru.com whois data: tcp_storm_noaway_asn.txt. These servers are definitely more geographically dispersed over a wide range of countries and ASNs.

So what does all this mean for the Storm Worm? Well, I am not really sure and can only make guesses as to why we haven’t seen another Storm campaign recently. My first guess would be that with all the recent data being published on the Storm Worm encryption mechanisms and its Double Fast Flux architecture, especially the Black Hat presentation by Joe Stewart in Vegas, which may I say was very insightful, the Storm authors are making some major changes and have put everything else on hold until these changes can be rolled out into production. My second guess would be that the heat from law enforcement sent them into hiding or laying low for a while. This second guess could also be combined with the first guess, and the authors could be reworking their architecture to get the heat off of them. My final guess would be that the authors of the Storm Worm made enough money off the surge of campaigns we saw at the beginning of the summer that they really are not home and are off taking a vacation, most likely enjoying spending all that cold hard cash they earned off the Canadian Pharmaceutical spam, penny stock manipulation, and phishing scams we grew so accustomed to seeing. My final conclusion is that the Storm Worm is currently dead/inactive, but I would not be surprised at all if we saw a new and improved Storm Worm in the coming months. I think the question isn’t whether Storm is dead, but more like when will we see it return and what new features or tactics will it have in store for us.

As always if you have any questions or comments feel free to contact me or leave a comment, as they are always welcome and appreciated.

Posted in Bots and Worms, Storm Worm | 8 Comments »

Storm spam leads to money laundering and more, oh my!

Posted by jeremy on 16th August 2008

Sorry for the lack of coverage this month, as I have been extremely busy catching up with everything after going to Blackhat and Defcon. Anyways, I spent a few hours watching the Storm Worm in my lab last night and this morning and I have identified a few changes since the last time I looked at it. First off, the Storm Worm is not using its rootkit functionality anymore, and the binary installed in the %WINDIR% is now named “neos.exe”, with its peer hash file being named “crock+mock.config”. The p2p peer hash file contained 857 peers, which is right in line with most of the samples I have taken this year. Here is the decoded IP and port list of those peers found in my sample: peers.txt.

The Storm domain names I have that are still active or more accurately maintain a domain status of “ok”:

  • nationwide2u.cn
  • worldpostcardart.com
  • superlettercard.com
  • yourlettercard.com
  • freepostcardonline.com
  • digitalaudiopostcard.com
  • lettercardadvertising.com
  • bestlettercard.com
  • audiopostcardmail.com
  • supergreetingcard.com
  • oldpostcardshop.com

None of these domains are resolving right now since their name servers are not answering A record requests at this time. The name servers I could identify are:

  • ns.brprbgok6.com 62.33.224.26
  • ns2.brprbgok6.com 124.121.82.50
  • ns3.brprbgok6.com 201.212.95.89
  • ns4.brprbgok6.com 89.109.28.87
  • ns5.brprbgok6.com 193.238.128.177
  • ns6.brprbgok6.com 74.129.81.83

Interestingly enough, the brprbgok6.com domain is in a “clienthold” status, so action has been taken against this domain, but that wouldn’t stop the above name servers from answering requests. Another interesting finding is that these name servers have a TTL of 172800, so they are not following the normal double fast flux structure for which the Storm Worm is famous. This is not abnormal for the Storm Worm either, though, as this type of behavior seems to occur at the end of each campaign and can be thought of as a final stage in the limitless transformations of themes that occur. Once the name servers stop participating in the fast flux design you can almost bet on seeing a new theme within a few days. These new themes also seem to start either on Monday or Tuesday mornings, so we will just have to wait and see if this holds true one more time.

I also found that all of the domains listed at the top of this posting except for the older “nationwide2u.cn” were all registered on the same day using the same registrar and registrant information. Here is a copy of the whois record for one of the domains:

Registrar: RegTime.net Limited
Creation date: 2008-08-03
Expiration date: 2009-08-02

Registrant:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
Administrative Contact:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
Technical Contact:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
Billing Contact:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722

The registrar is Regtime.net Limited, a Russian ICANN accredited registrar that has been in business since 2001. This is also the first time I have seen the Storm authors use Regtime.net Limited for registering their domains. Hopefully Regtime.net will take action against these domain names soon, as the “love/postcard” theme seems to be the fallback theme for Storm when new themes begin to lose effectiveness.

The Storm spam seems to be right inline with the norm with one small exception. This exception is a phishing email that is going out concerning money laundering. Here is a copy of the email message I captured:

Subject: JOB $1800/WEEK – CANADIANS WANTED!
Date: Fri, 15 Aug 2008 16:27:29 -0500
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="Windows-1252";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2499
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2499

We are looking for canadians who would like to work from home
in an administrative support function for businesses.
Many of our clients are small businesses and executives
who are busy and on the go.

Administrative Assistants can work full or part time.
PART TIME ASSISTANTS must work a minimum of 10 hours per week.

Salary varies between $5,000 to $10,000 per month!

If interested,
get back to me at

hxxp://www.vik-budget.com

thank you

.
QUIT

Following the link in the email message will bring you to a phpBB forum posting dated Thu Dec 02, 2004 8:30 pm with a subject line of “Getting Started!” by the moderator of the forum, going by the alias “Supplier”, with a total of 34 posts on this message board. This all seemed really odd to me, as I have suggested in the past that individuals were paying for spam, but why would someone pay for spam on such an old, outdated posting? Interestingly enough, the vik-budget.com domain seems to be utilizing a fast flux design as well, rotating out A records every 180 seconds and serving up 17 individual IP addresses at a time. Here is a sample dig output just to clarify what I am trying to say:

;; QUESTION SECTION:
;vik-budget.com. IN A

;; ANSWER SECTION:
vik-budget.com. 180 IN A 86.104.87.45
vik-budget.com. 180 IN A 89.33.209.220
vik-budget.com. 180 IN A 93.81.55.7
vik-budget.com. 180 IN A 89.112.76.91
vik-budget.com. 180 IN A 89.47.118.38
vik-budget.com. 180 IN A 91.124.247.62
vik-budget.com. 180 IN A 93.80.234.159
vik-budget.com. 180 IN A 82.179.235.165
vik-budget.com. 180 IN A 79.112.24.125
vik-budget.com. 180 IN A 190.20.206.241
vik-budget.com. 180 IN A 92.100.98.229
vik-budget.com. 180 IN A 89.45.24.174
vik-budget.com. 180 IN A 92.100.21.65
vik-budget.com. 180 IN A 89.178.231.167
vik-budget.com. 180 IN A 81.181.112.38
vik-budget.com. 180 IN A 69.144.198.226

I went ahead and searched all of these IP addresses against ~180,000 archived IP addresses I have identified in the last six months that may have been associated with the Storm Worm at some point in the past. The only one that returned a match against my database was “69.144.198.226”, so I don’t think this phishing phpBB site is operating on the Storm fast flux network, but I could be wrong. The name servers are also different for this phishing domain, so again I don’t think it is operating on the Storm fast flux network. Here is a list of the name servers for vik-budget.com:

  • NS1.VIPSAM.COM
  • NS2.VIPSAM.COM
  • NS3.VIPSAM.COM
  • NS4.VIPSAM.COM

One really cool discovery I had concerning these name servers is they seem to be riding a fast flux network using a TTL of 180 seconds at first, but when that initial TTL expires a new TTL of 172800 is seen and the A record changes to a new IP address. Very odd stuff here, so I dug into the VIPSAM.COM domain and found it no longer resolves, but was used back in July to point to another online pharmaceutical site titled “Online Pharmacy”. This seems to be another very active and large pharmaceutical spam participant, with 70 other domain names currently resolving to this host and at least 63 other hosts sharing its name servers. Here is a screen shot of this pharmaceutical company website to give you an idea of what it currently looks like:

As you can tell, this was all very odd to me, and was actually the first time I was led to an online pharmaceutical spam site from a money laundering phishing site. I can’t say the two are owned and operated by the same person or organization, only that they are linked by name servers and shared hosting. I will let you be the judge of that.

Now getting back to the vik-budget.com phishing forum site. Here is a screen capture of the forum post that is presented by following the link in the Storm spam message:

So as you can see, it looks like a money laundering scheme in which the poster claims this to be a good and legal way of making money. I am not a lawyer or agent of the law, but this just doesn’t seem like it would be a good and legal way of making money. So I did a little digging and found this exact forum structure, including identical forum content, could be found on other domains such as hdd-manager.com, WCA-Manager.com, xrs-capital.com, and can-budget.com. With all of the content being identical, I would venture to say this is most likely a phpBB template in which the phisher simply changes the domain name and it modifies everything inside the forum to reflect this change, such as his or her email address. Looking into the whois records for these sites, all 4 domains hdd-manager.com, wca-manager.com, xrs-capital.com, and can-budget.com were created on March 11, 2008 with matching registrant information. Here is the whois record for wca-manager.com:

Domain Name………. WCA-Manager.com
Creation Date…….. 2008-03-11 10:22:01
Registration Date…. 2008-03-11 10:22:01
Expiry Date………. 2009-03-11 10:22:01
Organisation Name…. xiaowen
Organisation Address. No.12 chang’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Admin Name……….. gr wen
Admin Address…….. No.12 chang’an road
Admin Address……..
Admin Address…….. Beijing
Admin Address…….. 100001
Admin Address…….. BJ
Admin Address…….. CN
Admin Email………. 3498@34.com
Admin Phone………. +86.103093034
Admin Fax………… +86.103493934

Tech Name………… gr wen
Tech Address……… No.12 chang’an road
Tech Address………
Tech Address……… Beijing
Tech Address……… 100001
Tech Address……… BJ
Tech Address……… CN
Tech Email……….. 3498@34.com
Tech Phone……….. +86.103093034
Tech Fax…………. +86.103493934

Bill Name………… gr wen
Bill Address……… No.12 chang’an road
Bill Address………
Bill Address……… Beijing
Bill Address……… 100001
Bill Address……… BJ
Bill Address……… CN
Bill Email……….. 3498@34.com
Bill Phone……….. +86.103093034
Bill Fax…………. +86.103493934
Name Server………. ns4.nsi-centre.com
Name Server………. ns3.nsi-centre.com
Name Server………. ns2.nsi-centre.com
Name Server………. ns1.nsi-centre.com

Now the whois record for vik-budget.com wasn’t an exact match, but I am sure you can spot the similarities between the two:

Domain Name………. vik-budget.com
Creation Date…….. 2008-07-23 17:34:04
Registration Date…. 2008-07-23 17:34:04
Expiry Date………. 2009-07-23 17:34:04
Organisation Name…. xiaowen
Organisation Address. No.12 chan’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Admin Name……….. xiaowen
Admin Address…….. No.12 chan’an road
Admin Address……..
Admin Address…….. Beijing
Admin Address…….. 100001
Admin Address…….. BJ
Admin Address…….. CN
Admin Email………. 232@242.com
Admin Phone………. +86.102092094
Admin Fax………… +86.102482940

Tech Name………… xiaowen
Tech Address……… No.12 chan’an road
Tech Address………
Tech Address……… Beijing
Tech Address……… 100001
Tech Address……… BJ
Tech Address……… CN
Tech Email……….. 232@242.com
Tech Phone……….. +86.102092094
Tech Fax…………. +86.102482940

Bill Name………… xiaowen
Bill Address……… No.12 chan’an road
Bill Address………
Bill Address……… Beijing
Bill Address……… 100001
Bill Address……… BJ
Bill Address……… CN
Bill Email……….. 232@242.com
Bill Phone……….. +86.102092094
Bill Fax…………. +86.102482940
Name Server………. ns4.vipsam.com
Name Server………. ns3.vipsam.com
Name Server………. ns2.vipsam.com
Name Server………. ns1.vipsam.com

I also did some checking into the ICQ number, which seems to be legitimate: supplier. I didn’t try contacting this person for some social engineering, but I sure thought about it. I believe this to be the administrator or operator behind this scam, as his ICQ number is the only thing that never changes in this template. In my digging I also ran across a post at scamfraudalert.com where an administrator posted this same email template under the work-at-home scam section of their forums back in July: scamfraudalert.com posting. A little more Google magic and I was able to uncover even more information about this money laundering scam, which seems to have been around for over a year now: forum.419eater.com cs-funds and forum.419.com lvs-money.com.

The last thing I noticed in regards to the vik-budget.com domain was it was currently being hosted on the same host as these two PhishTank reported phishing sites: hsbc.update.citapedor.com, and update.citapedor.com, which were phishing sites targeting the HSBC bank back in mid July as far as I can tell. Could this be the same phisher? Well I will let you be the judge again by simply posting the whois record for citapedor.com:

Domain Name………. citapedor.com
Creation Date…….. 2008-07-10 20:19:29
Registration Date…. 2008-07-10 20:19:29
Expiry Date………. 2009-07-10 20:19:29
Organisation Name…. xiaowen
Organisation Address. No.12 chan’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Admin Name……….. xiaowen
Admin Address…….. No.12 chan’an road
Admin Address……..
Admin Address…….. Beijing
Admin Address…….. 100001
Admin Address…….. BJ
Admin Address…….. CN
Admin Email………. 232@242.com
Admin Phone………. +86.102092094
Admin Fax………… +86.102482940

Tech Name………… xiaowen
Tech Address……… No.12 chan’an road
Tech Address………
Tech Address……… Beijing
Tech Address……… 100001
Tech Address……… BJ
Tech Address……… CN
Tech Email……….. 232@242.com
Tech Phone……….. +86.102092094
Tech Fax…………. +86.102482940

Bill Name………… xiaowen
Bill Address……… No.12 chan’an road
Bill Address………
Bill Address……… Beijing
Bill Address……… 100001
Bill Address……… BJ
Bill Address……… CN
Bill Email……….. 232@242.com
Bill Phone……….. +86.102092094
Bill Fax…………. +86.102482940
Name Server………. ns2.godns1334.com
Name Server………. ns1.godns1334.com
Name Server………. ns3.godns1334.com
Name Server………. ns4.godns1334.com

So if you’re seeing what I am seeing, I would be fairly certain this is the same person or organization responsible for the past phishing attempts. I just have to wonder why they would use the same false information to register domains. If any of this really interests you, I would suggest Googling using these suggested strings: “No.12 chang’an road”, “xiaowen phisher”, and “Organisation Name xiaowen”, which should provide you with an overall picture of just how long this phisher has been around and just how many different types of phishing scams this phisher has attempted without being caught, including eBay, PayPal, Facebook, LinkedIn, and numerous financial institution phishing sites. With unique whois records being the center of my little investigation, it is almost dumbfounding to think we can’t put a stop to at least this one individual or organization.

The only other spam I saw coming out of the Storm worm was the normal Pharmacy express and Canadian pharmacy stuff. I have noticed the Canadian Pharmacy spam is riding a little more complex fast flux network and makes up about 75% of all the spam coming from Storm Worm infected hosts. Here is a list of the domain names I captured during this analysis:

  • areatry.com
  • boardcow.com
  • boughttool.com
  • claimtie.com
  • drawbe.com
  • groupyellow.com
  • pitchinclude.com
  • presentalso.com
  • probablewide.com
  • whetherthus.com

Here is a sample dig query against one of the domains “areatry.com”:

;; ANSWER SECTION:
areatry.com. 120 IN A 89.139.42.151
areatry.com. 120 IN A 89.142.143.19
areatry.com. 120 IN A 89.169.184.21
areatry.com. 120 IN A 91.66.127.14
areatry.com. 120 IN A 118.168.25.176
areatry.com. 120 IN A 210.194.144.198
areatry.com. 120 IN A 213.211.44.132
areatry.com. 120 IN A 218.171.174.108
areatry.com. 120 IN A 218.190.85.230
areatry.com. 120 IN A 59.188.130.110
areatry.com. 120 IN A 61.224.205.217
areatry.com. 120 IN A 69.66.219.190
areatry.com. 120 IN A 75.139.130.32
areatry.com. 120 IN A 77.41.88.195
areatry.com. 120 IN A 77.127.162.69
areatry.com. 120 IN A 79.164.122.160
areatry.com. 120 IN A 79.172.80.138
areatry.com. 120 IN A 85.250.12.186
areatry.com. 120 IN A 85.250.27.81
areatry.com. 120 IN A 89.110.48.125

;; AUTHORITY SECTION:
areatry.com. 163448 IN NS ns1.er909erede.com.
areatry.com. 163448 IN NS ns1.ijekrii9.com.
areatry.com. 163448 IN NS ns0.er909erede.com.
areatry.com. 163448 IN NS ns0.ijekrii9.com.

As you can clearly see, the TTL is 120 seconds and 20 A records are served up as available for each lookup. This is definitely more complex than the Pharmacy Express spam.

The pharmacy express spam domains I discovered during this run were:

  • denvermedicaldoc.sg
  • doctordoctorlist.sg
  • funmedicaldoctor.sg
  • medicaldoc.sg
  • medspecialist.sg
  • medvisiondoctor.sg
  • medwaydoc.sg
  • ozmeddoc.sg
  • yourrecoverydoc.sg

These domains are also riding on a fast flux network, but only serve up one new A record every 5 minutes. Here is the output for my dig command for the “ozmeddoc.sg” domain:

;; ANSWER SECTION:
ozmeddoc.sg. 590 IN A 204.95.101.99

Don’t get the wrong idea here, I am not saying the Pharmacy Express site/domain is any less of a threat or nuisance than the Canadian Pharmacy site/domain; what I am saying is that the fast flux design is simplified for Pharmacy Express when compared to the Canadian Pharmacy design.
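The three dig outputs in this post (vik-budget.com, areatry.com and ozmeddoc.sg) are compared by eye on the same features: how short the TTL is, how many A records come back per lookup, and how scattered those addresses are. The script below is an added example, not the author's tooling, that turns that comparison into a repeatable triage: it parses the ANSWER SECTION lines as dig prints them, summarises TTL, answer count and the number of distinct /16 networks, and flags a name as flux-like only when all three point the same way, since a short TTL alone is normal for CDNs and load balancers. The thresholds are assumptions for illustration; the two sample answer sections are copied from the post (the areatry.com and ozmeddoc.sg lookups above).

```python
import re
from collections import Counter

# One dig ANSWER SECTION line: name, TTL, class IN, type A, IPv4 address.
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

# Heuristic thresholds (assumptions, not from the post). All three must hold
# before a name is called flux-like, so a CDN with a 60 s TTL but two or
# three addresses in one provider's block does not trip the check.
MAX_TTL = 300
MIN_ANSWERS = 5
MIN_DISTINCT_SLASH16 = 3


def parse_answer_section(dig_text):
    """Return (name, lowest TTL, [ips]) from the A records in a dig answer section."""
    name, ttls, ips = None, set(), []
    for line in dig_text.splitlines():
        m = A_RECORD.match(line.strip())
        if not m:
            continue  # skips ";; ANSWER SECTION:", NS lines and blank lines
        name = m.group("name").rstrip(".")
        ttls.add(int(m.group("ttl")))
        ips.append(m.group("ip"))
    return name, (min(ttls) if ttls else None), ips


def slash16(ip):
    """Coarse network key: the first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


def triage(dig_text):
    """Summarise one lookup and decide whether it looks like a fast-flux name."""
    name, ttl, ips = parse_answer_section(dig_text)
    nets = Counter(slash16(ip) for ip in ips)
    flux_like = (
        ttl is not None and ttl <= MAX_TTL
        and len(ips) >= MIN_ANSWERS
        and len(nets) >= MIN_DISTINCT_SLASH16
    )
    return {"name": name, "ttl": ttl, "answers": len(ips),
            "distinct_slash16": len(nets), "flux_like": flux_like}


# Sample input: the areatry.com answer section as shown in the post.
AREATRY = """;; ANSWER SECTION:
areatry.com. 120 IN A 89.139.42.151
areatry.com. 120 IN A 89.142.143.19
areatry.com. 120 IN A 89.169.184.21
areatry.com. 120 IN A 91.66.127.14
areatry.com. 120 IN A 118.168.25.176
areatry.com. 120 IN A 210.194.144.198
areatry.com. 120 IN A 213.211.44.132
areatry.com. 120 IN A 218.171.174.108
areatry.com. 120 IN A 218.190.85.230
areatry.com. 120 IN A 59.188.130.110
areatry.com. 120 IN A 61.224.205.217
areatry.com. 120 IN A 69.66.219.190
areatry.com. 120 IN A 75.139.130.32
areatry.com. 120 IN A 77.41.88.195
areatry.com. 120 IN A 77.127.162.69
areatry.com. 120 IN A 79.164.122.160
areatry.com. 120 IN A 79.172.80.138
areatry.com. 120 IN A 85.250.12.186
areatry.com. 120 IN A 85.250.27.81
areatry.com. 120 IN A 89.110.48.125
"""

# Sample input: the ozmeddoc.sg answer section as shown in the post.
OZMEDDOC = """;; ANSWER SECTION:
ozmeddoc.sg. 590 IN A 204.95.101.99
"""

if __name__ == "__main__":
    for sample in (AREATRY, OZMEDDOC):
        print(triage(sample))
```

Because the single-record ozmeddoc.sg answer changes only between lookups, a one-shot check like this cannot see its rotation; to catch that pattern, run `triage` on lookups repeated over a few TTL intervals and count how many distinct addresses the name has produced over time.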

Posted in Bots and Worms, Malicious Domain, Phishing, Storm Worm | No Comments »

New Storm Domains to go with FBI vs Facebook theme

Posted by jeremy on 28th July 2008

Running the Storm Worm tonight in my lab uncovered some new Storm Domain names to go along with the new “FBI vs Facebook” theme. Here is a list of these new domain names:

  • BestValueNews.com
  • CompanyNewsNetwork.com
  • FedNewsWorld.com
  • GoodNewsGames.com
  • SmartNewsRadio.com
  • StockLowNews.com
  • ToplessDailyNews.com
  • ToplessNewsRadio.com
  • WapDailyNews.com

I would recommend going ahead and adding these domains to any blacklists or content filters you may have to keep your users from falling victim to the Storm Worm social engineering attempts. These domains were all extracted from Storm Worm generated spam. The following 41 unique subject lines pertaining to the new “FBI vs Facebook” theme were seen during this short lab run:

  • F.B.I. Facebook Records
  • F.B.I. Looks Into Facebook
  • F.B.I. Watching Hezbollah in Facebook
  • F.B.I. Watching Possible Terrorists on Facebook
  • F.B.I. agents patrol Facebook
  • F.B.I. are spying on your Facebook profiles
  • F.B.I. busts alleged Facebook
  • F.B.I. bypasses Facebook to nail you
  • F.B.I. can watch our conversation through Facebook
  • F.B.I. may strike Facebook
  • F.B.I. on the Hunt for Facebook users
  • F.B.I. tries to fight Facebook
  • F.B.I. wants instant access to Facebook
  • F.B.I. watching us
  • F.B.I. watching you
  • FBI Facebook Crime Survey
  • FBI Facebook Records
  • FBI Looks Into Facebook
  • FBI Watching Hezbollah in Facebook
  • FBI Watching Possible Terrorists on Facebook
  • FBI agents patrol Facebook
  • FBI are spying on your Facebook profiles
  • FBI busts alleged Facebook
  • FBI bypasses Facebook to nail you
  • FBI can watch our conversation through Facebook
  • FBI may strike Facebook
  • FBI on the Hunt for Facebook users
  • FBI tries to fight Facebook
  • FBI wants instant access to Facebook
  • FBI watching us
  • FBI watching you
  • Facebook Coming Under F.B.I. Scrutiny
  • Facebook Coming Under FBI Scrutiny
  • Facebook’s F.B.I. ties
  • Facebook’s FBI ties
  • Get Facebook’s F.B.I. Files
  • Get Facebook’s FBI Files
  • The F.B.I. has a new way of tracking Facebook
  • The F.B.I.’s plan to “profile” Facebook
  • The FBI has a new way of tracking Facebook
  • The FBI’s plan to “profile” Facebook

The message content for the above subjects are very simple and short. Here are a few of the unique message bodies I extracted from my faux smtp server logs: (NOTE: hxxp://stormdomain_name is my substitution for one of the Real Storm Worm domain names listed at the beginning of this post)

  • F.B.I. Watching Hezbollah in Facebook hxxp://stormdomain_name
  • F.B.I. on the Hunt for Facebook users hxxp://stormdomain_name
  • FBI Looks Into Facebook hxxp://stormdomain_name
  • FBI may strike Facebook hxxp://stormdomain_name
  • FBI watching you hxxp://stormdomain_name
  • Facebook’s FBI ties hxxp://stormdomain_name
  • The F.B.I.’s plan to “profile” Facebook hxxp://stormdomain_name

You can look at all 41 unique message content here: fbi_messages.txt.

This wasn’t the only spam being pushed out of the Storm botnet, as I also caught the following 21 Domain Names being used to push pharmaceuticals from the Canadian Pharmacy:

  • abilityhear.com
  • allhipguide.eu
  • besthiptop.eu
  • brickautoship.eu
  • compassionvery.com
  • definitionwonder.com
  • greathipx.eu
  • hilllocate.com
  • hipsurgeryonline.eu
  • hiptoguide.eu
  • hipworldhop.eu
  • majorwrite.com
  • rapsharp.eu
  • realizationthere.com
  • reciprocityby.com
  • storeever.com
  • trendyslick.eu
  • werecourage.com
  • wisdomby.com

Here are a few of the unique subject lines I extracted from the spam messages associated with the above domain names:

  • 10 reasons to take enhancing medicaments.
  • A small thing to make your woman happy.
  • Agree to be sick! Noway!
  • Bad health report? Consult us.
  • Better living through Canadian chemists.
  • Canadian doctors we trust.
  • Canadina chemists help you save 90% on medical bills.
  • Docs approve and recommend online Canadian Chemist.
  • Excellent effect on your condition.
  • In Canadian Chemist we trust.
  • New products everyday, online chemists where you can find a good source foryour needs.
  • Over 20000 products for health and beauty online.
  • Summer is on the way, do not forget of all requred-tabs.
  • The widest e-assrtment of medicaments.

All 560 unique subject lines can be seen here: spam_subjects.txt. I would recommend updating your spam filters to filter the above domains and, if possible, the above subject lines.
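The lists in this post came out of a faux SMTP server's logs: unique subject lines and the domains linked in the bodies, which then become blocklist entries. The script below is an added example of that extraction, not the author's own tooling. It parses captured messages with the standard `email` module, pulls the subject and every linked host (accepting the defanged `hxxp://` form used in this post as well as `http://`), collapses the "F.B.I." and "FBI" spellings that double the subject list, and checks the harvested domains against a blocklist. The four sample messages are constructed for the example, using domains and subject lines from the lists above with the `hxxp://stormdomain_name` placeholder filled in with one of the listed domains.

```python
import re
from email import message_from_string
from email.policy import default

# Host part of a real or defanged URL (http://, hxxp://, https://, hxxps://).
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Blocklist built from the domains listed in this post.
BLOCKLIST = {
    "bestvaluenews.com", "companynewsnetwork.com", "fednewsworld.com",
    "goodnewsgames.com", "smartnewsradio.com", "stocklownews.com",
    "toplessdailynews.com", "toplessnewsradio.com", "wapdailynews.com",
    "abilityhear.com", "allhipguide.eu", "besthiptop.eu",
}


def message_features(raw):
    """Return (subject, {linked domains}) for one captured RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg["Subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    domains = {host.lower().rstrip(".") for host in URL_RE.findall(text)}
    return subject, domains


def normalize_subject(subject):
    """Fold the variants the spam run mixes ("F.B.I." vs "FBI", spacing, case)."""
    folded = subject.replace("F.B.I.", "FBI")
    return re.sub(r"\s+", " ", folded).strip().lower()


def summarize(raw_messages):
    """Unique raw subjects and unique linked domains across a capture."""
    subjects, domains = set(), set()
    for raw in raw_messages:
        subject, linked = message_features(raw)
        if subject:
            subjects.add(subject)
        domains |= linked
    return sorted(subjects), sorted(domains)


def blocklist_hits(domains, blocklist=BLOCKLIST):
    """Harvested domains that are already on the blocklist (case-insensitive)."""
    wanted = {entry.lower() for entry in blocklist}
    return sorted(d for d in domains if d.lower() in wanted)


# Constructed sample capture: four short messages in the shape of the spam
# bodies quoted in this post, with a listed domain standing in for the
# hxxp://stormdomain_name placeholder.
SAMPLE_MESSAGES = [
    "From: a@example.com\nSubject: F.B.I. watching you\n\n"
    "F.B.I. watching you hxxp://FedNewsWorld.com\n",
    "From: b@example.com\nSubject: FBI watching you\n\n"
    "FBI watching you hxxp://fednewsworld.com\n",
    "From: c@example.com\nSubject: Canadian doctors we trust.\n\n"
    "Canadian doctors we trust. hxxp://abilityhear.com/\n",
    "From: d@example.com\nSubject: Facebook's FBI ties\n\n"
    "Facebook's FBI ties hxxp://ToplessDailyNews.com\n",
]

if __name__ == "__main__":
    subjects, domains = summarize(SAMPLE_MESSAGES)
    print("unique raw subjects:", len(subjects))
    print("unique folded subjects:", len({normalize_subject(s) for s in subjects}))
    print("linked domains:", domains)
    print("already blocklisted:", blocklist_hits(domains))
```

Feeding a real capture is a matter of splitting the SMTP log at message boundaries and passing each message to `summarize`; domains that come back from `blocklist_hits` empty are the new candidates for the blocklist, and the folded subject set is the one worth turning into filter rules, since it removes the duplicate spellings without losing any distinct lure.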

Another note of interest in regards to the Storm Botnet is it seems to be actively performing ICMP DDoS attacks again. During my lab run I saw the following 4 IP addresses being attacked:

  • 62.189.182.xxx
  • 74.192.224.xxx
  • 79.41.125.xxx
  • 201.214.13.xxx

These attacks seemed to be very short lived, lasting ~20 minutes, in comparison to some of the attacks from the Storm botnet that would last for hours and sometimes days. My guess is these attacks were in retaliation for probes on the botnet or web crawlers indexing the botnet too aggressively. I have been on the receiving end of these attacks in the past. What I found to be the cause was being too aggressive at trying to probe the botnet or retrieve the binary files being hosted by the web proxies. So a word of warning/advice to all researchers and security analysts: “be gentle” when dealing with this botnet or you too could come under attack.

Posted in Bots and Worms, Storm Worm | No Comments »

Storm Worm FBI vs FaceBook

Posted by jeremy on 28th July 2008

A new Storm Campaign has been identified by my binary tracker this morning around 8am Central Standard Time. This new campaign is titled: “FBI vs Facebook” and is most likely another attempt at using current news events to trick users into installing the newest Storm Worm Trojan. I did a quick Google News search and found several headlines within the last two months relating to the FBI using Facebook to profile people, and also the US congress using FBI investigation findings to support a new Bill that will ban children from accessing Facebook and other social networking sites in public places such as libraries without parental supervision. The web page is very simple:

There is really only one interesting modification that has taken place with the release of this new theme which can be seen in the source code for the web page:

As you can see, “ind.php” is no longer being included as an iframe, so either the authors were not benefiting from the exploits being executed or it was simply an oversight when they deployed this new theme. Either way it benefits us, as it is one less thing we have to worry about when a user visits this page.

The VirusTotal results regarding the new “fbi_facebook.exe” binary are not outstanding, but we have some identification for the Storm Worm Trojan: Result: 18/35 (51.43%)

Posted in Bots and Worms, Storm Worm | No Comments »

Storm revisits love theme and postcard.exe

Posted by jeremy on 24th July 2008

I guess the Amero and the Domain Name outages just weren’t working out for the Storm Authors, as they have shifted back to an old theme. The message is simple:

You’ve got an animated postcard from someone who loves you.
Click here to save the postcard.

Nothing new here, as they have played the "love" theme before. The "ind.php" obfuscated JavaScript exploit-serving file is still included as an iframe redirect, so be aware of this. My only major concern with this new/revisited campaign is that the new binary has a very low antivirus detection rate: Result: 8/35 (22.86%). I have not seen any new domain names or spam associated with this change, but my guess is tonight when I take a deeper look at it in the lab I will be greeted with these changes.

Posted in Bots and Worms, Storm Worm | 3 Comments »

Storm Worm new “Currency Theme” campaign begins

Posted by jeremy on 21st July 2008

Looks like my prediction that the Storm Worm authors would change their theme within the coming days has just been confirmed. The newest Storm Worm social engineering theme is currency based, focusing on the financial strains/concerns many Americans are facing now. The message is simple and to the point:

The U.S. Government began to realize the plan to replace the Dollar with the “Amero”, the new currency of the North American Currency Union. Canada, the United States of America and Mexico have resolved to unit in order to resist the Worldwide Financial Crysis. You can become acquainted with the plan of the implementation of Amero, just click on the icon under this text.

The adoption of a common currency named "Amero" for the North American continent is not a new concept and does currently have some active supporters. Wikipedia has some solid information about the Amero here: North American currency union. Another interesting site I stumbled upon while looking for information on the "Amero" is "The Amero"; you can form your own opinion about the site.

Here is a current screenshot of the Storm web page hosting the newly named binaries:

This new currency theme is only hosting one binary, named "amero.exe", and the same old obfuscated JavaScript exploit file "ind.php", as you can see in the new web page source code:

I have not seen any new spam pushing this new campaign yet, but I would expect new spam and new fast flux domain names to surface within the next 48 hours. I guess only time will tell.

Posted in Bots and Worms, Storm Worm | 8 Comments »

Storm returns Rootkit Functionality

Posted by jeremy on 19th July 2008

This isn't the first time the authors of the Storm Worm Trojan have used a rootkit to hide its presence on users' computers, and frankly I was really shocked when they stopped including this functionality several months ago. So lo and behold, today when I decided I would capture a little spam from the Storm Worm I was greeted with it not wanting to install and execute in Sandboxie, a sandbox application that lets me detect file system changes and other things fairly easily. I immediately checked the Sandboxie file viewer, which revealed two files being created in the %WINDIR% directory: "glok+1cbe-49e9.sys" and "glok+serv.config" (the .sys extension alone suggests a kernel-mode driver). Nothing really new in creating the Storm binary and peer list files in the %WINDIR% directory, as this has always been the case for as long as I have been tracking the Storm Worm.

Since I could not get the Storm Worm to execute in Sandboxie, I went ahead and let it infect my VM host without the protection mechanisms Sandboxie provides. Interestingly enough, I immediately saw network traffic going to my faux time server from the infected VM host, which is normal as well, since the Storm Worm Trojan changes your NTP server to time.windows.com to ensure its hosts are synced. The only reason my infected host hit my faux NTP server is that I use a faux DNS script as well to ensure all DNS queries resolve to my all-in-one faux server, which has multiple services available to facilitate my malware investigations safely. My infection was definitely confirmed when I started seeing the extremely aggressive amount of UDP packets the Storm Worm Trojan generates using the Overnet protocol to talk with its peers.
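The faux DNS setup described above, as an added example that is not the author's script: a minimal sinkhole resolver in Python that answers every A query with one lab address, so that the sample's NTP, HTTP and SMTP traffic all land on the all-in-one server and every name the malware asks for is logged. The 10.0.0.1 address is an assumption standing in for the lab server, and only single-question, uncompressed queries are handled, which is what Windows resolvers send.

```python
import socket
import struct

SINK_IP = "10.0.0.1"   # assumed address of the all-in-one lab server (NTP, HTTP, SMTP sink, ...)

def _read_name(data, offset):
    """Read an uncompressed DNS name at offset; returns (dotted name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length

def build_query(name, txid=0x1234, qtype=1):
    """Minimal client query (type A by default) so the resolver can be exercised without a socket."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def build_sinkhole_response(query, sink_ip, ttl=60):
    """Answer any A/IN question with sink_ip; other types get an empty NOERROR answer so clients don't stall.
    Returns (response bytes, queried name)."""
    if len(query) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    qname, off = _read_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    answer = b""
    ancount = 0
    if qtype == 1 and qclass == 1:
        # NAME = pointer to the question name at offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
        ancount = 1
    # QR=1, AA=1, RD copied from the query, RA=1, RCODE=0
    resp_flags = 0x8400 | (flags & 0x0100) | 0x0080
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    return header + question + answer, qname

def serve(bind_ip="0.0.0.0", port=53, sink_ip=SINK_IP):
    """Blocking UDP loop: log every name asked for and point it at the lab server."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            resp, qname = build_sinkhole_response(data, sink_ip)
        except (ValueError, IndexError):
            continue
        print(f"{addr[0]} -> {qname} answered with {sink_ip}")   # this log is where the C2 and spam domains fall out
        sock.sendto(resp, addr)

if __name__ == "__main__":
    serve()
```

Run it as root on the lab gateway (it binds UDP/53) with the infected VM's DNS pointed at the gateway; the query log is as useful as the packet capture, since every domain the bot resolves shows up in it before any connection is attempted.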

My next step was to check the process list to see if I had any new processes running. This is when I began to suspect a rootkit was involved, as I had no new processes executing according to the Windows process list, tasklist, pstasklist, or the Sysinternals Process Explorer. The next check was to look in the %WINDIR% directory to see if the two files were visible, and of course they were not. I tried using the dir command and also looking for them through Windows Explorer. Now, to confirm this was a rootkit, I ran a few rootkit detection tools.

The first tool was RootkitRevealer, which had no problem identifying the files being hidden from the Windows API calls (it compares the file system as seen through the Windows API against a raw scan of the volume, so anything a rootkit filters out of the API view shows up as a discrepancy). Here is a screenshot of my results:

As the screenshot shows, the Storm Worm authors have definitely reinstated the rootkit functionality. Next I tried F-Secure's BlackLight rootkit tool, which identified the two Storm Worm Trojan files as well.

I should also note that IceSword and RKDetector2 were also successful at detecting the rootkit installed by the Storm Worm. Now that I have confirmed the Storm Worm is actually installing a rootkit and it wasn't some sort of mistake on my part, a more in-depth analysis will need to be performed on the binary. That of course I will leave for another day. I should also note that the F-Secure BlackLight rootkit eliminator was successful at removing the Storm Worm's rootkit, which is good news if you're a user or system administrator looking to get rid of this. Just remember to go back into the %WINDIR% directory after renaming the files with BlackLight and delete the binary and configuration text file for good, as you don't want someone to come behind you and reinfect the computer. (If you have the option, reimaging the machine is still the safer course once a kernel-mode rootkit has been on it.) One last note about the binary: the VirusTotal results were 15/33 (45.46%), which is about average for detection of the Storm Worm binary by the major AV companies.

Since this run was to take a peek at what the Storm Worm spam was doing here are the domain names I captured during this run:

  • advancedcaremedical.eu
  • americanmedicalguide.eu
  • costappreciation.com
  • dadreciprocity.com
  • medicalhealthdeath.eu
  • medicaljobsgroup.eu
  • medicalworldinc.eu
  • medicalworldlink.eu
  • spiritualitycondition.com
  • themedicalmarket.eu
  • toldthere.com
  • treefinal.com
  • wellnesssurgical.eu
  • womenmedicalcenter.eu

I couldn't get any of these pages to load when I tried tonight, but looking at the actual spam messages and subject lines I would assume these are Canadian pharmaceutical websites, which make up the majority of spam generated by the Storm Worm. Here are a few subject lines I found in the spam messages:

  • Subject: 10 reasons to take enhancing medicaments.
  • Subject: A better way to give up smoking.
  • Subject: Ancient greeks used this to treat their male problems.
  • Subject: Bring more joy to your life, get a bluepill!
  • Subject: GLobal potence ensurer!
  • Subject: Have perfect health in an imperfect world.
  • Subject: Join the biggest community of man that cured their male intimate problems
  • Subject: No need to visit a doctor again to get medications you need.
  • Subject: VPXL from Canadian Chemist. Your ultimate enhancing solution.
  • Subject: Unbelievably healthy living, come to Canadian Chemists’ site to claim it

Here is the complete list of unique subject lines I captured this afternoon: subjects_spam.txt.

With the return of the Storm Worm rootkit functionality, the stagnated military theme, and over half of the current Storm Worm domain names being shut down, I would anticipate a new theme/campaign arriving in our spam folders within the coming days. This new run could possibly be worse than others with the added rootkit functionality, as users may dismiss a Storm Worm install because they cannot readily see the infection or a process running. The good thing is, if you're reading this you probably know better by now.

As always, if you have any questions or comments regarding my posting, feel free to send me an email or post a comment. I am always glad to hear from you, good or bad.

Posted in Bots and Worms, Storm Worm | 1 Comment »

Storm goes Phishing

Posted by jeremy on 16th July 2008

Looks like the authors of the Storm Worm have started to spam out phishing emails to our inboxes, so be ready tomorrow morning to warn your users. The following domain names are being used as the phishing sites (caution: these are also malicious sites):

  • accounts.digitallnsight.net/onlineserv/CM/
  • digitalinsight.bankdata1.com/onlineserv/CM/
  • digitalinsight.bankdata1.net/onlineserv/CM/
  • digitalinsight.bankdatacentral.com/onlineserv/CM/
  • digitalinsight.bankdatacentral.net/onlineserv/CM/
  • digitalinsight.cmcenter.net/onlineserv/CM/
  • digitalinsight.ebanking-network.com/onlineserv/CM/
  • digitalinsight.secure-processor.net/onlineserv/CM/
  • digitalinsight.secure-server3.com/onlineserv/CM/

These domains were all live links embedded in the body of the spam messages. Note the first one: "digitallnsight" spells the brand with a lowercase L in place of the i, a look-alike trick that is easy to miss in a mail client's proportional font. Here is the actual spam message being sent:

Subject: Read carefully – Important Notification

Dear Administrator,

We inform you that your account is about to expire.
It is strongly recommended to update it immediately. Update form is located <a href="hxxp://digitalinsight.bankdata1.com/onlineserv/CM/">here</a>.
However, failure to confirm your records may result in account suspension.

Confidential: Please be advised that the information contained in this email
message, including all attached documents or files, is privileged and
confidential and is intended only for the use of the individual or individuals
addressed. Any other use, dissemination, distribution or copying of this
communication is strictly prohibited. This is the automated message. Please
don’t reply.

Unlike most other phishing spam, this particular version is really well laid out and designed in such a way that I am sure many users will be fooled into visiting these sites. The actual phishing page looks like this:

This is a very basic-looking page asking for the user's Company ID, Company Password, User ID, and User Password. Also notice the notice in red telling the user to use their financial institution's login page for future maintenance. I am guessing the notice is just an additional touch to aid the social engineering going on here. All of this seems to be standard stuff, but wait, there is an iframe reference that caught my eye right away. The iframe path is:

hxxp://xx.xx.xx.xx/cgi-bin/index2.cgi?lite

The IP is rotated with every query, so it isn't as simple as adding an IP block to protect your user base. This iframe leads to none other than some deeply obfuscated JavaScript code. I used Bobby's Malzilla tool for the deobfuscation, which can be downloaded here: Malzilla. I highly recommend checking this tool out, and if you like it throw Bobby a bone or two by donating to his project, as he has spent many hours adding features requested by the community.
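Because the IP behind the iframe rotates, the thing to key on is the shape of the include rather than its address: a frame pointing at a bare IP, a frame sized to zero or styled invisible, or a server-side script pulled in from another host. The following is an added example (not code from this post or from Malzilla) that pulls every iframe out of a fetched page and flags the ones matching those patterns; it also covers the "ind.php" iframe from the Storm landing pages discussed above. The sample HTML is constructed, and 203.0.113.5 is a documentation address standing in for the rotating IP.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the real phishing page): a login form plus three iframes,
# two in the style seen on the Storm pages and one ordinary video embed for contrast.
SAMPLE_HTML = """<html><body>
<form action="login.cgi" method="post">Company ID <input name="cid"></form>
<iframe src="http://203.0.113.5/cgi-bin/index2.cgi?lite" width="0" height="0"></iframe>
<iframe src="ind.php" style="display:none"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def is_hidden(attrs):
    """Zero/one pixel frames or CSS-hidden frames: content nobody wants the user to see."""
    for dim in ("width", "height"):
        v = attrs.get(dim, "").strip().lower()
        v = v[:-2] if v.endswith("px") else v
        if v.isdigit() and int(v) <= 1:
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style

def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes worth a closer look; page_host is the host that served the HTML."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        parts = urlparse(src)
        host = (parts.hostname or page_host).lower()   # relative src => same host as the page
        reasons = []
        if is_bare_ip(host):
            reasons.append("src host is a bare IP address")
        elif host != page_host.lower():
            reasons.append("cross-site include from " + host)
        if is_hidden(frame):
            reasons.append("frame is hidden from the user")
        if parts.path.lower().endswith((".php", ".cgi", ".asp")):
            reasons.append("server-side script as frame target")
        # a visible cross-site embed of a plain page (the video frame) is normal and is not reported
        if is_bare_ip(host) or is_hidden(frame) or len(reasons) >= 2:
            findings.append((src, reasons))
    return findings

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "example.com"):
        print(src, "->", "; ".join(why))
```

Feed it the HTML you fetched from the phishing or landing page (from a lab host, with the page host as the second argument) and it reports the frames to pull through Malzilla; the rotating IP never enters into the decision.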

Ok, back to the phishing stuff. In this PDF you will find the complete deobfuscation of this iframe redirection: badness_storm_phish. Now this really struck me as odd, but this script decodes exactly like the "ngg.js" SQL injections flooding the internet right now. Even the binary is the same, including the if/else selection logic used in the code to choose your binary. So does this mean the Storm Worm authors can now be traced over to some of the SQL injection stuff being tracked so well over at ShadowServer.org: Full list of Injected Sites? I can't confirm this connection, but it is definitely the same obfuscation being used by the "ngg.js" stuff. So either it is the same organization, or the SQL injection organization is now paying the Storm Worm authors to distribute spam for them. Who really knows, as I am just guessing here. One other idea would be that the SQL injections worked on the phishing sites, but I really don't think that is the case here.

The binary being downloaded after all the iframe redirection badness occurs is fairly well detected by the vast majority of antivirus companies, which is a good thing. Here is a link to my scan results: Result: 21/33 (63.64%). I didn't run the binary in my lab, but it looks like it is either a proxy bot or a spam bot according to the virus detection results.

The rest of the spam I captured tonight during this lab run involved the same old Canadian pharmaceutical links, with the same old subject lines. Here is a list of the domains involved in that portion of the spam:

  • advancedcaremedical.eu
  • americanmedicalguide.eu
  • childrenseparate.com
  • happenhalf.com
  • lottube.com
  • maysection.com
  • medicalhealthdeath.eu
  • medicaljobsgroup.eu
  • medicalworldinc.eu
  • medicalworldlink.eu
  • needcertain.com
  • nowcarry.com
  • prepaream.com
  • themedicalmarket.eu
  • thoughgrand.com
  • valleyearth.com
  • wellnesssurgical.eu
  • womenmedicalcenter.eu
  • yellowyear.com

Some of these domains are new to my lists, so if you don't have them in your blacklists or content filters I would add them now as well.

To finish out tonight's post, here is my entire spam capture log for all of the above, just in case you're interested: smtplogs.txt. As always, if you have questions or comments feel free to ping me anytime.

Posted in Bots and Worms, Storm Worm | 4 Comments »

Storm Worm spam and domain names update

Posted by jeremy on 14th July 2008

I ran the Storm Worm in my lab again tonight with no real surprises to be found. It seems as though the Storm Worm authors are having trouble keeping their military theme going, with registrars taking action against their domain names. I saw no spam leaving the Storm Worm tonight pointing at the domains for their web servers hosting malicious code and Storm Worm binaries. This is good news, but I believe this is just a short-lived break as the authors of the Storm Worm ramp up for their next campaign with new domain names and possibly a modified theme. My guess is within the next few days, or at the latest within a week, we will see something new from them. The following domains still seem to be actively pointing towards Storm Worm web servers:

  • cadeaux-avenue.cn (Registrar: BIZCN.COM, INC.)
  • polkerdesign.cn (Registrar: BIZCN.COM, INC.)
  • lovelifecash.com (Registrar: BIZCN.COM, INC.)
  • bphostdomains.com (Registrar: BIZCN.COM, INC.)
  • grupogaleria.cn (Registrar: BIZCN.COM, INC.)
  • nationwide2u.cn (Registrar: BIZCN.COM, INC.)
  • activeware.cn (Registrar: BIZCN.COM, INC.)

So as you can see, "Registrar: BIZCN.COM, INC." seems to be very slow at reacting to requests to take action on the above domains. I can only hope their processes speed up and they too take action soon. Here are the current active name servers being used by the above domains:

  • ns.bphostdomains.com
  • ns2.bphostdomains.com
  • ns3.bphostdomains.com
  • ns4.bphostdomains.com
  • ns5.bphostdomains.com
  • ns6.bphostdomains.com
  • ns2.verynicebank.com
  • ns1.lollypopycandy.com
  • ns2.lollypopycandy.com
  • ns1.verynicebank.com
  • ns3.likethisone1.com
  • ns4.likethisone1.com

If you have any type of DNS black-holing or content filtering capability, I would recommend keeping these domains blocked/filtered.

All of the spam I captured in my sandnet tonight was pharmaceutical related, pointing to the online store "Pharmacy Express", which is well documented on the Spam Trackers spamwiki: Pharmacy Express Info. I captured a total of 6,581 spam messages during my run and was able to parse out the following domain names being used within the spam message bodies:

  • advancedcaremedical.eu (Registrar: OnlineNIC Inc)
  • americanmedicalguide.eu (Registrar: OnlineNIC Inc)
  • medicalhealthdeath.eu (Registrar: OnlineNIC Inc)
  • medicaljobsgroup.eu (Registrar: OnlineNIC Inc)
  • medicalworldinc.eu (Registrar: OnlineNIC Inc)
  • medicalworldlink.eu (Registrar: OnlineNIC Inc)
  • themedicalmarket.eu (Registrar: OnlineNIC Inc)
  • wellnesssurgical.eu (Registrar: OnlineNIC Inc)
  • womenmedicalcenter.eu (Registrar: OnlineNIC Inc)

Out of the 6,581 spam messages I captured, I identified 662 unique subject lines. You can see all of these subject lines here: Storm Spam Subjects.txt. Here are a few extracts just in case you're not interested in all 662:

  • Subject: Bring more fun to your xxxlife!
  • Subject: Do you like wild nights?
  • Subject: Dont let sickness spoil your vacation.
  • Subject: Experience more pleasure from perfect intimate living.
  • Subject: Get back to slim shape again.
  • Subject: If good health is what you really need, then its time to visit canadian chemists.
  • Subject: Leading supplier of Canadian chemists in now available for you.
  • Subject: Online Canadian Chemist – we care about Your Health!
  • Subject: Some helpful information on weight losing products.
  • Subject: The largest network of i-chemists.
  • Subject: Want to act like that Ppornstar from the movie u watched yesterday?
  • Subject: quicker,safer,cheaper online chemiststore

These seem to be the standard type of subject lines we have grown accustomed to in our spam folders, brought to you directly by the Storm Worm authors and our online Canadian pharmacists. My full spam log can be viewed here: smtpspamlog.txt.
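The two things pulled out of a sandnet run above (the set of unique subject lines and the domains linked from the message bodies), plus the DNS black-holing recommended earlier in this post, as one added example that is not the author's parsing script: it reads captured messages with the standard library's email parser, counts messages per linked domain, and emits Unbound local-zone lines that redirect those domains (and their subdomains) to a sinkhole address. The four messages are constructed in the style of the spam quoted on this page; the domains in them are ones listed above, the senders and bodies are invented, and the sinkhole address is an assumption.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample capture standing in for a sandnet SMTP log. The domains are ones listed
# on this page; the sender addresses and bodies are invented.
SAMPLE_MESSAGES = [
"""From: bot1@example.net
To: victim@example.org
Subject: Online Canadian Chemist - we care about Your Health!

Our shop moved: http://advancedcaremedical.eu/?id=4421
""",
"""From: bot2@example.net
To: victim@example.org
Subject: Ancient greeks used this to treat their male problems.

Read the story at http://www.medicaljobsgroup.eu/story.html
""",
"""From: bot3@example.net
To: victim@example.org
Subject: Ancient greeks used this to treat their male problems.

Special offer: HTTP://advancedcaremedical.eu/promo
""",
"""From: bot4@example.net
To: victim@example.org
Subject: Bring more joy to your life, get a bluepill!

<a href="http://wellnesssurgical.eu/">click</a>
""",
]

URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

def body_text(msg):
    """Flatten a parsed message (multipart included) to one text string."""
    if msg.is_multipart():
        return "\n".join(body_text(part) for part in msg.get_payload())
    payload = msg.get_payload(decode=True) or b""
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")

def hosts_in(text):
    """Hostnames from every http(s) URL in text, lowercased, with a leading 'www.' dropped."""
    hosts = set()
    for h in URL_HOST_RE.findall(text):
        h = h.lower().rstrip(".")
        hosts.add(h[4:] if h.startswith("www.") else h)
    return hosts

def summarize(raw_messages):
    """Unique subject lines and a per-domain message count for a batch of captured messages."""
    subjects = set()
    domains = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        subjects.add(msg.get("Subject", "").strip())
        for h in hosts_in(body_text(msg)):
            domains[h] += 1          # one count per message, however many times a domain appears in it
    return {"message_count": len(raw_messages),
            "unique_subjects": sorted(subjects),
            "domains": domains}

def unbound_redirect_lines(domains, sink_ip):
    """Unbound config answering each listed domain, and everything under it, with sink_ip."""
    lines = []
    for d in sorted(domains):
        lines.append(f'local-zone: "{d}." redirect')
        lines.append(f'local-data: "{d}. A {sink_ip}"')
    return lines

if __name__ == "__main__":
    s = summarize(SAMPLE_MESSAGES)
    print(f"{s['message_count']} messages, {len(s['unique_subjects'])} unique subjects")
    for d, n in s["domains"].most_common():
        print(f"{n:5d}  {d}")
    print("\n".join(unbound_redirect_lines(s["domains"], "127.0.0.1")))   # 127.0.0.1 is an assumed sinkhole
```

To use it on a real run, split the SMTP sink's log into individual messages and pass the list to summarize(); the redirect form is chosen over a plain NXDOMAIN so that a web server on the sinkhole address can log which hosts on your network are still following the links.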

The "I Kill Spammers" blog has posted a rant on these subject lines and messages here: "Storm of Stupidity". To me it is a humorous read, and I have to give the blog props for linking to my good buddies over at MalwareDomainList.com. If you have not visited MalwareDomainList.com you should go give it a once-over, as it has a large collection of searchable malware domain names and malware server indexes. This site isn't for everyone, but if you're a security researcher or a security hobbyist there is a wealth of information available to you. Well, I believe I have done enough promoting of other sites tonight; as always, if you have any questions or comments feel free to contact me.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm Binary Tracker Updates

Posted by jeremy on 13th July 2008

I had some spare time this afternoon, so I decided to update the web interface to my Storm Tracker database. I hope everyone finds these changes useful, as I have included several correlated data displays in an attempt to make researching the Storm web proxies and binaries I have harvested a little easier and more user friendly. I personally have performed most of these queries on my dataset offline, but was too lazy in the past to create a web front end for them. In addition, I have also included in these new data views embedded hyperlinks that allow you to drill down on different datasets faster.

I do have some ideas for future enhancements such as spam tracking, domain name tracking, name server tracking, web page tracking, and a possible peers dataset. I can't guarantee I will ever implement any of the above, but they do sound useful.

If any of you have enhancements or data views you would like to see or think would be useful, feel free to contact me with the details, as I will take them into consideration when I decide to revamp the Storm Tracker again.

Posted in Bots and Worms, Site Update, Storm Worm | 2 Comments »