After seeing the binary change to almost completely undetectable by all antivirus applications I thought it would be a good time to run it in my lab again. I must say I was not disappointed in this new run as I was able to witness some new characteristics of the Storm Worm along with some new spam messages being generated.

The first instance of spam I want to discuss is the Penny Stock being pushed by the Storm Worm right now. The company being targeted by this is MINDPIX a production and media company that has also developed some type of fitness equipment. This company seems to be a target and not a participant in these spam messages as the CEO David Ballif has released this official announcement on July 1st. As requested in his statement I have emailed them what I am aware of and wish them the best of luck in getting this issue resolved. Here are a few examples of the messages being sent out pertaining to this company:

So much. advanecment lately

Symbol: MPIX.”PK
Name: Mind Pix Corp.
At tihs time: 0.02,5

T,his stock will go up, up! Don’t miss your chance!

Move fast buy ,mpix

The demand is there for MPIX

Symbol traded: mpix
OTC:mpix.pk
Tuedsay close: 2..5 cents

I can not stress the timing en,ough, it is _now.

Get onboard

The next portion of the spam I captured was for the normal two Pharmaceutical companies: “Pharmacy Express” and “Canadian Pharmacy”. The Storm Worm is pushing the same old discount prescription drugs we have grown use to seeing and with that here is a list of the unique domain names I parsed out of the logs that point to these two companies:

• bestphysiciangood.eu
• childrenseparate.com
• doctorbutgood.eu
• doctorfeelgoodphd.eu
• doctorgoodsite.eu
• doctorleasegood.eu
• greatmedicgood.eu
• happenhalf.com
• lottube.com
• maysection.com
• medicgooddirect.eu
• medicgoodguide.eu
• needcertain.com
• nowcarry.com
• prepaream.com
• surgeongood.eu
• thoughgrand.com
• valleyearth.com
• yellowyear.com

All of these domains are using wildcard sub domain A record resolutions, so they are able to resolve any sub domain enabling them to randomize there spam messages like this:

Best prices for licensed cures on the internet.
hxxp://vijai.bestphysiciangood.eu

Necessary chnages in your xxxlife. hxxp://euhni.doctorgoodsite.eu

The third and last portion of the spam I observed was dealing with the new “Military Theme” the Storm Authors implemented earlier today. Here are the domain names I parsed out of the spam messages pertaining to this theme:

• dailydotnews.com
• dotdailynews.com
• morenewsonline.com
• newsworldnow.com
• statenewsworld.com

The message bodies for these emails look like this:

USA occupeid Iran hxxp://dotdailynews.com/

The World War III has already begun hxxp://dotdailynews.com/

As you can see they are focusing on the rising tension between the US and Middle East as a tool to increase their success rate for infections.

I didn’t split these messages up into individual files, so here is a list of all 777 unique Subject lines including all three campaigns described above: unique_subject_lines.txt. If you want to see the entire log your in luck and can download it here: spamlog.txt.

The final observation I made during this lab run was four more IP addresses being Attacked with ICMP DDoS packets. Here are the IPs that were targeted:

• 200.142.97.194 ( correio.gpnetrj.com.br )
• 216.213.5.111
• 24.147.98.16 ( c-24-147-98-16.hsd1.ma.comcast.net )
• 67.195.37.166 ( llf320044.crawl.yahoo.net )

These attacks were consistent with the ICMP echo-request attacks I observed in yesterdays lab run in that they only lasted ~30 minutes and seemed to rotate through with no particular pattern, which has drawn me to the conclusion that the Storm Worm retaliation/defensive techniques are back. So it your a researcher be careful while doing your research as you may be on the receiving end of a nasty ICMP DDoS attack before you know it.

As always if you have any questions or comments feel free to contact me.

With the conclusion of the 4th of July weekend occurring, the Authors of the Storm Worm have changed their theme as well focusing on a “Military Theme” titled “Military News”. Here is a snapshot of the current Storm Worm web page:

As you can see the Storm Worm Authors are focusing in on the recent tensions heightening in the Middle East between the US and IRAN. With IRAN threatening to burn Tel Aviv in response to any US attacks on their Nuclear facilities, and the strains caused by the constant oil prices sky rocketing this is almost the perfect theme to infect many US citizens just looking for current news. If I had to guess I would say this theme will be one of the more successful campaigns just because of timing and a well thought out design. Even the banner looks extremely well thought out and designed. I really don’t see any obvious mistakes with this theme. Here is a copy of the html source code for the page:

Taking a look into the source code reveals that clicking the well designed banner the user will download the binary named: “form.exe”. If the user clicks either the fake media player image or the “on the video” hyperlink they will download the binary named: “iran_occupation.exe”. Both of these binaries are the Storm Worm trojan just waiting to turn the users computer into a spamming maniac or a web proxy host severing other unsuspecting hosts with this web page. You will also notice the standard “ind.php” iframe src inclusion will be loaded on every visit behind the scenes. This file has been included in the Storm Worm’s exploiting techniques for a few months now, and is the same file containing 9 well documented exploits we have grown do accustomed to seeing still heavily obfuscated with JavaScript.

Another major issue that will be driving the Antivirus Companies insane is that there was practically no detection of these new binaries. Here are my VirusTotal Results for the 2 binaries: form.exe Result: 3/33 (9.1%) and iran_occupation.exe Result: 3/33 (9.1%).

I may follow this posting with an update once I have had a chance to analysis these new binaries and run them in my lab. More to come I am sure.

UPDATE: Here is a list of new Storm Worm Domain names I discoverd right after posting this:

• statenewsworld.com
• morenewsonline.com
• dailydotnews.com
• dotdailynews.com
• newsworldnow.com

Looks like the Storm Worm has taken up DDOS ICMP attacks again, as tonight’s lab run revealed the following IP addresses being attacked:

• 118.160.208.250 (118-160-208-250.dynamic.hinet.net)
• 67.195.37.166 (llf320044.crawl.yahoo.net)
• 76.98.44.10 (c-76-98-44-10.hsd1.pa.comcast.net)
• 207.206.148.78 (gump.lashback.com)
• 61.229.224.181 (61-229-224-181.dynamic.hinet.net)
• 67.195.37.190 (llf320059.crawl.yahoo.net)
• 201.223.161.134 (134-161-223-201.adsl.terra.cl)

The interesting characteristic I observed during these attacks were that the victim IP addresses were being rotated through at 30 minute intervals. What I mean by this is I watched the Storm Worm bot try to send 30 minutes of ICMP echo-requests to the first IP on the list, then it moved on to the next IP on the list for 30 more minutes until I finally turned it off to finalize the lab run and start looking at data captured. This is the first time I have ever seen a round robin style DDOS attack being carried out. With the return of DDOS attacks by the Storm Worm I would definitely say this botnet just returned to the dangerous state and jumped back on many security professionals radar. I have read just recently several posting dismissing the danger of the Storm Worm, which I would never recommend doing.

I also captured the spam using my faux smtp server and identified the following new spam domains inside the message bodies:

• bestphysiciangood.eu
• childrenseparate.com
• doctorbutgood.eu
• doctorfeelgoodphd.eu
• doctorgoodsite.eu
• doctorleasegood.eu
• greatmedicgood.eu
• happenhalf.com
• lottube.com
• maysection.com
• medicgooddirect.eu
• medicgoodguide.eu
• needcertain.com
• nowcarry.com
• prepaream.com
• surgeongood.eu
• thoughgrand.com
• valleyearth.com
• yellowyear.com

All of these domains are the home of a pharmaceutical company named “Pharmacy Express” selling all types of prescription drugs. I covered this pharmaceutical company in my last post, so I won’t bore you with the details again. Here is a list of the 584 unique subject lines in the spam emails I captured: Storm Uniq Subject Lines.

In closing here is tonight’s VirusTotal results for: msserv.exe Result: 19/33 (57.58%), and here is tonights Storm Peers list extracted from the msserv.config file: Peers.txt.

As a side note I have the full pcap file for this DDOS attempt. If you happen to be investigating these attacks and your IP is listed above or you have a ligament reason to see these captures feel free to contact me. I will not distribute these to just anyone, so think before you ask.

This morning I figured I would check on the Storm Worm since it’s current theme is the “Colorful Independence Day” theme and today is the day after the 4th of July. Looks like the Storm Worm web servers are still serving up the fireworks.exe binary and the image file is still the same, so no changes there.

Where I did find changes flowing was in the Storm Worm spam messages going out. It looks like the spam messages are rotating themes about every 250 to 350 messages between a pharmaceutical spam theme and new Storm Worm domain names. The new Storm Domain names I found in the spam messages are as follows:

• bellestarfireworks.com
• dayfireworkssite.com
• greatfireworkslaws.com
• thefireworksjuly.com
• wholefireworksonline.com
• worldbestfireworks.com
• yourfireworks.com
• yourfireworksstore.com

The following domains are still active as well in serving up Storm Worm binaries:

• activeware.cn
• grupogaleria.cn
• lollypopycandy.com
• nationwide2u.cn
• likethisone1.com

I verified all of these domain names with some Passive DNS discovery techniques and identified a few new Storm Domain Name servers spitting out A records. Looks like there are a total of 71 active Storm Worm DNS servers answering lookup requests. Here is a full list of all 71: Storm NS Servers List.

The pharmaceutical spam site has been modified as well. It looks like they have changed their name from “Canadian Pharmaceuticals” to “Pharmacy Express”. This new site appears to be very similar in appearance to the old Canadian Pharmaceuticals site. Here is a snapshot of the Pharmacy Express web page header:

The spammed domain names I grabbed during this spam run were as follows:

• fairneck.com
• girlsultry.com
• ihotair.com
• pharmacydepotonline.com
• prohotsite.com
• redhotcapital.com
• seatdistant.com
• sexyhotworld.com
• squarespell.com
• starfoxguide.com
• teahotspot.com
• theshyfo.com

These domains are also Fast Flux networks rotating 19 different A records at 120 second intervals, which makes it a little different from the standard Storm Web server Fast Flux network. The Storm Web server Fast Flux DNS servers rotate IP addresses by serving a new individual A record every 60 seconds. It is my opinion these TTL changes in A record expirations is a simplistic attempt to avoid discovery from several of the Fast Flux domain discovery scripts out there. Most of the basic Fast Flux discovery scripts look for changes in IP addresses within a 60 second interval, and the Authors of the Storm Worm Fast Flux network avoid this discovery by rotating outside this interval. If you are using these types of discovery techniques or scripts modify them to query at a longer time interval such as 360 seconds to get better results. The problem with this modification is it is pron to false positives.

The subject line and message content of these spam messages seem to be right in line with all of the other Storm spam messages of the past. The message body is just a short line of text ending with a hyperlink to either the Storm Web server domain or the Pharmacy Express website. Here is a list of the unique Subject lines I extracted from my short lab run this morning: Storm Spam Subject Lines.

The Storm Worm binary and configuration file that is loaded into the %WINDIR% has also changed names. The new binary is named “msserv.exe” and it’s corresponding configuration file holding a list of p2p peers is now named “msserv.config”. I ran the msserv.exe through VirusTotal, VT for msserv.exe, with the normal mid ranged results for identification of 18/33 (54.55%). I also extracted a peers list from the msserv.config file with no real change in the number of peers around me: 871 peers.txt.

Looks like the authors couldn’t resist the opportunity to entice United State citizens with a “Colorful Independence Day” theme. The good news is there are only 5 of the 24 domain names I reported the other day still active. Here is a list of the current active Storm Worm domain names:

• activeware.cn
• grupogaleria.cn
• lollypopycandy.com
• nationwide2u.cn
• likethisone1.com

The new “Colorful Independence Day” theme is a little different than past campaigns, as it only hosts one binary file and the ind.php exploit scripts. Usually the Storm Worm authors maintain two differently named binaries available for download through a hyperlink and by clicking an image file. This time the authors are only hosting a binary titled “fireworks.exe”, which is downloaded by clicking a colorful image of a fireworks show. Here is a snapshot of the current site:

The normal ind.php file is a hidden iframe inclusion with the normal 9 exploits waiting to serve up a fresh install of the Storm Worm Trojan turning your computer into a spamming maniac. VirusTotal results shows that many of the Antivirus companies are still struggling to keep up and identify the constantly changing/morphing Storm Worm. With only ~52% (17/33) identifying the fireworks.exe binary as being malicious of which 2 of the 17 just state the file is suspicious. I wouldn’t count the suspicious file signatures as a success, so in my opinion only 15/33 really identified the binary. Here is a link to the results page for VirusTotal.

With this being the evening of the beginning of my long weekend vacation I am going to cut this analysis short and leave you with a “Happy 4th of July” and be safe.

Looks like the authors of the Storm Worm are at it again with the “love theme”, but this time with lots of love. I have identified 24 active Storm Worm web server domain names serving up a new storm worm binary with very little detection by the Antivirus companies according to my VirusTotal results (8/33 24% detection rate). My current list of active domain names are:

• activeware.cn
• bestlovelyric.com
• gonelovelife.com
• greatadore.com
• grupogaleria.cn
• knowholove.com
• likethisone1.com
• lollypopycandy.com
• loveisknowlege.com
• lovekingonline.com
• lovemarkonline.com
• loveoursite.com
• makeloveforever.com
• makingadore.com
• makingloveworld.com
• musiconelove.com
• nationwide2u.cn
• shelovehimtoo.com
• superlovelyric.com
• theplaylove.com
• wantcherish.com
• whoisknowlove.com
• wholovedirect.com
• wholoveguide.com

Most of these were identified through passive DNS techniques, and using my spam lab setup. Looking at the spam I captured in my lab for the newest Storm run, I was able to identify 64 unique Subject lines from 3,743 spam email messages. All 64 unique Subject lines related to the theme of love, which if I had to guess must pay high dividends for the Storm authors as they have returned to this theme over and over again. A few sample subject lines are:

• All I need is You
• Always on my mind
• Can’t forget You
• Can’t stay away from you
• Crazy in love
• Crazy in love with you
• Deep in my heart
• Deeply in love with you
• Dreaming ’bout you
• Everything for you

All 64 unique subject lines can be seen here: spam_subject.txt. The actual spam message contained 65 unique messages with a simple one line message containing hyperlinks to one of the 24 active Storm domains listed above. Following any of these hyperlinks leads to the newest version of the Storm Worm web server page, which maintains a Egreetings/Ecard design and the love theme, but with a twist. The web page title is:

Free I Love You Ecards, I Love You Greeting Cards, I Love You Greetings, Cards, ecards, egreetings

The twist is the Storm authors have added a flashy banner at the top of the page stating you are the 10,000 visitor and that you have won a prize. To claim the prize all you have to do is click through the fake banner advertisement. Here is a snapshot of the current Storm worm web page:

Examining the source code there are 2 unique binary names available for download: “winner.exe” and “mylove.exe”. By clicking the image stating your the 10,000th visitor the winner.exe binary is downloaded. Clicking the hyperlink, “click here”, the “mylove.exe” binary is downloaded. The storm worm authors are also actively maintaining a malicious script titled “ind.php” containing 9 individual exploits hidden from view with an iframe redirection and littered with heavy Javascript obfustication to evade detection and analysis.

It is my opinion that this particular version/run of the Storm Worm appears to be the largest in scale this year. I do not remember seeing this many active domain names being used in any of the past runs I have analyzed. I also noticed the Fast Flux network has modified all of the Storm Worm domain name A records TTL value to 60 seconds, instead of the normal 0 seconds. This means the Fast Flux DNS servers will rotate the A records every 60 seconds instead of after every individual query, which may be an attempt to throw off some techniques for analyzing and identifying Fast Flux domain names. Another reason I believe this is one of the largest scaled runs this year is my Storm Web server DNS tracking scripts are averaging ~3,200 unique IP addresses a day instead of last months daily average of 376 a day. Obviously this is a large increase, but it could be a misleading number, as my tracking scripts have more domain names to work with now than they have ever had in the past due to the fact there are so many active domain names right now.

Another lab run of the Storm Worm last night I captured 7,341 emails of which there were 31 unique Subject lines, 5 distinct email addresses in select message bodies, and 105 unique IP address direct links. The majority of last nights spam lab run contained the current theme of a disaster in China affecting the Olympic games in Beijing . Nothing new there, but I did find 1,144 messages which contained the following style of message:

Hello, my friend.

Do you want to buy any stuff: any kind of pills, oem software, cool porn?
Just mail me back, i’ll find the best offer for you.

Of these 1,144 messages containing this unique message I was able to extract 5 different individual email addresses:

• cstygstra@gmail.com
• removed (19 September 2009)
• infrared35@gmail.com
• jim@tegelaar.com
• wagz_is_god@yahoo.com

I Googled all of these email addresses to see if possibly the Storm Worm Authors were raining some spam to these targeted emails, as this was my first thought, but found that these email addresses returned no results except for wagz_is_god@yahoo.com. I found a post from a user calling himself “wagzisgod” from 2004 about maintaining a traders list on spawn.com. The Google cached page can be seen here: Spawn.com Message Board post. So I don’t think this a malicious attack against the email addresses listed above, but more likely a way of trying to identify active email addresses maintained in their current harvest lists. I sent an email using a newly created account and have yet to receive any response regarding my staged request for more information regarding the availability of the products in the spam message. I really didn’t expect to receive a response, but this was more of an attempt to monitor spam generated from the Storm Worm, as this newly created email has only been used once making it perfect for tracking the Storm Spam if it works the way I hope it does. Only time will tell.

Here are the logs from last nights spam run in my lab for your own analysis: Full SMTP log, Unique IPs for Storm Web Servers in Spam Log, and Storm P2P Peer list.

With all of the know Storm Worm domain names temporarily not resolving, due to the Storm Worm designated name servers not responding to A record requests, the authors have reverted back to spamming direct IP links to our mail boxes. The main Storm Worm domain name servers I am aware of are:

• ns.likenewvideos.com
• ns2.likenewvideos.com
• ns3.likenewvideos.com
• ns4.likenewvideos.com
• ns.verynicebank.com
• ns2.verynicebank.com
• ns3.verynicebank.com
• ns4.verynicebank.com
• ns5.verynicebank.com
• ns6.verynicebank.com

I captured 1,014 spam messages in my lab this afternoon during a short run just to check on things. Of the 1,014 spam messages there were only 47 unique IP addresses and only 30 unique Subject lines. Here are two text files with the data: spam_ips.txt and spam_subjects.txt. As you can see the spam messages relate with the Storm Web server theme of a disaster in China and the 2008 Olympic Games in Beijing.

Another note of interest in my fake SMTP server logs is the User Agent for the spam messages seems to only ever be one of two different unique User Agents either “Thunderbird 2.0.0.6 (Windows/20070728)” or “Thunderbird 1.5.0.13 (Windows/20070809)”. I can’t believe I missed this, but after revisiting several of my old SMTP log files I have found this to be a common pattern for almost a month now. These both seem to be legitimate User Agents via my Google search results, but since they are old Thunderbird mail clients it may be worth looking into possibly writing a snort signature for something like this. I was thinking about testing the waters to see what I come up with in the next few days. If any of you run a mail server I would definitely be interested in hearing your opinion on how popular these User Agents are. Here is my full SMTP log for this afternoon’s run: smtplogs.txt

To sum this short post up here is the usual Storm Peering IP list extracted from the configuration file: peers2.txt and my Virus Total results for the binary files: beijing.exe and msvupdater.exe.

Looks like the authors of the Storm Worm have decided to revisit the usage of exploits along with their normal Social Engineering techniques by including an iframe within their current web page. The current Storm Worm web page uses an earthquake message as it’s attempt at social engineering unsuspecting users into downloading a video file, which of course is the Storm Worm. Here is the message the Storm authors are currently presenting to users:

A new powerful disaster just occurred in China. The most deadly, 9 magnitude, earthquake took away million of lives in the heart of China, Beijing. Rapidly growing panic paralyzed life of Chinese capital. 2008 Olympic Games are under the threat of failure. Click on the video to see the details of this terrible disaster and choose either “Open” or “Run”.

Combining the upcoming Olympic games starting in ~49 days and a natural disaster looks like it may be a new theme that numerous Malware authors will begin to utilize, as current events and disasters always seem to attract a large crowd. I know we started seeing the Olympic games themed Malware several months ago, but now with the Storm Worm authors using it and the start of the games approaching it is my opinion we will see a quadratic rise in the amount of Malware, Phishing sites, and Social Engineering attempts tailored to the unsuspecting followers of the games.

The actual look and feel of this new page is simple and light. Here is an image of the current page:

Video themes also seem to be the standard approach for the Storm Worm authors, so I really was not surprised to see another one being used.

The source code for this page is where we will find the interesting and new obfusticated scripts used to execute multiple exploits tailored to your browser. Here is a snapshot of the source code for the index page:

Obviously if you click the image you will download the “beijing.exe” binary file, which is the Storm Worm Trojan. The interesting piece of code on this page is the iframe for including the “ind.php” file. This “ind.php” file is nothing new to the Storm Worm, as this file name has been utilized in the past Storm Worm exploit attempts and doesn’t seem to be going away anytime soon. The contents of the “ind.php” file has changed and is a little harder to deobfusticate. It took me three runs through the file to deobfusticate and analysis this file. The exploit attempts in the “ind.php” file do not appear to be anything new, so I won’t bore you with it’s details other than stating everyone should keep all of their software applications up to date and patched. The binary downloaded inside the “ind.php” file is titled: “load.php?bof”.

I ran the “load.php?bof” and “beijing.exe” through VirusTotal and here are the results: “load.php?bof” and “beijing.exe“. The identification results were less than 50% for both binaries, so I would highly suggest you continue to block the know active Storm Worm domain names with DNS blackholing, content filters, and/or proxy filters. Here is a list of the current malicious Storm Worm Domain names hosting the Trojan binary using the theme discussed in this post:

• grupogaleria.cn
• activeware.cn
• cadeaux-avenue.cn
• polkerdesign.cn
• biztech-co.cn
• ratedhot.cn
• pacoast.cn
• fconnorlaw.cn
• tellicolakerealty.cn

I also ran the “load.php?bof” binary in my lab to get a quick look at the spam being sent out by this run, as it seems to be changing topics a little faster than normal with the recent penny stock emails and then back to Canadian pharmaceuticals. I captured 684 spam emails during this short lab run. The oddity with this run was I only identified one domain name being utilized in the data section of the email: “usualprocess.com” and of course the Storm Worm spam was applying a random subdomain name to this domain name. Here is all of the subdomain names I saw during my short run: smtp_log. Another thing I noticed was the name servers for the “usualprocess.com” were not only rotating IP addresses as they always do using a fast flux approach, but the name server domain names were being rotated as well. Here is a list of the name server domain names I saw in my queries:

• ns0.tenshinohane.com
• ns0.forgottensin.com
• ns0.toptenslist.com
• ns0.torstenstv.com

Obviously this is another attempt to keep the links being sent out in emails available. Using passive DNS analysis I was able to identify the following domains as active domain names being severed up by the above name servers, and this list may possibly be a few more domain names worthy of blocking:

• boywhole.com
• metalmorning.com
• oftendollar.com
• describeenter.com
• industryexpect.com
• meanquiet.com
• yetresult.com

The last thing I noted was this binary installed itself in the %WinDir% as “msvupdater.exe” with a peer file in this same directory titled “msvupdater.config”. Here is the 830 peer IP addresses I extracted: peers.txt.

Tonights Storm Worm spam was made up of the same old Canadian Pharmaceutical material they were pushing out before the Angstrom Microsystems unauthorized stock spam campaign. The unique domains I extracted from the spam messages were:

• describeenter.com
• industryexpect.com
• meanquiet.com
• oftendollar.com
• yetresult.com

All of these domains are fast flux domains resolving to 20 different IP addresses per query that seem to rotate on a set schedule of every 2 minutes. There is no telling how many total IP addresses, but I am sure it is a lot. If you have DNS blackholing capabilities, content filters, and/or spam filters I would update them now with these domain names.

Another note of interest regarding this spam is wild card sub domains are being used in all of the spam messages I captured. Here is a list of the unique sub domains: sub domains list. This Canadian Pharmacy website does not seem to change much in it’s presentation and the following logo seems to be constant.

The only new option I identified in looking at this site during this analysis was the option to submit your Instant Messenger information when trying to contact them. Just another way to collect user data in which they can use as a spam mechanism is my guess. Here is what the current form looks like:

This may not be a new, but it is the first time I noticed it. Another note of interest is they seem to take a wide variety of payment types as seen here.

As always if you have any questions or comments feel free to contact me.