sudosecure.net

is anything truly secure…

Archive for the 'Storm Worm' Category


Storm Worm Spam now pushing Stocks (AGMS)

Posted by jeremy on 16th June 2008

Looks like the authors of the Storm Worm spamming bot have moved on from Canadian Pharmaceuticals to giving financial advice. While running the Storm Worm in my lab and allowing it to beat up my fake SMTP server I captured 2,379 spam messages. Of these there were only 130 unique subject lines, which can be seen here: subjects. As you can see all of the subjects pertain to motivating someone to go out and buy penny stocks. Various misspelled messages were seen such as this one:

d_ n't w e preidct it?

Busienss Name: Ans-gtrom Microsytsems
Ticker: agms.ob
Outlook: Storng Purchase
Marekt prcie: .4 00
Shaers- traded: 331,485-

Now that- the news it o'ut, vol.um e is thorugh __the roof.

Mroe events will un'fo"l d , clien'ts are seeing the need for these
prodcuts A GMS. can be your ticket.,

The window" is still open,' obtain this stock early Te'u sday.

This definitely is not the Storm Worm Authors' most professional looking work, and is actually very sloppy compared to past spam campaigns. Here is a copy of my full log: smtp log

Another oddity in this move to pushing penny stocks is that the company being represented in these spam messages does not appear to be a willing participant in the spam campaign. Searching Google, I found several references to these spam messages and actually found this particular article interesting: marketwatch.com article. Angstrom Microsystems appears to be searching out the people and/or organization behind these spam messages, so I have sent them an email describing my findings and wish them the best of luck with doing what many others would like to do and catching the Storm Worm Authors. Maybe with the help of the US Securities and Exchange Commission they will grow closer to being able to prosecute at least someone from the Russian Business Network. I wouldn't get my hopes up though.

The binary I used in my testing was the "loveyou.exe" binary being hosted by numerous Storm Web Servers. Once run, it creates another binary named "msoupdater.exe" in "%WinDir%" along with a list of peers of other Storm Worm bots titled "msoupdater.config". Some good news about this version of the Storm Worm is that it is being detected by antivirus software fairly well. VirusTotal Results: loveyou.exe and msoupdater.exe. Here are the 903 peers I extracted from the msoupdater.config file: peers.txt.

On another note, sorry for my lack of posting lately as I have been on vacation and enjoying summer. As always if you have any questions or comments feel free to contact me.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm Worm is back and SPAM is flowing.

Posted by jeremy on 30th May 2008

It looks like the Storm Worm authors have finally got their DNS issues worked out and have started repairing the overall botnet structure. I wonder how much money is lost when a spam sending botnet the size of the Storm Worm is down for longer than a few days? I would bet it is a lot. Anyways it looks like the Storm Worm Web servers do not have an index page defined yet, but I bet that this configuration is short-lived. I was only able to grab these files or pages from a Storm Worm server during my testing: ind.php, load.php, sony.exe, loveyou.exe, and iloveyou.exe. The iloveyou.exe and loveyou.exe are identical binaries with the same md5sums, and here are their VirusTotal results. The load.php and sony.exe are also identical binaries, and here are their VirusTotal results. According to the VirusTotal statistics it looks like about 50% of the Antivirus companies are detecting these binaries at this time. Running these binaries in my sandnet shows they are still using the herjek.exe and herjek.config file names and are located in the Windows directory (%windir%). Here is a list of the 815 peers I was able to extract: peers_list.txt.

Some of the more interesting findings in my tests this afternoon had to do with the spam the Storm Worm was trying to send out. All of the spam being sent out right now is using subdomain names for only a few unique domain names. The following are the unique domain names I was able to extract from my sandnet SMTP mail server:

  • catsharp.com
  • lowsmell.com
  • picturewest.com
  • posestory.com
  • pressrose.com
  • producemorning.com

Here are a few of the subdomain names I saw:

  • aayxyi.catsharp.com
  • acknl.pressrose.com
  • acz.picturewest.com
  • ad.producemorning.com
  • adru.picturewest.com
  • aegi.lowsmell.com
  • aegirl.pressrose.com
  • aemw.picturewest.com
  • afpirl.picturewest.com

A full list of the subdomain names I was able to identify can be found here: smtp_sites subdomains. Obviously these subdomains are randomly generated and the Storm DNS servers have wildcards to accept requests for any subdomain of the few domain names I listed earlier. All of these domains and subdomains seem to point you to the Canadian Pharmacy site I spoke about in my last Storm Worm posting. This time though it looks like even the SPAM domains are using Fast Flux technology to rotate their IP addresses from a list of 20 IPs that are also rotated about every two minutes. This will definitely prevent IP blocks from being effective, so if you have any type of DNS blackholing or blacklists I would suggest you add these domains to those lists now. All of the SPAM was focused on Pharmaceuticals, which is fairly normal for the Storm Worm. Here is a list of the unique subject lines I saw in my sandnet: smtp_subjects.txt.

One last note of interest for everyone who emailed me about the Storm Binary Tracker being down. My outage was due to the Storm Worm having intermittent issues, but since these issues are over my Storm Binary Tracker is now back up and running. Happy Malware Hunting!

Posted in Bots and Worms, Storm Worm | No Comments »

Storm DNS Servers not answering

Posted by jeremy on 26th May 2008

Currently the Storm Worm domain name servers are not responding to DNS queries for the known Storm Worm Domain names. The Fast Flux DNS magic the Storm Worm utilizes has been one of the key factors in its past success, so I would think this is a short-lived outage. Currently all of the live Storm Worm domain names I am aware of are pointing to the following DNS servers:

  • ns.likenewvideos.com
  • ns2.likenewvideos.com
  • ns3.likenewvideos.com
  • ns4.likenewvideos.com

The oddity of this outage is that the above name servers are rotating their A records with no issues, but none of them have any A records to serve up for the Storm Worm Web Servers. Here are a few examples of my dig query outputs:

;; ANSWER SECTION:
ns.likenewvideos.com. 70381 IN A 76.174.44.224

;; AUTHORITY SECTION:
likenewvideos.com. 70381 IN NS ns4.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns2.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns3.likenewvideos.com.

;; ADDITIONAL SECTION:
ns2.likenewvideos.com. 70381 IN A 209.159.249.102
ns3.likenewvideos.com. 70381 IN A 117.123.100.162
ns4.likenewvideos.com. 70381 IN A 213.211.109.179

;; ANSWER SECTION:
ns2.likenewvideos.com. 150897 IN A 76.90.237.129

;; AUTHORITY SECTION:
likenewvideos.com. 150897 IN NS ns4.likenewvideos.com.
likenewvideos.com. 150897 IN NS ns.likenewvideos.com.
likenewvideos.com. 150897 IN NS ns2.likenewvideos.com.
likenewvideos.com. 150897 IN NS ns3.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 150897 IN A 69.249.236.201
ns3.likenewvideos.com. 150897 IN A 70.121.44.74
ns4.likenewvideos.com. 150897 IN A 209.159.249.102

;; AUTHORITY SECTION:
likenewvideos.com. 70125 IN NS ns2.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns3.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns4.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 70125 IN A 76.174.44.224
ns2.likenewvideos.com. 70125 IN A 209.159.249.102
ns4.likenewvideos.com. 70125 IN A 213.211.109.179

;; ANSWER SECTION:
ns4.likenewvideos.com. 150781 IN A 209.159.249.102

;; AUTHORITY SECTION:
likenewvideos.com. 150781 IN NS ns3.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns4.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns2.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 150781 IN A 69.249.236.201
ns2.likenewvideos.com. 150781 IN A 76.90.237.129
ns3.likenewvideos.com. 150781 IN A 70.121.44.74
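As an added example (my own code, not something from the original post), here is a small Python parser for dig output like the queries above: it collects every A record per name across the lookups, reports names whose address changed between lookups (the rotation the post describes) and flags lookups that came back with no ANSWER section at all. The embedded sample is three of the four query outputs quoted above, so the script runs offline.

```python
import re
from collections import defaultdict

# Three of the four dig outputs quoted in the post (queries 1, 3 and 4),
# embedded here as the sample input so the script runs offline.
DIG_OUTPUT = """\
;; ANSWER SECTION:
ns.likenewvideos.com. 70381 IN A 76.174.44.224

;; AUTHORITY SECTION:
likenewvideos.com. 70381 IN NS ns4.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns2.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns3.likenewvideos.com.

;; ADDITIONAL SECTION:
ns2.likenewvideos.com. 70381 IN A 209.159.249.102
ns3.likenewvideos.com. 70381 IN A 117.123.100.162
ns4.likenewvideos.com. 70381 IN A 213.211.109.179

;; AUTHORITY SECTION:
likenewvideos.com. 70125 IN NS ns2.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns3.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns4.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 70125 IN A 76.174.44.224
ns2.likenewvideos.com. 70125 IN A 209.159.249.102
ns4.likenewvideos.com. 70125 IN A 213.211.109.179

;; ANSWER SECTION:
ns4.likenewvideos.com. 150781 IN A 209.159.249.102

;; AUTHORITY SECTION:
likenewvideos.com. 150781 IN NS ns3.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns4.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns2.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 150781 IN A 69.249.236.201
ns2.likenewvideos.com. 150781 IN A 76.90.237.129
ns3.likenewvideos.com. 150781 IN A 70.121.44.74
"""

SECTION_RE = re.compile(r"^;; (ANSWER|AUTHORITY|ADDITIONAL) SECTION:$")
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)$")
ORDER = {"ANSWER": 0, "AUTHORITY": 1, "ADDITIONAL": 2}


def parse_dig(text):
    """Split concatenated dig output into one dict per query.
    A new query starts whenever a section header is not 'later' than the
    previous one (e.g. AUTHORITY right after ADDITIONAL). Each dict maps
    section name -> list of (name, ttl, type, rdata)."""
    queries, current, section, last_order = [], None, None, -1
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            if current is None or ORDER[section] <= last_order:
                current = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
                queries.append(current)
            last_order = ORDER[section]
            continue
        m = RECORD_RE.match(line)
        if m and current is not None:
            name, ttl, rtype, rdata = m.groups()
            current[section].append((name.rstrip("."), int(ttl), rtype, rdata.rstrip(".")))
    return queries


def a_records_by_name(queries):
    """Collect every A record seen for each name across all queries."""
    seen = defaultdict(set)
    for q in queries:
        for records in q.values():
            for name, _ttl, rtype, rdata in records:
                if rtype == "A":
                    seen[name].add(rdata)
    return seen


def rotating_hosts(queries, min_ips=2):
    """Names whose A record changed between lookups: the fast-flux signature."""
    return {n: sorted(ips) for n, ips in a_records_by_name(queries).items() if len(ips) >= min_ips}


def queries_without_answer(queries):
    """Indexes of lookups that returned no ANSWER section at all."""
    return [i for i, q in enumerate(queries) if not q["ANSWER"]]
```

Run against the sample, all four name servers come back as rotating (two addresses each) and the middle lookup is flagged as having no ANSWER section, which is exactly the picture the post describes: the name servers keep rotating, but there is nothing behind them to answer for the web servers.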

It also looks like an outage has surfaced in the Storm Spam being sent out. I ran a sample for over 3 hours in my sandnet with not one single SMTP packet being sent out, so the good news is this outage may eliminate a few spam messages in my inbox tomorrow morning.

It also looks like my p2p list in the herjek.config file is shrinking slowly, with only 778 IPs in it right now. Here is the decoded herjek.config peer list: Storm Peer IP List.

I don't really think this outage will last longer than 24 hours, and would be surprised if it is still occurring when I get up in the morning. This is more than likely down time for an update, or maybe even some type of configuration changes being conducted by the Storm Worm Authors. Look for something new from them real soon!

UPDATE: I am now starting to see the Storm Worm DNS servers and Web servers recover, but it now seems as if the entire Storm Worm network is experiencing intermittent availability. Again, I don't believe this is something permanent, and it is more than likely intermittent outages as the Storm Worm Authors get their updates and/or changes out.

Posted in Bots and Worms, Storm Worm | 3 Comments »

Storm Worm Slowing Down (maybe) but still Spamming

Posted by jeremy on 23rd May 2008

In the last 24 to 48 hours I have seen a tremendous slow down in the number of Storm Worm web server IPs being rotated through the Fast Flux network. I usually average about 8,000 to 10,000 unique IPs a day using some custom scripts to query the Storm Worm DNS servers, but for the last 24 hours I have only seen 223 unique IPs. I am not sure why this has occurred, and it may just be a hiccup that has unintentionally occurred. Although in the past when I have identified hiccups in the Storm network it has always been on the eve of a change. This may very well be an indicator that change is on the horizon, since this is Memorial Day weekend here in the United States. Here is a list of the 223 Storm Web Serving IPs I have seen in the last 24 hours: Storm Web Server Unique IPs.

Since I saw this tremendous reduction in Storm Web Servers I figured I would check to see if there was any reduction in the number of peers currently stored in the herjek.config file. Although this is not a good overall indicator of how many bots are in the Storm Worm network, I still thought I would check. I did not see any obvious reductions, with 850 IPs being maintained in my sandnet run for a little over an hour. Here is a list of the peers from this run: Storm Peer List.

I have just recently started looking deeper into the Spam sent out by the Storm Worm and I have identified a few interesting characteristics. I captured a total of 2,524 Spam messages during the same one hour sandnet run I mentioned earlier in this posting. Out of the 2,524 Spam messages there were exactly 853 unique Subject lines all pertaining to pharmaceuticals, mostly focused on male enhancements and Viagra. Here is a file with all of the unique subject lines I saw: Storm SMTP Subject Lines. Another interesting observation is out of all these Spam Messages there were only 9 different domain names being advertised within the spam messages. These domain names were:

  1. catsharp.com
  2. followequate.com
  3. industrydictionary.com
  4. lowsmell.com
  5. picturewest.com
  6. posestory.com
  7. pressrose.com
  8. printlength.com
  9. producemorning.com

All of which resolved to IP address 220.162.247.222, which seems to be a Canadian Pharmacy website advertised as the #1 online drug store. In their FAQ they claim that all physicians are US licensed, using only board certified physicians and U.S.-licensed pharmacies. They also state all of their products are manufactured and shipped from India and approved by the INDIAN FDA for export. I got a real laugh when I saw this Canadian Pharmaceutical company actually advertising an Anti-Spam policy. Here are a few direct quotes from this policy:

Canadian Pharmacy supports ONLY permission-based email management practices. In this regard, Canadian Pharmacy has implemented various policies and procedures that:

  • Help prevent Canadian Pharmacy from being used for the purpose of unsolicited email campaigns.
  • Encourage permission-based marketing.
  • Respond to all complaints suggesting Canadian Pharmacy has been used as a vehicle to send unsolicited email.

You may not use the Canadian Pharmacy or the products or services provided through or in connection with the Canadian Pharmacy to: a. send unsolicited bulk email, for commercial or non-commercial purposes. Unsolicited bulk email is defined as email sent to more than 10 individuals without their permission.

Canadian Pharmacy takes permission marketing very seriously. Thank you for reviewing our Anti-Spam Policy.

Another interesting pun available on this site is their privacy policy. Here are a few of the humorous lines I found in this policy:

Use of Your Email Information
Canadian Pharmacy is not an email list rental service and does not rent or sell any email addresses or other contact information that you provide.

E-mail and Direct Response Contact
All of our direct response methods are opt-in. If you subscribed to our e-mail newsletter(s) but do not want to receive it in the future, please follow the "unsubscribe" instructions contained in the newsletter(s)

Well that is odd, as I seem to have just parsed through a few thousand Spam messages generated from the Storm Bot that all pointed to them. I guess policies like these help them seem like a more legit website/company that is actively taking action against unsolicited spam. Just to see what would happen I went ahead and posted a message in their contact us form. I guess they don't appreciate spam either, as they are employing a CAPTCHA to limit the comment spam bots. They also publish the following email address as their customer support email address: support@canadianmedicationsupport.com. Too bad there are no MX or A records being advertised for this domain, so emails will definitely have a difficult time getting to them.

Using passive DNS discovery techniques I was able to identify a few more IP addresses and Domain Names associated with this devious pharmaceutical supplier:

methodproduce.com A 220.162.247.222
pressrose.com A 220.162.247.222
followequate.com A 220.162.247.222
producemorning.com A 220.162.247.222
printlength.com A 220.162.247.222
lowsmell.com A 220.162.247.222
ns3.adverdomain.com A 220.162.247.222
catsharp.com A 220.162.247.222
gladcoat.com A 220.162.247.222
wyd.gladcoat.com A 220.162.247.222
picturewest.com A 220.162.247.222
industrydictionary.com A 220.162.247.222
posestory.com A 220.162.247.222
viagrabest.info A 220.162.247.222
www.viagrabest.info CNAME viagrabest.info

catsharp.com A 61.253.105.133
catsharp.com A 79.135.167.4
catsharp.com A 116.123.47.80
catsharp.com A 220.162.247.222
catsharp.com NS ns2.xinnet.cn
catsharp.com NS ns.xinnet.cn
catsharp.com NS ns1.qw22.com
catsharp.com NS ns2.qw22.com
catsharp.com NS ns3.qw22.com
catsharp.com NS ns4.qw22.com
catsharp.com NS ns2.xinnetdns.com
catsharp.com NS ns.xinnetdns.com

Looks like they have been doing this for some time now based off all of the IPs and Domain Names listed in the queries. I also noticed that all of these IPs seem to be using Virtual Host configurations, as visiting these sites strictly by IP will get you interesting messages like "It works!" and squid proxy messages. All of these sites are served by Nginx web servers. Nginx web servers seem to be a popular choice for phishing sites, malware serving sites, and now pharmaceutical sites. I should also note the Storm Worm binary serving web servers use this same web server. I won't bore you with whois query results, but I did find it interesting that "Wen Fang" seems to be the registrant for all of the domain names being used, along with a few hundred other domain names.

As always if you have any questions or comments regarding this information feel free to contact me anytime and have a nice Memorial Day Weekend!

Posted in Bots and Worms, Storm Worm | No Comments »

Storm revisits Social Engineering

Posted by jeremy on 19th May 2008

Looks like the Storm Worm authors are back to using good old-fashioned Social Engineering to infect unsuspecting users. Obviously this is nothing new for the Storm Worm, but for the last few weeks they have relied solely on iframe redirections combined with fancy JavaScript obfuscation serving up multiple exploits. My assumption would be this new wave of Social Engineering is a result of the Storm Worm Botnet shrinking in size every day.

The new web page is simple and to the point with only the following message being displayed:

Your download should start automatically in a few seconds. If not, click here to start the download.

The page source code looks like this:

As you can see there are two binaries being offered up by this page: "loveyou.exe" and "iloveyou.exe". If you click the hyperlink on this page you will download the "loveyou.exe" binary. If you just wait 5 seconds you will automatically download the "iloveyou.exe" binary via a meta tag refresh. This is of course very simple code in comparison to the "ind.php" JavaScript obfuscated page, which might I add is still being offered up with multiple exploits to anyone visiting this page.

This particular version of the Storm Worm creates a configuration file of peers in the %WINDIR% titled: "totacon.config" and the actual Storm Worm Binary file titled: "totacon.exe". VirusTotal results at the time of this analysis were not very promising (6/32), and can be found here: VirusTotal results for iloveyou.exe and VirusTotal results for totacon.exe. Microsoft does seem to be on top of this, so they get an AT-A-BOY from me. Just for the fun of it I also ran the "iloveyou.exe" through the ThreatExpert Sandbox and ended up with these results: ThreatExpert Report iloveyou.exe.

I have decided to post a few of my results from my personal sandbox analysis conducted in my makeshift lab. First off here is a list of the 804 IPs I was able to extract from the "totacon.config" file with my storm_config_decoder.pl script: Totacon Config Storm Peers. I also decided to grab some SMTP traffic by modifying Joe Stewart's Truman fauxsmtp.pl script combined with my Perl DNS script to safely collect the spam without my ISP going nuts, and also without running the risk of getting blacklisted. Here is that log file for your viewing pleasure: Storm Worm SMTP Log file. As you can see the Storm Worm SPAM mails focus heavily on male enhancement pharmaceuticals, no surprise here. On a positive side note all of the http references for this SPAM run instance are blank. I believe this is because the current Storm Worm Domain Names being utilized have had their A records removed, possibly because the Registrant may have taken action against them. Thanks Mark from http://spamtrackers.eu for this information, as I was initially caught a little off guard by my logs until I saw your comments.

I also went ahead and decrypted some of the eDonkey p2p traffic as a quick check to see if the "XOR" key had changed, but it had not. Here is a portion of the decrypted pcap for anyone that is curious to actually see what the Storm Worm p2p Botnet traffic looks like: Decrypted Storm Worm PCAP, and just for comparison here is the same pcap slice encrypted in its original form: Storm Worm Traffic Encrypted. Note you will need to utilize an eDonkey decoder to correctly decode the eDonkey protocol, such as the one built into Wireshark. In Wireshark it is as simple as opening the file, clicking the "Analyze" menu option, and then selecting the "Decode As" menu option from the drop-down. From here scroll down and select the eDonkey protocol using the SRC UDP port (24571) in this instance, and finally press the "OK" button. You should see several "Publicize" messages under the info column now, which means you have succeeded at decoding the eDonkey protocol. ;)

As always if you have any questions or comments feel free to shoot them my way. One last thing, I would like to go ahead and thank the professionals and gurus over at UploadMalware.com and MalwareDomainList.com as many of them have actively collaborated and shared insightful information with me on this subject on a daily basis since I became a member. Your help is greatly appreciated!

UPDATE: I reported that the following Storm Worm Domain Names were no longer active: polkerdesign.cn, tellicolakerealty.cn, and cadeaux-avenue.cn. This information was inaccurate as it was only the Storm Worm Name Servers that were taken action against, causing my queries to fail. The following Name Servers no longer resolve Storm Worm Domain Names as connections seem to be refused: ns.orthelike.com, ns2.orthelike.com, ns3.orthelike.com, and ns4.orthelike.com.

Posted in Bots and Worms, Storm Worm | 4 Comments »

Storm Worm using a 2 stage attack system

Posted by jeremy on 6th May 2008

The Storm Authors are starting to experiment with new and creative ways to ensure we can't track them easily with their latest variant released earlier today. This recent change is actually fairly simple, but at the same time fairly effective in that only the stage one binary "load.php" (Storm's Trojan Downloader) can grab the second stage binary "load2.php", which is the actual Storm Worm binary. They do this by filtering on User Agents. The Storm Trojan downloader's User Agent is "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)". Notice the "SV1921" portion as it seems to be the only unique portion that separates this User Agent from the normal Internet Explorer 6 User Agent. To be more specific, the actual Storm Worm binary can only be downloaded with an application using "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)" as its User Agent at this time. I tried several other common IE User Agents, and multiple combinations/variants of the Storm Trojan Downloader User Agent, and was unsuccessful at retrieving the binary. With that information I think it would be safe to create a Snort IDS signature looking just for this specific User Agent. I have submitted my findings over to Matt Jonkman at Emerging Threats to get his expert opinion on this. My suggestion would be an update of sid:2008077 to look like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/67; sid:2008077; rev:6;)
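As an added example (my own code, not part of the post or the Emerging Threats rule set), the following Python mirrors the rule's content match against raw HTTP request bytes and contrasts it with a header-aware check. The requests are constructed test fixtures built locally and never sent; the host name "storm.example" and the request path are placeholders.

```python
# Exact header bytes the Snort rule's content: option matches, including the
# CRLF on both sides so only a complete User-Agent header line triggers it.
STORM_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)"
RULE_CONTENT = b"\r\nUser-Agent: " + STORM_UA.encode("ascii") + b"\r\n"


def matches_snort_content(raw_request: bytes) -> bool:
    """Case-sensitive substring match on the raw request, like the rule (no 'nocase')."""
    return RULE_CONTENT in raw_request


def parse_headers(raw_request: bytes) -> dict:
    """Parse the request head into a dict of lower-cased header name -> value."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def is_storm_downloader_ua(raw_request: bytes) -> bool:
    """Header-aware check: header name case-insensitive, UA value must match exactly."""
    return parse_headers(raw_request).get("user-agent") == STORM_UA


def build_request(ua: str, header_name: str = "User-Agent") -> bytes:
    """Construct a local test-fixture request; 'storm.example' and the path are placeholders."""
    return (f"GET /load2.php HTTP/1.1\r\nHost: storm.example\r\n"
            f"{header_name}: {ua}\r\nConnection: close\r\n\r\n").encode("ascii")


# Constructed samples: the downloader's UA, a stock IE6 UA, a near-variant
# (the post reports that variants of the UA did not retrieve the binary), and
# the same UA with a lower-cased header name.
SAMPLES = {
    "storm_downloader": build_request(STORM_UA),
    "stock_ie6": build_request("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
    "variant_nt_5_0": build_request("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; SV1921)"),
    "lowercase_header": build_request(STORM_UA, header_name="user-agent"),
}


def classify(samples=SAMPLES):
    """Return {sample label: (snort_content_hit, header_aware_hit)}."""
    return {label: (matches_snort_content(req), is_storm_downloader_ua(req))
            for label, req in samples.items()}


if __name__ == "__main__":
    for label, (snort_hit, header_hit) in classify().items():
        print(f"{label:18} snort_content={snort_hit!s:5} header_aware={header_hit}")
```

The "lowercase_header" sample shows the one gap between the two checks: a Snort content match is case-sensitive unless the rule adds nocase, so a request whose header name is spelled differently slips past the byte match even though the UA value is identical; this matters little for a downloader that emits a fixed header, but is worth remembering whenever a signature keys on header names.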

During the analysis of this variant I also discovered a new Storm Worm Fast Flux domain name: "polkerdesign.cn". The other domain names I was tracking: "apartment-mall.cn, stateandfed.cn, centerprop.cn, and phillipsdminc.cn" have all been shut down, which is good news.

It also looks like Antivirus companies are still behind in getting good signatures out to detect these new variants. Here are my VirusTotal results for "load.php" (38.71%) and my VirusTotal results for "load2.php" (35.48%). In closing, here is a fresh list of the 908 peering IP addresses I extracted from the configuration file "herjek.config": herjek_peers.

As always if you have any questions or comments feel free to contact me.

UPDATE: There was a typo in my initial post leaving out the "Windows NT 5.1" portion. I have corrected this inline, thanks to Levi for his comments.

Posted in Bots and Worms, Storm Worm | 9 Comments »

Storm Worm Morphs to only serve exploits

Posted by jeremy on 4th May 2008

Looks like my hunches yesterday about the Storm Worm authors being up to something were right on target. One of the researchers over at UploadMalware.com discovered the Storm Worm authors spawned a new variant yesterday. This new campaign is solely based off of iframe injections, so far. Maybe in the coming days or hours this will change and we will see some type of enticing download campaign we have grown so fond of. I would not rule it out as the Storm Worm authors have used the social engineering factor very successfully for over a year now, and I don't see that going away anytime soon.

Alrighty then let me get to some of the juicy stuff about this new campaign. We now have three active Storm Fast Flux domain names serving up obfuscated JavaScript via a PHP file titled "ind.php". The thing that completely threw me off yesterday was they are filtering the exploit with a User Agent check. If you try to grab the "ind.php" with a non-exploitable browser or command you will receive a blank page. Here is a PDF of the current "ind.php" file and its deobfuscated code: ind.php analysis. As you can see in the PDF you will be hit with multiple exploits and if any of them are successful you will be receiving the Storm Worm binary downloader from another PHP file titled: "load.php". Detection is very limited for this new variant downloader: VirusTotal Results for load.php. This downloader will then grab the file "load.exe" which is the actual Storm Worm binary and detection for this is low as well: VirusTotal Results for load.exe.

The new binary drops itself into the Windows directory (%windir%) during installation and is titled: "libor.exe" along with its new peer file titled: "gogora.config". Just for the heck of it here is a list of the 903 peers I extracted from the config file: peers.

The three currently active domain names are "stateandfed.cn, apartment-mall.cn and centerprop.cn" and it would be advisable to anyone with DNS blackholing or content filtering devices to put them in your configurations now. I am sure we will see a lot more of this via SPAM with links to new blogspot web pages with the iframe redirections embedded in them on Monday morning.

Also as a side note with the authors changing the web page I am having issues with my Storm Binary tracker. I should have them worked out shortly and the database will get updated as soon as I do. If you have any questions or comments feel free to shoot them my way.

Posted in Bots and Worms, Storm Worm | 1 Comment »

Storm Worm Web Servers changing

Posted by jeremy on 3rd May 2008

It appears that earlier this morning around 9am CST the Storm Worm web servers pulled the StormCodec.exe and StormCodec8.exe binaries. I am not sure what is actually occurring as of yet, but my guess is this is preparation for a new download campaign that will begin shortly. If I had to guess, I would guess that the next download campaign would be "Happy Mother's Day" and I would prepare for a fresh set of Spam messages arriving Monday morning.

Another guess would be this is the beginning of the end for the Storm Worm with everyone claiming victory over this menace. I wouldn't bet on that though, as the p2p net is still active (not as large as it used to be) and the Storm Worm's Name Servers are still up and functioning. The only thing that has drastically changed based off my initial investigation this morning is the web servers are not currently serving up the binaries at this time or an index page. If I discover anything new I will let you all know.

Posted in Bots and Worms, Storm Worm | No Comments »

Another Storm Worm Update

Posted by jeremy on 25th April 2008

All of the Domain Names I published a few weeks ago in an article titled "Storm Worm gone Domain registrant happy again!" have now been taken offline, and are no longer resolving to Storm Worm web servers. I noticed "loveinlive.cn" stopped resolving earlier this week, but I just haven't had enough time in the day to publish it. This is definitely good news for all of us in this seemingly never ending cycle of Storm Worm trickery providing us with the constant reminder the Storm Worm is still around.

Recently many security professionals and security companies have begun to downplay the presence and size of the Storm Worm Bot network due to new and/or old (depending on who you ask) bot networks such as Kraken or Bobax, Srizbi, RUSTOCK, Cutwail, and Grum. This could be a sign of hope that just maybe this trend of a shrinking Storm Worm botnet will continue.

A humorous article published by Gregg Keizer from Computerworld titled "Microsoft: We took out Storm botnet" has sparked some interesting conversations in the security community. With Jimmy Kuo making statements like "it was the hammering Microsoft gave the Storm botnet that sent the hackers packing" and "Even though they were able to maintain parts of their botnet, they knew they were in our gun sights. And ultimately they gave up" it would seem Jimmy is very passionate about declaring Microsoft the sole winner in this war and leaves us with the impression it was the quick and precise workings of the Malicious Software Removal Tool (MSRT) that sent the Storm Worm authors packing. Did I mention I thought this article was humorous? I don't like throwing rocks normally, but is there something in the water in Redmond that breeds this type of thinking? We all know the Storm Worm has driven numerous security professionals, companies, and even "Microsoft" a bit crazy since it was first discovered in January of 2007, but to insinuate you and your company alone drove the Storm Worm authors packing swiftly and effectively by deploying a removal tool 9 months later is downright distasteful in my personal opinion. What about giving some of the credit to Security professionals such as Joe Stewart who published detailed information regarding the Storm Worm in his February 8, 2007 article "Storm Worm DDoS Attack" or even the recent detailed case study from the University of Mannheim titled "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm" in which they disclosed a detailed report of how they infiltrated and analyzed the Storm Worm Bot network infrastructure up close and personal.

I was very pleased to read a follow up article published by Gregg Keizer from Computerworld just two days later titled "Microsoft didn't crush Storm, counter researchers". I don't agree with everything stated in this article, but I do 100% agree with Paul Ferguson's statement "Storm is not down and out".

Posted in Bots and Worms, Storm Worm | 2 Comments »

More Storm Domain Names taken Offline

Posted by jeremy on 17th April 2008

Just a short update: it looks like the registrar Xiamen ChinaSource Internet Service Co., Ltd. has taken a few more Storm Worm domain names offline. limpodrift.cn, gasperoblue.cn, gribontruck.cn, giftapplys.cn, and biggetonething.cn are all returning "NXDOMAIN" when I perform an nslookup for them, so Xiamen ChinaSource Internet Service Co. only needs to take action on the last domain name registered through them, loveinlive.cn. I am not sure why they didn't take action against all of them, but at least they are taking some type of action against them.

Posted in Bots and Worms, Storm Worm | No Comments »