sudosecure.net

is anything truly secure…

Archive for the 'Storm Worm' Category


Storm Worm Domain Information update

Posted by jeremy on 15th April 2008

Looks like two of the recently utilized Storm Worm domain names, "newoneforyou.cn" and "thingforyoutoo.cn", have been placed in a hold status by the registrar Xiamen ChinaSource Internet Service Co., Ltd. and are no longer resolving fast flux IP addresses. Oddly enough, the other six domain names being maintained by this registrar are still active. I would have thought that if Xiamen acted on one of the domain names they would have acted on all of them; I guess they need more information regarding these domains before they can make a decision on shutting them down...

Another note of interest: limpodrift.cn, gasperoblue.cn, loveinlive.cn, gribontruck.cn, giftapplys.cn, and biggetonething.cn are all pointing their DNS requests to orthelike.com name servers. So if the registrar BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. took action soon, they could potentially strike a large blow to the current Storm Worm domain names being used, well, until the authors created new name server records.

With all that being said, these new domain names have recently pushed me just over the 100,000 mark for total archived IP addresses indexed by my Storm IP tracking scripts. Note this doesn't mean there are over 100,000 different hosts, as some of these hosts are on DHCP networks, and obviously their IPs could have changed while I was tracking them. The only IPs I am 100% sure are associated with the Storm Worm are the ones you can find in my Storm Worm Binary Tracker and the IPs I have extracted directly from the Storm Worm configuration files with my Storm Worm config file parsing script.

Posted in Bots and Worms, Storm Worm | No Comments »

Storm Worm new/old Exploits back again

Posted by jeremy on 10th April 2008

OK, I finally had a chance to go through the obfuscated JavaScript and thought I would publish my findings to you all. I figured it would be better for me to just start a new post than continue to update the last one, as even I was getting confused. ;) First off, it isn't new for the Storm Worm to use obfuscated JavaScript in exploiting Windows boxes that have not been patched. It has just been several months since the authors utilized this tactic to infect new hosts, as I believe it was in October of last year that the Storm Worm authors were using the MS06-14 vulnerability to infect unpatched computers.

Now when you visit the Storm Worm Web pages you will be hit with 2 different exploit attempts. The first one is hosted in the index file and it looks like this: Storm Exploit Entry Page. Now this is clearly an exploit attempt against the MS06-14 vulnerability published April of 2006. If the exploit works you will receive the "load.exe" file renamed as "win.exe" and it will be executed.

The second exploit is hosted in the flow.php file and it looks like this: Flow_php File. This is clearly another attempt to exploit an old vulnerability in Internet Explorer: MS05-052.

I haven't sacrificed a lab machine yet to see what happens after the infection, but here are my results from a few online sandboxes and virus scanners: VirusTotal Results, ThreatExpert Results

As you can see the Antivirus Companies are struggling to keep up with the Storm Worm with only (6/32) flagging this last submission as Malware. I was actually a little shocked to see Symantec on top of this binary already, good job! Looking at the ThreatExpert results it looks as though the stored binary and configuration file have changed names once again to kavir.exe and nivavir.config, which are still stored in the C:\windows directory. The best recommendation I can give to anyone in trying to prevent this from infecting their computers is to patch your boxes...

I am still waiting for the results from CWsandbox and Anubis, if I get anything interesting back from their analysis I will update this posting.

Posted in Bots and Worms, Storm Worm | 2 Comments »

Storm Worm using JavaScript with exploit code

Posted by jeremy on 10th April 2008

I just now caught the Storm Worm web pages using obfuscated JavaScript to identify your operating system by searching your User-Agent. If the exploit doesn't work you will be directed to the old Storm Codec page mentioned in my last post, where you can still download the Storm Worm manually. I have not completely deobfuscated it as of yet, but here is a copy of the code I am chomping away at now: storm_codec_javascript. Initially it looks like they are using the MS06-14 Microsoft Data Access Components (MDAC) vulnerability to download "load.exe". I submitted load.exe to VirusTotal and here are the results: Load.exe Results. As you can see (13/31), there is not a lot of coverage from the Antivirus Companies right now.

So it does in fact look as though the Storm Worm authors were up to something new after all. More to follow when I have a chance to work with this code some more.

UPDATE: I just started working on the "flow.php" file and was able to identify that it is trying to use the vulnerability addressed in MS05-052. Here is the CLSID I was able to extract from the attempted exploit: "EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"... Again more to come, but I need to stop now and head into work.... ;)

UPDATE 2: I changed the JavaScript text file to a PDF, as I have gotten a few emails from people about their Antivirus software alerting on it... I didn't think a text file would execute the JavaScript. Sorry about that! Here is the new link: storm_codec_javascript

Posted in Bots and Worms, Storm Worm | No Comments »

Storm Worm gone domain registrant happy again!

Posted by jeremy on 9th April 2008

Shaun from the Australian Honeynet Project sent me a few more domain names being used by the Storm Worm authors this morning, thanks Shaun! The following is a list of domain names being utilized by the Storm Worm right now:

  1. orthelike.com - Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
  2. limpodrift.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  3. gasperoblue.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  4. thingforyoutoo.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  5. loveinlive.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  6. gribontruck.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  7. giftapplys.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  8. biggetonething.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  9. newoneforyou.cn - Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  10. supersameas.com - Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
  11. boardhour.com - Registrar: XIN NET TECHNOLOGY CORPORATION

I have not seen this many domain names being utilized since the recent Christmas run a few months ago, could there be something new or big in store for us real soon?

Another really odd thing I just noticed is that the constant changing of the Storm Worm binary is not occurring as of right now. My Storm Worm binary tracker has shown only one MD5 hash "e773e92fef7288faa63d79d497bded91" for all of the binaries retrieved since the authors changed the binary names to StormCodec.exe and StormCodec8.exe. I doubt very seriously this was caused by them breaking/misconfiguring their bot network. So this recent joke of "Storm Codec" may just be a temporary stalling technique used to keep us busy while the authors rework the binary. I say this because I found it very odd the recent binary distributed didn't try to hide itself at all, and although Antivirus companies struggled to publish a signature for the last binary in a timely manner, users could easily detect an infected box by simply looking for the configuration file and/or binary in the C:\windows directory. Also note the new names being used for these files are now: kaglor.config (peer config file) and liibr.exe (current Trojan binary), which are still found in the C:\Windows directory.

Posted in Bots and Worms, Storm Worm | 2 Comments »

New StormCodec.exe and StormCodec8.exe offered free of charge via the Storm Worm

Posted by jeremy on 8th April 2008

Well I must say I about died laughing this afternoon when I discovered the Storm Worm authors decided to publish their Malware Codec under the alias Storm Codec. One thing no one can deny about the Storm Worm authors is they definitely have a sense of humor. As always here is a screen shot of their newest web page:

Storm Worm Codec web page

So as you can see they are offering unsuspecting visitors the newest Storm Worm Trojan as a Media Codec. Almost takes me back to when they were offering the video.exe codec for YouTube. Nothing really new in the web page source code either:

Storm Worm Codec web page source code

I am actually really surprised we haven't seen any new JavaScript obfuscation being used, with all the other major Malware distributors doing it making obfuscated code the "happening thing". I know that a few months ago they were using the unescape function, but nothing since then.

Another note of interest shared with me today via Steven from SecurityZone.org and Shaun, the founder of the Australian Honeynet Project, is that there are now two new domain names for the Storm Worm: supersameas.com and boardhour.com. Steven also noted that superdrugtesting.com was taken offline earlier this morning. The registrar for supersameas.com is "BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN" and the registrar for boardhour.com is "XIN NET TECHNOLOGY CORPORATION". With all that being said, I must applaud registrar "todaynic.com", as they acted really quickly in getting superdrugtesting.com offline. I guess the authors of the Storm Worm made a small mistake registering with a legit Chinese registrar. If all registrars acted that quickly, I would definitely have to come up with a new way to track the Storm Worm web hosts. ;)

One last note of interest: Matt Jonkman, the founder of Emerging Threats, is on top of these changes as always with the two new current event Snort signatures sid:2008111 and 2008112. I would suggest running these rules along with DNS blackholing supersameas.com and boardhour.com, as I am sure there will be more blogspot redirections in the coming days. I have not seen any of the reported spam using the new domain names as of yet, but that doesn't necessarily mean that it isn't out there already.

Posted in Bots and Worms, Storm Worm | No Comments »

Storm Worm Config File Parsing Script for extracting Peer IPs.

Posted by jeremy on 6th April 2008

After talking it over with a few colleagues and friends I have decided to release the script I utilize to extract the peer IP addresses and ports from the Storm Worm ini/config file, as I think it may benefit others. The current configuration file for the Storm Worm is "aromis.config" and it holds the IPs for bot peers the infected computer can communicate with. This will not be the entire list of IPs infected with the Storm Worm, as the Storm Worm breaks its bot networks up into small sub-network-like structures. This is why it has been so hard for Security Professionals to combat the worm and gather an accurate number of hosts infected with this worm.

Something to consider before using the script is that I cannot guarantee it to work on new configuration files, as the authors of the Storm Worm could change this file at any given time. If they do decide to modify the configuration file structure I may or may not decide to update the script to reflect these changes. I think once you see how simple it is, you may just want to update it yourself. I am not a professional programmer nor a Perl guru, so if you find anything insane in the code I welcome your fixes and/or improvements.

With all that being said, run it at your own risk as I provide no warranty! Well here you go: storm_config_decoder_pl. The output from this script is very simple, "ip address:port", for example "192.168.0.1:1234", with the last line of output telling you exactly how many unique IP addresses it was able to identify. Oh, I almost forgot to mention it can parse multiple files: just use the "*" as a wildcard character or specify the files with a space between them. This option has been very useful to me in combining the configuration files from several different infections over a period of time such as the last 24 hours. Try it, as you may get some interesting results ;)
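The behaviour described above (peer entries decoded to "ip:port", duplicates collapsed, a unique-IP count, and wildcard/multi-file input), as an added Python example that is not the author's Perl script. The peer-line layout it parses (<32 hex hash>=<8 hex IP><4 hex port><2 hex flag>, network byte order) is an assumption, since the post does not reproduce the file, and the sample config is constructed.

```python
"""Pull peer IP:port pairs out of Storm Worm style config files.

Added example, not the sudosecure.net Perl script. Assumed layout (the post does not
reproduce the file): each peer line is <32 hex hash>=<8 hex IP><4 hex port><2 hex flag>,
IP and port in network byte order; other lines ([config], ID=, uport=) are ignored.
"""
import glob
import re
import sys
from typing import Iterable, List, Optional, Set, Tuple

PEER_RE = re.compile(r"^([0-9A-Fa-f]{32})=([0-9A-Fa-f]{8})([0-9A-Fa-f]{4})([0-9A-Fa-f]{2})$")

# Constructed sample in the assumed layout; the third peer line repeats the first.
SAMPLE_CONFIG = """[config]
ID=00000000000000000000000000000000
[peers]
0123456789ABCDEF0123456789ABCDEF=C0A800011F9000
FEDCBA9876543210FEDCBA9876543210=0A0000023B6200
0123456789ABCDEF0123456789ABCDEF=C0A800011F9000
00112233445566778899AABBCCDDEEFF=C0A80001235A00
"""

def decode_peer(line: str) -> Optional[Tuple[str, int]]:
    """Decode one peer line to (dotted IP, port); None for any other line."""
    m = PEER_RE.match(line.strip())
    if not m:
        return None
    ip = ".".join(str(int(m.group(2)[i:i + 2], 16)) for i in range(0, 8, 2))
    return ip, int(m.group(3), 16)

def parse_text(text: str) -> List[Tuple[str, int]]:
    """Unique (ip, port) pairs in first-seen order, so repeated entries count once."""
    seen: Set[Tuple[str, int]] = set()
    peers: List[Tuple[str, int]] = []
    for line in text.splitlines():
        peer = decode_peer(line)
        if peer is not None and peer not in seen:
            seen.add(peer)
            peers.append(peer)
    return peers

def unique_ips(peers: Iterable[Tuple[str, int]]) -> Set[str]:
    return {ip for ip, _ in peers}  # distinct hosts regardless of port

def parse_files(patterns: Iterable[str]) -> List[Tuple[str, int]]:
    """Merge peers from several files; each argument may be a '*' wildcard pattern."""
    chunks = []
    for pattern in patterns:
        for path in sorted(glob.glob(pattern)) or [pattern]:
            with open(path, encoding="ascii", errors="replace") as fh:
                chunks.append(fh.read())
    return parse_text("\n".join(chunks))

def main(argv: List[str]) -> int:
    peers = parse_files(argv[1:]) if len(argv) > 1 else parse_text(SAMPLE_CONFIG)
    for ip, port in peers:
        print(f"{ip}:{port}")
    print(f"Unique IP addresses: {len(unique_ips(peers))}")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to decode the embedded sample, or pass one or more file paths or patterns such as `*.config` to merge several captures the way the post describes.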

As always if you have any questions or comments regarding this post or script feel free to contact me at anytime at jeremy [at] sudosecure [dot] net. Enjoy!

Posted in Bots and Worms, Scripts, Storm Worm, Tools | 2 Comments »

Storm Worm Fast Flux domain "superdrugtesting.com"

Posted by jeremy on 6th April 2008

The last active domain name "ibank-halifax.com" was deactivated around March 18th making it a little harder for me to track new Storm Worm Binary hosting web servers and really slowing down my binary harvesting... Which I may add wouldn't bother me a bit if they were just shut down and I could move on to something else, but instead they have registered a new domain name for their fast flux network "superdrugtesting.com" with the Registrar: TODAYNIC.COM, INC. Here is a look at the current whois record:

superdrugtesting whois record

Now take a look at the registrant information, which might I add is obviously fake:

superdrugtesting registrant information

I could be wrong, but I don't think an informative email to "coldercolder55@yahoo.com" is going to get much response in trying to get this new domain name taken offline. One change I noticed was that the authors have now moved from the Russian registrar "nic.ru" to the Chinese registrar "todaynic.com". I hope they didn't move to another country's registrar as an attempt to throw investigators off, as it has become well known the authors reside in St. Petersburg, Russia. If you haven't read the article by Brian Krebs from the Washington Post, take a look at it: Wishing an (Un)Happy Birthday to the Storm Worm. This article didn't seem to get much press coverage, so some of you may not have seen it.

If you have DNS blackholing capabilities, content filtering devices, and/or spam filters I would suggest adding the "superdrugtesting.com" domain name to them at this time. ;) As always if you have any questions or comments feel free to contact me at jeremy [at] sudosecure [dot] net anytime.

Posted in Bots and Worms, Storm Worm | No Comments »

Storm with Love back again!!!

Posted by jeremy on 4th April 2008

Looks like the Storm Worm authors are at it again, but this time with a repeating theme much like the Valentine's Day theme we saw a few months ago. This time there are no automated downloads, nor is there any JavaScript. The page is actually very simple, take a look for yourself:

Storm Worm Love Site

I guess with no major holidays on the horizon and the success rate the Storm Worm authors saw with the "love" theme they decided to revisit it. Here is a snapshot of the current page source:

Storm Love Page Source

So as you can see there are now only two binaries being advertised, "love.exe" and "withlove.exe". I submitted "withlove.exe" to VirusTotal for analysis and, well, only 2/32 AntiVirus applications were able to even call the file suspicious. Here is a link to my results: VirusTotal Results. My Storm Worm Binary tracker first caught the change at 13:33 Central Standard Time, so I guess the lack of detection can be expected. I also sacrificed one of my lab machines to see if anything had changed. Looks like the "aromis.exe" and "aromis.config" files are still being stuck into the C:\windows directory, so nothing new there. I was able to obtain a list of 907 IPs in the peer list. Here is a copy of the list: Storm Worm Peer List (Temporarily removed as I think I messed something up here during my analysis). Well, as always, if you have any questions regarding this posting or anything else feel free to contact me at jeremy [at] sudosecure [dot] net. Have a great weekend!

UPDATE:
Sorry for the confusion with the Peer List. My script that parses the Storm Worm config file had an error in it... OOPS ;) Anyways, I have since fixed the error and ran it again on a newly infected box in my lab. I only got 710 IPs this time, but hey, at least it worked this time. Here is the list I have now: Storm Worm withlove Peer List. I do not guarantee this information as 100% accurate, and if your IP is listed and you would like it removed feel free to contact me at jeremy [at] sudosecure [dot] net. I may post the Perl script I use to parse the file at a later date, once I clean it up and make it a little more user friendly... No promises though!

Posted in Bots and Worms, Storm Worm | No Comments »

April Fools from the Storm Worm

Posted by jeremy on 31st March 2008

Looks like the authors of the Storm Worm are up to no good again, and this April Fools' Day may cause users a prank that will keep system administrators working overtime. This time I believe there is only one image being displayed, unlike the Valentine releases. The image is of a goofy-looking Jester with a strategically placed Post-it note with the message "Kick Me Hard" on his butt. Take a look for yourself, as it is a fairly creative image:

Storm Worm Aprils Fool Jester

The new web page is hosting 3 binary files: kickme.exe, foolsday.exe, and funny.exe. Nothing new here in the source code:

Storm Worm Jesters Source

Using a meta tag to cause funny.exe to be automatically downloaded after 5 seconds is nothing new, and we saw this with the last version of the Storm Worm. Even though all three binaries are titled differently, I didn't find any differences in their characteristics. I haven't run this version in my sandnet yet for a full analysis, but for a quick analysis I submitted this to the ThreatExpert and Anubis sandnets. They are both really quick and dirty ways to get an overview of suspicious binaries, and I tend to use them quite a bit. Here is a link to both of them: Anubis Storm Worm Results and ThreatExpert Storm Worm Results. The Anubis results this time seem to give us a better picture of the nastiness the Storm Worm has to offer. It extracts and installs a binary titled "aromis.exe" and uses a configuration file titled "aromis.config" in the c:\windows directory to join the botnet. I am not seeing any driver modifications as we have seen in the past, but with netsh being used I would guess a default rule is being added to the Windows firewall to allow the bot out. Since this version of the malware isn't hiding itself with a rootkit, it should be fairly easy to identify and remove from infected computers. With that being said, it doesn't look like many of the major Antivirus companies are on top of it yet (VirusTotal Storm Worm Results), so until they are all up to speed I would suggest using the Emerging Threats Snort rules to get an idea of who may be infected, with SIDs 200877, 200878, and 200879. I really dislike signatures that match individual binary names, but in this case I would make an exception. I have had some success in the past with SIDs 2007701 and 2007702, so a good indication would be the generic binary name match followed by these two older signatures matching.

Looks like this new campaign started around 10:48 Central Standard Time today, according to my Storm Binary Tracker, as this was the first time it was able to retrieve kickme.exe. With that note, I have almost reached the 2,000 mark for binaries harvested, Yippee!!! By the looks of my spam filters for the email servers I have eyes on, I would say I may be able to reach way beyond the 2,000 mark, and I must ask the question: will anyone ever put an end to this Bot Net, as it has run free for over a year now?

Posted in Bots and Worms, Storm Worm | No Comments »

No Nameservers for the Storm Worm

Posted by jeremy on 19th March 2008

"ibank-halifax.com", the domain name which the Storm Worm has been utilizing since early January, looks like it is now having some technical difficulties/issues, or nic.ru has finally taken action against the Storm Worm domain. Here is a snippet from my whois request:

Domain Name: IBANK-HALIFAX.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: No nameserver
Status: clientHold
Status: clientTransferProhibited
Updated Date: 18-mar-2008
Creation Date: 08-jan-2008
Expiration Date: 08-jan-2009

Notice the "No nameserver" and Status entries. Here is another whois record from whois.domaintools.com:

Domain name: IBANK-HALIFAX.COM
Creation Date: 2008.01.09
Updated Date: 2008.01.09
Expiration Date: 2009.01.09

Status: NOT DELEGATED

Registrant ID: A4DDYNG-RU
Registrant Name: Nelly B Smith
Registrant Organization: Nelly B Smith
Registrant Street1: TRINITY ROAD, GB
Registrant City: London
Registrant State: UK
Registrant Postal Code: 65412
Registrant Country: GB

Administrative, Technical Contact
Contact ID: A4DDYNG-RU
Contact Name: Nelly B Smith
Contact Organization: Nelly B Smith
Contact Street1: TRINITY ROAD, GB
Contact City: London
Contact State: UK
Contact Postal Code: 65412
Contact Country: GB
Contact Phone: +1 800 3121812
Contact E-mail:

Status: NOT DELEGATED, so again it looks like we may have a few hours of peace and quiet from the Storm Worm... My bet is we will see an Easter themed domain name next, along with hundreds of "happyeaster.exe" cards in our email very soon! Maybe even the first three images returned from a simple Google search for "happy easter" will decorate the web sites. ;)
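The "No nameserver" / clientHold / NOT DELEGATED signals the two records above carry are exactly what a domain watcher wants to flag automatically. As an added Python example (not the author's tooling), the following parses whois text of the kind quoted in this post into fields and classifies a domain as held, not delegated, active or unknown; the two Storm records are trimmed from the post, the "active" record is constructed with placeholder names, and no live lookups are performed.

```python
"""Triage whois text for domains a registrar has put on hold or left undelegated.

Added example, not the sudosecure.net author's tooling. It parses only the 'Key: Value'
text whois servers return (records quoted in the post, plus one constructed 'active'
record for contrast) and performs no live lookups.
"""
from typing import Dict, List, Tuple

# Registrar/EPP statuses that stop a domain resolving while it stays registered.
HOLD_MARKERS = ("clienthold", "serverhold", "pendingdelete")

# Trimmed from the post's nic.ru whois request (registrant block omitted).
NIC_RU_RECORD = """Domain Name: IBANK-HALIFAX.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Name Server: No nameserver
Status: clientHold
Status: clientTransferProhibited
"""

# Trimmed from the post's whois.domaintools.com record.
DOMAINTOOLS_RECORD = """Domain name: IBANK-HALIFAX.COM
Status: NOT DELEGATED
Contact E-mail:
"""

# Constructed record for a normally delegated domain (placeholder names).
ACTIVE_RECORD = """Domain Name: EXAMPLE.COM
Name Server: NS1.EXAMPLE.NET
Status: clientTransferProhibited
"""

def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect 'Key: Value' lines; repeated keys (Status, Name Server) become lists."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep or not value.strip():  # no colon, or an empty field such as 'Contact E-mail:'
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def classify(fields: Dict[str, List[str]]) -> str:
    """Return 'held', 'not delegated', 'active' or 'unknown' for one parsed record."""
    statuses = [s.lower() for s in fields.get("status", [])]
    servers = [s for s in fields.get("name server", []) if s.lower() != "no nameserver"]
    if any(marker in s for s in statuses for marker in HOLD_MARKERS):
        return "held"
    if any("not delegated" in s for s in statuses) or ("name server" in fields and not servers):
        return "not delegated"
    if servers:
        return "active"
    return "unknown"  # record carries no delegation information at all

def verdicts(records: List[str]) -> List[Tuple[str, str]]:
    """(domain, verdict) per record, keeping duplicates such as two lookups of one name."""
    out = []
    for text in records:
        fields = parse_whois(text)
        out.append((fields.get("domain name", ["?"])[0].lower(), classify(fields)))
    return out

if __name__ == "__main__":
    for domain, verdict in verdicts([NIC_RU_RECORD, DOMAINTOOLS_RECORD, ACTIVE_RECORD]):
        print(f"{domain}: {verdict}")
```

A record with no Name Server lines and no hold or delegation status is reported as "unknown" rather than "not delegated", since some whois outputs simply omit delegation details.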

Happy Easter1 Happy Easter2 Happy Easter3

Who knows?

Posted in Bots and Worms, Storm Worm | No Comments »