sudosecure.net

is anything truly secure…

Archive for March, 2008

April Fools from the Storm Worm

Posted by jeremy on 31st March 2008

Looks like the authors of the Storm Worm are up to no good again, and this April Fools' Day may bring users a prank that keeps system administrators working overtime. This time I believe there is only one image being displayed, unlike the Valentine releases. The image is of a goofy-looking jester with a strategically placed Post-it note reading "Kick Me Hard" on his butt. Take a look for yourself, as it is a fairly creative image:

[Image: Storm Worm April Fools Jester]

The new web page is hosting three binary files: kickme.exe, foolsday.exe, and funny.exe. Nothing new here in the page source:

[Image: Storm Worm Jester page source]

Using a meta tag to cause funny.exe to be downloaded automatically after 5 seconds is nothing new; we saw this with the last version of the Storm Worm. Even though all three binaries are named differently, I didn't find any differences in their characteristics. I haven't run this version in my sandnet yet for a full analysis, but for a quick analysis I submitted it to the ThreatExperts and Anubis sandnets. They are both really quick and dirty ways to get an overview of suspicious binaries, and I tend to use them quite a bit. Here is a link to both of them: Anubis Storm Worm Results and ThreatExperts Storm Worm Results. The Anubis results this time seem to give us a better picture of the nastiness the Storm Worm has to offer. It extracts and installs a binary titled "aromis.exe" and uses a configuration file titled "aromis.config" in the c:\windows directory to join the botnet. I am not seeing any driver modifications as we have seen in the past, but with netsh being used I would guess a default rule is being added to the Windows Firewall to allow the bot out. Since this version of the malware isn't hiding itself with a rootkit, it should be fairly easy to identify and remove from infected computers. With that being said, it doesn't look like many of the major antivirus companies are on top of it yet (Virustotal Storm Worm Results), so until they are all up to speed I would suggest using the Emerging Threats Snort rules to get an idea of who may be infected, with SIDs 200877, 200878, and 200879. I really dislike signatures that match individual binary names, but in this case I would make an exception. I have had some success in the past with SIDs 2007701 and 2007702, so a good indication would be the generic binary name match followed by these two older signatures matching.

Looks like this new campaign started around 10:48 Central Standard Time today, according to my Storm Binary Tracker, as this was the first time it was able to retrieve kickme.exe. On that note, I have almost reached the 2,000 mark for binaries harvested, Yippee!!! By the looks of the spam filters on the email servers I have eyes on, I would say I may be able to reach way beyond the 2,000 mark, and I must ask the question: will anyone ever put an end to this botnet, as it has run free for over a year now?

Posted in Bots and Worms, Storm Worm

No Nameservers for the Storm Worm

Posted by jeremy on 19th March 2008

"ibank-halifax.com", the domain name the Storm Worm has been using since early January, looks like it is now having some technical difficulties, or nic.ru has finally taken action against the Storm Worm domain. Here is a snippet from my whois request:

Domain Name: IBANK-HALIFAX.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: No nameserver
Status: clientHold
Status: clientTransferProhibited
Updated Date: 18-mar-2008
Creation Date: 08-jan-2008
Expiration Date: 08-jan-2009

Notice the "No nameserver" and Status entries. Here is another whois record from whois.domaintools.com:

Domain name: IBANK-HALIFAX.COM
Creation Date: 2008.01.09
Updated Date: 2008.01.09
Expiration Date: 2009.01.09

Status: NOT DELEGATED

Registrant ID: A4DDYNG-RU
Registrant Name: Nelly B Smith
Registrant Organization: Nelly B Smith
Registrant Street1: TRINITY ROAD, GB
Registrant City: London
Registrant State: UK
Registrant Postal Code: 65412
Registrant Country: GB

Administrative, Technical Contact
Contact ID: A4DDYNG-RU
Contact Name: Nelly B Smith
Contact Organization: Nelly B Smith
Contact Street1: TRINITY ROAD, GB
Contact City: London
Contact State: UK
Contact Postal Code: 65412
Contact Country: GB
Contact Phone: +1 800 3121812
Contact E-mail:

Status: NOT DELEGATED, so again it looks like we may have a few hours of peace and quiet from the Storm Worm... My bet is we will see an Easter-themed domain name next, along with hundreds of "happyeaster.exe" cards in our email very soon! Maybe even the first three images returned from a simple Google search for "happy easter" will decorate the web sites. ;)

[Images: Happy Easter1, Happy Easter2, Happy Easter3]

Who knows?

Posted in Bots and Worms, Storm Worm

Storm Worm Process Injection Analysis Paper

Posted by jeremy on 9th March 2008

Danny Quist from Offensive Computing has just published an outstanding write-up titled "Storm Worm Process Injection from the Windows Kernel". He lays out in great detail the analysis steps he performed on W32/StormWorm.gen1 to show the process injection method it uses to execute malicious code in user space. I think his conclusion sums up his findings quite nicely:

"The methods used by storm worm represent the latest advances in malware. The kernel payload method is a useful mechanism to subvert analysis and make reverse engineering more difficult. The sophistication of evasion tactics is increasing and will require further innovation to be able to maintain automated analysis techniques. In many cases traditional packers are being replaced with simpler encoding techniques combined with more complicated subversion methods."

Danny Quist, Storm Worm Process Injection from the Windows Kernel, March 9th 2008

I don't want to ruin the write-up by regurgitating it here, and I also don't want to take anything away from Danny's outstanding work, so go give it a read, as I am sure you will enjoy it.

Posted in Bots and Worms, Storm Worm

Storm Binary Tracker Update

Posted by jeremy on 8th March 2008

I just added a search-by-IP feature to the Storm Binary Tracker page after talking with the guys over at Malware Domain List. If you're unfamiliar with this site you really ought to give it a serious look, as they house some really good information for anyone interested in malware and malware analysis. Boban Spasic, aka Bobby, the creator of Malzilla, posts there regularly about updates to his tool, and I even read in some of the forums where he was taking ideas from posters to improve his tool. If you're unfamiliar with Malzilla, it is one awesome tool for exploring malicious websites and you should really give it a try. When I first started trying to explore and deobfuscate malicious web pages I would use a large mixture of tools such as wget, SpiderMonkey (JavaScript engine), miscellaneous bash tools, and a whole lot of custom Perl scripts that would do conversions for me, but now I pretty much only use those tools when I can't get Malzilla to do it for me, which, might I add, has almost never happened since I started using it. What prevented me from using it at first is that it is a Windows-only application and I run Linux on most of my computers. Once I figured out how to get it to work in Wine (the Windows API for Linux), which again, may I add, was as simple as pulling the package down and executing it with Wine, I haven't looked back since.

Posted in Site Update, Storm Worm

Storm Worm Tracking

Posted by jeremy on 6th March 2008

In early January, or maybe even late December, I started tracking the Storm Worm with a Perl script I created that would go out, grab the current binary, and store it locally for me. Just recently I decided to start this website, and my first real content addition is a web interface I titled "Storm Binary Tracker", which gives the world access to some of the Storm Worm binary information I have obtained. The scripts to do this are all fairly basic and I may release them at a later date, but right now they are full of bad code practices, so I really need to clean them up first.

My binary database is just a small portion of what I have been tracking and holds ~1,300 indexed binaries as of today. I have also been tracking the unique IP addresses associated with Storm Worm web servers found through DNS scripts querying the fast flux domain names and have collected ~65,000 as of today as well. If you would like a copy of this second list just shoot me an email at jeremy [at] sudosecure.net and I would be happy to send it to you. I may also start hosting this file online at a future date, but as of right now you can only get it through email.

Well, enough about the scripts; let me now tell you about some of the things I have learned about the Storm Worm. First, the binaries do change very regularly, as many others have noted, but one oddity is that from February 12th around 21:00 Central Standard Time until February 23rd around 19:00 Central Standard Time the Storm Worm binary took on an almost dormant state. Maybe this was just by chance and my scripts found old servers during that time frame, but the binary name stayed "valentine.exe" and the MD5 hash stayed "d41d8cd98f00b204e9800998ecf8427e" the entire time. (That particular hash is the MD5 of a zero-length file, which is worth keeping in mind when interpreting a tracker result like this.) I remember thinking something must be wrong with my script, but I double-checked several sites manually and had the same results. Another oddity I confirmed while analyzing the binary, after reading about it on another site, is that the XOR encryption key used to encrypt the eDonkey bot traffic never changes.
This key value is "f3aa580e78de9b3715742c8fb341c550337a633de613df6c46cabe9a77489402c0f36649ee8721bb9b". Writing a simple script to loop through a pcap file and decode it by XORing it against the key will leave you with plain old eDonkey protocol traffic that you can then analyze in Wireshark if you're interested. If you don't want to write the script, just Google around and you will find that several people have published scripts to do this.
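The decoder described above, written here as an added example rather than code from this site: it walks a classic libpcap file, pulls out each IPv4/UDP payload, and XORs it against the key exactly as quoted in the post (82 hex digits, i.e. 41 bytes). The check that a decoded datagram begins with the eDonkey protocol marker byte 0xE3, the Ethernet-only framing assumption, and the constructed sample capture built by `build_pcap` are all my additions.

```python
import struct
# XOR key exactly as quoted in the post above (82 hex digits = 41 bytes)
STORM_XOR_KEY = bytes.fromhex(
    "f3aa580e78de9b3715742c8fb341c550337a633de613df6c46cabe9a77489402c0f36649ee8721bb9b")

def xor_with_key(data, key=STORM_XOR_KEY):
    """XOR data against the repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def udp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) for each IPv4/UDP datagram in a
    classic libpcap file with Ethernet framing (assumption: no pcapng, no VLAN)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    order = "<" if magic in (0xa1b2c3d4, 0xa1b23c4d) else ">"
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(order + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":
            continue                            # too short or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0f) * 4
        if ip[9] != 17:
            continue                            # not UDP
        udp = ip[ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield src, sport, dst, dport, udp[8:ulen]

def decode_storm_pcap(pcap):
    """Return [(src, sport, dst, dport, decoded_payload, starts_with_0xe3)]."""
    out = []
    for src, sport, dst, dport, p in udp_payloads(pcap):
        plain = xor_with_key(p)
        out.append((src, sport, dst, dport, plain, plain[:1] == b"\xe3"))
    return out

def build_pcap(payloads, src="10.0.0.5", dst="10.0.0.9", sport=4000, dport=4001):
    """Constructed sample capture: wrap each payload in Ethernet/IPv4/UDP."""
    out = [struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)]
    for p in payloads:
        udp = struct.pack("!HHHH", sport, dport, 8 + len(p), 0) + p
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip    # zeroed MACs, EtherType IPv4
        out.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)
```

Datagrams that do not start with 0xE3 after decoding are flagged False, which is a quick way to spot non-Storm UDP traffic mixed into the capture.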

One characteristic that has held true throughout the time I have been tracking this worm is that its hosting website trickery seems to work fairly well and changes often. I have seen it use all types of JavaScript trickery, such as the unescape function to mask the binary name, and just recently it has been hosting three differently named binary files. They are ecard.exe, which is downloaded automatically after 5 seconds using a META tag in the header; e-card.exe, which is downloadable through a standard hyperlink on the page titled "Click Here"; and finally postcard.exe, which is accessible by clicking the image on the page. The web page is very simple, and looks almost legitimate. Here is a snapshot of what the page currently looks like:

[Image: storm_site1.jpg]

Posted in Storm Worm