sudosecure.net

is anything truly secure…

Archive for April, 2008

Another Storm Worm Update

Posted by jeremy on 25th April 2008

All of the Domain Names I published a few weeks ago in an article titled “Storm Worm gone Domain registrant happy again!” have now been taken offline, and are no longer resolving to Storm Worm web servers. I noticed “loveinlive.cn” stopped resolving earlier this week, but I just haven’t had enough time in the day to publish it. This is definitely good news for all of us in this seemingly never-ending cycle of Storm Worm trickery, which provides us with the constant reminder that the Storm Worm is still around.

Recently many security professionals and security companies have begun to downplay the presence and size of the Storm Worm bot network due to new and/or old (depending on who you ask) bot networks such as Kraken or Bobax, Srizbi, RUSTOCK, Cutwail, and Grum. This could be a sign of hope that just maybe this trend of a shrinking Storm Worm botnet will continue.

A humorous article published by Gregg Keizer from Computerworld titled “Microsoft: We took out Storm botnet” has sparked some interesting conversations in the security community. With Jimmy Kuo making statements like “it was the hammering Microsoft gave the Storm botnet that sent the hackers packing” and “Even though they were able to maintain parts of their botnet, they knew they were in our gun sights. And ultimately they gave up”, it would seem Jimmy is very passionate about declaring Microsoft the sole winner in this war and leaves us with the impression it was the quick and precise workings of the Malicious Software Removal Tool (MSRT) that sent the Storm Worm authors packing. Did I mention I thought this article was humorous? I don’t like throwing rocks normally, but is there something in the water in Redmond that breeds this type of thinking? We all know the Storm Worm has driven numerous security professionals, companies, and even “Microsoft” a bit crazy since it was first discovered in January of 2007, but to insinuate you and your company alone drove the Storm Worm authors packing swiftly and effectively by deploying a removal tool 9 months later is downright distasteful in my personal opinion. What about giving some of the credit to security professionals such as Joe Stewart, who published detailed information regarding the Storm Worm in his February 8, 2007 article “Storm Worm DDoS Attack”, or even the recent detailed case study from the University of Mannheim titled “Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm”, in which they disclosed a detailed report of how they infiltrated and analyzed the Storm Worm bot network infrastructure up close and personal?

I was very pleased to read a follow-up article published by Gregg Keizer from Computerworld just two days later titled “Microsoft didn’t crush Storm, counter researchers”. I don’t agree with everything stated in this article, but I do 100% agree with Paul Ferguson’s statement “Storm is not down and out”.

Posted in Bots and Worms, Storm Worm | 2 Comments »

More Storm Domain Names taken Offline

Posted by jeremy on 17th April 2008

Just a short update: it looks like the registrar Xiamen ChinaSource Internet Service Co., Ltd. has taken a few more Storm Worm domain names offline. limpodrift.cn, gasperoblue.cn, gribontruck.cn, giftapplys.cn, and biggetonething.cn are all returning “NXDOMAIN” when I perform an nslookup for them, so Xiamen ChinaSource Internet Service Co. only needs to take action on the last domain name registered through them, loveinlive.cn. I am not sure why they didn’t take action against all of them, but at least they are taking some type of action against them.

Posted in Bots and Worms, Storm Worm | No Comments »

Storm Worm Domain Information update

Posted by jeremy on 15th April 2008

Looks like two of the recently utilized Storm Worm domain names, “newoneforyou.cn” and “thingforyoutoo.cn”, have been placed in a hold status by the registrar Xiamen ChinaSource Internet Service Co., Ltd. and are no longer resolving to fast flux IP addresses. Oddly enough the other six domain names being maintained by this registrar are still active. I would have thought if Xiamen acted on one of the domain names they would have acted on all of them; I guess they need more information regarding these domains before they can make a decision on shutting them down…

Another note of interest: limpodrift.cn, gasperoblue.cn, loveinlive.cn, gribontruck.cn, giftapplys.cn, and biggetonething.cn are all pointing their DNS requests to orthelike.com name servers. So if the registrar BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. took action soon they could potentially strike a large blow to the current Storm Worm domain names being used, well, until the authors created new name server records.

With all that being said, these new domain names have recently pushed me just over the 100,000 mark for total archived IP addresses indexed by my Storm IP tracking scripts. Note this doesn’t mean there are over 100,000 different hosts, as some of these hosts are on DHCP networks, and obviously their IPs could have changed while I was tracking them. The only IPs I am 100% sure are associated with the Storm Worm are the ones you can find in my Storm Worm Binary Tracker and the IPs I have extracted directly from the Storm Worm configuration files with my Storm Worm config file parsing script.

Posted in Bots and Worms, Storm Worm | No Comments »

UploadMalware.com Perl Submission Script

Posted by jeremy on 14th April 2008

I was recently introduced to UploadMalware.com, which is a site made up of several security professional volunteers. They actively accept your Malware binary submissions and submit them to several Antivirus companies to help speed up the identification and classification of Malware and the development of Malware signatures, which may I say benefits everyone. You can find a list of vendors they work with here: Vendors. In support of what these volunteers are attempting to do I have created a small Perl script that will allow anyone to submit suspicious binaries to their site without having to use the web interface. I have included all of the options available to you via their web form. All options except for the binary file are optional when submitting binaries to them, but I would encourage you to provide as much information as possible. They also offer an IRC channel where many of these professionals can be found hanging out, willing to talk with you about your submissions or anything else Malware and/or Security related. You can find their channel “#uploadmalware” on the WyldRyde IRC Network, or use their instant chat web client located on their website.

If you have a honeypot or harvest Malware, may I suggest using this script to automatically submit binaries by creating a cron job or writing a small wrapper script. Just a suggestion. ;)

Here is a link to the script I created: uploadmalware_submit_pl. As always if you have any issues with this script or find any bugs feel free to contact me anytime.

Posted in Scripts, Tools | 4 Comments »

Storm Worm new/old Exploits back again

Posted by jeremy on 10th April 2008

Ok, I finally had a chance to go through the obfuscated JavaScript and thought I would publish my findings to you all. I figured it would be better for me to just start a new post than continue to update the last one, as even I was getting confused. ;) First off, it isn’t new for the Storm Worm to use obfuscated JavaScript in exploiting Windows boxes that have not been patched. It has just been several months since the authors utilized this tactic to infect new hosts, as I believe it was in October of last year that the Storm Worm authors were using the MS06-14 vulnerability to infect unpatched computers.

Now when you visit the Storm Worm Web pages you will be hit with 2 different exploit attempts. The first one is hosted in the index file and it looks like this: Storm Exploit Entry Page. Now this is clearly an exploit attempt against the MS06-14 vulnerability published April of 2006. If the exploit works you will receive the “load.exe” file renamed as “win.exe” and it will be executed.

The second exploit is hosted in the flow.php file and it looks like this: Flow_php File. This is clearly another attempt to exploit an old vulnerability in Internet Explorer: MS05-052.

I haven’t sacrificed a lab machine yet to see what happens after the infection, but here are my results from a few online sandboxes and virus scanners: VirusTotal Results, ThreatExpert Results.

As you can see the Antivirus companies are struggling to keep up with the Storm Worm, with only (6/32) flagging this last submission as Malware. I was actually a little shocked to see Symantec on top of this binary already, good job! Looking at the ThreatExpert results it looks as though the stored binary and configuration file have changed names once again to kavir.exe and nivavir.config, which are still stored in the C:\windows directory. The best recommendation I can give to anyone trying to prevent this from infecting their computers is to patch your boxes…

I am still waiting for the results from CWsandbox and Anubis, if I get anything interesting back from their analysis I will update this posting.

Posted in Bots and Worms, Storm Worm | 2 Comments »

Storm Worm using JavaScript with exploit code

Posted by jeremy on 10th April 2008

I just now caught the Storm Worm web pages using obfuscated JavaScript to identify your Operating System by searching your UserAgent. If the exploit doesn’t work you will be directed to the old Storm Codec page mentioned in my last post, where you can still download the Storm Worm manually. I have not completely deobfuscated it as of yet, but here is a copy of the code I am chomping away at now: storm_codec_javascript. Initially it looks like they are using the MS06-14 Microsoft Data Access Components (MDAC) vulnerability to download “load.exe”. I submitted load.exe to VirusTotal and here are the results: Load.exe Results. As you can see (13/31) there is not a lot of coverage from the Antivirus companies right now.

So it does in fact look as though the Storm Worm authors were up to something new after all. More to follow when I have a chance to work with this code some more.

UPDATE: I just started working on the “flow.php” file and was able to identify it is trying to use the vulnerability addressed in MS05-052. Here is the clsid I was able to extract: “EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F” from the attempted exploit… Again more to come, but I need to stop now and head into work…. ;)

UPDATE 2: I changed the JavaScript text file to a PDF, as I have gotten a few emails from people about their Antivirus software alerting on it… I didn’t think a text file would execute the JavaScript. Sorry about that! Here is the new link: storm_codec_javascript

Posted in Bots and Worms, Storm Worm | No Comments »

Storm Worm gone domain registrant happy again!

Posted by jeremy on 9th April 2008

Shaun from the Australian Honeynet Project sent me a few more domain names being used by the Storm Worm authors this morning, thanks Shaun! The following is a list of domain names being utilized by the Storm Worm right now:

  1. orthelike.com – Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
  2. limpodrift.cn – Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  3. gasperoblue.cn – Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  4. thingforyoutoo.cn – Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  5. loveinlive.cn – Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  6. gribontruck.cn – Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  7. giftapplys.cn – Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  8. biggetonething.cn – Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  9. newoneforyou.cn – Registrar: Xiamen ChinaSource Internet Service Co., Ltd.
  10. supersameas.com – Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
  11. boardhour.com – Registrar: XIN NET TECHNOLOGY CORPORATION

I have not seen this many domain names being utilized since the recent Christmas run a few months ago, could there be something new or big in store for us real soon?

Another really odd thing I just noticed is that the constant changing of the Storm Worm binary is not occurring as of right now. My Storm Worm binary tracker has shown only one MD5 hash “e773e92fef7288faa63d79d497bded91” for all of the binaries retrieved since the authors changed the binary names to StormCodec.exe and StormCodec8.exe. I doubt very seriously this was caused by them breaking/misconfiguring their bot network. So this recent joke of “Storm Codec” may just be a temporary stalling technique used to keep us busy while the authors rework the binary. I say this because I found it very odd the recent binary distributed didn’t try to hide itself at all, and although Antivirus companies struggled to publish a signature for the last binary in a timely manner, users could easily detect an infected box by simply looking for the configuration file and/or binary in the C:\windows directory. Also note the new names being used for these files are now: kaglor.config (peer config file) and liibr.exe (current Trojan binary), which are still found in the C:\Windows directory.

Posted in Bots and Worms, Storm Worm | 2 Comments »

New StormCodec.exe and StormCodec8.exe offered free of charge via the Storm Worm

Posted by jeremy on 8th April 2008

Well I must say I about died laughing this afternoon when I discovered the Storm Worm authors decided to publish their Malware Codec under the alias Storm Codec. One thing no one can deny about the Storm Worm authors is they definitely have a sense of humor. As always here is a screen shot of their newest web page:

Storm Worm Codec web page

So as you can see they are offering unsuspecting visitors the newest Storm Worm Trojan as a Media Codec. Almost takes me back to when they were offering the video.exe codec for youtube. Nothing really new in the web page source code either:

Storm Worm Codec web page source code

I am actually really surprised we haven’t seen any new JavaScript obfuscation being used, with all the other major Malware distributors doing it making obfuscated code the “happening thing”. I know that a few months ago they were using the unescape function, but nothing since then.

Another note of interest shared with me today by Steven from SecurityZone.org and Shaun, the Founder of the Australian Honeynet Project, is that there are now two new domain names for the Storm Worm: supersameas.com and boardhour.com. Steven also noted that superdrugtesting.com was taken offline earlier this morning. The registrar for supersameas.com is “BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN” and the registrar for boardhour.com is “XIN NET TECHNOLOGY CORPORATION”. With all that being said I must applaud the registrar “todaynic.com”, as they acted really quickly in getting superdrugtesting.com offline. I guess the authors of the Storm Worm made a small mistake registering with a legit Chinese registrar. If all registrars acted that quickly, I would definitely have to come up with a new way to track the Storm Worm web hosts. ;)

One last note of interest: Matt Jonkman, the founder of Emerging Threats, is on top of these changes as always with the two new current event Snort signatures sid:2008111 and 2008112. I would suggest running these rules along with DNS blackholing supersameas.com and boardhour.com, as I am sure there will be more blogspot redirections in the coming days. I have not seen any of the reported spam using the new domain names as of yet, but that doesn’t necessarily mean that it isn’t out there already.

Posted in Bots and Worms, Storm Worm | 1 Comment »

Storm Worm Config File Parsing Script for extracting Peer IPs.

Posted by jeremy on 6th April 2008

After talking it over with a few colleagues and friends I have decided to release the script I utilize to extract the peer IP addresses and ports from the Storm Worm ini/config file, as I think it may benefit others. The current configuration file for the Storm Worm is “aromis.config” and it holds the IPs for bot peers the infected computer can communicate with. This will not be the entire list of IPs infected with the Storm Worm, as the Storm Worm breaks its bot network up into small sub-network-like structures. This is why it has been so hard for security professionals to combat the worm and gather an accurate number of hosts infected with it.

Something to consider before using the script is that I cannot guarantee it will work on new configuration files, as the authors of the Storm Worm could change this file at any given time. If they do decide to modify the configuration file structure I may or may not decide to update the script to reflect these changes. I think once you see how simple it is, you may just want to update it yourself. I am not a professional programmer nor a Perl guru, so if you find anything insane in the code I welcome your fixes and/or improvements.

With all that being said, run it at your own risk as I provide no warranty! Well, here you go: storm_config_decoder_pl. The output from this script is very simple, “ip address:port”, for example “192.168.0.1:1234”, with the last line of output telling you exactly how many unique IP addresses it was able to identify. Oh, I almost forgot to mention it can parse multiple files: just use “*” as a wildcard character or specify the files with a space between them. This option has been very useful to me in combining the configuration files from several different infections over a period of time such as the last 24 hours. Try it, as you may get some interesting results ;)
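As an added illustration of what a parser like this does (this is example code, not the post’s storm_config_decoder_pl), here is a Python version that merges several captured config files, prints one “ip:port” line per peer and ends with the unique-IP count. The “[peers]” section name, the hash=IPhex+porthex+flag line layout and the two sample files are assumptions constructed for the example, not details taken from the post.

```python
import glob
import re
import sys
from typing import Iterable, List, Set, Tuple

# Assumed line layout (an assumption for this example, not from the post):
#   <32 hex chars peer hash>=<8 hex IPv4, network byte order><4 hex port><2 hex flag>
PEER_LINE = re.compile(r"^[0-9A-Fa-f]{32}=([0-9A-Fa-f]{8})([0-9A-Fa-f]{4})[0-9A-Fa-f]{2}$")

# Constructed sample files standing in for two captured *.config files.
SAMPLE_A = """[config]
ID=0
[peers]
0BE2DA2D9D4DD6F9F4B0A7DC1AFE2D98=C0A8000101F400
11111111111111111111111111111111=C0A80002C35000
"""
SAMPLE_B = """[peers]
0BE2DA2D9D4DD6F9F4B0A7DC1AFE2D98=C0A8000101F400
22222222222222222222222222222222=0A0000011F9000
33333333333333333333333333333333=C0A80001238200
44444444444444444444444444444444=C0A80003000000
DEADBEEF=not a peer line
"""


def parse_peers(text: str) -> Set[Tuple[str, int]]:
    """Return the set of (ip, port) peers listed in one config file's text."""
    peers: Set[Tuple[str, int]] = set()
    in_peers = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_peers = line.lower() == "[peers]"   # only the peer section matters
            continue
        m = PEER_LINE.match(line) if in_peers else None
        if not m:
            continue                               # other sections, malformed lines
        ip_hex, port_hex = m.group(1), m.group(2)
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in range(0, 8, 2))
        port = int(port_hex, 16)
        if port == 0:
            continue                               # a zero port is not a usable peer
        peers.add((ip, port))
    return peers


def merge_peers(texts: Iterable[str]) -> Set[Tuple[str, int]]:
    """Union of the peers found in several files, e.g. one day's captures."""
    merged: Set[Tuple[str, int]] = set()
    for text in texts:
        merged |= parse_peers(text)
    return merged


def report(peers: Set[Tuple[str, int]]) -> List[str]:
    """One 'ip:port' line per peer, then the unique-IP count (peers may share an IP)."""
    key = lambda p: (tuple(int(o) for o in p[0].split(".")), p[1])
    lines = [f"{ip}:{port}" for ip, port in sorted(peers, key=key)]
    lines.append(f"unique ip addresses: {len({ip for ip, _ in peers})}")
    return lines


if __name__ == "__main__":
    # Real use: python storm_peers.py '*.config' other.config; no args runs the samples.
    paths = [p for arg in sys.argv[1:] for p in glob.glob(arg)]
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in paths]
    print("\n".join(report(merge_peers(texts or [SAMPLE_A, SAMPLE_B]))))
```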

As always if you have any questions or comments regarding this post or script feel free to contact me at anytime at jeremy [at] sudosecure [dot] net. Enjoy!

Posted in Bots and Worms, Scripts, Storm Worm, Tools | 2 Comments »

Storm Worm Fast Flux domain “superdrugtesting.com”

Posted by jeremy on 6th April 2008

The last active domain name “ibank-halifax.com” was deactivated around March 18th, making it a little harder for me to track new Storm Worm binary hosting web servers and really slowing down my binary harvesting… Which, I may add, wouldn’t bother me a bit if they were just shut down and I could move on to something else, but instead they have registered a new domain name for their fast flux network, “superdrugtesting.com”, with the registrar TODAYNIC.COM, INC. Here is a look at the current whois record:

superdrugtesting whois record

Now take a look at the registrant information, which might I add is obviously fake:

superdrugtesting registrant information

I could be wrong, but I don’t think an informative email to “coldercolder55@yahoo.com” is going to get much response in trying to get this new domain name taken offline. One change I noticed was the authors have now moved from the Russian registrar “nic.ru” to the Chinese registrar “todaynic.com”. I hope they didn’t move to another country’s registrar as an attempt to throw investigators off, as it has become well known the authors reside in St. Petersburg, Russia. If you haven’t read the article by Brian Krebs from the Washington Post take a look at it: Wishing an (Un)Happy Birthday to the Storm Worm. This article didn’t seem to get much press coverage, so some of you may not have seen it.

If you have DNS blackholing capabilities, content filtering devices, and/or spam filters I would suggest adding the “superdrugtesting.com” domain name to them at this time. ;) As always if you have any questions or comments feel free to contact me at jeremy [at] sudosecure [dot] net anytime.

Posted in Bots and Worms, Storm Worm | No Comments »