sudosecure.net

is anything truly secure…

Archive for June, 2008

Storm Worm spam modifications contain email addresses

Posted by jeremy on 25th June 2008

In another lab run of the Storm Worm last night I captured 7,341 emails, of which there were 31 unique Subject lines, 5 distinct email addresses in select message bodies, and 105 unique IP address direct links. The majority of last night's spam lab run contained the current theme of a disaster in China affecting the Olympic games in Beijing. Nothing new there, but I did find 1,144 messages which contained the following style of message:

Hello, my friend.

Do you want to buy any stuff: any kind of pills, oem software, cool porn?
Just mail me back, i’ll find the best offer for you.

Of these 1,144 messages containing this unique message I was able to extract 5 different individual email addresses:

  • cstygstra@gmail.com
  • removed (19 September 2009)
  • infrared35@gmail.com
  • jim@tegelaar.com
  • wagz_is_god@yahoo.com

I Googled all of these email addresses to see if possibly the Storm Worm authors were raining some spam on these targeted emails, as this was my first thought, but found that these email addresses returned no results except for wagz_is_god@yahoo.com. I found a post from a user calling himself “wagzisgod” from 2004 about maintaining a traders list on spawn.com. The Google cached page can be seen here: Spawn.com Message Board post. So I don’t think this is a malicious attack against the email addresses listed above, but more likely a way of trying to identify active email addresses maintained in their current harvest lists. I sent an email using a newly created account and have yet to receive any response regarding my staged request for more information on the availability of the products in the spam message. I really didn’t expect to receive a response, but this was more of an attempt to monitor spam generated from the Storm Worm, as this newly created email address has only been used once, making it perfect for tracking the Storm spam if it works the way I hope it does. Only time will tell.

Here are the logs from last night's spam run in my lab for your own analysis: Full SMTP log, Unique IPs for Storm Web Servers in Spam Log, and Storm P2P Peer list.
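The counts above (unique Subject lines, direct IP links, addresses found in bodies) are the kind of triage you can script over any fake-SMTP capture. The following is an added example, not code from this post: it parses constructed sample messages with the standard library `email` module and also groups host-name links by base domain, which goes beyond this post to cover the random-subdomain pattern seen in later Storm runs. `SAMPLE_RUN`, `triage` and the two-label `base_domain` approximation are all assumptions made for the example.

```python
"""Triage of a captured spam run: unique Subject lines, direct-IP links, and
e-mail addresses mentioned in message bodies (plus subdomain grouping).

Added example; SAMPLE_RUN below is a constructed capture, not the post's log."""
import re
from collections import Counter, defaultdict
from email import message_from_string

# Links that point straight at an IPv4 address instead of a host name.
IP_LINK_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/[^\s\"<>]*)?")
# Links that use a host name (last label must be alphabetic, so IPs are excluded).
HOST_LINK_RE = re.compile(r"https?://([A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,})")
# Addresses mentioned inside the body text (not the envelope headers).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def base_domain(host):
    """Assumption: the registrable domain is approximated by the last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw_messages):
    """Summarise a list of raw RFC 822 messages captured by a fake SMTP server."""
    subjects = Counter()
    direct_ips = set()
    body_addresses = set()
    subdomains = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = " ".join((msg.get("Subject") or "").split())
        subjects[subject] += 1
        body = "" if msg.is_multipart() else msg.get_payload()
        direct_ips.update(IP_LINK_RE.findall(body))
        body_addresses.update(a.lower() for a in EMAIL_RE.findall(body))
        for host in HOST_LINK_RE.findall(body):
            subdomains[base_domain(host)].add(host.lower())
    return {
        "messages": len(raw_messages),
        "unique_subjects": len(subjects),
        "top_subjects": subjects.most_common(3),
        "direct_ips": sorted(direct_ips),
        "body_addresses": sorted(body_addresses),
        "subdomains": {base: sorted(hosts) for base, hosts in subdomains.items()},
    }


def _msg(subject, body, sender="sender@example.com"):
    """Build one constructed message in the shape a fake SMTP server would log."""
    return "From: %s\nTo: victim@example.org\nSubject: %s\n\n%s\n" % (sender, subject, body)


# Constructed sample capture (documentation addresses and reserved IP ranges only).
SAMPLE_RUN = [
    _msg("Olympic games in danger", "Watch the video: http://192.0.2.10/"),
    _msg("Earthquake in Beijing", "See it here http://192.0.2.11/video.exe"),
    _msg("Olympic games in danger", "Watch the video: http://192.0.2.10/"),
    _msg("Hello my friend", "Just mail me back at example1@example.com for the best offer."),
    _msg("Hello my friend", "Just mail me back at Example2@example.org for the best offer."),
    _msg("Your pharmacy order", "Order here: http://k4d9.example.net/"),
    _msg("Your pharmacy order", "Order here: http://zq01.example.net/"),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RUN).items():
        print(key, value)
```

Only the body is scanned for addresses, so the envelope sender and recipient never pollute the list; the subdomain grouping makes a wildcard-DNS campaign visible as many hosts under one base domain.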

Posted in Bots and Worms, Storm Worm, Uncategorized | 1 Comment »

Storm DNS down, so spam contains IPs only

Posted by jeremy on 23rd June 2008

With all of the known Storm Worm domain names temporarily not resolving, due to the Storm Worm designated name servers not responding to A record requests, the authors have reverted to spamming direct IP links to our mail boxes. The main Storm Worm domain name servers I am aware of are:

  • ns.likenewvideos.com
  • ns2.likenewvideos.com
  • ns3.likenewvideos.com
  • ns4.likenewvideos.com
  • ns.verynicebank.com
  • ns2.verynicebank.com
  • ns3.verynicebank.com
  • ns4.verynicebank.com
  • ns5.verynicebank.com
  • ns6.verynicebank.com

I captured 1,014 spam messages in my lab this afternoon during a short run just to check on things. Of the 1,014 spam messages there were only 47 unique IP addresses and only 30 unique Subject lines. Here are two text files with the data: spam_ips.txt and spam_subjects.txt. As you can see the spam messages relate to the Storm Web server theme of a disaster in China and the 2008 Olympic Games in Beijing.

Another note of interest in my fake SMTP server logs is that the User Agent for the spam messages seems to only ever be one of two unique User Agents: either “Thunderbird 2.0.0.6 (Windows/20070728)” or “Thunderbird 1.5.0.13 (Windows/20070809)”. I can’t believe I missed this, but after revisiting several of my old SMTP log files I have found this to be a common pattern for almost a month now. These both seem to be legitimate User Agents according to my Google search results, but since they are old Thunderbird mail clients it may be worth looking into writing a Snort signature for something like this. I was thinking about testing the waters to see what I come up with in the next few days. If any of you run a mail server I would definitely be interested in hearing your opinion on how common these User Agents are. Here is my full SMTP log for this afternoon’s run: smtplogs.txt
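One way to act on the User-Agent observation, as an added example that is not from this post: count messages per source IP that carry either of the two quoted strings, and turn each indicator into a Snort content match on outbound port 25 with the characters Snort treats specially escaped. The `X-Source-IP` header, the sample capture and the `_msg` helper are assumptions of the example; the two User-Agent values are the ones quoted above.

```python
"""Flag the two Thunderbird User-Agent strings in a mail capture and emit Snort
content matches for them. Added example; the capture below is constructed."""
from collections import Counter
from email import message_from_string

# Indicator strings quoted in the post. Exact-match only, since legitimate
# Thunderbird builds differ in version and build id.
STORM_USER_AGENTS = (
    "Thunderbird 2.0.0.6 (Windows/20070728)",
    "Thunderbird 1.5.0.13 (Windows/20070809)",
)


def find_ua_hits(raw_messages):
    """Count matching messages per (source IP, User-Agent).

    Assumption: the fake SMTP server stamps the client IP into an
    X-Source-IP header; a real log would carry it in the envelope."""
    hits = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        ua = " ".join((msg.get("User-Agent") or "").split())
        if ua in STORM_USER_AGENTS:
            hits[(msg.get("X-Source-IP", "unknown"), ua)] += 1
    return hits


def snort_content(text):
    """Escape a literal for Snort's content: option.

    ; " and \\ are backslash-escaped; | delimits hex blocks so it goes in as |7C|."""
    out = []
    for ch in text:
        if ch in ';"\\':
            out.append("\\" + ch)
        elif ch == "|":
            out.append("|7C|")
        else:
            out.append(ch)
    return "".join(out)


def snort_rule(user_agent, sid):
    """One outbound-SMTP rule; sid >= 1000000 is the range reserved for local rules."""
    return (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 25 '
        '(msg:"Storm-style mail client User-Agent"; flow:to_server,established; '
        'content:"User-Agent|3A| %s"; nocase; '
        'classtype:trojan-activity; sid:%d; rev:1;)' % (snort_content(user_agent), sid)
    )


def rules_for_indicators(base_sid=1000001):
    """One rule per indicator, with consecutive local SIDs."""
    return [snort_rule(ua, base_sid + i) for i, ua in enumerate(STORM_USER_AGENTS)]


def _msg(src_ip, user_agent, subject):
    """Constructed message as the hypothetical fake SMTP server would log it."""
    return ("X-Source-IP: %s\nFrom: a@example.com\nTo: b@example.org\n"
            "User-Agent: %s\nSubject: %s\n\nbody\n" % (src_ip, user_agent, subject))


SAMPLE_CAPTURE = [
    _msg("198.51.100.5", "Thunderbird 2.0.0.6 (Windows/20070728)", "Olympic games in danger"),
    _msg("198.51.100.5", "Thunderbird 2.0.0.6 (Windows/20070728)", "Earthquake in Beijing"),
    _msg("198.51.100.9", "Thunderbird 1.5.0.13 (Windows/20070809)", "Olympic games in danger"),
    _msg("203.0.113.7", "Mutt/1.5.17 (2007-11-01)", "meeting notes"),
]

if __name__ == "__main__":
    for key, n in find_ua_hits(SAMPLE_CAPTURE).items():
        print(n, key)
    for rule in rules_for_indicators():
        print(rule)
```

Because both strings belong to real Thunderbird releases, a hit is a lead to be correlated with send volume per host rather than a verdict on its own; the rule is scoped to client-to-server traffic on port 25 so that inbound mail from legitimate users of those builds does not fire it.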

To sum this short post up, here is the usual Storm peering IP list extracted from the configuration file: peers2.txt, and my VirusTotal results for the binary files: beijing.exe and msvupdater.exe.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm Worm attempts exploits again

Posted by jeremy on 20th June 2008

Looks like the authors of the Storm Worm have decided to revisit the use of exploits along with their normal social engineering techniques by including an iframe within their current web page. The current Storm Worm web page uses an earthquake message as its attempt at socially engineering unsuspecting users into downloading a video file, which of course is the Storm Worm. Here is the message the Storm authors are currently presenting to users:

A new powerful disaster just occurred in China. The most deadly, 9 magnitude, earthquake took away million of lives in the heart of China, Beijing. Rapidly growing panic paralyzed life of Chinese capital. 2008 Olympic Games are under the threat of failure. Click on the video to see the details of this terrible disaster and choose either “Open” or “Run”.

Combining the upcoming Olympic games, starting in ~49 days, with a natural disaster looks like it may be a new theme that numerous malware authors will begin to utilize, as current events and disasters always seem to attract a large crowd. I know we started seeing Olympic games themed malware several months ago, but now with the Storm Worm authors using it and the start of the games approaching, it is my opinion we will see a quadratic rise in the amount of malware, phishing sites, and social engineering attempts tailored to the unsuspecting followers of the games.

The actual look and feel of this new page is simple and light. Here is an image of the current page:

Video themes also seem to be the standard approach for the Storm Worm authors, so I really was not surprised to see another one being used.

The source code for this page is where we will find the interesting and new obfuscated scripts used to execute multiple exploits tailored to your browser. Here is a snapshot of the source code for the index page:

Obviously if you click the image you will download the “beijing.exe” binary file, which is the Storm Worm Trojan. The interesting piece of code on this page is the iframe that includes the “ind.php” file. This “ind.php” file is nothing new to the Storm Worm, as this file name has been used in past Storm Worm exploit attempts and doesn’t seem to be going away anytime soon. The contents of the “ind.php” file have changed and are a little harder to deobfuscate. It took me three passes through the file to deobfuscate and analyze it. The exploit attempts in the “ind.php” file do not appear to be anything new, so I won’t bore you with the details other than stating everyone should keep all of their software applications up to date and patched. The binary downloaded inside the “ind.php” file is titled: “load.php?bof”.

I ran the “load.php?bof” and “beijing.exe” through VirusTotal and here are the results: “load.php?bof” and “beijing.exe”. The identification results were less than 50% for both binaries, so I would highly suggest you continue to block the known active Storm Worm domain names with DNS blackholing, content filters, and/or proxy filters. Here is a list of the current malicious Storm Worm domain names hosting the Trojan binary using the theme discussed in this post:

  • grupogaleria.cn
  • activeware.cn
  • cadeaux-avenue.cn
  • polkerdesign.cn
  • biztech-co.cn
  • ratedhot.cn
  • pacoast.cn
  • fconnorlaw.cn
  • tellicolakerealty.cn

I also ran the “load.php?bof” binary in my lab to get a quick look at the spam being sent out by this run, as it seems to be changing topics a little faster than normal, with the recent penny stock emails and then back to Canadian pharmaceuticals. I captured 684 spam emails during this short lab run. The oddity with this run was I only identified one domain name being utilized in the data section of the email, “usualprocess.com”, and of course the Storm Worm spam was applying a random subdomain name to this domain name. Here are all of the subdomain names I saw during my short run: smtp_log. Another thing I noticed was that the name servers for “usualprocess.com” were not only rotating IP addresses as they always do using a fast flux approach, but the name server domain names were being rotated as well. Here is a list of the name server domain names I saw in my queries:

  • ns0.tenshinohane.com
  • ns0.forgottensin.com
  • ns0.toptenslist.com
  • ns0.torstenstv.com

Obviously this is another attempt to keep the links being sent out in emails available. Using passive DNS analysis I was able to identify the following domains as active domain names being served by the above name servers, and this list may possibly be a few more domain names worthy of blocking:

  • boywhole.com
  • metalmorning.com
  • oftendollar.com
  • describeenter.com
  • industryexpect.com
  • meanquiet.com
  • yetresult.com

The last thing I noted was this binary installed itself in %WinDir% as “msvupdater.exe” with a peer file in this same directory titled “msvupdater.config”. Here are the 830 peer IP addresses I extracted: peers.txt.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm back to Canadian Pharmaceutical spam

Posted by jeremy on 17th June 2008

Tonight's Storm Worm spam was made up of the same old Canadian pharmaceutical material they were pushing out before the Angstrom Microsystems unauthorized stock spam campaign. The unique domains I extracted from the spam messages were:

  • describeenter.com
  • industryexpect.com
  • meanquiet.com
  • oftendollar.com
  • yetresult.com

All of these domains are fast flux domains resolving to 20 different IP addresses per query that seem to rotate on a set schedule of every 2 minutes. There is no telling how many total IP addresses there are, but I am sure it is a lot. If you have DNS blackholing capabilities, content filters, and/or spam filters I would update them now with these domain names.
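The fast flux behaviour described here (a fresh set of addresses every couple of minutes with short TTLs) and the name-server rotation and passive DNS pivot from the 20 June post can both be scored from a table of DNS observations. The following is an added example, not code from this blog: it works over constructed observations (4 addresses per query rather than the 20 seen here, and `.example` names in place of the real domains), computes per-domain address churn, distinct address count and minimum TTL, flags rotating NS names, and pivots from each name server to every zone it has been seen serving. The thresholds in `score_domain` are assumptions picked for the example, not published cut-offs.

```python
"""Score domains for fast-flux behaviour from passive DNS observations and pivot
from name servers to the zones they serve. Added example; the observations are
constructed (4 addresses per query rather than the 20 seen in the post)."""
from collections import defaultdict

# Each observation: (timestamp_seconds, qname, rrtype, rdata, ttl)


def answer_sets(observations, qname, rrtype):
    """One answer set per query timestamp, in time order, plus all TTLs seen."""
    by_ts = defaultdict(set)
    ttls = []
    for ts, name, rt, rdata, ttl in observations:
        if name == qname and rt == rrtype:
            by_ts[ts].add(rdata)
            ttls.append(ttl)
    return [by_ts[ts] for ts in sorted(by_ts)], ttls


def churn(sets):
    """Mean fraction of each answer set that was absent from the previous one."""
    if len(sets) < 2:
        return 0.0
    rates = [len(cur - prev) / len(cur) for prev, cur in zip(sets, sets[1:]) if cur]
    return sum(rates) / len(rates) if rates else 0.0


def score_domain(observations, qname, min_ips=8, min_churn=0.5, max_ttl=300):
    """Thresholds are assumptions chosen for this example, not published cut-offs."""
    a_sets, ttls = answer_sets(observations, qname, "A")
    ns_sets, _ = answer_sets(observations, qname, "NS")
    all_ips = set().union(*a_sets) if a_sets else set()
    all_ns = set().union(*ns_sets) if ns_sets else set()
    a_churn = churn(a_sets)
    min_ttl = min(ttls) if ttls else None
    return {
        "qname": qname,
        "queries": len(a_sets),
        "distinct_ips": len(all_ips),
        "churn": round(a_churn, 2),
        "min_ttl": min_ttl,
        "nameservers": sorted(all_ns),
        "fast_flux": len(all_ips) >= min_ips and a_churn >= min_churn
                     and min_ttl is not None and min_ttl <= max_ttl,
        "rotating_ns": len(all_ns) > 1 and churn(ns_sets) > 0,
    }


def ns_pivot(observations):
    """Passive DNS pivot: every zone each name server has been seen authoritative for."""
    served = defaultdict(set)
    for _, name, rt, rdata, _ in observations:
        if rt == "NS":
            served[rdata].add(name)
    return {ns: sorted(zones) for ns, zones in served.items()}


def _obs(ts, name, rtype, rdatas, ttl):
    """Expand one query's answers into individual observation tuples."""
    return [(ts, name, rtype, r, ttl) for r in rdatas]


# Constructed observations: one flux domain queried three times two minutes apart,
# a sibling zone sharing its name server, and a static control domain.
PASSIVE_DNS = (
    _obs(0, "flux-a.example", "A", ["203.0.113.%d" % i for i in range(1, 5)], 60)
    + _obs(120, "flux-a.example", "A", ["203.0.113.%d" % i for i in range(5, 9)], 60)
    + _obs(240, "flux-a.example", "A", ["203.0.113.%d" % i for i in range(9, 13)], 60)
    + _obs(0, "flux-a.example", "NS", ["ns0.one.example"], 60)
    + _obs(120, "flux-a.example", "NS", ["ns0.two.example"], 60)
    + _obs(0, "flux-b.example", "NS", ["ns0.one.example"], 60)
    + _obs(0, "static.example", "A", ["192.0.2.1", "192.0.2.2"], 3600)
    + _obs(120, "static.example", "A", ["192.0.2.1", "192.0.2.2"], 3600)
    + _obs(0, "static.example", "NS", ["ns1.static.example"], 3600)
)

if __name__ == "__main__":
    for name in ("flux-a.example", "static.example"):
        print(score_domain(PASSIVE_DNS, name))
    print(ns_pivot(PASSIVE_DNS))
```

Feeding the same functions with a live resolver's answers polled on the two-minute cadence the post describes would reproduce the measurement; the control domain shows that a CDN-style round robin with a stable address set and long TTL scores zero churn and is not flagged.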

Another note of interest regarding this spam is that wildcard subdomains are being used in all of the spam messages I captured. Here is a list of the unique subdomains: sub domains list. This Canadian Pharmacy website does not seem to change much in its presentation and the following logo seems to be constant.

The only new option I identified in looking at this site during this analysis was the option to submit your Instant Messenger information when trying to contact them. Just another way to collect user data which they can use as a spam mechanism is my guess. Here is what the current form looks like:

This may not be new, but it is the first time I noticed it. Another note of interest is they seem to take a wide variety of payment types, as seen here.

As always if you have any questions or comments feel free to contact me.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm Worm Spam now pushing Stocks (AGMS)

Posted by jeremy on 16th June 2008

Looks like the authors of the Storm Worm spamming bot have moved on from Canadian pharmaceuticals to giving financial advice. While running the Storm Worm in my lab and allowing it to beat up my fake SMTP server I captured 2,379 spam messages. Of these there were only 130 unique subject lines, which can be seen here: subjects. As you can see all of the subjects pertain to motivating someone to go out and buy penny stocks. Various misspelled messages were seen, such as this one:

d_ n’t w e preidct it?

Busienss Name: Ans-gtrom Microsytsems
Ticker: agms.ob
Outlook: Storng Purchase
Marekt prcie: .4 00
Shaers- traded: 331,485-

Now that- the news it o’ut, vol.um e is thorugh __the roof.

Mroe events will un’fo”l d , clien’ts are seeing the need for these
prodcuts A GMS. can be your ticket.,

The window” is still open,’ obtain this stock early Te’u sday.

This definitely is not the Storm Worm authors’ most professional looking work, and is actually very sloppy compared to past spam campaigns. Here is a copy of my full log: smtp log

Another oddity in this move to pushing penny stocks is that the company being represented in these spam messages does not appear to be a willing participant in the spam campaign. Searching Google, I found several references to these spam messages and actually found this particular article interesting: marketwatch.com article. Angstrom Microsystems appears to be searching out the people and/or organization behind these spam messages, so I have sent them an email describing my findings and wish them the best of luck with doing what many others would like to do and catching the Storm Worm authors. Maybe with the help of the US Securities and Exchange Commission they will grow closer to being able to prosecute at least someone from the Russian Business Network. I wouldn’t get my hopes up though.

The binary I used in my testing was the “loveyou.exe” binary being hosted by numerous Storm web servers. Once run it creates another binary named “msoupdater.exe” in “%WinDir%” along with a list of peers of other Storm Worm bots titled “msoupdater.config”. Some good news about this version of the Storm Worm is that it is being detected by antivirus software fairly well. VirusTotal results: loveyou.exe and msoupdater.exe. Here are the 903 peers I extracted from the msoupdater.config file: peers.txt.

On another note, sorry for my lack of posting lately as I have been on vacation and enjoying summer. As always if you have any questions or comments feel free to contact me.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »