sudosecure.net

              is anything truly secure…

Archive for July, 2008

New Storm Domains to go with FBI vs Facebook theme

Posted by jeremy on 28th July 2008

Running the Storm Worm tonight in my lab uncovered some new Storm Domain names to go along with the new "FBI vs Facebook" theme. Here is a list of these new domain names:

  • BestValueNews.com
  • CompanyNewsNetwork.com
  • FedNewsWorld.com
  • GoodNewsGames.com
  • SmartNewsRadio.com
  • StockLowNews.com
  • ToplessDailyNews.com
  • ToplessNewsRadio.com
  • WapDailyNews.com

I would recommend going ahead and adding these domains to any blacklists or content filters you may have to keep your users from falling victim to the Storm Worm social engineering attempts. These domains were all extracted from Storm Worm generated spam. The following 41 unique subject lines pertaining to the new "FBI vs Facebook" theme were seen during this short lab run:

  • F.B.I. Facebook Records
  • F.B.I. Looks Into Facebook
  • F.B.I. Watching Hezbollah in Facebook
  • F.B.I. Watching Possible Terrorists on Facebook
  • F.B.I. agents patrol Facebook
  • F.B.I. are spying on your Facebook profiles
  • F.B.I. busts alleged Facebook
  • F.B.I. bypasses Facebook to nail you
  • F.B.I. can watch our conversation through Facebook
  • F.B.I. may strike Facebook
  • F.B.I. on the Hunt for Facebook users
  • F.B.I. tries to fight Facebook
  • F.B.I. wants instant access to Facebook
  • F.B.I. watching us
  • F.B.I. watching you
  • FBI Facebook Crime Survey
  • FBI Facebook Records
  • FBI Looks Into Facebook
  • FBI Watching Hezbollah in Facebook
  • FBI Watching Possible Terrorists on Facebook
  • FBI agents patrol Facebook
  • FBI are spying on your Facebook profiles
  • FBI busts alleged Facebook
  • FBI bypasses Facebook to nail you
  • FBI can watch our conversation through Facebook
  • FBI may strike Facebook
  • FBI on the Hunt for Facebook users
  • FBI tries to fight Facebook
  • FBI wants instant access to Facebook
  • FBI watching us
  • FBI watching you
  • Facebook Coming Under F.B.I. Scrutiny
  • Facebook Coming Under FBI Scrutiny
  • Facebook's F.B.I. ties
  • Facebook's FBI ties
  • Get Facebook's F.B.I. Files
  • Get Facebook's FBI Files
  • The F.B.I. has a new way of tracking Facebook
  • The F.B.I.'s plan to "profile" Facebook
  • The FBI has a new way of tracking Facebook
  • The FBI's plan to "profile" Facebook

The message content for the above subjects is very simple and short. Here are a few of the unique message bodies I extracted from my faux SMTP server logs (note: hxxp://stormdomain_name is my substitution for one of the real Storm Worm domain names listed at the beginning of this post):

  • F.B.I. Watching Hezbollah in Facebook hxxp://stormdomain_name
  • F.B.I. on the Hunt for Facebook users hxxp://stormdomain_name
  • FBI Looks Into Facebook hxxp://stormdomain_name
  • FBI may strike Facebook hxxp://stormdomain_name
  • FBI watching you hxxp://stormdomain_name
  • Facebook's FBI ties hxxp://stormdomain_name
  • The F.B.I.'s plan to "profile" Facebook hxxp://stormdomain_name

You can look at all 41 unique message bodies here: fbi_messages.txt.

This wasn't the only spam being pushed out of the Storm botnet, as I also caught the following 21 Domain Names being used to push pharmaceuticals from the Canadian Pharmacy:

  • abilityhear.com
  • allhipguide.eu
  • besthiptop.eu
  • brickautoship.eu
  • compassionvery.com
  • definitionwonder.com
  • greathipx.eu
  • hilllocate.com
  • hipsurgeryonline.eu
  • hiptoguide.eu
  • hipworldhop.eu
  • majorwrite.com
  • rapsharp.eu
  • realizationthere.com
  • reciprocityby.com
  • storeever.com
  • trendyslick.eu
  • werecourage.com
  • wisdomby.com

Here are a few of the unique subject lines I extracted from the spam messages associated with the above domain names:

  • 10 reasons to take enhancing medicaments.
  • A small thing to make your woman happy.
  • Agree to be sick! Noway!
  • Bad health report? Consult us.
  • Better living through Canadian chemists.
  • Canadian doctors we trust.
  • Canadina chemists help you save 90% on medical bills.
  • Docs approve and recommend online Canadian Chemist.
  • Excellent effect on your condition.
  • In Canadian Chemist we trust.
  • New products everyday, online chemists where you can find a good source foryour needs.
  • Over 20000 products for health and beauty online.
  • Summer is on the way, do not forget of all requred-tabs.
  • The widest e-assrtment of medicaments.

All 560 unique subject lines can be seen here: spam_subjects.txt. I would recommend updating any of your spam filters to filter the above domains and if possible the above subject lines.

Another note of interest regarding the Storm botnet is that it seems to be actively performing ICMP DDoS attacks again. During my lab run I saw the following 4 IP addresses being attacked:

  • 62.189.182.xxx
  • 74.192.224.xxx
  • 79.41.125.xxx
  • 201.214.13.xxx

These attacks seemed to be very short-lived, lasting ~20 minutes, in comparison to some of the attacks from the Storm botnet that would last for hours and sometimes days. My guess is these attacks were in retaliation for probes on the botnet or web crawlers indexing the botnet too aggressively. I have been on the receiving end of these attacks in the past. What I found to be the cause was being too aggressive in trying to probe the botnet or retrieve the binary files being hosted by the web proxies. So a word of warning/advice to all researchers and security analysts: "be gentle" when dealing with this botnet or you too could come under attack.

Posted in Bots and Worms, Storm Worm | No Comments »

Storm Worm FBI vs FaceBook

Posted by jeremy on 28th July 2008

A new Storm campaign was identified by my binary tracker this morning around 8am Central Standard Time. This new campaign is titled “FBI vs Facebook” and is most likely another attempt at using current news events to trick users into installing the newest Storm Worm Trojan. I did a quick Google News search and found several headlines within the last two months relating to the FBI using Facebook to profile people, and also the US Congress using FBI investigation findings to support a new bill that will ban children from accessing Facebook and other social networking sites in public places such as libraries without parental supervision. The web page is very simple:

There is really only one interesting modification that has taken place with the release of this new theme which can be seen in the source code for the web page:

As you can see, “ind.php” is no longer being included as an iframe, so either the authors were not benefiting from the exploits being executed or it was simply an oversight when they deployed this new theme. Either way it benefits us, as it is one less thing we have to worry about when a user visits this page.

The VirusTotal results regarding the new “fbi_facebook.exe” binary are not outstanding, but we have some identification for the Storm Worm Trojan: Result: 18/35 (51.43%)

Posted in Bots and Worms, Storm Worm | No Comments »

Storm revisits love theme and postcard.exe

Posted by jeremy on 24th July 2008

I guess the Amero and the Domain Name outages just weren't working out for the Storm Authors, as they have shifted back to an old theme. The message is simple:

You've got an animated postcard from someone who loves you.
Click here to save the postcard.

Nothing new here, as they have played the “love” theme before. The “ind.php” JavaScript-obfuscated exploit-serving file is still included as an iframe redirect, so be aware of this. My only major concern with this new/revisited campaign is that the new binary has a very low antivirus vendor detection rate: Result: 8/35 (22.86%). I have not seen any new domain names or spam associated with this change, but my guess is that tonight when I take a deeper look at it in the lab I will be greeted with these changes.

Posted in Bots and Worms, Storm Worm | 3 Comments »

Storm Worm new “Currency Theme” campaign begins

Posted by jeremy on 21st July 2008

Looks like my prediction that the Storm Worm authors would change their theme within the coming days has just been confirmed. The newest Storm Worm social engineering theme is “Currency Based”, focusing on the financial strains/concerns many Americans are facing now. The message is simple and to the point:

The U.S. Government began to realize the plan to replace the Dollar with the "Amero", the new currency of the North American Currency Union. Canada, the United States of America and Mexico have resolved to unit in order to resist the Worldwide Financial Crysis. You can become acquainted with the plan of the implementation of Amero, just click on the icon under this text.

The adoption of a common currency named “Amero” for the North American continent is not a new concept and does currently have some active supporters. Wikipedia has some solid information about the Amero here: North American currency union. Another interesting site I stumbled upon while looking for information on the “Amero” is “The Amero”; you can form your own opinion about the site.

Here is a current screen shot of the Storm Web page hosting up the newly named binaries:

This new Currency theme is only hosting one binary, named “amero.exe”, and the same old JavaScript-obfuscated exploit file “ind.php”, as you can see in the new web page source code:

I have not seen any new spam pushing this new campaign yet, but I would suspect new spam and new Fast Flux domain names surfacing within the next 48 hours. I guess only time will tell.

Posted in Bots and Worms, Storm Worm | 7 Comments »

Storm returns Rootkit Functionality

Posted by jeremy on 19th July 2008

This isn't the first time the authors of the Storm Worm Trojan have used a rootkit to hide its presence on users' computers, and frankly I was really shocked when they stopped including this functionality several months ago. So lo and behold, today when I decided I would capture a little spam from the Storm Worm I was greeted with it not wanting to install and execute in Sandboxie, which is a sandbox application that allows me to detect file system changes and other things fairly easily. I immediately checked the Sandboxie file viewer, which revealed two files being created: "glok+1cbe-49e9.sys" and "glok+serv.config" in the %WIN% directory. Nothing really new in creating the Storm binary and peer list files in the %WIN% directory, as this has always been the case for as long as I have been tracking the Storm Worm.

Since I could not get the Storm Worm to execute in Sandboxie, I went ahead and let it infect my VM host without the protection mechanisms provided by Sandboxie. Interestingly enough, I immediately saw network traffic going to my faux time server from the infected VM host, which is normal as well since the Storm Worm Trojan changes your NTP server to time.windows.com to ensure its hosts are synced. The only reason my infected host hit my faux NTP server is that I use a faux DNS script as well to ensure all DNS queries resolve to my all-in-one faux server, which has multiple services available to facilitate my malware investigations safely. My infection was definitely confirmed when I started seeing the extremely aggressive amount of UDP packets the Storm Worm Trojan generates using the Overnet protocol to talk with its peers.
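The faux DNS script mentioned above can be as small as a single UDP responder that answers every A query with the address of the lab's all-in-one server, so the sample's NTP, HTTP and peer lookups all land on infrastructure you control. The following is an added example, not the blog's own script; the sinkhole address 10.0.0.1 is an assumption.

```python
import socket
import struct

# Lab sinkhole address is an assumption; point it at the host running the faux services.
SINK_IP = "10.0.0.1"


def parse_question(packet: bytes):
    """Return (qname, qtype, qclass, end_offset) for the first question in a DNS packet.
    Queries do not use name compression in the question section, so plain label
    walking is enough here."""
    labels = []
    off = 12  # fixed 12-byte header
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return ".".join(labels), qtype, qclass, off + 4


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query (used here to exercise the responder offline)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, sink_ip: str, ttl: int = 60) -> bytes:
    """Answer every A/IN query with sink_ip; other types get an empty NOERROR reply
    so the sample falls back to A lookups instead of retrying elsewhere."""
    txid, qflags = struct.unpack("!HH", query[:4])
    _, qtype, qclass, qend = parse_question(query)
    # QR=1, AA=1, RA=1, copy the client's RD bit, rcode NOERROR
    rflags = 0x8000 | 0x0400 | (qflags & 0x0100) | 0x0080
    answer = b""
    if qtype == 1 and qclass == 1:
        # Name pointer to offset 12 (the question name), type A, class IN, TTL, RDLENGTH
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:qend] + answer


def serve(bind_ip: str = "0.0.0.0", port: int = 53, sink_ip: str = SINK_IP) -> None:
    """Blocking UDP loop: every query from the lab VM gets pointed at the sinkhole,
    and the names asked for are logged, which is itself useful IoC output."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                name, qtype, _, _ = parse_question(data)
            except (IndexError, UnicodeDecodeError, struct.error):
                continue  # malformed packet; ignore it
            print(f"{peer[0]} asked for {name} (type {qtype})")
            sock.sendto(build_response(data, sink_ip), peer)


if __name__ == "__main__":
    serve()
```

Run it on the lab gateway and hand its address to the VM as the only resolver; the printed query log doubles as a record of which domains the sample tried to reach.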

My next step was to check the process explorer to see if I had any new processes running. This is when I began to suspect a rootkit was involved, as I had no new processes executing according to the Windows process explorer, tasklist, pstasklist, or the Sysinternals Process Explorer. The next check was to look in the %WIN% directory to see if the two files were visible, and of course they were not. I tried using the dir command, and also looking for them through Windows Explorer. Now to confirm this was a rootkit I ran a few rootkit detection tools.

The first tool was RootkitRevealer, which had no problems identifying the rootkit files being hidden from the Windows API calls. Here is a screenshot of my results:

As the screenshot shows the Storm Worm authors have definitely reinitiated the rootkit functionality. Next I tried F-Secure's Blacklight rootkit tool, which identified the two Storm Worm Trojan Files as well.

I should also note that IceSword and RKDetector2 were also successful at detecting the rootkit installed by the Storm Worm. Now that I have identified that the Storm Worm is actually installing a rootkit and it wasn't some sort of mistake on my part, a more in-depth analysis will need to be performed on the binary. That of course I will leave for another day. I should also note that the F-Secure Blacklight rootkit eliminator was successful at removing the Storm Worm's rootkit, which is good news if you're a user or system administrator looking to get rid of this. Just remember to go back into the %WIN% directory after renaming the files with Blacklight to delete the binary and configuration text file for good, as you don't want someone to come behind you and reinfect the computer. One last note about the binary is that the VirusTotal results were 15/33 (45.46%), which is about average for detection of the Storm Worm binary by the major AV companies.

Since this run was to take a peek at what the Storm Worm spam was doing, here are the domain names I captured during this run:

  • advancedcaremedical.eu
  • americanmedicalguide.eu
  • costappreciation.com
  • dadreciprocity.com
  • medicalhealthdeath.eu
  • medicaljobsgroup.eu
  • medicalworldinc.eu
  • medicalworldlink.eu
  • spiritualitycondition.com
  • themedicalmarket.eu
  • toldthere.com
  • treefinal.com
  • wellnesssurgical.eu
  • womenmedicalcenter.eu

I couldn't get any of these pages to load when I tried tonight, but looking at the actual spam messages and subject lines I would assume these are Canadian Pharmaceutical websites, which make up the majority of spam generated by the Storm Worm. Here are a few subject lines I found in the spam messages:

  • Subject: 10 reasons to take enhancing medicaments.
  • Subject: A better way to give up smoking.
  • Subject: Ancient greeks used this to treat their male problems.
  • Subject: Ancient greeks used this to treat their male problems.
  • Subject: Bring more joy to your life, get a bluepill!
  • Subject: GLobal potence ensurer!
  • Subject: Have perfect health in an imperfect world.
  • Subject: Join the biggest community of man that cured their male intimate problems
  • Subject: No need to visit a doctor again to get medications you need.
  • Subject: VPXL from Canadian Chemist. Your ultimate enhancing solution.
  • Subject: Unbelievably healthy living, come to Canadian Chemists' site to claim it

Here is the complete list of unique subject lines I captured this afternoon: subjects_spam.txt.

With the return of the Storm Worm rootkit functionality, the stagnated Military theme, and over half of the current Storm Worm domain names being shut down, I would anticipate a new theme/campaign arriving in our spam folders within the coming days. This new run could possibly be worse than others with the added functionality of the rootkit, as users may dismiss a Storm Worm install because they cannot readily see the infection or the process running. The good thing is, if you're reading this you probably know better by now.

As always if you have any questions or comments in regards to my posting feel free to send me an email or post a comment. I am always glad to hear from you good or bad.

Posted in Bots and Worms, Storm Worm | No Comments »

Storm goes Phishing

Posted by jeremy on 16th July 2008

Looks like the Authors of the Storm Worm have started to spam out phishing emails to our inboxes, so be ready tomorrow morning to warn your users. The following domain names are being used as the phishing sites (caution as these are also malicious sites):

  • accounts.digitallnsight.net/onlineserv/CM/
  • digitalinsight.bankdata1.com/onlineserv/CM/
  • digitalinsight.bankdata1.net/onlineserv/CM/
  • digitalinsight.bankdatacentral.com/onlineserv/CM/
  • digitalinsight.bankdatacentral.net/onlineserv/CM/
  • digitalinsight.cmcenter.net/onlineserv/CM/
  • digitalinsight.ebanking-network.com/onlineserv/CM/
  • digitalinsight.secure-processor.net/onlineserv/CM/
  • digitalinsight.secure-server3.com/onlineserv/CM/

These domains were all live links embedded in the body of the spam messages. Here is the actual spam message being sent:

Subject: Read carefully - Important Notification

Dear Administrator,

We inform you that your account is about to expire.
It is strongly recommended to update it immediately. Update form is located &<a href="hxxp://digitalinsight.bankdata1.com/onlineserv/CM/">here.
However, failure to confirm your records may result in account suspension.

Confidential: Please be advised that the information contained in this email
message, including all attached documents or files, is privileged and
confidential and is intended only for the use of the individual or individuals
addressed. Any other use, dissemination, distribution or copying of this
communication is strictly prohibited. This is the automated message. Please
don't reply.
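Two things in the message above are machine-checkable: the link text "here" hides its destination, and the phishing hosts either borrow the brand name as a subdomain of an unrelated registered domain (digitalinsight.bankdata1.com) or misspell it by one character (digitallnsight). This added example, not the blog's own tooling, flags both on a constructed copy of the message; the brand's legitimate domain digitalinsight.example is an assumption.

```python
import re

# Brand and its legitimate domain are assumptions for the example; substitute your own.
BRAND = "digitalinsight"
LEGIT_DOMAINS = {"digitalinsight.example"}

# Constructed message body modelled on the phishing mail quoted above, with one
# legitimate-looking link added for contrast (not a real capture).
PHISH_BODY = (
    "We inform you that your account is about to expire.\n"
    'Update form is located &<a href="hxxp://digitalinsight.bankdata1.com/onlineserv/CM/">here.\n'
    'Or use <a href="hxxp://accounts.digitallnsight.net/onlineserv/CM/">this link</a>.\n'
    'Help: <a href="https://help.digitalinsight.example/">support</a>\n'
)

# Accepts live http(s) links and the defanged hxxp form used in these notes.
HREF = re.compile(
    r'href\s*=\s*["\']?((?:hxxps?|https?)://([A-Za-z0-9.-]+)[^"\'\s>]*)', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough to catch one-character swaps such as l for i."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels; assumes a single-label public suffix such as .com or .net."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str, brand: str = BRAND, legit=LEGIT_DOMAINS):
    """Return a reason string if the host abuses the brand name, else None."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in legit:
        return None  # genuinely under the brand's own registered domain
    for label in host.split("."):
        dist = levenshtein(label, brand)
        if dist == 0:
            return f"brand name used as a label under unrelated domain {reg}"
        if dist == 1:
            return f"lookalike label '{label}' (edit distance 1 from '{brand}')"
    return None


def analyze_message(body: str, brand: str = BRAND, legit=LEGIT_DOMAINS):
    """Return [(host, reason)] for every link in the body that impersonates the brand."""
    findings = []
    for _url, host in HREF.findall(body):
        reason = classify_host(host, brand, legit)
        if reason:
            findings.append((host.lower(), reason))
    return findings


if __name__ == "__main__":
    for host, reason in analyze_message(PHISH_BODY):
        print(f"{host}: {reason}")
```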

Unlike most other spam phishing attempts, this particular version is really well laid out and designed in such a way that I am sure many users will be fooled into visiting these sites. The actual phishing page looks like this:

This is a very basic looking page asking for the user's Company ID, Company Password, User ID, and User Password. Also note that the notice in red tells the user to use their financial institution's login page for future maintenance. I am guessing the notice is just an additional touch to aid in the social engineering going on here. All of this seems to be standard stuff, but wait, there is an iframe reference that caught my eye right away. The iframe path is:

hxxp://xx.xx.xx.xx/cgi-bin/index2.cgi?lite

The IP is rotated with every query, so it isn't as simple as adding an IP block to protect your user base. This iframe leads to none other than some deeply obfuscated JavaScript code. I used Bobby's Malzilla tool for the deobfuscation, which can be downloaded here: Malzilla. I highly recommend checking this tool out, and if you like it throw Bobby a bone or two by donating to his project, as he has spent many hours adding features upon request from the community.

Ok, back to the phishing stuff. In this PDF you will find the complete deobfuscation of this iframe redirection: badness_storm_phish. Now this really struck me as odd, but this script decodes exactly like the "ngg.js" SQL injections flooding the internet right now. Even the binary is the same, including the if/else selection logic used in the code to choose your binary. So does this mean the Storm Worm authors can now be traced over to some of the SQL injection stuff being tracked so well over at ShadowServer.org: Full list of Injected Sites? I can't confirm this trace back, but it is definitely the same obfuscation being used by the "ngg.js" stuff. So either it is the same organization, or the SQL injection organization is now paying the Storm Worm authors to distribute spam for them. Who really knows, as I am just guessing here. One other idea would be that the SQL injections work on the phishing sites, but I really don't think that is the case here.

The binary being downloaded after all the iframe redirection badness occurs is fairly well detected by the vast majority of antivirus companies, which is a good thing. Here is a link to my scan results: Result: 21/33 (63.64%). I didn't run the binary in my lab, but it looks like it is either a proxy bot or a spam bot according to the virus detection results.

The rest of the spam I captured tonight during this lab run involved the same old Canadian Pharmaceutical links, with the same old subject lines. Here is a list of the domains involved in that portion of the spam:

  • advancedcaremedical.eu
  • americanmedicalguide.eu
  • childrenseparate.com
  • happenhalf.com
  • lottube.com
  • maysection.com
  • medicalhealthdeath.eu
  • medicaljobsgroup.eu
  • medicalworldinc.eu
  • medicalworldlink.eu
  • needcertain.com
  • nowcarry.com
  • prepaream.com
  • themedicalmarket.eu
  • thoughgrand.com
  • valleyearth.com
  • wellnesssurgical.eu
  • womenmedicalcenter.eu
  • yellowyear.com

Some of these domains are new to my lists, so if you don't have them in your blacklists or content filters I would add them now as well.

To finish out tonight's post, here is my entire spam capture log for all of the above just in case you're interested: smtplogs.txt. As always, if you have questions or comments feel free to ping me anytime.

Posted in Bots and Worms, Storm Worm | 4 Comments »

Storm Worm spam and domain names update

Posted by jeremy on 14th July 2008

I ran the Storm Worm in my lab again tonight with no real surprising results to be found. It seems as though the Storm Worm authors are having issues keeping their Military theme going, with registrars taking action against their domain names. I saw no spam leaving the Storm Worm tonight pertaining to the domains related to their web servers hosting malicious code and Storm Worm binaries. This is good news, but I believe this is just a short-lived break as the authors of the Storm Worm ramp up for their next campaign with new domain names and possibly a modified theme. My guess is within the next few days, or at the latest within a week, we will see something new from them. The following domains seem to still be actively pointing towards Storm Worm web servers:

  • cadeaux-avenue.cn (Registrar: BIZCN.COM, INC.)
  • polkerdesign.cn (Registrar: BIZCN.COM, INC.)
  • lovelifecash.com (Registrar: BIZCN.COM, INC.)
  • bphostdomains.com (Registrar: BIZCN.COM, INC.)
  • grupogaleria.cn (Registrar: BIZCN.COM, INC.)
  • nationwide2u.cn (Registrar: BIZCN.COM, INC.)
  • activeware.cn (Registrar: BIZCN.COM, INC.)

So as you can see "Registrar: BIZCN.COM, INC." seems to be very slow at reacting to requests to take action on the above domains. I can only hope their processes speed up and they too take action soon. Here are the current active Name Servers being used by the above domains:

  • ns.bphostdomains.com
  • ns2.bphostdomains.com
  • ns3.bphostdomains.com
  • ns4.bphostdomains.com
  • ns5.bphostdomains.com
  • ns6.bphostdomains.com
  • ns2.verynicebank.com
  • ns1.lollypopycandy.com
  • ns2.lollypopycandy.com
  • ns1.verynicebank.com
  • ns3.likethisone1.com
  • ns4.likethisone1.com

If you have any type of DNS black holing or content filtering capabilities I would recommend leaving these domains blocked/filtered.

All of the spam I captured in my sandnet tonight was pharmaceutical related, pointing to the online store "Pharmacy Express", which is well documented on the Spam Trackers spamwiki: Pharmacy Express Info. I captured a total of 6,581 spam messages during my run and was able to parse out the following domain names being used within the spam message bodies:

  • advancedcaremedical.eu (Registrar: OnlineNIC Inc)
  • americanmedicalguide.eu (Registrar: OnlineNIC Inc)
  • medicalhealthdeath.eu (Registrar: OnlineNIC Inc)
  • medicaljobsgroup.eu (Registrar: OnlineNIC Inc)
  • medicalworldinc.eu (Registrar: OnlineNIC Inc)
  • medicalworldlink.eu (Registrar: OnlineNIC Inc)
  • themedicalmarket.eu (Registrar: OnlineNIC Inc)
  • wellnesssurgical.eu (Registrar: OnlineNIC Inc)
  • womenmedicalcenter.eu (Registrar: OnlineNIC Inc)

Out of the 6,581 spam messages I captured I identified 662 unique subject lines. You can see all of these subject lines here: Storm Spam Subjects.txt. Here are a few extracts just in case you're not interested in all 662:

  • Subject: Bring more fun to your xxxlife!
  • Subject: Do you like wild nights?
  • Subject: Dont let sickness spoil your vacation.
  • Subject: Experience more pleasure from perfect intimate living.
  • Subject: Get back to slim shape again.
  • Subject: If good health is what you really need, then its time to visit canadian chemists.
  • Subject: Leading supplier of Canadian chemists in now available for you.
  • Subject: Online Canadian Chemist - we care about Your Health!
  • Subject: Some helpful information on weight losing products.
  • Subject: The largest network of i-chemists.
  • Subject: Want to act like that Ppornstar from the movie u watched yesterday?
  • Subject: quicker,safer,cheaper online chemiststore

These seem to be the standard type of subject lines we have grown accustomed to in our spam folders, brought to you directly by the Storm Worm authors and our online Canadian pharmacists. My full spam log can be viewed here: smtpspamlog.txt.

The "I Kill Spammers" blog has posted a rant on these subject lines and messages here: "Storm of Stupidity". To me it is a humorous read, and I have to give the blog props for linking to my good buddies over at MalwareDomainList.com. If you have not visited MalwareDomainList.com you should go give it a once-over, as it has a large collection of searchable malware domain names and malware server indexes. This site isn't for everyone, but if you're a security researcher or a security hobbyist there is a wealth of information available to you. Well, I believe I have done enough promoting of other sites tonight; as always, if you have any questions or comments feel free to contact me.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm Binary Tracker Updates

Posted by jeremy on 13th July 2008

I had some spare time this afternoon, so I decided to update the web interface to my Storm Tracker database. I hope everyone finds these changes useful, as I have included several correlated data displays in an attempt to make researching the Storm web proxies and binaries I have harvested a little easier and more user friendly. I personally have performed most of these queries on my dataset offline, but was too lazy in the past to create a web front end for them. In addition, I have also included in these new data views embedded hyperlinks that allow you to drill down on different datasets faster.

I do have some ideas for some future enhancements such as Spam tracking, Domain Name tracking, Name Server Tracking, Web Page Tracking, and a possible peers dataset. I can't guarantee I will ever implement any of the above, but they do sound useful.

If any of you have any enhancements or data views you would like to see or think would be useful feel free to contact me with the details, as I will take them into consideration when I decide to revamp the Storm Tracker again.

Posted in Bots and Worms, Site Update, Storm Worm | 2 Comments »

Storm spamming Penny Stocks, and Pharmaceuticals all while performing DDoS attacks

Posted by jeremy on 8th July 2008

After seeing the binary change to almost completely undetectable by all antivirus applications I thought it would be a good time to run it in my lab again. I must say I was not disappointed in this new run as I was able to witness some new characteristics of the Storm Worm along with some new spam messages being generated.

The first instance of spam I want to discuss is the penny stock being pushed by the Storm Worm right now. The company being targeted by this is MINDPIX, a production and media company that has also developed some type of fitness equipment. This company seems to be a target and not a participant in these spam messages, as the CEO David Ballif released this official announcement on July 1st. As requested in his statement I have emailed them what I am aware of and wish them the best of luck in getting this issue resolved. Here are a few examples of the messages being sent out pertaining to this company:

So much. advanecment lately

Symbol: MPIX."PK
Name: Mind Pix Corp.
At tihs time: 0.02,5

T,his stock will go up, up! Don't miss your chance!

Move fast buy ,mpix

The demand is there for MPIX

Symbol traded: mpix
OTC:mpix.pk
Tuedsay close: 2..5 cents

I can not stress the timing en,ough, it is _now.

Get onboard

The next portion of the spam I captured was for the usual two pharmaceutical companies: "Pharmacy Express" and "Canadian Pharmacy". The Storm Worm is pushing the same old discount prescription drugs we have grown used to seeing, and with that here is a list of the unique domain names I parsed out of the logs that point to these two companies:

  • bestphysiciangood.eu
  • childrenseparate.com
  • doctorbutgood.eu
  • doctorfeelgoodphd.eu
  • doctorgoodsite.eu
  • doctorleasegood.eu
  • greatmedicgood.eu
  • happenhalf.com
  • lottube.com
  • maysection.com
  • medicgooddirect.eu
  • medicgoodguide.eu
  • needcertain.com
  • nowcarry.com
  • prepaream.com
  • surgeongood.eu
  • thoughgrand.com
  • valleyearth.com
  • yellowyear.com

All of these domains are using wildcard subdomain A record resolution, so they are able to resolve any subdomain, enabling them to randomize their spam messages like this:

Best prices for licensed cures on the internet.
hxxp://vijai.bestphysiciangood.eu

Necessary chnages in your xxxlife. hxxp://euhni.doctorgoodsite.eu
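Turning a capture like the ones described in these posts (the 6,581-message "Pharmacy Express" run and the randomised-subdomain messages just above) into a blocklist means collapsing each throwaway subdomain to its registered domain before counting, otherwise every message yields a "new" host. This added example, not the blog's own parser, does that over constructed sample messages, counts unique subject lines, and emits RPZ-style block records that cover the wildcard subdomains too; the single-label public suffix assumption is noted in the code.

```python
import re
from collections import Counter

# Constructed messages in the style of the spam quoted on this page (not real captures).
SAMPLE_SPAM = [
    "Subject: Best prices for licensed cures on the internet.\n\n"
    "Best prices for licensed cures on the internet.\nhxxp://vijai.bestphysiciangood.eu\n",
    "Subject: Necessary chnages in your xxxlife.\n\n"
    "Necessary chnages in your xxxlife. hxxp://euhni.doctorgoodsite.eu\n",
    "Subject: Best prices for licensed cures on the internet.\n\n"
    "Best prices for licensed cures on the internet. hxxp://qwzp.bestphysiciangood.eu/\n",
    "Subject: The World War III has already begun\n\n"
    "The World War III has already begun hxxp://dotdailynews.com/\n",
    "Subject: USA occupeid Iran\n\nUSA occupeid Iran http://www.dotdailynews.com/\n",
]

# Accepts both live http(s) links and the defanged hxxp form used in these notes.
URL_HOST = re.compile(r"\b(?:hxxps?|https?)://([A-Za-z0-9.-]+)", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Collapse a randomised wildcard subdomain to the domain that was registered.
    Assumes a single-label public suffix (.com, .eu); a public-suffix list would be
    needed to handle co.uk-style suffixes correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_message(raw: str):
    """Split a raw message into (subject, body); subject is '' when the header is absent."""
    head, _, body = raw.partition("\n\n")
    subject = ""
    for line in head.splitlines():
        if line.lower().startswith("subject:"):
            subject = line.split(":", 1)[1].strip()
    return subject, body


def build_blocklist(messages):
    """Return (Counter of registered domain -> message count, set of unique subjects)."""
    domains = Counter()
    subjects = set()
    for raw in messages:
        subject, body = parse_message(raw)
        if subject:
            subjects.add(subject)
        # Count each registered domain once per message, however many links it carries
        for dom in {registered_domain(h) for h in URL_HOST.findall(body)}:
            domains[dom] += 1
    return domains, subjects


def rpz_lines(domains) -> list:
    """Emit response-policy-zone style records (assumed BIND RPZ syntax) that return
    NXDOMAIN for the registered domain and, because of the wildcard A records,
    for every subdomain under it."""
    lines = []
    for dom in sorted(domains):
        lines.append(f"{dom} CNAME .")
        lines.append(f"*.{dom} CNAME .")
    return lines


if __name__ == "__main__":
    counts, subjects = build_blocklist(SAMPLE_SPAM)
    for dom, n in counts.most_common():
        print(f"{n:4d}  {dom}")
    print(f"{len(subjects)} unique subject lines")
    print("\n".join(rpz_lines(counts)))
```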

The third and last portion of the spam I observed was dealing with the new "Military Theme" the Storm Authors implemented earlier today. Here are the domain names I parsed out of the spam messages pertaining to this theme:

  • dailydotnews.com
  • dotdailynews.com
  • morenewsonline.com
  • newsworldnow.com
  • statenewsworld.com

The message bodies for these emails look like this:

USA occupeid Iran hxxp://dotdailynews.com/

The World War III has already begun hxxp://dotdailynews.com/

As you can see they are focusing on the rising tension between the US and Middle East as a tool to increase their success rate for infections.

I didn't split these messages up into individual files, so here is a list of all 777 unique subject lines including all three campaigns described above: unique_subject_lines.txt. If you want to see the entire log you're in luck and can download it here: spamlog.txt.

The final observation I made during this lab run was four more IP addresses being Attacked with ICMP DDoS packets. Here are the IPs that were targeted:

  • 200.142.97.194 ( correio.gpnetrj.com.br )
  • 216.213.5.111
  • 24.147.98.16 ( c-24-147-98-16.hsd1.ma.comcast.net )
  • 67.195.37.166 ( llf320044.crawl.yahoo.net )

These attacks were consistent with the ICMP echo-request attacks I observed in yesterday's lab run in that they only lasted ~30 minutes and seemed to rotate through with no particular pattern, which has drawn me to the conclusion that the Storm Worm retaliation/defensive techniques are back. So if you're a researcher, be careful while doing your research as you may be on the receiving end of a nasty ICMP DDoS attack before you know it.

As always if you have any questions or comments feel free to contact me.

Posted in Bots and Worms, Storm Worm, Uncategorized | 1 Comment »

Storm Worm Authors move to Military Theme

Posted by jeremy on 8th July 2008

With the 4th of July weekend concluded, the authors of the Storm Worm have changed their theme as well, focusing on a “Military Theme” titled “Military News”. Here is a snapshot of the current Storm Worm web page:

As you can see the Storm Worm authors are focusing in on the recent heightening tensions in the Middle East between the US and Iran. With Iran threatening to burn Tel Aviv in response to any US attacks on their nuclear facilities, and the strains caused by constantly skyrocketing oil prices, this is almost the perfect theme to infect many US citizens just looking for current news. If I had to guess, I would say this theme will be one of the more successful campaigns just because of timing and a well thought out design. Even the banner looks extremely well thought out and designed. I really don't see any obvious mistakes with this theme. Here is a copy of the HTML source code for the page:

Taking a look into the source code reveals that clicking the well-designed banner will download the binary named “form.exe”. If the user clicks either the fake media player image or the “on the video” hyperlink they will download the binary named “iran_occupation.exe”. Both of these binaries are the Storm Worm Trojan just waiting to turn the user's computer into a spamming maniac or a web proxy host serving this web page to other unsuspecting hosts. You will also notice the standard “ind.php” iframe src inclusion will be loaded on every visit behind the scenes. This file has been included in the Storm Worm's exploiting techniques for a few months now, and is the same file containing the 9 well documented exploits we have grown so accustomed to seeing, still heavily obfuscated with JavaScript.

Another major issue that will be driving the Antivirus Companies insane is that there was practically no detection of these new binaries. Here are my VirusTotal Results for the 2 binaries: form.exe Result: 3/33 (9.1%) and iran_occupation.exe Result: 3/33 (9.1%).

I may follow this posting with an update once I have had a chance to analyze these new binaries and run them in my lab. More to come I am sure.

UPDATE: Here is a list of new Storm Worm domain names I discovered right after posting this:

  • statenewsworld.com
  • morenewsonline.com
  • dailydotnews.com
  • dotdailynews.com
  • newsworldnow.com

Posted in Bots and Worms, Storm Worm, Uncategorized | 4 Comments »