Posted by jeremy on 7th July 2008
Looks like the Storm Worm has taken up DDOS ICMP attacks again, as tonight's lab run revealed the following IP addresses being attacked:
- 118.160.208.250 (118-160-208-250.dynamic.hinet.net)
- 67.195.37.166 (llf320044.crawl.yahoo.net)
- 76.98.44.10 (c-76-98-44-10.hsd1.pa.comcast.net)
- 207.206.148.78 (gump.lashback.com)
- 61.229.224.181 (61-229-224-181.dynamic.hinet.net)
- 67.195.37.190 (llf320059.crawl.yahoo.net)
- 201.223.161.134 (134-161-223-201.adsl.terra.cl)
The interesting characteristic I observed during these attacks was that the victim IP addresses were being rotated through at 30-minute intervals. What I mean by this is I watched the Storm Worm bot send 30 minutes of ICMP echo requests to the first IP on the list, then move on to the next IP on the list for 30 more minutes, until I finally turned it off to finalize the lab run and start looking at the captured data. This is the first time I have ever seen a round-robin-style DDOS attack being carried out. With the return of DDOS attacks by the Storm Worm I would definitely say this botnet has just returned to a dangerous state and jumped back onto many security professionals' radar. I have read several recent postings dismissing the danger of the Storm Worm, which I would never recommend doing.
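To make the rotation observation above reproducible from a capture, here is an added example (my code, not the author's lab tooling) that reads tcpdump-style text output, groups consecutive echo requests from one bot by destination, and checks whether the bot moves to a new victim on a fixed schedule. The capture it runs on is constructed, with placeholder bot and victim addresses rather than the IPs listed above; to apply it to a real pcap, feed it the lines from `tcpdump -tttt -n -r storm.pcap icmp`.

```python
"""Segment an ICMP echo-request flood by victim and test for a fixed
rotation schedule.

Added example; this is not the author's lab tooling. It reads tcpdump-style
text lines (tcpdump -tttt timestamps). The sample capture below is
constructed: the bot is 192.0.2.77 and the victims are 198.51.100.x
placeholders, not the addresses listed in the post.
"""
import re
from datetime import datetime, timedelta
from itertools import groupby

# Matches e.g. "2008-07-07 21:00:00.000000 IP 192.0.2.77 > 198.51.100.10: ICMP echo request, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?:\.\d+)? IP "
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): ICMP echo request"
)

BOT_IP = "192.0.2.77"
VICTIMS = ["198.51.100.10", "198.51.100.20", "198.51.100.30"]


def parse_echo_requests(lines):
    """Yield (timestamp, src, dst) for each ICMP echo-request line; replies,
    DNS and anything else are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["dst"]


def segment_targets(lines, bot_ip):
    """Collapse consecutive echo requests from bot_ip to one victim into a
    segment (victim, first_seen, last_seen, packet_count)."""
    pkts = [(ts, dst) for ts, src, dst in parse_echo_requests(lines) if src == bot_ip]
    segments = []
    for dst, group in groupby(pkts, key=lambda p: p[1]):
        times = [ts for ts, _ in group]
        segments.append((dst, times[0], times[-1], len(times)))
    return segments


def rotation_schedule(segments, tolerance=timedelta(minutes=2)):
    """Return (interval, victims) when the bot moves to a new victim on a
    fixed schedule, else None. The interval is measured from the start of
    one segment to the start of the next, so the final segment, which is
    cut short when the capture stops, does not skew it."""
    if len(segments) < 3:
        return None
    gaps = [nxt[1] - cur[1] for cur, nxt in zip(segments, segments[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    if all(abs(g - median) <= tolerance for g in gaps):
        return median, [s[0] for s in segments]
    return None


def make_sample_capture():
    """Constructed capture: 30 minutes per victim, one echo request shown
    every 10 minutes (a real flood has thousands per minute), one echo reply
    per request, a DNS lookup as noise, and the third victim cut short."""
    t0 = datetime(2008, 7, 7, 21, 0, 0)
    lines = [f"{t0:%Y-%m-%d %H:%M:%S}.000000 IP {BOT_IP}.53 > 192.0.2.1.53: 1+ A? example.com. (29)"]
    for minutes in range(0, 80, 10):
        ts = t0 + timedelta(minutes=minutes)
        dst = VICTIMS[minutes // 30]
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S}.000000 IP {BOT_IP} > {dst}: ICMP echo request, id 1, seq {minutes}, length 64")
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S}.000400 IP {dst} > {BOT_IP}: ICMP echo reply, id 1, seq {minutes}, length 64")
    return lines


if __name__ == "__main__":
    segs = segment_targets(make_sample_capture(), BOT_IP)
    for dst, first, last, n in segs:
        print(f"{dst:16} {first:%H:%M}-{last:%H:%M}  {n} echo requests")
    print("rotation:", rotation_schedule(segs))
```

The schedule check deliberately measures start-to-start gaps rather than segment lengths, because the last segment in any capture is truncated by the moment you stop the lab run, exactly as happened above.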
I also captured the spam using my faux SMTP server and identified the following new spam domains inside the message bodies:
- bestphysiciangood.eu
- childrenseparate.com
- doctorbutgood.eu
- doctorfeelgoodphd.eu
- doctorgoodsite.eu
- doctorleasegood.eu
- greatmedicgood.eu
- happenhalf.com
- lottube.com
- maysection.com
- medicgooddirect.eu
- medicgoodguide.eu
- needcertain.com
- nowcarry.com
- prepaream.com
- surgeongood.eu
- thoughgrand.com
- valleyearth.com
- yellowyear.com
All of these domains are the home of a pharmaceutical company named "Pharmacy Express" selling all types of prescription drugs. I covered this pharmaceutical company in my last post, so I won't bore you with the details again. Here is a list of the 584 unique subject lines in the spam emails I captured: Storm Uniq Subject Lines.
In closing, here are tonight's VirusTotal results for msserv.exe: 19/33 (57.58%), and here is tonight's Storm peers list extracted from the msserv.config file: Peers.txt.
As a side note, I have the full pcap file for this DDOS attempt. If you happen to be investigating these attacks and your IP is listed above, or you have a legitimate reason to see these captures, feel free to contact me. I will not distribute these to just anyone, so think before you ask.
Posted in Bots and Worms, Storm Worm | 2 Comments »
Posted by jeremy on 5th July 2008
This morning I figured I would check on the Storm Worm, since its current theme is the "Colorful Independence Day" theme and today is the day after the 4th of July. It looks like the Storm Worm web servers are still serving up the fireworks.exe binary and the image file is still the same, so no changes there.
Where I did find changes was in the Storm Worm spam messages going out. It looks like the spam messages are rotating themes about every 250 to 350 messages, between a pharmaceutical spam theme and new Storm Worm domain names. The new Storm domain names I found in the spam messages are as follows:
- bellestarfireworks.com
- dayfireworkssite.com
- greatfireworkslaws.com
- thefireworksjuly.com
- wholefireworksonline.com
- worldbestfireworks.com
- yourfireworks.com
- yourfireworksstore.com
The following domains are still active as well in serving up Storm Worm binaries:
- activeware.cn
- grupogaleria.cn
- lollypopycandy.com
- nationwide2u.cn
- likethisone1.com
I verified all of these domain names with some passive DNS discovery techniques and identified a few new Storm domain name servers spitting out A records. It looks like there are a total of 71 active Storm Worm DNS servers answering lookup requests. Here is a full list of all 71: Storm NS Servers List.
The pharmaceutical spam site has been modified as well. It looks like they have changed their name from "Canadian Pharmaceuticals" to "Pharmacy Express". This new site appears to be very similar in appearance to the old Canadian Pharmaceuticals site. Here is a snapshot of the Pharmacy Express web page header:

The spammed domain names I grabbed during this spam run were as follows:
- fairneck.com
- girlsultry.com
- ihotair.com
- pharmacydepotonline.com
- prohotsite.com
- redhotcapital.com
- seatdistant.com
- sexyhotworld.com
- squarespell.com
- starfoxguide.com
- teahotspot.com
- theshyfo.com
These domains are also Fast Flux networks, rotating 19 different A records at 120-second intervals, which makes them a little different from the standard Storm web server Fast Flux network. The Storm web server Fast Flux DNS servers rotate IP addresses by serving a new individual A record every 60 seconds. It is my opinion that these TTL changes in A record expirations are a simplistic attempt to avoid discovery by several of the Fast Flux domain discovery scripts out there. Most of the basic Fast Flux discovery scripts look for changes in IP addresses within a 60-second interval, and the authors of the Storm Worm Fast Flux network avoid this discovery by rotating outside this interval. If you are using these types of discovery techniques or scripts, modify them to query at a longer time interval such as 360 seconds to get better results. The problem with this modification is that it is prone to false positives.
The subject line and message content of these spam messages seem to be right in line with all of the other Storm spam messages of the past. The message body is just a short line of text ending with a hyperlink to either the Storm Web server domain or the Pharmacy Express website. Here is a list of the unique Subject lines I extracted from my short lab run this morning: Storm Spam Subject Lines.
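The paragraph above, and the July 7 and July 1 posts on this page, all describe the same triage step: collect the messages on a faux SMTP server, then pull out the link domains and the unique subject lines. This added example (my code, not the author's tooling) performs that step over constructed messages in the one-line-plus-hyperlink format described above, separating links to the known Storm web-server domains from links to any other domain and recording how the two themes alternate across the message sequence. The Storm domain set is assumed from the active list earlier in this post; the message headers and the "Your order" subject are made up, the other subjects and domains are taken from the lists on this page.

```python
"""Triage captured Storm spam: pull the hyperlink domains out of each
message, split them into known Storm web-server domains and everything
else (pharmacy or not-yet-seen Storm domains), and count unique Subject
lines and theme runs.

Added example, not the author's faux-SMTP tooling. The messages below are
constructed to match the one-line-plus-hyperlink format the post describes;
the domains and most subjects come from the post's own lists, and
"Your order" is a made-up pharmacy subject.
"""
import email
import re
from collections import Counter
from itertools import groupby

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Storm web-server domains the post reports as active; assumed as the "known" set.
KNOWN_STORM_DOMAINS = {"activeware.cn", "grupogaleria.cn", "lollypopycandy.com",
                       "nationwide2u.cn", "likethisone1.com"}


def body_text(msg):
    """Decoded text of every text/plain part (handles multipart too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def link_domains(text):
    """Lower-cased hostnames of every http(s) link in the text."""
    return {m.group(1).lower().rstrip(".") for m in URL_RE.finditer(text)}


def triage(raw_messages, known=KNOWN_STORM_DOMAINS):
    """Summarise a batch of raw RFC 822 messages captured by the spam trap."""
    subjects, domains, themes = set(), Counter(), []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        subjects.add((msg["Subject"] or "").strip())
        found = link_domains(body_text(msg))
        domains.update(found)
        # A message is "storm" if any link points at a known Storm web server.
        themes.append("storm" if found & known else "other")
    # Consecutive runs of the same theme show how the spam alternates.
    runs = [(theme, len(list(g))) for theme, g in groupby(themes)]
    return {
        "unique_subjects": sorted(subjects),
        "domains": domains,
        "new_domains": sorted(d for d in domains if d not in known),
        "theme_runs": runs,
    }


def sample_messages():
    """Constructed captures in the post's format: one short line plus a link."""
    def mk(subject, line, url):
        return f"From: a@example.net\nTo: b@example.org\nSubject: {subject}\n\n{line} {url}\n"
    return [
        mk("All I need is You", "I made this for you:", "http://lollypopycandy.com/"),
        mk("Crazy in love", "Open your card", "http://likethisone1.com/"),
        mk("All I need is You", "Look here", "http://nationwide2u.cn/"),
        mk("Your order", "Licensed pharmacy", "http://fairneck.com/"),
        mk("Your order", "Licensed pharmacy", "http://teahotspot.com/"),
        mk("Deep in my heart", "Just for you", "http://Lollypopycandy.com/"),
    ]


if __name__ == "__main__":
    report = triage(sample_messages())
    print(len(report["unique_subjects"]), "unique subjects")
    print("new domains:", report["new_domains"])
    print("theme runs:", report["theme_runs"])
```

Anything that lands in `new_domains` is a candidate for the passive DNS check described earlier in this post; it is either a pharmacy front or a Storm domain the known set has not caught up with yet.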
The Storm Worm binary and configuration file that are loaded into %WINDIR% have also changed names. The new binary is named "msserv.exe" and its corresponding configuration file holding a list of p2p peers is now named "msserv.config". I ran msserv.exe through VirusTotal, VT for msserv.exe, with the normal mid-range result for identification of 18/33 (54.55%). I also extracted a peers list from the msserv.config file, with no real change in the number of peers around me: 871 peers.txt.
Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »
Posted by jeremy on 3rd July 2008
Looks like the authors couldn't resist the opportunity to entice United States citizens with a "Colorful Independence Day" theme. The good news is that only 5 of the 24 domain names I reported the other day are still active. Here is a list of the currently active Storm Worm domain names:
- activeware.cn
- grupogaleria.cn
- lollypopycandy.com
- nationwide2u.cn
- likethisone1.com
The new "Colorful Independence Day" theme is a little different from past campaigns, as it only hosts one binary file and the ind.php exploit scripts. Usually the Storm Worm authors maintain two differently named binaries, available for download through a hyperlink and by clicking an image file. This time the authors are only hosting a binary titled "fireworks.exe", which is downloaded by clicking a colorful image of a fireworks show. Here is a snapshot of the current site:

The normal ind.php file is a hidden iframe inclusion with the normal 9 exploits waiting to serve up a fresh install of the Storm Worm Trojan, turning your computer into a spamming maniac. The VirusTotal results show that many of the antivirus companies are still struggling to keep up and identify the constantly changing/morphing Storm Worm, with only ~52% (17/33) identifying the fireworks.exe binary as malicious, and 2 of those 17 just state that the file is suspicious. I wouldn't count the suspicious-file signatures as a success, so in my opinion only 15/33 really identified the binary. Here is a link to the results page for VirusTotal.
With this being the evening of the beginning of my long weekend vacation, I am going to cut this analysis short and leave you with a "Happy 4th of July". Be safe.
Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »
Posted by jeremy on 1st July 2008
Looks like the authors of the Storm Worm are at it again with the "love theme", but this time with lots of love. I have identified 24 active Storm Worm web server domain names serving up a new Storm Worm binary with very little detection by the antivirus companies according to my VirusTotal results (8/33, 24% detection rate). My current list of active domain names is:
- activeware.cn
- bestlovelyric.com
- gonelovelife.com
- greatadore.com
- grupogaleria.cn
- knowholove.com
- likethisone1.com
- lollypopycandy.com
- loveisknowlege.com
- lovekingonline.com
- lovemarkonline.com
- loveoursite.com
- makeloveforever.com
- makingadore.com
- makingloveworld.com
- musiconelove.com
- nationwide2u.cn
- shelovehimtoo.com
- superlovelyric.com
- theplaylove.com
- wantcherish.com
- whoisknowlove.com
- wholovedirect.com
- wholoveguide.com
Most of these were identified through passive DNS techniques and using my spam lab setup. Looking at the spam I captured in my lab for the newest Storm run, I was able to identify 64 unique Subject lines from 3,743 spam email messages. All 64 unique Subject lines related to the theme of love, which, if I had to guess, must pay high dividends for the Storm authors, as they have returned to this theme over and over again. A few sample subject lines are:
- All I need is You
- Always on my mind
- Can't forget You
- Can't stay away from you
- Crazy in love
- Crazy in love with you
- Deep in my heart
- Deeply in love with you
- Dreaming 'bout you
- Everything for you
All 64 unique subject lines can be seen here: spam_subject.txt. The actual spam contained 65 unique messages, each a simple one-line message containing hyperlinks to one of the 24 active Storm domains listed above. Following any of these hyperlinks leads to the newest version of the Storm Worm web server page, which maintains an Egreetings/Ecard design and the love theme, but with a twist. The web page title is:
Free I Love You Ecards, I Love You Greeting Cards, I Love You Greetings, Cards, ecards, egreetings
The twist is that the Storm authors have added a flashy banner at the top of the page stating you are the 10,000th visitor and that you have won a prize. To claim the prize all you have to do is click through the fake banner advertisement. Here is a snapshot of the current Storm Worm web page:

Examining the source code, there are 2 unique binary names available for download: "winner.exe" and "mylove.exe". By clicking the image stating you're the 10,000th visitor, the winner.exe binary is downloaded. Clicking the hyperlink "click here", the "mylove.exe" binary is downloaded. The Storm Worm authors are also actively maintaining a malicious script titled "ind.php" containing 9 individual exploits hidden from view with an iframe redirection and littered with heavy JavaScript obfuscation to evade detection and analysis.
It is my opinion that this particular version/run of the Storm Worm appears to be the largest in scale this year. I do not remember seeing this many active domain names being used in any of the past runs I have analyzed. I also noticed the Fast Flux network has modified all of the Storm Worm domain name A record TTL values to 60 seconds, instead of the normal 0 seconds. This means the Fast Flux DNS servers will rotate the A records every 60 seconds instead of after every individual query, which may be an attempt to throw off some techniques for analyzing and identifying Fast Flux domain names. Another reason I believe this is one of the largest-scale runs this year is that my Storm web server DNS tracking scripts are averaging ~3,200 unique IP addresses a day instead of last month's daily average of 376 a day. Obviously this is a large increase, but it could be a misleading number, as my tracking scripts have more domain names to work with now than they have ever had in the past, due to the fact that there are so many active domain names right now.
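As an added example covering both the TTL observation above and the July 5 note earlier on this page about polling intervals (my code, not the author's DNS tracking scripts): given the resolution log a polling script would keep, this scores each domain by the unique A records seen over the whole window, the median TTL and the number of answer-set changes, so the verdict does not depend on whether a rotation happens to fall inside a 60-second poll. The domain names are from the posts; the addresses, TTLs and the polling log are constructed to reproduce the three behaviours described (a stable site, a Storm web-server domain handing out one new A record per 60-second TTL, and a pharmacy domain rotating a slice of a larger pool every 120 seconds).

```python
"""Score DNS resolution logs for Fast Flux behaviour: unique A records per
domain, median TTL, and how often the answer set changed between polls.

Added example, not the author's tracking scripts. The observations below
are constructed: the domain names are from the post, but the addresses
(RFC 5737 documentation ranges) and the polling log are made up.
"""
from collections import defaultdict


def flux_stats(observations):
    """observations: iterable of (seconds_since_start, domain, ttl, tuple_of_ips)
    as a polling script would log them. Returns per-domain statistics."""
    per = defaultdict(lambda: {"ips": set(), "ttls": [], "changes": 0, "last": None})
    for _, domain, ttl, ips in sorted(observations):
        s = per[domain]
        s["ips"].update(ips)
        s["ttls"].append(ttl)
        answer = frozenset(ips)
        if s["last"] is not None and answer != s["last"]:
            s["changes"] += 1
        s["last"] = answer
    return {
        d: {
            "unique_ips": len(s["ips"]),
            "median_ttl": sorted(s["ttls"])[len(s["ttls"]) // 2],
            "changes": s["changes"],
        }
        for d, s in per.items()
    }


def is_fast_flux(stat, min_unique_ips=5, max_ttl=300):
    """Flag on the unique-address count over the whole window plus a short
    TTL, rather than on whether the answer changed within any one poll
    interval, so a 60-second and a 120-second rotation score the same way."""
    return stat["unique_ips"] >= min_unique_ips and stat["median_ttl"] <= max_ttl


POOL = [f"192.0.2.{n}" for n in range(10, 16)]   # pharmacy-side address pool (constructed)


def sample_observations():
    """20 minutes of polling every 60 seconds, three domains per poll."""
    obs = []
    for t in range(0, 1200, 60):
        obs.append((t, "www.example.com", 3600, ("203.0.113.5",)))
        # Storm web server: a single A record, TTL 60, new address each minute.
        obs.append((t, "lollypopycandy.com", 60, (f"198.51.100.{t // 60 + 1}",)))
        # Pharmacy site: three A records at a time, TTL 120, pool slides every 120 s.
        i = (t // 120) % len(POOL)
        obs.append((t, "fairneck.com", 120, tuple((POOL + POOL)[i:i + 3])))
    return obs


if __name__ == "__main__":
    for domain, stat in flux_stats(sample_observations()).items():
        print(f"{domain:20} {stat}  fast-flux={is_fast_flux(stat)}")
```

The thresholds are deliberately loose; the post's own caveat applies, in that a CDN-fronted site can also show many addresses with a short TTL, so treat a hit as a lead for the passive DNS and name-server checks described in the July 5 post rather than as a verdict.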
Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »