sudosecure.net

is anything truly secure…

Archive for October, 2008

Comment Spam chasing leads to pay-per-click redirection

Posted by jeremy on 13th October 2008

Looking through my new comment spam tracker, the domain fora.pl jumps right off the page as my biggest offender, so I decided to take a deeper look into this domain and the comment spam associated with it. Fora.pl is owned and operated by Gadu-Gadu S.A., which is based in Warsaw, Poland. Gadu-Gadu S.A. seems to be a very legitimate company that specializes in social communication services such as chat communities, instant messaging, and web radio. Fora.pl fits right into the types of services Gadu-Gadu S.A. offers, as Fora.pl is a free phpBB forum hosting site. Fora.pl basically lets anyone host a phpBB forum on their servers for free as long as they fill out the following form:

Gadu-Gadu S.A. has also published a very nice set of regulations to which all forums are subject, and which everyone registering a forum must comply with in order to continue operating a phpBB forum under their hosting plan. Section 4 of these regulations outlines acceptable service use, which can be seen here (using Google Translate):

Now that we know who owns and operates fora.pl and the policies they have set for the users of this service, let's look at the comment spam I am seeing for this domain. There appear to be two spambots spewing these comment spam messages at my site: 200.63.42.81 and 200.63.42.141. In the last 45 days 200.63.42.141 has spammed my site 322 times and 200.63.42.81 has spammed my site 229 times, for a grand total of 551 times. This may not seem like a lot, but these two IPs rank as numbers 2 and 3 in my spam comment tracker statistics for most activity seen. Doing a quick query to the cymru.com whois server shows us this:

AS IP BGP Prefix CC Registry Allocated AS Name
29073 200.63.42.81 200.63.42.0/24 PA lacnic 2008-03-28 ECATEL-AS AS29073, Ecatel Network
29073 200.63.42.141 200.63.42.0/24 PA lacnic 2008-03-28 ECATEL-AS AS29073, Ecatel Network

Basically these two IP addresses reside on the same class C subnet and obviously share the same BGP information. Doing a whois on both IPs gives us the following:

  • owner:       Panamaserver.com
  • ownerid:     PA-PANA3-LACNIC
  • country:     PA
  • inetrev:     200.63.42/24
  • nserver:     NS1.PANAMASERVER.COM
  • nsstat:      20080927 AA
  • nslastaa:    20080927
  • created:     20080328
  • changed:     20080328
  • person:      Network O. Center
  • e-mail:      ABUSE@PANAMASERVER.COM
  • address:     El cangrejo, 49,
  • address:     0000 – Panama – PA
  • country:     PA
  • phone:       +507  2633723 []
  • created:     20071004
  • changed:     20071027

Panamaserver.com is a shared web hosting and dedicated server rental company which allows anyone to register a domain name and, for privacy reasons, mask their personal contact information behind the hosting company's contact information. I do not think at this time that the owners of Panamaserver.com are the actual culprits behind these spambots; it is more likely that the culprits took advantage of this privacy masking procedure to hide their identities from researchers like me.

Doing a little Google research on these two IP addresses (200.63.42.81 and 200.63.42.141) provided me with some interesting findings. The entire class C subnet is in the Spamhaus Block List (SBL): SBL68225, and according to the Spamhaus report this class C subnet has been associated with Russian malware and criminal hosting. The specific IP address in this subnet Spamhaus based their report on was 200.63.42.97 (spamhostnew.com), so the spamming activity I have seen on my site from this subnet seems to be nothing new and just more of the same. Project Honey Pot has also seen some activity from these two IP addresses: 200.63.42.81 Report and 200.63.42.141 Report. The interesting thing about the Project Honey Pot reports is that they saw the same domain fora.pl being spammed in the comment messages and URLs from these two spambots. Last but not least, Stop Forum Spam had seen activity from these two spambot IPs as well: 200.63.42.81 Report and 200.63.42.141 Report. The Stop Forum Spam reports were interesting, as both of these IPs seem to have started spamming around the middle of August, but these two IPs didn't seem to be as active on sites monitored by Stop Forum Spam as they are on my site. I am not sure why these spambots are not as active on Stop Forum Spam monitored sites, but since the goal of Stop Forum Spam is to block these spambots I would assume most of the monitoring sites have implemented blocks for these two spambots.

Now to take a look at the actual spam being spewed out of these two spambots. There are 9,659 unique subdomains in my comment spam database for the fora.pl domain, which was almost shocking to me when I saw the query results. A full list of these subdomains can be seen here: fora.pl subdomains (note: if you're from fora.pl, this would be a good place to start cleaning stuff up). The last messages posted by these spambots while I was writing this post were:

200.63.42.141:

Charpentier brought our bath <a href=hxxp://methamphetamineurufc.fora.pl/>methamphetamine</a> skull and <a href=hxxp://yasminmkanj.fora.pl/>yasmin</a> made their <a href=hxxp://miacalcinpybff.fora.pl/>miacalcin</a> peacocks. King once pressed caviar <a href=hxxp://adderallxqspk.fora.pl/>adderall</a> bowing and <a href=hxxp://ataraxmujtf.fora.pl/>atarax</a> containing the <a href=hxxp://relenzacahru.fora.pl/>relenza</a> coachman. Coupling the perfect order <a href=hxxp://valporicanemm.fora.pl/>valporic</a> third squatted <a href=hxxp://pepcidrreuc.fora.pl/>pepcid</a> smoothly. Before the aturedness and <a href=hxxp://phendimetrazinemcukk.fora.pl/>phendimetrazine</a> oland had <a href=hxxp://tiazacdnmsm.fora.pl/>tiazac</a> trivet. Woland nodded hoarse cry <a href=hxxp://famvirtxoxl.fora.pl/>famvir</a> the thunder <a href=hxxp://miralaxejxer.fora.pl/>miralax</a> glance over <a href=hxxp://loratadinewlpfr.fora.pl/>loratadine</a> quaintance. King relied was entitled <a href=hxxp://clomidnfgpe.fora.pl/>clomid</a> began riding <a href=hxxp://amphetaminemldun.fora.pl/>amphetamine</a> inevitable.

200.63.42.81:

Tell your leg remained <a href=hxxp://comeoutrollnhldk.fora.pl/>come out roll</a> their bridles <a href=hxxp://doublehandpokerrxgek.fora.pl/>double hand poker</a> private apartments <a href=hxxp://hornbetqnwwk.fora.pl/>horn bet</a> scattered. Professor signalled glittered and <a href=hxxp://cornerbetwmpgq.fora.pl/>corner bet</a> and alpinism <a href=hxxp://comeoutrolldubvq.fora.pl/>come out roll</a> amala. Woland went off with <a href=hxxp://fastwayapmaq.fora.pl/>fast way</a> heldybin done <a href=hxxp://casinolxrmq.fora.pl/>casino</a> ounterfeit money <a href=hxxp://yablondydjq.fora.pl/>yablon</a> blank. Dear old not forgotten <a href=hxxp://jackpotgncec.fora.pl/>jackpot</a> taggering and <a href=hxxp://wildcardlxvfc.fora.pl/>wild card</a> bleeding profusely <a href=hxxp://redorblackxoouc.fora.pl/>red or black</a> successful. Professor watched strap that <a href=hxxp://wildcardfxzxc.fora.pl/>wild card</a> visible hesitation <a href=hxxp://handrankntluz.fora.pl/>hand rank</a> shall sit <a href=hxxp://fiveofakindxdwoz.fora.pl/>five of a kind</a> path. Catholic priest there emerged <a href=hxxp://passlineiseqi.fora.pl/>pass line</a> narrowing his <a href=hxxp://bonusgamexjeyi.fora.pl/>bonus game</a> way had <a href=hxxp://baccaratskrli.fora.pl/>baccarat</a> goo. Duke smuggled until she <a href=hxxp://gamblinghfjxi.fora.pl/>gambling</a> procurator went <a href=hxxp://payouttablerbkpl.fora.pl/>payout table</a> erkoz. English attendants and aspiration <a href=hxxp://diceawyba.fora.pl/>dice</a> its pointed <a href=hxxp://pontoonkhmva.fora.pl/>pontoon</a> clarations. Just frizzle ary things <a href=hxxp://rideonpokerfkdva.fora.pl/>ride on poker</a> lamp into <a href=hxxp://fastwayolvma.fora.pl/>fast way</a> left disappoint <a href=hxxp://piratestreasuretusga.fora.pl/>pirate\\’s treasure</a> trembled. Mina wants and drew <a href=hxxp://trueoddsyqqxa.fora.pl/>true odds</a> they killed <a href=hxxp://jackpotzruqa.fora.pl/>jackpot</a> uthorities. 
Margarita came most cases <a href=hxxp://trueoddsbxcja.fora.pl/>true odds</a> giving both <a href=hxxp://cornerstreettkgpa.fora.pl/>corner street</a> worsened. Artful nothing yet there <a href=hxxp://threeofakindlwnsa.fora.pl/>three of a kind</a> same indifferen <a href=hxxp://4perlineqigda.fora.pl/>4 per line</a> cerned. Gardiner read the object <a href=hxxp://cornerbetcuica.fora.pl/>corner bet</a> his circumstan <a href=hxxp://hopebetzhude.fora.pl/>hope bet</a> screamed. Nikolaevna answered sitting alone <a href=hxxp://bonussymbolykwte.fora.pl/>bonus symbol</a> begged passionate <a href=hxxp://egmjygbe.fora.pl/>egm</a> nanta. Nobles like oroviev stood <a href=hxxp://backhandzrbme.fora.pl/>back hand</a> start and <a href=hxxp://bigeightcqgqe.fora.pl/>big eight</a> gruel. King that flitted before <a href=hxxp://bonussymbolgioie.fora.pl/>bonus symbol</a> wheeling along <a href=hxxp://hornbetyhxme.fora.pl/>horn bet</a> tormentor. Professor nodded want you <a href=hxxp://placebetjfvww.fora.pl/>place bet</a> former tribune <a href=hxxp://backhandpsdax.fora.pl/>back hand</a> pluttering with touch.

As you can see these messages seem almost cryptic and make absolutely no sense, so I decided to take a look at a link embedded in one of these messages. The link I followed was “hxxp://egmjygbe.fora.pl/”, which led to a phpBB forum titled “what does EGM proxy stand for: download september 2007 EGM magazine”. The forum post wasn't as cryptic as the comment spam, but it definitely didn't flow. Here are the first few sentences:

Children would presumably be immunized against cocaine dependence at the request of their egm lair parents. New approaches egm halo 3 screenshots to influenza chemotherapy. Therefore, optimal surveillance at this point is essential for successful containment. Note: halo 3 egm august scans bold page numbers denote material in figures, tables and boxes. Kong, despite easy exchange of family members between the two areas, egm free subscriptions does suggest, fortunately, a virus with halo 3 august egm a low infectiousness.

So what would a spambot that is so active be hiding in these forums? Well, nothing more than some obfuscated JavaScript. Here is a copy of the original obfuscated JavaScript I extracted from the phpBB forum page: obfusticated_js. Using SpiderMonkey I was able to deobfuscate the script to this: deobfusticated_js. As you can see from the deobfuscated JavaScript output, this is just a really complex way to redirect you to “hxxp://bestcasinogroup.com/search.php?q=egm+key”. The +key part is just used to modify your search results to display different links. So who is bestcasinogroup.com? Here is some information from a whois query:

Domain Name: BESTCASINOGROUP.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: VC11.AMHOST.NET
Name Server: VC12.AMHOST.NET
Status: clientTransferProhibited
Updated Date: 22-sep-2008
Creation Date: 14-apr-2008
Expiration Date: 14-apr-2010

Administrative Contact:
Protect Details, Inc
Domain Manager (privatecontact@protectdetails.com)
29 Kompozitorov st.
Saint Petersburg
,194358
RU
Tel. +7.8129342271

These whois results share the theme of other ESTDOMAINS malware/crimeware domain names in that they are using the privacy protection option offered by protectdetails.com at ESTDOMAINS. If you have been following the discussions and/or actions between ESTDOMAINS and several malware analysts these last few weeks, this theme should be very familiar. Now bestcasinogroup.com is only a redirect and is not the stopping point of the obfuscated JavaScript code. Bestcasinogroup.com redirects to usacasinoworld.net, which is hosted on the same IP, 72.232.116.51. Performing a whois lookup against usacasinoworld.net provided the following information:

Domain Name: USACASINOWORLD.NET
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: VC11.AMHOST.NET
Name Server: VC12.AMHOST.NET
Status: ok
Updated Date: 22-sep-2008
Creation Date: 13-jun-2008
Expiration Date: 13-jun-2009

Administrative Contact:
N/A
Naumenko Genadiy Vladimirovich (msndrugs@mail.ru)
Kolomoysko 56
Kiev
Kiev,03056
UA
Tel. +380.0976576665

This time the domain registration information wasn't protected, but I doubt very seriously that msndrugs@mail.ru is a legitimate email address with an anxious domain administrator waiting to shut this all down. usacasinoworld.net is the last stop for the obfuscated JavaScript redirection, but this isn't the end of the oddness associated with this spam. A screen shot of the usacasinoworld.net ending point can be seen here:

All of the links shown in this screen shot are redirects/click-through tracking. Here is an example link string from the above screen shot:

hxxp://66.230.188.67/click.php?c=eNodkcuSqjAYhB/IKvxzAZLFLBSVUTioiCBsThESREe8Ag5WHv5Qp3vTveqq/k6amIRppP9sv740NTijSNsGQhoDMASIwiBEtawvVUZWlbYFKkyTEMntHAOmJTcBC8Us2+SCY/VXElyWpWKMgm2CYGUu0ZAsJXNkE1JohIc9FdyazwV1x/NkUqlFSXucNq97+jr1PS0E3T9ue2kHEz/23Bs44fvByh5+16SNik2a7Onl+/CEvq4b97fxkkXYts/o1Ky78eh5z9D2M7rfu62TMT8bnWd8lMyd/nR9KdmG9aQYf7r29rK68/Tmsd003zSk9HrlFpHjtJ8qWiX51o/dyTTGo+OyBxa5mYrbd9sE4WKWrcVquUmvh2fu1TIsl08qf46wFoF/zqvlyeEsv4M8v8nb8qQX1qW/+wYaPjxVuNBcgvFi5qYb/8rnd963fhooRB2rGNv1eE7Y9LgNNrv3wGP4y0CWgbBBLA3axgYmeIBjGSYMXWMtiST+JUDiuqJREv8UvXkWGDoN/62JloegSvHikydmJzHvhbttRR2DZsrGTEhqc0kAZKHA4hYijOZCcVXCP+dPqm8=

The IP 66.230.188.67 is the same in every search redirect I checked. Another interesting observation was that 66.230.188.67 was running an nginx/0.5.37 server, a lightweight HTTP server that is sometimes used by crimeware and malware authors to act as a proxy. Again, a whois lookup found:

OrgName:    ISPrime, Inc.
OrgID:      IPRM
Address:    300 Boulevard East
Address:    Suite 100
City:       Weehawken
StateProv:  NJ
PostalCode: 07086-6702
Country:    US

Now ISPrime, Inc. has had its fair share of issues in the past, so again I was not surprised by these results either. What I am surprised about is the final result of this crazy maze that started with two spambots posting spam to my blog that led to a free phpBB forum hosted at fora.pl. This phpBB forum hosted some obfuscated JavaScript that redirected me to bestcasinogroup.com, which then redirected me again to usacasinoworld.net. At usacasinoworld.net we found that all links from this generic search engine were directed through an nginx server (66.230.188.67), most likely serving as a pay-per-click redirection server based on some of the web sites I ended up on by clicking the links presented to me. All of this craziness to earn a few cents with pay-per-click redirection. Obviously these guys are good at it, and I am sure this won't be the last time I run into them on the internet chasing spam.

Just as a general note, I have sent emails off to all of the POCs for these domains and IPs in an attempt to get this shut down, but I doubt anything will happen quickly. With that being said, I would suggest taking the above information and adding it to your content filters, proxies, and/or firewalls to prevent this stuff from entering your network. As always, if you have any questions or comments regarding this post feel free to contact me anytime.

Posted in spam | 2 Comments »

Storm Worm – Go away, we’re not home

Posted by jeremy on 5th October 2008

In the last few weeks I have received several requests for information regarding the Storm Worm. So today I thought I would perform an analysis in my lab on the last Storm binary (postcard.exe) I retrieved using my Storm Binary Tracking scripts, dated “2008-09-18 18:42:28”, just to see if I could possibly find the answers to some of the questions many of you have asked. To be perfectly honest and clear, I have not seen any spam, DDoS attacks, or fast flux domain activity related to the Storm Worm since mid September, so I too am curious as to what has happened to this menace.

During execution of the postcard.exe binary, a binary named neos.exe was installed into “%WINDIR%”, accompanied by its normal p2p peer configuration file named crock+mock.config. Immediately following the installation of this new binary the neos.exe process was started, and I was greeted by the normal Storm Worm network traffic, including the p2p UDP traffic. This p2p UDP traffic demonstrates how resilient the Storm Worm Trojan really is, in that I haven't seen a new binary in almost a month and yet I was communicating with a few hundred Storm Worm infected hosts. Being curious as to how many peers were listed in the crock+mock.config file, I ran my Perl decode script used to extract peers from the configuration file, which extracted a total of 848 IPs. The entire peer list can be seen here: peers.txt. I also submitted the IPs to the whois.cymru.com server to get ASN and country data, which can be seen here: peers_asn.txt. As you can see from the peer files, almost half of the hosts reside in the US, 348 to be exact, and most of the hosts reside on large residential ISP network segments. So far these stats line right up with everything we have seen associated with the Storm Worm characteristics in the past, which to me is odd since there hasn't been a new Storm Worm campaign in over a month.

Since it was more of the same for the Storm Worm network configuration statistics, I thought I would also check my Storm p2p decryption script to see if the Overnet protocol was still being encrypted with the same XOR key. Sure enough my script decoded the UDP p2p traffic, and nothing was new here either, as I still saw the same old Overnet/eDonkey commands being issued such as Publicize, Publicize ACK, Connect, Connect Reply, IP Query, IP Query Answer, Identify, Identify Reply, Search Info, and Search End. Since the crock+mock.config file provided me with 848 peer IPs, I decided to see just how many Overnet peers I was actually communicating with during my lab run. Here is a list of all 1,441 peers that sent me some type of Overnet traffic: overnet_peers.txt, and here are the results of my bulk submission to the cymru.com whois server: overnet_peers_asn.txt. As you can see the US led the way once again with 353 infected hosts, with RU trailing right behind with 114 infected hosts.

The next thing I noticed in the network traffic was DNS queries for the domain name policy-studies.cn, which is where an old rootkit was stored in a past campaign. This domain name has long been shut down, so I decided to run a faux DNS server script to give my infected lab machine an A record to see what would happen. After reconfiguring my infected host to perform DNS lookups using my faux DNS server, the neos.exe process started requesting a file named getbackup.php. The getbackup.php file was the same rootkit file request seen over a month ago, so I assume this DNS request and file retrieval is hard coded in the neos.exe binary and is not something that was passed to it as a parameter via the Storm p2p network or the TCP control network.

Taking a look at the TCP traffic is where things really got interesting. Several of the TCP servers were answering my requests with the following reply: “Go away, we're not home”. This to me was just plain hilarious and demonstrated that even in an inactive period for the Storm Worm the authors have one hell of a sense of humor. Here is a list of all the Storm TCP servers that responded with this intriguing message: goaway_ip.txt, and its corresponding bulk result from the cymru.com whois data: goaway_ip_asn.txt. Interestingly enough, all 18 of these servers were located in two countries, the US and Mexico. I am not sure how relevant or important this is, or if it was just a coincidence. Not all of the TCP servers communicating with my lab box provided this message. The servers that did not reply with this message simply sent reset packets and stopped the TCP handshake, so these could be patched or cleaned boxes, leading me to believe my TCP requests were based on old data residing in the Storm network and/or binary. In an attempt to perform fair analysis, here is the list of 50 servers that did not respond with the “Go away” message: tcp_storm_noaway.txt, and its corresponding cymru.com whois data: tcp_storm_noaway_asn.txt. These servers are definitely more geographically dispersed over a wide range of countries and ASNs.

So what does all this mean for the Storm Worm? Well, I am not really sure and can only make guesses as to why we haven't seen another Storm campaign recently. My first guess would be that with all the recent data being published on the Storm Worm encryption mechanisms and its Double Fast Flux architecture, especially the Black Hat presentation by Joe Stewart in Vegas (which, may I say, was very insightful), the Storm authors are making some major changes and have put everything else on hold until these changes can be rolled out into production. My second guess would be that the heat from law enforcement sent them into hiding or laying low for a while. This second guess could also be combined with the first guess, and the authors could be reworking their architecture to get the heat off of them. My final guess would be that the authors of the Storm Worm made enough money off the surge of campaigns we saw at the beginning of the summer that they really are not home and are off taking a vacation, most likely enjoying spending all that cold hard cash they earned off the Canadian pharmaceutical spam, penny stock manipulation, and phishing scams we grew so accustomed to seeing. My final conclusion is that the Storm Worm is currently dead/inactive, but I would not be surprised at all if we saw a new and improved Storm Worm in the coming months. I think the question isn't whether Storm is dead, but more like when will we see it return and what new features or tactics will it have in store for us.

As always, if you have any questions or comments feel free to contact me or leave a comment, as they are always welcome and appreciated.

Posted in Bots and Worms, Storm Worm | 8 Comments »