Another "Storm" Wave ...

2007-07-01, 01:51
Follow up post/thread from http://forums.spybot.info/showthread.php?p=99490#post99490 ...

- http://isc.sans.org/diary.html?storyid=3063
Last Updated: 2007-06-28 23:33:56 UTC...

- http://preview.tinyurl.com/2g58ud
June 28, 2007 (Computerworld)...

- http://www.us-cert.gov/current/#new_storm_worm_variant_spreads
June 29, 2007


- http://asert.arbornetworks.com/2007/06/you-got-postcard-malware/
June 29, 2007 ~ "...Pretend you actually clicked the link. What would happen? You’d possibly get your machine recruited into the Peacomm spam botnet. This handy diagram* shows you what happens once you hit the website. There’s some obfuscated JavaScript on the page which builds a link to /123.htm, a malicious ANI file (MS07-017), and other exploits - QuickTime, WinZIP, and WebViewFolderIcon - all to cajole your computer into downloading files and launching them. There’s also a link to “/ecard.exe”, a downloader... If you actually get hit, your box will ping the web server (/aff/cntr.php) start to download the Peacomm components, like /aff/dir/sony.exe , /aff/dir/logi.exe, and /aff/dir/pdp.exe..."

(*Diagram shown at the URL above.)


2007-07-02, 17:51

"Other subject lines used with this message include the following:

You've received a greeting card from a school-mate!
You've received a greeting ecard from a class mate!
You've received a greeting ecard from a neighbour!
You've received a greeting postcard from a partner!
You've received a greeting postcard from a worshipper!
You've received a postcard from a family member!
You've received a postcard from a neighbour!
You've received a postcard from a worshipper!
You've received an ecard from a colleague! ..."

- http://www.snopes.com/computer/virus/postcard.asp
Last updated: 1 July 2007


2007-07-03, 21:58

Storm worm with 4th of July subject lines
- http://isc.sans.org/diary.html?storyid=3090
Last Updated: 2007-07-03 19:48:30 UTC ...(Version: 2) ~ "We've been receiving numerous mails from readers reporting new subject lines being featured by the Storm Worm. Below is a brief overview of those gathered so far...

Celebrate Your Independence
Independence Day At The Park
Fourth of July Party
American Pride, On The 4th
God Bless America
Happy B-Day USA
July 4th Family Day
Your Nations Birthday
July 4th B-B-Q Party
Happy 4th July
4th Of July Celebration
Fireworks on the 4th ..."


2007-07-04, 17:43

- http://www.f-secure.com/weblog/archives/archive-072007.html#00001224
July 4, 2007 ~ "...Using an IP address and not a domain name is a pretty good sign that you shouldn't click on the link... They work exactly the same way as the other greeting cards and the ones we've seen have all been using IP addresses for the clickable link. Again, stay away from them... What's great is that the security community is actively trying to get these sites shut down but the bad guys just keep on changing the IP address in the new mails. In addition, they keep changing the files that are being downloaded..."

(Screenshots available at the URL above.)


2007-07-09, 13:09

The ever morphing Storm
- http://isc.sans.org/diary.html?storyid=3117
Last Updated: 2007-07-09 03:01:00 UTC - "Readers have been reporting emails with subjects such as:
* Spyware Detected!
* Malware Alert!
* Virus Detected!
The Storm virus from the last week or so (greeting cards) has morphed into this new version. Nothing new, the texts have changed somewhat and the subject line is different. By and large it is still the same attempt to get people to download an exe file. Auscert* has put out an alert on this as there has been an increase of these messages in the region.
As per usual discourage users from blindly clicking links in emails. Educate them on your corporate AV and AS practices so they will know that the message is not legit and even if you do block all these messages maybe raise awareness with staff so they don't fall for these types of messages at home. Blocking downloads of exe files is also a good start..."

* http://www.auscert.org.au/render.html?it=7813


2007-07-09, 15:27

Fake alert emails
- http://www.f-secure.com/weblog/archives/archive-072007.html#00001226
July 9, 2007 - "The same gang that has been sending out malicious links in e-mail messages appearing to be greeting cards or 4th of July greetings have now added a new look and feel to their e-mail. Now they might also look like malware, trojan, or spyware alerts from a Customer Support Center and the e-mail speaks about abnormal activity that has been seen from your IP address. All you supposedly have to do is to click on the link and run the file to fix it or else your account will get blocked. Needless to say the downloaded file is malicious. Again the file is downloaded using an IP address and not a DNS name but this time around they've tried to disguise themselves with a text hyperlink. We detect the downloaded file as Packed.Win32.Tibs.ab."
(Screenshot available at the URL above.)

New fake patch malicious code run
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=786
July 09, 2007


2007-07-25, 22:56

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201200849
July 24, 2007 - "The Storm worm authors are waging a multi-pronged attack and generating the largest virus attack some researchers say they've seen in two years. "We are basically in the midst of an incredibly large attack," said Adam Swidler, a senior manager with security company Postini. "It's the most sustained attack that we've seen. There's been nine to 10 straight days of attack at this level." Swidler said in an interview with InformationWeek that the attack started a little more than a week ago, and Postini since then has recorded 200 million spam e-mails luring users to malicious Web sites. Before this attack, an average day sees about 1 million virus-laden e-mails, according to Postini. Last Thursday, however, the company tracked 42 million Storm-related messages in that day alone. As of Tuesday afternoon, Postini researchers were predicting they would see that day between 4 million and 6 million virus e-mails -- 99% of them associated with the Storm worm..."
> http://www.postini.com/stats/


2007-07-27, 10:45

- http://www.f-secure.com/weblog/archives/archive-072007.html#00001236
July 27, 2007 - "On Wednesday* we blogged about major seeding of Trojan-Downloader.Win32.Agent.brk. This is now happening again... This time the e-mail attachment is named as bsaver.zip. E-mail subjects have also been revised. Below is a list of some examples we have witnessed so far:
Sunrise in your life
Life will be better
Good summer
Do it for pleasure
Life is good
Wanna be slim?
Good summer, dude
Two Telephone Calls And An Air
Be like me!
To be slim
Paradice in bed
The file is currently detected as Trojan-Downloader:W32/Agent.EXJ ..."

* http://www.f-secure.com/weblog/archives/archive-072007.html#00001234

(Screenshots available at the URLs above.)


2007-08-03, 14:57

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201202711
Aug 2, 2007 - "As the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a botnet of nearly 2 million computers -- researchers worry about the damage hackers could wreak if they unleash a denial-of-service attack with it. Between July 16 and Aug. 1, researchers at software security firm Postini have recorded 415 million spam e-mails luring users to malicious Web sites, according to Adam Swidler, a senior manager with Postini. Before the Storm worm began its attack, an average day sees about 1 million virus-laden e-mails crossing the Internet. On July 19, Postini recorded 48.6 million and on July 24, researchers tracked 46.2 million malicious messages -- more than 99% of them are from the Storm worm... Joe Stewart, a senior security researcher at SecureWorks, noted that the number of zombie computers that the Storm worm authors have amassed has skyrocketed in the past month. From the first of January to the end of May, the security company noted that there were 2,815 bots launching the attacks. By the end of July, that number had leapt to 1.7 million..."


2007-08-08, 05:23
Thanks for the invaluable info, Jack :cool:


2007-08-10, 14:22

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201311245
Aug. 9, 2007 - "...Researchers at SecureWorks discovered late Wednesday that the Storm worm authors have taken their full attention off of e-mail-based attacks and have started creating malicious Web pages... Jackson said he spotted two malicious Web sites that have the Storm attack malware embedded in them. One site was set up specifically for malicious purposes, while the second is a legitimate site that attackers hacked into and infected. The legitimate site is a community forum for fans of Apple's Mac computers. Oddly enough, the malware doesn't affect the Mac - only Microsoft's Windows platform, and specifically the Internet Explorer browser..."


2007-08-14, 21:01

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=792
August 14, 2007 - "...new Storm Trojan tactics being used within emails. The new emails are using the Subject: "Greeting Card Victim" and contain the following:
> Email Body:
Class-mate(enter name) has created Greeting card for you victim at christianet.com. To see your custom Greeting card, simply click on the following link: http:// <stripped>
Send a FREE greeting card from christianet.com whenever you want by visiting us at: This service is provided and hosted by christianet.com.
> End of Email Body
Just like previous attacks, the URLs point to a compromised machine that is hosting the BOT -and- an HTTP proxy. The same exploit code attempts to run the file without user intervention; however, the file name has changed to msdataaccess.exe..."


2007-08-18, 19:37

- http://www.f-secure.com/weblog/archives/archive-082007.html#00001253
August 18, 2007 - "Last Wednesday we blogged* about the changing tactics being used by the Zhelatin / Storm Worm gang and their "eCard for you" -themed malware spam. The tactics are changing again. The malicious websites haven't changed; they still spread malicious msdataaccess.exe files. However, the emails no longer talk about ecards..."

* http://www.f-secure.com/weblog/archives/archive-082007.html#00001249

(Screenshots available at both URLs above.)


2007-08-21, 14:10

New filename for Storm Trojan/Bot
- http://www.websense.com/securitylabs/blog/blog.php?BlogID=140
Aug 20 2007 - "The Storm Trojan / Bot continues to spread like wildfire. The latest version has a variety of subjects and email bodies but now uses the filename applet.exe.
> Email copy sample:
Here is your membership info for Downloader Heaven.
Member Number: 2259948423
Temorary Login: user6278
Temp Password ID: gr272
Please Change your login and change your Login Information.
Follow this link, or paste it in your browser: http: //...
Technical Services
Downloader Heaven..."

- http://isc.sans.org/diary.html?storyid=3298
Last Updated: 2007-08-21 ...(Version: 3) - "Looks like Storm moved to a new mutation. The e-mails are now inviting users to become members in various "clubs". Here is a sample I just got:
> Subject: Login Information
'Dear Member,
Are you ready to have fun at CoolPics.
Account Number: 73422529174753
Your Temp. Login ID: user3559
Temorary Password: jz438
Please Change your login and change your Login Information.
This link will allow you to securely change your login info: http: //...
Thank You,
New Member Technical Support
I have seen about a dozen different ones so far. They are all "confirmations" in this style to various web sites. The web page offers again an "applet.exe" for download. In short: We don't need to enumerate variants of the e-mail message. If you are brave and know what you are doing, download the applet.exe and try to reverse it (not easy typically). Thunderbird warned me that the link is a scam. (I think it does so for all numeric IP links). My copy of applet.exe was about 114 kB large. While many AV scanners detect it as "evil" based on heuristic signatures, some well known scanners don't (maybe Virustotal is running them without heuristic turned on, or they just don't do it)..."
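Two of the tells quoted above (F-Secure: the link uses a raw IP address, later hidden behind a "text hyperlink"; ISC: Thunderbird flags numeric-IP links) can be checked mechanically on inbound mail. The following is an added example, not code from the thread or from any of the vendors quoted; the sample message bodies are constructed and use documentation address ranges.

```python
"""
Flags the two lure link patterns described in the thread: a clickable link
whose host is a numeric IP literal, and an anchor whose visible text shows one
site while the href points somewhere else. Added example; sample bodies are
constructed (192.0.2.0/24 is a documentation range).
"""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Gathers (href, anchor text) pairs and the message's visible text."""

    def __init__(self):
        super().__init__()
        self.links = []      # (href, visible anchor text)
        self.text = []       # all character data, anchors included
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, lower-cased, or None if absent or unparseable."""
    if not url:
        return None
    try:
        host = urlparse(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(body):
    """Return a sorted list of (url, reason) pairs for an HTML or plain-text body."""
    collector = _LinkCollector()
    collector.feed(body)
    findings = set()

    for href, anchor in collector.links:
        real = host_of(href)
        if is_ip_literal(real):
            findings.add((href, "numeric IP host"))
        shown_url = URL_RE.search(anchor)
        shown = host_of(shown_url.group(0)) if shown_url else None
        if shown and real and shown != real:
            findings.add((href, f"text shows {shown} but link goes to {real}"))

    # Plain-text lures (the early e-card mails): a bare URL with a numeric IP host.
    for match in URL_RE.finditer("".join(collector.text)):
        url = match.group(0).rstrip(".,)")
        if is_ip_literal(host_of(url)):
            findings.add((url, "numeric IP host"))

    return sorted(findings)


# Constructed samples modelled on the lures quoted in the thread.
SAMPLES = {
    "ecard": "You've received a postcard from a neighbour! http://192.0.2.10/",
    "alert": '<p>Abnormal activity from your IP. <a href="http://192.0.2.25/fix.exe">click here</a></p>',
    "youtube": '<a href="http://192.0.2.7/video.exe">http://www.youtube.com/watch?v=xyz123</a>',
    "benign": '<a href="http://www.example.com/card">http://www.example.com/card</a>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, suspicious_links(body))
```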


2007-08-25, 23:41

Malicious Website/Code: Storm adds YouTube lures
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=799
August 25, 2007 - "The Storm Trojan / Bot continues to spread and is now using a YouTube video to lure users. The latest version has a variety of subjects and email bodies but now uses the filename video.exe.
Email subject example: Sheesh man what are you thinkin.
Upon connecting to the URL, which is referenced as a YouTube link but is actually a Storm IP, the same exploit code used in past attacks attempts to run. As in the past if users are not vulnerable they will get a page displayed that requests they run the code manually..."

(Screenshot available at the URL above.)

- http://www.websense.com/securitylabs/blog/blog.php?BlogID=141
"...Conclusion: The Storm attack is something we can expect more of in the future. It is an organized, sophisticated, well planned out and resilient attack that has infected millions of machines around the world. The techniques use a combination of attack vectors including; DNS, Web, P2P, encryption, and several evasion techniques. This not only highlights the need for deploying sophisticated counter measures to mitigate your company's risks, but also shows the need for more collaborative efforts across borders with law enforcement, ISPs, and other folks moving forward."

Also see: http://isc.sans.org/diary.html?storyid=3321
Last Updated: 2007-08-25 21:00:55 UTC ...(Version: 2)


2007-08-30, 15:35

- http://www.theregister.com/2007/08/29/storm_hits_blogger/
29 August 2007 - "...By now, anyone who doesn't live under a rock is familiar with the spam messages bearing subjects such as "Dude what if your wife finds this" and "Sheesh man what are you thinkin" and including a link to a supposed YouTube video. Recipients foolish enough to click on the link are taken to an infected computer that tries to make their machine part of a botnet. Now Storm Worm, the malware responsible for those messages, has overrun Google-owned Blogger. According to one search, some 424 Blogger sites have been infected..."


2007-08-31, 17:01

More Peacomm Tactic Changes
- http://atlas.arbor.net/briefs/index#-24164615
Severity: Elevated Severity
Published: Thursday, August 30, 2007 10:36
"This week has seen additional Peacomm malware lure changes. Emails have now been appearing that encourage users to view YouTube videos, download beta software, and to try out new software. All of these are methods that the Peacomm authors are using to attract new victims. At last count we have seen some estimates between 1 million and 10 million or more infected computers. This is a staggering number of infected machines and we are working with others to combat this problem.
Analysis: We have been monitoring the changes in the lure tactics of the Peacomm worm, and have seen them change more frequently as of late. We are not certain what the next change will be, but we anticipate it will happen soon."


2007-09-06, 22:11

- http://www.f-secure.com/weblog/archives/archive-092007.html#00001272
September 6, 2007 - "A new round of storm worm attacks is playing on people's paranoia against being watched online. This time the lure leads users to a "TOR download" page, which is... surprise, surprise... fake... Clicking on the button in that webpage will download a malicious file called tor.exe into the system. This file is already detected as Email-Worm:W32/Zhelatin.IL. Do note that the real TOR application is hosted on http://tor.eff.org/. For those unfamiliar with it, it is a system designed to enable its users to communicate anonymously over the Internet."

(Screenshot available at the URL above.)


2007-09-09, 14:47

Stormworm Tactics Change to Football Fungus
- http://www.disog.org/
September 08, 2007 - "...Starting about 13:50 GMT ...noticed the domains started rotating the IP's less frequently. Looking back at my logs I came up with this:
2007-09-08 13:49 (GMT):
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT):
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT):
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT):
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT):
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT):
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT):
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT):
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT):
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT):
2007-09-08 15:44 (GMT) - NOW:
Now the index page is NFL related (and nicely done) which is sharing NFLTracker.exe (NFLTracker.exe - Infected: Trojan.Peed.III). It's not using any of the xor'd javascript or browser exploits. This page is strictly social engineering... Our guess is the domains will be changing soon, with football related names - or that there will be mass infection of football related sites with frames pointing to the peer pages."

(Screenshot available at the URL above.)

Per: http://isc.sans.org/diary.html?storyid=3361

Also: http://www.f-secure.com/weblog/archives/archive-092007.html#00001273
September 9, 2007 - "...To become infected you have to click on one of the links or on the picture (they all point to the same file – tracker.exe) and run the file. Still, this can change at any moment so don't click on any links you receive in these e-mails."

(More screenshots available at the F-Secure URL above.)


2007-09-16, 17:10

- http://www.f-secure.com/weblog/archives/archive-092007.html#00001277
September 16, 2007 - "The latest tactic from Storm Worm: e-mails with links to a fake gaming site... All the links from these pages point to ArcadeWorld.exe – detected by us now as Zhelatin.JP."

(Screenshot available at the URL above.)


2007-09-24, 12:51

More cards...
- http://www.f-secure.com/weblog/archives/archive-092007.html#00001280
September 24, 2007 - "There are a high number of reports for Trojan-Downloader.Win32.Banload.DRS today... This time the bad guys have once again returned to the (e-mail) attachment name of card.exe... The subject lines are recycled as well:
Hot pictures
Hot game
Here is it
You ask me about this game, Here is it
Something hot ..."

(Table shown at the URL above.)


2007-09-25, 20:39

- http://asert.arbornetworks.com/2007/09/todays-radar/
September 21, 2007 - "...Storm Worm numbers after reading Storm Drain*, from the Microsoft Anti-Malware Engineering Team blog. Several people, myself included, had put size estimates in the millions of hosts. Microsoft’s numbers suggest far, far fewer, on the order of hundreds of thousands. People tell me they have seen a decrease in the number of DDoS attacks from Storm, and also I have seen a slowing of the email lures in the past week and a half. It looks like the MSRT is having an effect. Some people estimate half, some about 25%, but overall a real decrease..."
* http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx


2007-09-28, 21:21

Stormy Skies
- http://asert.arbornetworks.com/2007/09/stormy-skies/
September 27th, 2007 - "A couple of third-party reports on the Storm Worm (aka Peacomm, aka Nuwar, aka Tibs, aka Zheltin, aka CME-711).
1. The first is a detailed binary analysis of the malcode involved in the Storm Worm from Frank Boldewin. This is one of the only such analyses made public that I have seen; everyone else has theirs privately kept:
'It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all things that happens on this way, like: XOR + TEA decryption, TIBS unpacking, defeating Anti-Debugging code, files dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit-driver does.'
(From: http://www.reconstructer.org/papers/Peacomm.C%20-%20Cracking%20the%20nutshell.zip
[ZIP], by Frank Boldewin.)
2. Second up is a great timeline of the Storm Worm lures, specifically the ones to lure you to the website and get infected via malicious HTML (i.e. the setSlice() vuln). Unfortunately it does not cover the spammed EXEs that appeared in the Winter of 2007, it just covers the “e-card” and beyond timeframe. It also doesn’t cover any changes in the website HTML or exploits. Still, this is the first such compendium of this data I’ve seen shared publicly. I made a smaller one on a private list one night, but without so much data or detail.
3. A third point of interest, and the research focus for this blog, is the structure of the spam runs themselves. The accepted notion is that the runs are distinct from one another based on their subject matter. For example, we consider “NFL” spam to be one instance of the Storm attack, and “ArcadeWorld” another, but we cannot by that alone make an assertion regarding their specific rate of occurrence and precise ordering. Our goal is to confirm the ordered relationship between subjects, and to use the resulting distribution and frequency data to build a volume-based chronology."
(From: http://www.websense.com/securitylabs/blog/blog.php?BlogID=147 Websense Security Lab blog)


2007-10-10, 15:49

YouTube feature exploited to send spam
- http://www.sophos.com/pressoffice/news/articles/2007/10/youtube-spam.html
5 October 2007 - "...Spam emails seen by Sophos claim to come from the email address service @ youtube .com, and attempt to lure users into visiting dating websites or offering prizes of the recently released Halo 3 arcade game for the XBOX 360 console. By putting their spam message in the 'comments' section of the 'invite-a-friend' facility on YouTube, hackers have been able to hijack the website for the purposes of sending unsolicited email..."

- http://www.news.com/2102-7349_3-6212674.html?tag=st.util.print
Oct 10, 2007 - "...Spammers are taking advantage of the YouTube function that lets people invite friends to view videos that they have viewed or posted. The function allows someone to e-mail any address from an account. The scam on Google's video-sharing site is targeting Xbox owners, urging recipients to collect a prize version of the popular game Halo 3. Anstis said clicking on the link to "winhalo3" leads to a file containing a Storm trojan..."


2007-10-10, 17:57
Thanks, Jack - most informative!


2007-10-12, 14:00

Malicious Website/Code: New Storm tactic: Kitty Greeting Card
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=807
October 11, 2007 - "Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks... This site poses as a free Ecard Web site. No exploit is on the site itself. However, when users click any of the URLs, they are prompted to download and run a file called "SuperLaugh.exe ." This file contains the Storm payload code..."

(Screenshot available at the URL above.)

- http://www.f-secure.com/weblog/archives/00001291.html
October 12, 2007


2007-10-16, 13:46

The Changing Storm
- http://www.secureworks.com/research/blog/index.php/2007/10/15/the-changing-storm/
October 15, 2007 by Joe Stewart - "The latest Storm variants have a new twist. They now use a 40-byte key to encrypt their Overnet P2P traffic. This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities. If that’s the case, we might see a lot more of Storm in the future. The good news is, since we can now distinguish this new Storm traffic from “legitimate” (cough) Overnet P2P traffic, it makes it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow P2P traffic (I.E. not corporate networks, we hope!). Matt Jonkman over at Bleedingthreats.net has written some signatures* to detect Storm nodes on a network in a generic way. These signatures look for certain UDP packet sizes typical of Storm, occurring over a certain threshold. Since there’s no content matching, these could be prone to false positives in certain cases, so the usual caveats with bleeding-edge signatures apply.*"

* http://www.bleedingthreats.net/index.php/2007/10/15/encrypted-storm-traffic/
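The content-free approach Stewart describes (count UDP packets of characteristic sizes per source, alert over a threshold) is easy to prototype over flow records, and the same prototype shows where the false positives come from. This is an added example, not the Bleedingthreats signatures or SecureWorks code; the packet sizes used are placeholders rather than the real signature values, and the flow records are constructed.

```python
"""
Sliding-window detector for Storm-like UDP chatter: a source host that sends
at least `threshold` UDP packets of characteristic sizes to at least
`min_peers` distinct destinations within `window` seconds is flagged. The
distinct-peer condition is an added guard against the false positives the post
warns about: an Overnet node talks to many peers, while a single busy pair is
more often an ordinary application. Sizes and records are constructed.
"""
from collections import defaultdict, deque

# Placeholder payload sizes (bytes), NOT the values used by the real signatures.
STORM_LIKE_SIZES = {25, 48, 69}


def parse_flow_line(line):
    """Parse 'epoch src_ip dst_ip proto payload_len' into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, size = parts
    try:
        return {"ts": float(ts), "src": src, "dst": dst,
                "proto": proto.upper(), "size": int(size)}
    except ValueError:
        return None


def detect_storm_like(lines, sizes=STORM_LIKE_SIZES, threshold=10,
                      window=60.0, min_peers=5):
    """
    Return {src_ip: timestamp_of_first_alert}. `lines` must be in time order
    (assumed; a real pipeline would sort or buffer). Malformed lines, non-UDP
    records and packets outside the size set are ignored.
    """
    per_src = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    alerts = {}
    for rec in (parse_flow_line(line) for line in lines):
        if rec is None or rec["proto"] != "UDP" or rec["size"] not in sizes:
            continue
        q = per_src[rec["src"]]
        q.append((rec["ts"], rec["dst"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()                      # drop packets that fell out of the window
        if rec["src"] in alerts:
            continue                         # report each host once
        if len(q) >= threshold and len({dst for _, dst in q}) >= min_peers:
            alerts[rec["src"]] = rec["ts"]
    return alerts


def constructed_flows():
    """Constructed flow log: one infected-looking host, one chatty single-peer host, noise."""
    recs = []
    # 12 size-48 UDP packets to 12 different peers over 30 s (TEST-NET-2 addresses).
    for i in range(12):
        recs.append((1000 + 2.5 * i, "10.0.0.5", f"198.51.100.{i + 1}", "udp", 48))
    # 15 matching packets, but all to one destination: should not alert by default.
    for i in range(15):
        recs.append((1001 + 2 * i, "10.0.0.9", "203.0.113.7", "udp", 48))
    # A TCP record of a matching size must be ignored.
    recs.append((1010.0, "10.0.0.11", "203.0.113.9", "tcp", 48))
    recs.sort()
    lines = [f"{ts} {src} {dst} {proto} {size}" for ts, src, dst, proto, size in recs]
    lines.insert(3, "not a flow record")    # malformed input must be skipped, not crash
    return lines


if __name__ == "__main__":
    print(detect_storm_like(constructed_flows()))
```

Lowering `min_peers` to 1 also flags the single-peer host, which is the false-positive exposure of a pure size-and-threshold rule.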


2007-10-17, 21:07

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=808
October 17, 2007 - "Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks. For more details on the Storm attack, see ( http://www.websense.com/securitylabs/blog/blog.php?BlogID=141 ).
This site poses as a new piece of software called "Krackin v1.2" and advertises:
* Easy to install
* Auto-Virus scanning
* Mobile Source Downloading
* IP Blocking to Prevent Tracking
* Unwanted User Blocking
Users with unpatched computers are automatically exploited. Users with patched computers are prompted to download and run a file called "kracking.exe". This file contains the Storm payload code..."

(Screenshot available at the URL above.)

More references - same stuff:
- http://www.disog.org/2007/10/lets-get-this-party-krakin.html

- http://www.f-secure.com/weblog/archives/00001296.html
October 17, 2007 - "...a mere visit to the site using an unpatched system will trigger an exploit to automatically download and execute a malicious file. Patched systems are protected but only if the users do not choose to download the file (with filename krackin.exe) and execute it themselves. The webpage is detected as Trojan-Downloader.JS.Agent.KD while the file is detected as Email-Worm.Win32.Zhelatin.KE. This is one network you wouldn't want to join, so make sure to keep your databases updated."


2007-10-25, 12:43

- http://www.networkworld.com/news/2007/102407-storm-worm-security.html
10/24/07 - "...Some who have managed to reverse engineer Storm in an effort to figure out how to thwart it have suffered DDoS attacks that have knocked them off the Internet for days... As researchers test their versions of Storm by connecting to Storm command-and-control servers, the servers seem to recognize these attempts as threatening. Then either the worm itself or the people behind it seem to knock them off the Internet by flooding them with traffic from Storm’s botnet..."

> http://www.theregister.com/2007/10/25/storm_worm_backlash/


2007-10-31, 11:29

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=814
October 30, 2007 - "Websense® Security Labs™ has confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Halloween twist in its attempts to infect users with malicious code. The first copies of the new emails began going out just before 9:00am PST on Tuesday, October 30th. As with previous Storm emails, various subjects and bodies will be used. Here is one example email:

Example Subject: Nothing is funnier this Halloween

Example Body:
Come watch the little skeleton dance.
http : // <URL Removed> /..."

(Screenshot available at the URL above.)


2007-10-31, 19:31

Warezov Domains on All Hallows Eve
- http://www.f-secure.com/weblog/archives/00001306.html
October 31, 2007 - "Storm seems to have seized the Warezov gang's mojo. They just don't make as much noise as they once did... Using his "patented" data mining techniques, Toni turned up 2039 domains connected to the Warezov gang as of 12:00 today. Of those, 810 domains resolved as a fast flux*. 1229 do not currently resolve. They're dead. (Or are they undead?) These domains are used for both malware downloads and for pushing spam. The next step is to get them taken down. No small task that.

Download the Lists:
Domains — 2039 ( http://www.f-secure.com/weblog/archives/Warezov_Domains.txt )
Fast Fluxes — 810 ( http://www.f-secure.com/weblog/archives/Warezov_Domains_Online.txt )
Undead — 1229 ( http://www.f-secure.com/weblog/archives/Warezov_Domains_Offline.txt ) ..."

* http://en.wikipedia.org/wiki/Fast_flux


2007-11-02, 08:36

Storm Worm Changes Course
- http://preview.tinyurl.com/2mvsqs
November 1, 2007 - (Symantec Security Response Weblog) - "The authors of the Storm worm (also known as Trojan.Peacomm) have shown an uncanny knack of changing or shedding key components of the threat in order to enhance its persistence and spread. This week saw the latest incarnation of the threat, Trojan.Peacomm.D, reveal itself as halloween.exe or sony.exe. What is most interesting about this latest variant of the Storm worm is that its authors have removed some key functionality that was present in the previous variant, Trojan.Peacomm.C. Specifically, the threat no longer:
1. infects other legitimate drivers on the system. Previous variants infected drivers such as Tcpip.sys and Kbdclass.sys. This was a stealth-like feature used by the threat to start early with the operating system and without loading points in the Windows Registry.
2. injects itself into legitimate processes like Explorer.exe and Services.exe.
Instead the threat now relies less on legitimate components on the operating system and has new proprietary components to do its dirty work. The driver associated with the latest variant, noskrnl.sys, works hand in hand with the user mode noskrnl.exe to provide the same stealth-like capabilities that involved more components, both illegitimate and legitimate, in the past... In terms of the latest variant, both holloween.exe and sony.exe are detected as Trojan.Packed.13 and the low level driver component, noskrnl.sys, is detected as Trojan.Peacomm.D*..."

* http://www.symantec.com/security_response/writeup.jsp?docid=2007-041222-3056-99


2007-11-15, 00:02

Storm Worm Victims Get Stock Spam Pop-Up
- http://preview.tinyurl.com/3dlq5l
November 13, 2007 - Brian Krebs - "If you're a Windows user and today received a surprise pop-up advertisement urging you to invest in an obscure penny stock, it is highly likely that your computer is infected with the virulent Storm worm, a nasty intruder that currently resides on an estimated 200,000 PCs worldwide. Criminal groups that control the pool of Storm-infected computers have traditionally used those systems to pump out junk e-mail ads touting thinly traded penny stocks as part of an elaborate and ongoing series of "pump-and-dump" schemes. But today, according to security researchers, the Storm worm authors went a step further by causing a pop-up ad for a particular penny stock to be shown on all infected machines. Atlanta-based SecureWorks* tracked the latest Storm activity, which began earlier this morning..."

Are You Infected With Storm?
* http://preview.tinyurl.com/2jqgn3
November 13, 2007 by Joe Stewart - (Secureworks) - "If you saw the following browser window pop up on your desktop today for no apparent reason, you are..."
(Screenshot available at the SecureWorks URL above.)


2007-11-15, 16:45

Storm Brews Over Geocities
- http://blog.trendmicro.com/storm-brews-over-geocities/
November 15th, 2007 - "...There are limited reports that the Storm worm may be spamming emails with links to a Geocities site. This was seen in the monitoring of the spam templates being sent via Storm communications to its botnets... The links contained within the said messages point to various accounts created under the popular Yahoo!-managed Geocities site. However, what appears to be links to personal Web sites hosted on Geocities are actually URLs that redirect... user is coaxed into downloading an “iPix plug-in” (from http: // {BLOCKED}.{BLOCKED}.238.36/ iPIX-install.exe). Unfortunately, the iPix plug-in, which Trend Micro detects as TROJ_ZBOT.BJ, downloads more malicious files..."


2007-11-29, 14:38

- http://www.securitypark.co.uk/security_article.asp?articleid=260134&Categoryid=1
29/11/2007 - "A copycat spam gang has developed a botnet that is currently responsible for more than 20 per cent of all spam in circulation, according to Marshal’s threat research TRACE Team. The botnet now has the ability to distribute similar amounts of spam as the notorious Storm botnet. Marshal has touted the spammers responsible for this botnet the “Celebrity Spam Gang”, owing to their fondness for using celebrity names in their spam. The Celebrity Gang has been building up their botnet since August 2006. They have managed this by spamming out messages with malware attachments that commonly feature subject lines about nude celebrities like Angelina Jolie and Britney Spears but have also promised free games and Windows Security Updates..."
- http://www.marshal.com/trace/traceitem.asp?article=421


2007-11-29, 18:48
Merci, Monsieur!


2007-12-24, 12:02

Anticipated Storm-Bot Attack Begins
- http://isc.sans.org/diary.html?storyid=3778
Last Updated: 2007-12-24 03:41:39 UTC
"Overview and Blocking Information
Shortly after 0000 GMT 24-DEC-2007 reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a Christmas-themed stripshow directing victims to merrychristmasdude .com.

The message comes in with a number of subjects:
Subject: I love this Carol!
Subject: Santa Said, HO HO HO
Subject: Christmas Email
Subject: The Perfect Christmas
Subject: Find Some Christmas Tail
Subject: Time for a little Christmas Cheer

The body is something similar to:

do you have a min?
This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these...

hxxp: // merry christmasdude .com / ...
Recommend that you apply blocks on that domain (merrychristmasdude.com) for both outbound HTTP requests and incoming emails.

Under The Hood
The domain appears to be registered through nic.ru and hosted on a fast-flux network of at least 1000 nodes. Like previous Storm waves, the binary changes approximately every 15 minutes; supposedly updating the peer-list used by the P2P network that the bot-net uses for command and control."

More... screenshot available here:
- http://www.disog.org/2007/12/stormworm-is-back-have-merry-christmas.html

and another ref:
- http://asert.arbornetworks.com/2007/12/storm-is-back-dude/

- http://isc.sans.org/diary.html?storyid=3778
Last Updated: 2007-12-24 13:11:38 UTC ...(Version: 3)
"...nice and tidy analysis available at: http://holisticinfosec.blogspot.com/2007/12/storm-bot-stripshow-analysis.html
...There's nothing new or exciting here: SPAM component, headless P2P, seasonal social engineering, fast flux, and other pervasively annoying attributes. User awareness, as always, is your strongest defense. Cheers and happy holidays, except for you RBN a$$h0735."

- http://www.f-secure.com/weblog/archives/00001349.html
December 24, 2007 - "...The IP address of the site changes every second. We also already detect it earlier as Email-Worm.Win32.Zhelatin.pd ... Don't be naughty and go wondering to that domain. Please do not click on the "Download For Free Now" button as it will get you infected. Merry Christmas, y'all!"
(Screenshot available at the F-secure URL above.)


2007-12-26, 13:04

Happy New Years .... from the Storm Worm
- http://isc.sans.org/diary.html?storyid=3784
Last Updated: 2007-12-25 19:36:34 UTC ...(Version: 3) - "Now that Christmas is here, the Storm Worm is moving on to New Years.

Overview and Blocking Information
Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Years-themed e-card... The message comes in with a number of subjects and body-text. The one line message bodies are also being used as the subject lines.

Seen So Far:
A fresh new year
As the new year...
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It's the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year
Update 1:
Happy New Year to You!
Happy New Year to <email address>
Lots of greetings on the new year
New Year wishes for You...

>>> We recommend applying filter blocks on the domain (u have post card.com) for both incoming email and outbound web traffic.
Under The Hood
As with 'merry christmas dude.com', this domain appears to be registered through nic.ru. It also appears to be hosted on the same fast-flux network, now with at least 8000 nodes.
If you go to that web site, currently the malware file is 'happy2008.exe'. We will add more analysis details throughout the day as we get them.
Update... blog entry from the other day with information about the newest Storm Worm. His blog posting is available at http://holisticinfosec.blogspot.com/2007/12/new-years-storm-deja-vu.html ..."

- http://www.f-secure.com/weblog/archives/00001350.html
"Updated to add: On (Dec)26th we started seeing a new domain: happycards2008.com. The filename has morphed as well, to happy-2008.exe..."


2007-12-27, 15:15

- http://asert.arbornetworks.com/2007/12/storm-and-2008-new-campaign/
December 27, 2007 - "...The filenames were “happy2008.exe”, “happy-2008.exe”, and now “happynewyear.exe”... Again, fast flux DNS (TTLs set to 0 seconds, lots of IPs being cycled in there, nameservers also fast fluxing in the network), open resolver, etc... Be wary of random e-cards from people you’ve never heard of, stay updated with AV, don’t run as administrator, etc..."

- http://isc.sans.org/diary.html?storyid=3784
Last Updated: 2007-12-27 13:39:26 UTC ...(Version: 5)
"Update: ...shortly before 0700 GMT 27-DEC-2007, the Storm Worm has changed the domain name and the executable file name being used to spread yet again. The email messages now refer to the URL http: // new year cards 2008 . com (spaces added) and the file to be downloaded is 'happynewyear.exe'. As with the previous URLs and filename, we recommend applying filter blocks on the domain for both incoming email and outbound web traffic."


2007-12-27, 20:34

Storm switches tactics third time, adds rootkit
- http://preview.tinyurl.com/yqt7q4
December 27, 2007 (Computerworld) - "...The file being shilled today is tagged to "happynewyear.exe." More important is the behind-the-scenes addition of a rootkit to the versions of Storm now being seeded to infected machines, said researchers. Both Marco Giuliani of Prevx* and an independent security researcher named Russ McRee have posted analyses of Storm's cloaking attempt. "[Storm now has] better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?)," said McRee on his HolisticInfoSec Web site**. "No more hanging out in the open, easily seen"..."

* http://www.prevx.com/blog/74/Storm-Worm-third-round.html

** http://holisticinfosec.blogspot.com/2007/12/holiday-storm-part-3.html


2007-12-28, 21:17
Add another domain:
- http://blogs.pcmag.com/securitywatch/2007/12/a_stormy_new_year.php
December 28, 2007 - "...Consider the following unsolicited e-mail:
From: ccs @ gotapco.com
Sent: Friday, December 28, 2007
To: Larry Seltzer
Subject: Happy 2008!
Wishes for the New 2008 Year
hxxp: // newyearwithlove .com
DON'T GO TO THAT DOMAIN! If you do, or to one of several others with similar names, you'll be redirected to an HTTP request for an EXE file pushing a trojan horse program. The domains are all registered with an unresponsive Russian registrar. Thirteen different name servers on different networks are listed as authoritative in order to make it harder to bring the domain down. Even more may be added, if necessary, to keep the domain up..."

- http://preview.tinyurl.com/yud8re
December 27, 2007 (Computerworld) - "...According to WHOIS look-ups, both the happycards2008.com and newyearcards2008.com domains were registered with a Russian domain registrar named RUcenter only yesterday; the listed contact for the two domains is a "Bill Gudzon" of Los Angeles, Calif., but the contact phone number gave only a constant busy signal. Since the newest Storm attack began on Monday with spam touting Christmas-themed strippers, the code has been repacked hundreds of times, a trick malware authors use to deceive signature-based antivirus software. Prevx, said Giuliani*, has already detected more than 400 variants of the version now in circulation."
* http://www.prevx.com/blog/74/Storm-Worm-third-round.html


2007-12-31, 22:52

Is a New Year's Storm a’brewin?
- http://preview.tinyurl.com/3apa67
December 31, 2007 10:40 AM (Symantec Security Response Weblog) - "...The Peacomm gang doesn’t seem content with their recent spam run and have launched a new one. Symantec is currently observing a spam run to celebrate New Years, 2008... Contained in the email is a URL to one of several possible Web sites. What is interesting is the number of recently registered domains involved in this spam run. It looks like another Clause family member- “Larry Clause”- has been very busy over the past few days, registering a number of domains with NIC.RU to aid the spam run. So far we have observed the following sites all involved in the spam run with most being registered to a Larry Clause:
• familypostcards2008.com
• freshcards2008.com
• happy2008toyou.com
• happycards2008.com
• happysantacards.com
• hellosanta2008.com
• hohoho2008.com
• newyearcards2008.com
• newyearwithlove.com
• parentscards.com
• postcards-2008.com
• Santapcards.com
• Santawishes2008.com
If clicked on, the user is presented with a plain page with the following text:
'Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run. Enjoy!'

Their use of fast flux hosting on botnets makes it very difficult to stop the hosting of this risk... be very cautious of opening greeting cards, especially from people you do not know. Always keep your antivirus software up-to-date and follow safe computing practices..."


2008-01-03, 17:22

Active Storm Worm Domains - Christmas, New Year’s Campaign
- http://preview.tinyurl.com/2ueud4
January 2, 2008 (Arbornetworks) - "Based on a bunch of sources:

All of these are worth blocking by DNS methods (become the local SOA, NXDOMAIN them) and looking for in your emails (look for a simple URL with those domain names near the end of a very short email)...
UPDATE: Added parentscards.com, which is now in use."
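Arbor's advice above (sinkhole the domains locally so they answer NXDOMAIN, and look for a very short mail whose only payload is a URL on one of them) as a worked example. This is added code, not from the thread or from Arbor Networks: it takes the domain list from the Symantec post of 2007-12-31 as a sample blocklist, emits Unbound local-zone stanzas using Unbound's always_nxdomain zone type, and classifies a few constructed sample mails; the 40-word threshold and the sample mails are assumptions.

```python
"""Added example: sinkhole Storm campaign domains and flag the short-mail lure.
Not from the thread or Arbor Networks; domain list taken from the Symantec
post above, sample mails and the 40-word threshold are constructed."""
import re
from urllib.parse import urlparse

# Domains listed in the Symantec post of 2007-12-31, used here as a sample blocklist.
STORM_DOMAINS = {
    "familypostcards2008.com", "freshcards2008.com", "happy2008toyou.com",
    "happycards2008.com", "happysantacards.com", "hellosanta2008.com",
    "hohoho2008.com", "newyearcards2008.com", "newyearwithlove.com",
    "parentscards.com", "postcards-2008.com", "santapcards.com",
    "santawishes2008.com",
}

def unbound_nxdomain_zones(domains):
    """Unbound local-zone lines: always_nxdomain answers NXDOMAIN for the
    zone and every name under it, so fast-flux hosts under it die too."""
    return [f'local-zone: "{d.lower().rstrip(".")}." always_nxdomain'
            for d in sorted(domains)]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registered_domain(host):
    """Last two labels of the host: 'www.hohoho2008.com' -> 'hohoho2008.com'.
    Good enough for the .com/.cn names in this thread, not for co.uk-style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_email(body, blocklist=STORM_DOMAINS, max_words=40):
    """Return (verdict, reason). 'storm-lure' = very short body whose last
    token is a URL on a blocklisted domain, the pattern Arbor described."""
    matches = list(URL_RE.finditer(body))
    if not matches:
        return ("clean", "no URL")
    # Strip sentence punctuation that the URL regex swallows ("...com," etc.).
    hosts = [urlparse(m.group().rstrip(".,;:!?)")).hostname or "" for m in matches]
    hits = [h for h in hosts if registered_domain(h) in blocklist]
    if not hits:
        return ("clean", "no blocklisted domain")
    trailing = body[matches[-1].end():].strip() == ""   # URL is the last thing in the mail
    if len(body.split()) <= max_words and trailing:
        return ("storm-lure", f"short body ending with URL on {hits[0]}")
    return ("suspicious", f"blocklisted domain {hits[0]} in longer body")

# Constructed sample mails (the first mirrors the one quoted in the PC Magazine post).
SAMPLE_MAILS = {
    "lure":   "Wishes for the New 2008 Year\nhttp://newyearwithlove.com",
    "lure2":  "Happy 2008!\nhttp://www.happycards2008.com/",
    "long":   ("Team, the holiday roundup is attached. One of the sinkholed names, "
               "http://hohoho2008.com, showed up in three tickets; all were blocked. "
               "Please review the attached list before Monday and note anything missed."),
    "benign": "Minutes from today are at http://intranet.example.com/minutes/2008-01-02",
}

def scan_samples():
    """Verdict per constructed sample mail."""
    return {name: classify_email(body)[0] for name, body in SAMPLE_MAILS.items()}

if __name__ == "__main__":
    print("\n".join(unbound_nxdomain_zones(STORM_DOMAINS)))
    for name, verdict in scan_samples().items():
        print(f"{name:7s} -> {verdict}")
```

The zone stanzas go into unbound.conf on the resolver your clients actually use; because the match is on the registered domain, the fast-flux hostnames and the www. variants resolve to NXDOMAIN as well. The mail check deliberately separates the "short body ending in the link" case from a blocklisted domain buried in a longer message, since the latter is just as likely to be an analyst or ticket quoting the domain.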

2008-01-04, 14:59

- http://preview.tinyurl.com/3cj8m3
January 3, 2008 (TrendMicro blog) - "...The good folks over at the German HoneyNet Project* have some interesting statistics which indicate that, due to renewed efforts over the course of the Christmas and New Year’s holiday, the puppet masters controlling the Storm Botnet managed to increase the Storm Botnet size by more than 200%... given that the newest iterations of Storm include (and revolve around) a new promulgation of a rootkit component**, it can be somewhat difficult to ascertain specific detection numbers... Social engineering continues to be a major, major threat vector..."

* http://honeyblog.org/archives/156-Measuring-the-Success-Rate-of-Storm-Worm.html

** http://blog.trendmicro.com/storm-gets-new-toys-for-christmas/


2008-01-09, 14:04

Phishing from the Storm Botnet
- http://www.f-secure.com/weblog/archives/00001359.html
January 9, 2008 - "Last night there was a phishing run using the domain i-halifax.com. The IP address of the site was changing every second or so. The server i-halifax.com was an active fast flux site and was hosted within a botnet. Interestingly, when we picked out a random IP address from the list and resolved that address to other sites hosted in the past, we found something familiar: Hmm… hellosanta2008.com… postcards-2008.com? Sounds like Storm. So somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before. But we've been expecting something along these lines. From our end-of-year Data Security Wrap-up:
'October brought evidence of Storm variations using unique security keys. The unique keys will allow the botnet to be segmented allowing "space for rent". It looks as if the Storm gang is preparing to sell access to their botnet.'
This may be what's happening now."
(Screenshots available at the URL above.)

- http://www.fortiguardcenter.com/advisory/FGA-2008-02.html
2008.January.07 - "...As of writing, the phishing run is targeting Barclays customers. All of the emails have a similar body..., and display a typical social engineering speech directed towards users who have a moderate level of awareness. These users are ones who may have heard online banking is subject to some fraudulent computer attacks, but cannot identify one. Phishers often use this social engineering approach for 3 reasons:
1. A security check is a good pretext to ask people to log in to their account
2. The "fear factor" carried by a security check is a strong incentive for people to actually carry forward
3. Users may feel that since it is a security check, it cannot be an attack the email is referring to ..."
UPDATES: As of 16:00 January 7, 2008 the notified registrar appears to have taken action as the fraudulent Barclays domain in question (linked to by the phishing emails) no longer responds to queries. As of January 8, 2008 new emails emanating from the Storm botnet have been observed by the Fortinet Global Security Research Team which use the same social and domain engineering, however target a different bank: Halifax. This is a precursor that other banks may be targeted as well..."
(Screenshots available at the Fortinet URL above.)

- http://blog.trendmicro.com/a-new-storm-twist-phishing/
January 8, 2008 - "...several domains which were only registered yesterday “popped up” on our internal early warning systems overnight, and surprisingly enough, we started seeing these hosts serving up phishing pages (partial screenshot of Royal Bank of Scotland phish above) today. Another interesting aspect of this turn of events is that these hosts are part of the Storm fast-flux botnet, and we detected them while watching domain activity normally associated with suspected RBN (Russian Business Network) -associated activities. We can only suspect that perhaps a portion of the Storm botnet is being rented out to phishers..."


2008-01-09, 22:38

Stormy Skies - Clearing?
- http://asert.arbornetworks.com/2008/01/stormy-skies-clearing/
January 9th, 2008 - "Seems like NIC.RU has been cleaning house a bit. The recent Storm worm domains appear to have all been cleared up. This domain appears to be dead in both the whois records - it says the domain is locked - and DNS databases.

UPDATED: a short while after it was originally posted to note that -all- domains are dead, not just one or two."


2008-01-16, 04:44

Malicious Code: New Storm Tactic: Valentine's Day
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=838
January 15, 2008 - "Websense® Security Labs™ has received reports and confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Valentine's Day twist in its attempts to infect users with malicious code... As with previous Storm emails, various subjects and bodies will be used... 3 different email lures containing 3 different subject lines and message..."

- http://www.f-secure.com/weblog/archives/00001363.html
January 15, 2008 - "Yet another wave of the Storm worm is now being spammed widely and this time it's all about love. They were late for Christmas, just in time for new year and really early for Valentine. The filename being downloaded now is withlove.exe..."

- http://asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
January 15th, 2008 - "...inspection reveals it’s a pointer to a storm node...
Subject lines seen so far:
* A Toast My Love
* Your Love Has Opened
* Sending You My Love ..."

(Screenshots available at all URLs above.)


2008-01-16, 12:46

- http://isc.sans.org/diary.html?storyid=3855
Last Updated: 2008-01-16 10:26:18 UTC - "...The e-mails Storm is sending are same as in last couple of waves – a subject designed to catch your attention and the body with a URL consisting of only an IP address... only 4 anti-virus programs out of 32 on VirusTotal properly detected it with virtually no coverage amongst the most popular anti-virus programs. These results are not completely correct since some AV programs are able to block Storm when the user tries to execute it, due to behavior analysis. That being said, it still shows that the server side packing/obfuscation Storm uses works..."


2008-01-16, 18:43
FYI... (current "Subject" and attachment list - Storm e-mail SPAM list)

- http://preview.tinyurl.com/2r6gma
January 16, 2008 (Symantec Security Response Weblog) - "...The subjects and bodies we have seen so far include the following (many are recycled from the Storm worm's 2007 Valentine's Day campaign):

• A Dream is a Wish • A Is For Attitude • A Kiss So Gentle • A Rose
• A Rose for My Love • A Toast My Love • Come Dance with Me
• Come Relax with Me • Dream of You • Eternal Love
• Eternity of Your Love • Falling In Love with You • For You....My Love
• Heavenly Love • Hugging My Pillow • I Love You Because
• I Love You Soo Much • I Love You with All I Am • I Would Dream
• If Loving You • In Your Arms • Inside My Heart • Love Remains
• Memories of You|A Token of My Love • Miracle of Love
• Our Love is Free • Our Love Nest • Our Love Will Last
• Pages from My Heart • Path We Share • Sending You All My Love
• Sending You My Love • Sent with Love • Special Romance
• Surrounded by Love • The Dance of Love • The Mood for Love
• The Time for Love • When Love Comes Knocking • When You Fall in Love
• Why I Love You • Words in my Heart • Wrapped in Your Arms
• You... In My Dreams • Your Friend and Lover • Your Love Has Opened
• You're my Dream

Attachment Name:
• withlove.exe
• with_love.exe ..."


2008-01-18, 15:56
Interesting site - "Storm Tracker":

> http://www.trustedsource.org/TS?do=threats&subdo=storm_tracker
Daily New Web Proxy IPs
Most Active Storm Web Proxy IPs
Top Storm Domains
Newly Activated Storm Web Proxy IPs
Recently Seen Storm Web Proxy IPs
Geolocation of Storm Web Proxy IPs


2008-01-30, 11:19

New Storm tactic: Medical spam sites
- http://www.websense.com/securitylabs/blog/blog.php?BlogID=170
Jan 29 2008 - "...Storm worm has changed spamming tactics. Spam sent by infected hosts contain links of the format:
http ://(IP address)/(short random directory name)
These links redirect users to medical spam sites, but the links are still infected at the root level (e.g. http ://IP address/). The redirects help these medical spam sites attempt to evade spam filters..."

- http://blog.trendmicro.com/storm-now-serving-bad-medicine/
January 31, 2008

(Screenshot available at both URLs above.)
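Two posts in this thread describe the same mail-side signal from different angles: the ISC note of 2008-01-16 (a body whose URL is only an IP address) and the Websense note above (an IP followed by a short random directory that redirects to the spam site). The following added example, not code from the thread, ISC or Websense, scores a mail body on that signal. It only matches literal dotted-quad hosts, validates them as real IPv4 addresses, ignores RFC 1918 and loopback ranges so intranet links do not fire, and rates the short-random-directory form higher; the sample bodies and the 198.51.100.0/24 documentation addresses in them are constructed.

```python
"""Added example: spot Storm-style mail whose link is a raw IP address.
Not from the thread, ISC or Websense; the sample bodies and the
198.51.100.0/24 documentation addresses in them are constructed."""
import re
import ipaddress

# http(s)://<dotted quad>[:port][/path]; hostnames never match this.
BARE_IP_URL_RE = re.compile(
    r"\bhttps?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(/[^\s<>\"']*)?",
    re.IGNORECASE)

# Links to these ranges are ordinary intranet traffic, not the Storm pattern.
LOCAL_NETS = [ipaddress.IPv4Network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

# "/" followed by one short alphanumeric directory: the medical-spam redirect form.
SHORT_RANDOM_DIR_RE = re.compile(r"^/[a-z0-9]{1,8}/?$", re.IGNORECASE)

def find_bare_ip_urls(text):
    """Return [(ip, path)] for every URL in text whose host is a literal,
    publicly routable IPv4 address."""
    found = []
    for m in BARE_IP_URL_RE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))   # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        if any(ip in net for net in LOCAL_NETS):
            continue
        path = (m.group(2) or "/").rstrip(".,;:!?)")  # drop sentence punctuation
        found.append((str(ip), path))
    return found

def storm_url_score(text):
    """0: no raw-IP link. 1: raw-IP link to the root or a normal path (the
    'URL consisting of only an IP address' ISC described). 2: raw-IP link
    plus a short random directory (the Websense redirect form)."""
    hits = find_bare_ip_urls(text)
    if not hits:
        return 0, hits
    if any(SHORT_RANDOM_DIR_RE.match(p) for _, p in hits):
        return 2, hits
    return 1, hits

# Constructed sample bodies; the subjects are ones quoted in this thread.
SAMPLES = {
    "Crazy in love with you": "Crazy in love with you\nhttp://198.51.100.23",
    "Valentine's Day":        "Valentine's Day http://198.51.100.77/xk3q",
    "weekly report":          "Report is on http://10.20.30.40/reports/week05",
    "newsletter":             "Read more at http://www.example.com/news",
}

def score_samples():
    """Score per constructed sample body."""
    return {subj: storm_url_score(body)[0] for subj, body in SAMPLES.items()}

if __name__ == "__main__":
    for subj, score in score_samples().items():
        print(f"{score}  {subj}")
```

A raw public IP in a link is rare in legitimate mail, which is why the signal is cheap to act on at the gateway; the score can feed a quarantine rule directly, or the extracted addresses can be handed to the egress filter, which is what ISC recommended for the loveyou.exe host later in the thread.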


2008-02-04, 14:41

- http://www.marshal.com/pages/newsitem.asp?article=503&thesection=news
31 January 2008 – "...Storm is one of five botnets that we have been monitoring that we believe are responsible for approximately 75 per cent of all spam in circulation. One particular botnet which heavily promotes a certain brand of male enhancement pills accounts for nearly 30 per cent. This one bot has already exceeded Storm’s records and it has done it quietly without attracting too much attention. This might signal a new strategy by some of the spam crews to try and draw less attention to themselves through high profile email campaigns... It is also possible that the individuals behind the Storm botnet are responsible for one or more of these new botnets. These people are smart and one lesson they may have learned from Storm is to stay under the radar if they want to remain successful. There is a lot of crossover with the products being promoted by all five of these botnets. This could indicate some sort of connection between them...”

- http://preview.tinyurl.com/2zlwao
February 4, 2008 (Computerworld) - "...Mega-D has borrowed a few tricks from Storm, such as operating in Asian countries typified by high broadband penetration and poor use of anti-virus, using Trojans to dodge signature-based removal techniques and proliferating over peer-to-peer networks... Mega-D has targeted Facebook users with fake invites that download the Trojan using a phony Flash Player update. More than 70 percent of global spam is sent from botnets Mega-D, Pushdo, HTML, One Word Sub and Storm..."

- http://www.marshal.com/trace/traceitem.asp?article=510
February 4, 2008


2008-02-05, 14:51
Eye on the botnets...

- http://www.darkreading.com/document.asp?doc_id=144919&print=true
FEBRUARY 4, 2008 - "A new peer-to-peer (P2P) botnet even more powerful and stealthy than the infamous Storm has begun infiltrating mostly U.S.-based large enterprises, educational institutions, and customers of major ISPs. The MayDay botnet can evade leading antivirus products, and so far has compromised thousands of hosts, according to Damballa, which says 96.5 percent of the infected machines are in the U.S., and about 2.5 percent in Canada. Damballa first hinted of this potential successor to Storm late last year... The botnet uses two forms of P2P communications to ensure it can talk to its bots, including the Internet Control Message Protocol (ICMP)... Damballa is not sure why AV engines aren't detecting MayDay's malware... The infection comes in the form of what appears to the victim to be an Adobe Reader executable, but is actually the malware...
As for Storm, researchers are now looking at whether another spam-spewing botnet, called Mega-D, is somehow related to Storm. Researchers from U.K.-based security vendor Marshal over the weekend blogged about Mega-D overshadowing Storm in spam delivery, with 32 percent of all spam they caught in their filters versus only 2 percent from Storm, which they say previously had accounted for 20 percent of the spam. Mega-D mostly spams male sexual enhancement drugs, according to Marshal...
So far, MayDay is mostly ordering its bots to send spam runs, he says. It also sends accounting information back to the command and control servers on the success of the spam runs, so it appears relatively businesslike. Meanwhile, Damballa is working on reverse-engineering the ICMP communications, which are encrypted, Cox says."

- http://asert.arbornetworks.com/2008/02/mega-d-spambot-follow-up/
February 5, 2008 - Mega-D Spambot Follow-up

- http://asert.arbornetworks.com/2008/02/secureworks-ozdokmega-d-trojan-analysis/
February 11, 2008 - "Enabled by some spam samples Marshal provided, Joe Stewart and the good folks @SecureWorks, with an assist from Team Cymru and my|NetWatchman, have identified the malware and botnet referred to as Mega-D. It turns out Mega-D is composed of bots from the little-known Ozdok malware family. Joe provides some analysis on scale and distribution of the botnet here*, as well as some detailed bits on behaviors of the Trojan itself..."
* http://www.secureworks.com/research/threats/ozdok/?threat=ozdok
February 11, 2008


2008-02-07, 22:41

Storm Worm's Family Tree
- http://blog.washingtonpost.com/securityfix/2008/02/the_storm_worms_family_tree_1.html
February 7, 2008
(Detailed study on the history of "Storm", 'way too many links to post here. Good job Brian!)


2008-02-11, 15:28

Storm Worm Valentine's Day Update
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080210
February 10, 2008 - "...Storm Worm has once again undergone another change as Valentine's Day is approaching. Fresh with 8 different rotating Valentine's Day images and a new executable named valentine.exe (may sound familiar), the Storm Worm may be gearing up for a new round of assaults on inboxes. It would appear that the domains are no longer serving up wildcard .gif files related to their stock spams. Instead we have eight .gif images ranging from 1.gif on up to 8.gif. After a few moments you'll be prompted to download the binary... a peek at the 8 images..."

- http://blog.trendmicro.com/storm-sure-loves-everybody/
February 11, 2008 - "...The spammed email messages are just plain text, but these contain links that lead to malicious Web sites displaying one of eight cute Valentine images..."

(Screenshots available at the URLs above.)


2008-02-13, 00:08

Stormworms spammy love notes
- http://isc.sans.org/diary.html?storyid=3979
Last Updated: 2008-02-12 22:42:30 UTC - "We received several reports of spam containing Subject lines such as: “Sweetest Things Aren’t Things!, Valentine’s Day, The Love Train” and other similar subject lines. These all included a URL that was just an IP address. Those URLs lead to binaries named valentine.exe. The MD5 on the binaries is changing rapidly so AV detection based on MD5 or other hash values is not reliable. We submitted one version to virustotal. 12/31 of the av engines there recognized it. Valentine.exe is a new version of storm worm... Jose Nazario of Arbornetworks has some additional information about this at:
http://asert.arbornetworks.com/2008/02/new-storm-valentines-day-campaign/ ..."
"...Poor AV detection (via VirusTotal), but humans can spot this a mile away."


2008-02-28, 00:17

Botnet wars?
- http://blog.trendmicro.com/rtkt_pushuac-rootkit-remover/
February 27, 2008 - "A malware removes rootkits? There has to be a catch here. Our recent analysis of RTKT_PUSHU.AC reveals that this component of WORM_NUWAR, TROJ_PUSHDO/TROJ_PANDEX malware families removes previously installed rootkits by other malware but then infects the system with its own rootkit components..."


2008-03-03, 12:55

Storm Reactivating
- http://www.f-secure.com/weblog/archives/00001392.html
March 3, 2008 - "We haven't seen new Storm sites since the spam run they did over Valentine's Day… until early this morning. Right now they are sending a wide variety of mails regarding ecards... Depending on what you do, you end up with either e-card.exe (clicking the picture), e-card.exe (clicking the link) or postcard.exe (waiting for a few seconds). The files are variable but they always do the same thing: infect your system with the latest Storm/Zhelatin variant..."
(Screenshots available at the F-secure URL above.)

- http://isc.sans.org/diary.html?storyid=4054
Last Updated: 2008-03-03 08:18:58 UTC - "...Well, Storm is back, and back to generic e-Card spam... some Subjects and Contents to watch for:

Your ecard joke is waiting
You have an ecard
We have a ecard surprise
Someone Just sent you an ecard
Did you open your ecard yet
ecard waiting for you
Open your ecard
new ecard waiting
Now this is funny
online greeting waiting
sent you an ecard

laughing Funny Card
You have been sent a Funny Postcard
You have been sent the Funny Ecard
original Funny Card
Someone Sent you this Funny Ecard
your funny postcard
original Funny Postcard
sent a Funny Postcard
personal funny postcard
laughing funny postcard

Watch your inbox, and lets hope the AV vendors jump on this quickly."


2008-04-01, 00:24

- http://www.f-secure.com/weblog/archives/00001410.html
March 31, 2008 19:45 GMT - "A wave of April Fool's Day related Storm (e)mails have just been sent out. Similar as the other times with a link that points to an IP address... if you receive one of these emails, don't click on the link."
(Screenshots available at the URL above.)

- http://isc.sans.org/diary.html?storyid=4222
Last Updated: 2008-03-31 21:00:07 UTC - "...Again a various list of subjects come with this release:
All Fools' Day
Doh! All's Fool.
Doh! April's Fool.
Gotcha! All Fool!
Gotcha! April Fool!
Happy All Fool's Day.
Happy All Fools Day!
Happy All Fools!
Happy April Fool's Day.
Happy April Fools Day!
Happy Fools Day!
I am a Fool for your Love
Join the Laugh-A-Lot!
Just You
One who is sportively imposed upon by others on the first day of April
Surprise! The joke's on you.
Today You Can Officially Act Foolish
Today's Joke!
...The download is a binary, also with varying names:
...Virus coverage is poor with the samples we've captured, but we're working with the AV vendors to improve that..."

April Storm’s Day Campaign
- http://asert.arbornetworks.com/2008/03/april-storms-day-campaign
March 31, 2008 - "...here are the specifics for this variant:
* Peerlist: C:\WINDOWS\aromis.config
* Installs as: C:\WINDOWS\aromis.exe
* As always, listens on a random UDP port, makes a lot of outbound connections, allows itself to the firewall via “netsh firewall set” and via the registry, uses w32tm to update its clock, and so on."
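Arbor's per-variant specifics above (a peer list and binary dropped directly in C:\WINDOWS, a netsh firewall set call, a w32tm clock update) are host-level signals a defender can correlate rather than match one at a time. The following is an added example, not from the thread or Arbor Networks: it scores constructed process-start and file-write events (the telemetry shape is assumed; the paths are the ones in the post, and the netsh command line uses the legacy `netsh firewall set allowedprogram` syntax) and alerts only when at least two signals come from the same parent process, so an administrator's lone w32tm /resync stays quiet.

```python
"""Added example: correlate process and file events for the install pattern
Arbor lists for this Storm variant. Not from the thread or Arbor Networks;
the event format and the sample events are constructed, the paths are the
ones quoted in the post."""
import ntpath
from collections import defaultdict

# Constructed sample telemetry; "proc" = process start, "file" = file write.
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 600, "ppid": 400, "image": r"C:\WINDOWS\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "proc", "pid": 1000, "ppid": 600, "image": r"C:\WINDOWS\aromis.exe",
     "cmdline": r"C:\WINDOWS\aromis.exe"},
    {"type": "file", "pid": 1000, "path": r"C:\WINDOWS\aromis.config"},
    {"type": "proc", "pid": 1010, "ppid": 1000, "image": r"C:\WINDOWS\system32\netsh.exe",
     "cmdline": r'netsh firewall set allowedprogram "C:\WINDOWS\aromis.exe" aromis ENABLE'},
    {"type": "proc", "pid": 1011, "ppid": 1000, "image": r"C:\WINDOWS\system32\w32tm.exe",
     "cmdline": "w32tm /resync"},
    # Benign noise: an administrator resyncing the clock from a console.
    {"type": "proc", "pid": 2000, "ppid": 600, "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"type": "proc", "pid": 2001, "ppid": 2000, "image": r"C:\WINDOWS\system32\w32tm.exe",
     "cmdline": "w32tm /resync"},
]

def _basename(p):
    return ntpath.basename(p).lower()

def _in_windows_root(p):
    """True for files directly in C:\\WINDOWS, not in system32 or deeper."""
    return ntpath.dirname(p).lower() == r"c:\windows"

def score_events(events):
    """Return {parent image: [reasons]} for processes showing at least two of:
    a netsh child altering firewall rules, a w32tm child, and a dropped
    <stem>.config next to a <stem>.exe in the Windows root."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    files = defaultdict(list)
    for e in events:
        if e["type"] == "file":
            files[e["pid"]].append(e["path"])

    reasons = defaultdict(list)
    # Signals carried by child processes, attributed to the parent.
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent is None:
            continue
        base = _basename(e["image"])
        if base == "netsh.exe" and "firewall set" in e["cmdline"].lower():
            reasons[parent["image"]].append("child netsh alters firewall rules: " + e["cmdline"])
        elif base == "w32tm.exe":
            reasons[parent["image"]].append("child w32tm adjusts clock")
    # Signal carried by the process itself: peer-list style config beside the binary.
    for pid, e in procs.items():
        if not _in_windows_root(e["image"]):
            continue
        stem = ntpath.splitext(_basename(e["image"]))[0]
        for path in files[pid]:
            if _in_windows_root(path) and _basename(path) == stem + ".config":
                reasons[e["image"]].append(f"dropped peer-list style file {path}")
    # Two independent signals are required so a lone w32tm run is not an alert.
    return {img: r for img, r in reasons.items() if len(r) >= 2}

if __name__ == "__main__":
    for image, why in score_events(SAMPLE_EVENTS).items():
        print(image)
        for reason in why:
            print("   ", reason)
```

The file-name pairing is the variant-specific part and will change with the next repack; the firewall-rule and clock-adjust children are the durable part of the pattern, which is why the rule keys on the parent image rather than on the dropped names.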


2008-04-07, 22:47

- http://forums.spybot.info/showpost.php?p=180027&postcount=22
April 7, 2008

- http://www.avertlabs.com/research/blog/index.php/2008/04/07/nuwar-loves-you-not/
April 7, 2008


2008-04-09, 12:13

- http://blog.trendmicro.com/storm-now-on-video/
April 8, 2008 - "...only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec. TrendLabs researchers discovered several sites that offer, what looks like, a YouTube-look-alike streaming video. The infection vector and messaging is actually still the same, that is, users are most likely to access this site via links on specially crafted, love-themed blogs. What is interesting this time is that on the said site, users are required to download the so-called Storm Codec in order to view the said video. Yes, you read that right: the codec is called Storm Codec... Is that blatant enough? Of course, the said “codec” is actually a NUWAR/Storm variant, which Trend Micro already detects as WORM_NUWAR.JQ... If the social engineering tactic of using video codecs is familiar, it’s because it is — ZLOB Trojans became infamous because of it... the Storm gang’s attempt to venture into the said codec “business” has our researchers speculating whether they are now in cahoots with the ZLOB authors, or that they are trying to take over ZLOB’s niche, much like they did with STRATION when the two first started battling it out late 2006..."

(Screenshot available at the URL above.)


2008-05-06, 13:22

- http://preview.tinyurl.com/4swsc8
May 5, 2008 (Symantec Security Response Weblog) - "No sooner had various agencies commented on the reduction of the size of the Storm network than we started seeing signs of another wave of malware in the offing. We are currently tracking some fast-flux domains related to Trojan.Peacomm (a.k.a. Storm). These domains were registered just a few days ago. Simply visiting the sites presents the user with a blank page; however, modifying the URLs to access a specific file runs a script which attempts to exploit several different vulnerabilities... The domains being tracked are not currently being linked to. This could mean that either the sites are still under development, or that the authors are planning to use a different technique to spread their creations. If the reason is the former, then a spam wave should be expected in the coming days and this upcoming Mother’s Day could be used as a lure... Only time will allow the method employed in this wave of attacks to be confirmed. This is definitely an interesting development in the story of the Storm worm. We urge users to keep their antivirus product signatures up to date. Although it is important to ensure that operating system patches are up-to-date, most of the vulnerabilities being targeted by this malware are related to third-party products*..."

(More detail at the URL above.)

* Test 3rd party software here: http://secunia.com/software_inspector/


2008-05-20, 18:06
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

Storm Worm new activity...
- http://ddanchev.blogspot.com/2008/05/all-you-need-is-storm-worms-love.html
May 20, 2008 - "The Storm Worm malware launched yet another spam campaign promoting links to malware serving hosts, in between a SQL injection related to Storm Worm. These are Storm Worm's latest domains where the infected hosts try to phone back :
cadeaux-avenue .cn (active)
polkerdesign .cn (active)
tellicolakerealty .cn (active and SQL injected at vulnerable sites)
Administrative Email for the three emails: glinson156 @ yahoo.com

Related DNS servers for the latest campaign:

Storm Worm related domains which are now down:
One of the domains that is injected as an iFrame is using ns .likenewvideos .com as DNS server, whereas likenewvideos .com is currently suspended due to 'violating Spam Policy'. Precisely."


2008-06-02, 23:06

New Storm tactic
- http://sunbeltblog.blogspot.com/2008/06/new-storm-tactic.html
June 02, 2008
(Screenshot available at the Sunbelt blog URL above.)

- http://isc.sans.org/diary.html?storyid=4516
Last Updated: 2008-06-02 21:11:49 UTC - "New Stormworm download site... is being spammed out with a message that states: 'Crazy in love with you'
hxxp ://122 .118 .131 .58
I checked that site and could only find an index.html, lr.gif and loveyou.exe. lr.gif is a gif file that says 'love riddles'. Index.html encourages visitors to run loveyou.exe by asking ‘Who is loving you? Do you want to know? Just click here and choose either “Open” or “Run”’. loveyou.exe is a version of Trojan.Peacom.D aka Stormworm. I recommend you block this ip address till it gets cleaned up."

Look for your AV updates shortly...


2008-06-04, 13:25

- http://blog.trendmicro.com/storm-meddles-in-matters-of-the-heart/
June 3, 2008 - "...A new trickle of Storm-related spam has been seen, again hewing to themes of love and romance. Perhaps said authors believe this run will be a runaway success, since June is widely held as the most popular month for weddings?... email subjects read “Stand by my side,” “I want to be with you,” and “Lucky to have you”—simple statements dripping with sincerity, or so spammers hope, to get unsuspecting users hooked. The said subject lines differ from the one-liners that make up the message body, alongside malicious IP addresses that don’t bother to ask users to click on them. But if the curious do click on these, they are redirected... This is where they are then asked to “click here” and choose “Open” or “Run”—but not before they are made to read teasers hinting of secret admirers: “Who is loving you? Do you want to know?” And if they dare to find out, the “secret admirer” turns out to be a file named LOVEYOU.EXE, which Trend Micro detects as WORM_NUWAR.BC. Heart-related themes have been used time and again as spam baits. Because of its popularity, this is a theme that will probably last a lifetime, if users continue to fall for its schemes..."
(Screenshots available at the URL above.)

- http://www.f-secure.com/weblog/archives/00001452.html
June 4, 2008 - "Despite reports of Storm being killed off, it's still very much alive... While the Storm botnet certainly isn't as big as it used to be, it's definitely one of the most persistent botnets we've ever seen… and we've not seen the last of it."


2008-06-19, 19:36

New Storm Worm Variant Spreading
- http://www.us-cert.gov/current/#new_storm_worm_variant_spreads2
June 19, 2008 - "US-CERT has received reports of new Storm Worm related activity. The latest activity is centered around messages related to the recent earthquake in China and the upcoming Olympic Games. This Trojan is spread via an unsolicited email message that contains a link to a malicious website. This website contains a video that when opened may run the executable file "beijing.exe" to infect the user's system with malicious code. Subject lines can change at any time, but the following subject lines are noted as being used:
* The most powerful quake hits China
* Countless victims of earthquake in China
* Death toll in China is growing
* Recent earthquake in china took a heavy toll
* Recent china earthquake kills million
* China is paralyzed by new earthquake
* Death toll in China exceeds 1000000
* A new powerful disaster in China
* A new deadly catastrophe in China
* 2008 Olympic Games are under the threat
* China's most deadly earthquake ..."

- http://www.f-secure.com/weblog/archives/00001457.html
June 19, 2008
(Screenshots available at the F-Secure URL above.)

- http://www.sophos.com/security/blog/2008/06/1500.html
19 June 2008 - "...the .cn domains linked by the spam messages are likely part of a botnet. Each query to the nameservers for these domains returns a different IP address, indicating fast-flux behavior. The domains also serve webpages using the same web server seen in a number of botnet campaigns..."


2008-06-21, 11:56

- http://www.f-secure.com/weblog/archives/00001459.html
June 20, 2008 - "... big increase in emails going around with all sorts of interesting subjects... long list of different subjects - too long to list them all here so we've put them in a downloadable TXT file* instead. All mails contain a link to different compromised sites which all contain the same fake Porntube page. Once there the page shows an error message telling the user that they need to install a Video ActiveX component. The file that gets downloaded is a spam trojan that sends out lots of emails with links pointing back to the compromised sites... The list of compromised sites is pretty extensive as well, we've been able to identify 74 different sites so far whereof only a handful have been fixed... the file that gets downloaded, video.exe..."

* http://www.f-secure.com/weblog/archives/agent_tyw_subjects.txt


2008-07-02, 19:26

Fast Flux and New Domains for Storm
- http://asert.arbornetworks.com/2008/06/fast-flux-and-new-domains-for-storm/
June 28, 2008 - "...some of our ATLAS fast flux data*... Storm Worm has begun using new fast flux domains... Storm has changed its tactics constantly in the past year and a half, and this “love theme” is nothing new. We’ll see how long this theme lasts.
UPDATE 1 July 2008 - Here’s a full list of domains: ..."

* http://atlas.arbor.net/summary/fastflux
"Fastflux hosting is a technique where the nodes in a botnet are used as the endpoints in a website hosting scheme... Many different kinds of botnets use fastflux DNS techniques, for malware hosting, for illegal content hosting, for phishing site hosting, and other such activities. These hosts are likely to be infected with some form of malware..."

Also see "Top Storm Domains":
- http://www.trustedsource.org/en/threats/storm_tracker
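The fast-flux behaviour described in the posts above (a short TTL, and a different set of addresses on nearly every query to the name) can be scored from the defender's side with a small routine over successive A-record answers. This is an added example, not code from the thread or from Arbor/Sophos; the answer sets are constructed inline and the thresholds are assumptions to be tuned per site.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation IP ranges, not real campaign data):
# successive A-record answers for one hostname as (ttl_seconds, [ip, ...]).
FLUX_ANSWERS = [
    (300, ["203.0.113.7", "198.51.100.21", "192.0.2.44"]),
    (300, ["198.51.100.90", "203.0.113.130", "192.0.2.200"]),
    (300, ["192.0.2.9", "203.0.113.77", "198.51.100.5"]),
    (300, ["203.0.113.250", "192.0.2.120", "198.51.100.160"]),
]
# A normally hosted name: long TTL, the same two addresses every time.
STABLE_ANSWERS = [
    (86400, ["192.0.2.10", "192.0.2.11"]),
    (86400, ["192.0.2.10", "192.0.2.11"]),
    (86400, ["192.0.2.11", "192.0.2.10"]),
    (86400, ["192.0.2.10", "192.0.2.11"]),
]


def flux_features(answers):
    """Summarise a series of A-record answers observed for one hostname."""
    ips = [ip for _, rrset in answers for ip in rrset]
    distinct = set(ips)
    # /16 prefixes stand in for network diversity when no ASN lookup is available
    prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in distinct}
    counts = Counter(ips)
    # churn: share of addresses that were seen in only one of the answers
    churn = sum(1 for ip in distinct if counts[ip] == 1) / len(distinct)
    return {
        "distinct_ips": len(distinct),
        "prefixes": len(prefixes),
        "min_ttl": min(ttl for ttl, _ in answers),
        "churn": churn,
    }


def is_fast_flux(answers, max_ttl=1800, min_ips=6, min_prefixes=3, min_churn=0.5):
    """Flag a name whose answers have a short TTL and rotate through many
    addresses spread over several networks (assumed thresholds)."""
    f = flux_features(answers)
    return (f["min_ttl"] <= max_ttl and f["distinct_ips"] >= min_ips
            and f["prefixes"] >= min_prefixes and f["churn"] >= min_churn)
```

In practice the answers would come from repeated resolver queries spaced over a few TTLs; the scoring itself does not change.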


2008-07-04, 14:11

Storm Botnet ...Fireworks
- http://isc.sans.org/diary.html?storyid=4669
Last Updated: 2008-07-04 02:57:16 UTC - "I read about MX Logic's prediction this morning ( http://preview.tinyurl.com/5hlcxb ) that we should expect another wave of Storm Bot recruitment emails likely using the US Independence Day holiday as a lure. This group behind the Storm Botnet has always been conscious of timing and shortly after 5pm Eastern time I began to receive reports that a new wave had started. There's nothing very different about this one, it directs the user to click on a link that encourages the intended victim to download fireworks.exe. Gary Warner has a nice starter collection of Subjects, Bodies, and hosting IPs for those who need to set up blocks and filters available here:
I'm sure that the list will continue to grow. I'd recommend that you play it safe by blocking all attempts to download fireworks.exe at your perimeter..."

- http://securitylabs.websense.com/content/Alerts/3131.aspx
07.04.2008 (Screenshots...)
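The ISC post above suggests setting up blocks and filters from a collection of subjects, bodies and hosting IPs. The pattern the reports in this thread keep describing (a one-line lure, a link to a bare IP address, a themed executable name) can be checked at the mail gateway with a small triage function. This is an added example, not code from the thread or from any of the vendors quoted; the sample messages are constructed, the lure subjects and executable names are those quoted in this thread, and the documentation-range IP is a placeholder.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Lure subjects and executable names quoted in the reports in this thread.
LURE_SUBJECTS = {"crazy in love with you", "stand by my side",
                 "i want to be with you", "lucky to have you"}
LURE_EXECUTABLES = {"loveyou.exe", "beijing.exe", "video.exe", "fireworks.exe",
                    "iran_occupation.exe", "form.exe", "amero.exe",
                    "fbi_facebook.exe", "postcard.exe"}
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample messages; 192.0.2.58 is a documentation-range placeholder.
SAMPLE_MAIL = """\
From: someone@example.net
Subject: Crazy in love with you
Content-Type: text/plain; charset="us-ascii"

Who is loving you? Do you want to know?
http://192.0.2.58/loveyou.exe
"""
CLEAN_MAIL = """\
From: news@example.com
Subject: Weekly newsletter
Content-Type: text/plain; charset="us-ascii"

This week's issue: http://www.example.com/newsletter.html
"""


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(raw_message):
    """Return the reasons a message matches the Storm lure pattern (empty = no match)."""
    msg = message_from_string(raw_message, policy=default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"subject matches known lure '{subject}'")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        host = parts.hostname or ""
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if is_ip_literal(host):
            reasons.append(f"link to bare IP host {host}")
        if filename in LURE_EXECUTABLES:
            reasons.append(f"link to known lure executable {filename}")
    return reasons
```

A real deployment would feed the subject and executable sets from a maintained list such as the one linked in the post, and quarantine rather than drop on a match.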


2008-07-09, 16:06

New Storm Worm Variant Spreading
- http://www.us-cert.gov/current/#new_storm_worm_varient_spreading
July 9, 2008 - "US-CERT has received reports of new Storm Worm activity. The latest activity uses messages that refer to the conflict in the Middle East. This Trojan is spread via unsolicited email messages that contain a link to a malicious website. The website is noted as having the following malicious characteristics which may be used to infect the user's system with malicious code.
* A video that, when opened, may run the executable file "iran_occupation.exe."
* A banner ad that, when clicked, may run the executable file "form.exe."
* A hidden iframe linked to "ind.php."
Reports, including a posting by Sophos**, indicate that the following subject lines are being used. Please note that subject lines can change at any time..."

** http://www.sophos.com/security/blog/2008/07/1569.html
9 July 2008

- http://ddanchev.blogspot.com/2008/07/storm-worms-us-invasion-of-iran.html
July 09, 2008

Fake news on World War III
- http://securitylabs.websense.com/content/Alerts/3132.aspx
07.09.2008 (Screenshots...)


2008-07-12, 15:16

AVG - AVI 270.4.9/ 1548
- http://www.grisoft.com/us.news
July 12, 2008
"...new variant of I-Worm/Nuwar..."

This -is- a variant of the Storm worm.

Other AV defs to follow suit, if they haven't already. Check yours...


2008-07-12, 23:00
Once again - same stuff, SAME DAY:

AVI 270.4.10/ 1549
- http://www.grisoft.com/us.news
July 12, 2008
"...new variant of I-Worm/Nuwar..."

This -is- yet another variant of the Storm worm.

Other AV defs to follow suit, if they haven't already. Check yours, again...


2008-07-22, 22:28

New malicious Storm Worm campaign: American currency
- http://securitylabs.websense.com/content/Alerts/3137.aspx
07.22.2008 - "Websense... has discovered a new Storm Worm campaign around the theme of the U.S. credit crunch. We have detected a series of email subject lines used to entice users into downloading a Trojan. Here are a few examples of the subjects we have seen in this campaign:
- The new currency is coming
- Amero arrives
- Amero currency Union is now the reality
- The AMERO currency replacing the Dollar ...
Clicking the link... directs users to a site laden with drive-by exploits inside of a script file... In typical Storm Worm fashion, infection success rate is highly dependent on the social engineering tactic employed and thus the malicious file in this campaign is appropriately named amero.exe."


2008-07-29, 22:42

- http://www.us-cert.gov/current/#new_storm_worm_activity_spreading
July 29, 2008 - "US-CERT is aware of public reports of a new Storm Worm Campaign. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook. This Trojan horse virus is spread via an unsolicited email message that contains a link to a malicious website. This website contains a link, that when clicked, may run the executable file "fbi_facebook.exe" to infect the user's system with malicious code. Reports, including a posting by Sophos*, indicate the following email subject lines are being used. Please note that subject lines can change at any time.
- F.B.I. may strike Facebook
- F.B.I. watching us
- The FBI's plan to "profile" Facebook
- The FBI has a new way of tracking Facebook
- F.B.I. are spying on your Facebook profiles
- F.B.I. busts alleged Facebook
- Get Facebook's F.B.I. Files
- Facebook's F.B.I. ties
- F.B.I. watching you ..."
* http://www.sophos.com/security/blog/2008/07/1599.html

- http://www.f-secure.com/weblog/archives/00001475.html
July 28, 2008

- http://www.virustotal.com/analisis/c167dc2525ed6a83b889ff53f0499231
07.28.2008 - Result: 17/35 (48.57%)

- http://www.fbi.gov/pressrel/pressrel08/stormworm073008.htm
July 30, 2008


2008-08-06, 01:49

- http://blog.trendmicro.com/storm-uses-old-bait/
August 5, 2008 - "The Storm gang is casting its net once again — using “postcards” as bait in a recently discovered spam run... Clicking the link embedded in the message connects the user to any of the following domains:
...When the abovementioned page loads, an auto-redirect occurs after 3 seconds, prompting the user to download a file named postcard.exe... The same file, postcard.exe, is also downloaded if the user clicks on the link save it on the Web page. postcard.exe is detected as TROJ_NUWAR.DDJ... it is plausible that the Storm gang is using this constant change in technique to evade spam and URL filtering blocking. Storm has been known to constantly change its employed social engineering technique, the most recent ones being news of terrorists on social networking networks, economic issues, and fake videos of popular celebrities..."

(Screenshots available at the Trendmicro URL above.)