Wednesday, 2 January 2008
Happy New Year to All!
The Shadowserver Team would like to wish everyone a Happy New Year. Part of our New Year's resolution is to start publishing/blogging more updates about the research we are doing, what we are seeing, and what might interest you. While we may not often publish a lot, that does not mean we aren't closely following or fully aware of what is going on. With that in mind, we'd like to just make a small entry today regarding the Storm Worm (also known as Zhelatin, Peacomm, Nuwar, Tibs) and what it has been up to in the past ten days or so.
Storm Worm
As of today (January 2nd) the Storm Worm has really slowed down quite a bit. There is far less traffic from it as its main targets, Christmas and the New Year, have since passed. However, that doesn't mean the threat is gone. There are still plenty of e-mail inboxes with unread Storm Worm messages in them. Soon plenty of people will be coming back from vacation and opening themselves up to risk. Starting on December 24, 2007, the Storm Worm performed a full blitz against e-mail servers across the Internet. The tactics were pretty much the same this go around: tons of e-mail spammed out enticing recipients to click a link to a website and download a file to infect themselves. Of course there was also an iframe pointing to exploit code just in case they did not opt to download the file. However, not everything was quite the same this time. In the past all of the e-mails sent out involved a short message and a link pointing to an IP address that served up exploits and malware. This time, though, all of the e-mails contained a short message and actual domain names instead of IP addresses.
No big deal, right? Just take down the domain name or the IP address it's hosted on. Well, actually it is a little more complicated than that. First, the domain names were registered with nic.ru. Several attempts to contact them so far have not yielded responses. According to a posting by Spamhaus they have also tried rather vigorously and have not been successful. Additionally, there are reports that they are on vacation and might not return until tomorrow or later. Well, no problem, we can just get the web host to shut them off, right? Well, not when the domain is on a fast flux network, and of course that is what we are dealing with here. Resolving any of the new Storm Worm domains sent out in the e-mails will almost certainly result in a new IP address each time you resolve it. The time to live (TTL) for the A record is set to 0. Since there are thousands of infected hosts taking part in this network, you could spend all month attempting to take down the IPs the domains resolve to and barely make a dent in the network. With this combination of fast flux DNS techniques and a registrar that's missing in action, this new Storm Worm attack suddenly becomes a lot more difficult to defend against.
Are these the first domain names used by the Storm Worm? No, not exactly. In the past they have used the same fast flux techniques with several different domain names. However, the infected nodes used these domain names to retrieve the IP addresses that were to be spammed out in their past e-mails. The domain names themselves were not actually included in the e-mail message. These other domains were all registered with ESTDOMAINS and as of right now are all in a suspended state. However, we encourage you NOT to visit these domains regardless, for safety's sake.
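The fast flux behaviour described above (TTL of 0, a different IP on every lookup, thousands of infected hosts in the pool) can be spotted from the resolver side without ever contacting the hosting nodes. The following is an added example, not code from the original post or from Shadowserver: it parses A-record answers in the format `dig` prints, summarises how many distinct addresses and /16 networks a domain resolved to over a series of lookups, and applies a simple classification. The sample answers, the domain name and the thresholds in `is_fast_flux` are all assumptions constructed for this example.

```python
import ipaddress
import re

# Constructed sample: A-record answers observed while resolving one domain
# every five seconds. Each tuple is (seconds since start, answer IP, TTL).
# The addresses come from the RFC 5737 documentation ranges, not real nodes.
OBSERVED_ANSWERS = [
    (0,  "192.0.2.10",    0),
    (5,  "198.51.100.7",  0),
    (10, "203.0.113.42",  0),
    (15, "192.0.2.77",    0),
    (20, "198.51.100.91", 0),
    (25, "203.0.113.5",   0),
    (30, "192.0.2.10",    0),   # a node reappears: the pool rotates, it does not strictly cycle
]

# Constructed sample for comparison: an ordinary host whose answer is stable.
STABLE_ANSWERS = [
    (0,    "192.0.2.1", 3600),
    (3600, "192.0.2.1", 3600),
    (7200, "192.0.2.1", 3600),
]

# Constructed sample of an ANSWER section as dig prints it (name, TTL, class, type, data).
SAMPLE_DIG = """\
;; ANSWER SECTION:
example.invalid.\t0\tIN\tA\t192.0.2.10
example.invalid.\t0\tIN\tA\t198.51.100.7
"""

DIG_A_LINE = re.compile(r"^\S+\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dig_answers(text, seconds=0):
    """Pull (seconds, ip, ttl) tuples out of the A records in dig output.

    `seconds` is the observation time the caller attaches to this lookup so
    that repeated lookups can be appended to one list and summarised together.
    """
    records = []
    for line in text.splitlines():
        match = DIG_A_LINE.match(line.strip())
        if match:
            records.append((seconds, match.group(2), int(match.group(1))))
    return records


def flux_summary(answers):
    """Summarise a sequence of A-record observations for one domain."""
    ips = [ip for _, ip, _ in answers]
    ttls = [ttl for _, _, ttl in answers]
    # Distinct /16 prefixes are a crude measure of how spread out the hosts
    # are: a pool of infected consumer machines spans many networks, while a
    # normal load-balanced service usually sits in one or two.
    prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
    return {
        "lookups": len(answers),
        "unique_ips": len(set(ips)),
        "unique_slash16": len(prefixes),
        "max_ttl": max(ttls),
        "ip_changes": sum(1 for a, b in zip(ips, ips[1:]) if a != b),
    }


def is_fast_flux(answers, max_ttl=300, min_unique_ips=5, min_networks=3):
    """Heuristic classifier. The thresholds are assumptions chosen for this
    example, not values from the original post or from any standard."""
    s = flux_summary(answers)
    return (s["max_ttl"] <= max_ttl
            and s["unique_ips"] >= min_unique_ips
            and s["unique_slash16"] >= min_networks)


if __name__ == "__main__":
    for label, answers in (("flux", OBSERVED_ANSWERS), ("stable", STABLE_ANSWERS)):
        print(label, flux_summary(answers), "fast flux:", is_fast_flux(answers))
```

In practice you would run the lookup in a loop against your own resolver, feed each `dig` output through `parse_dig_answers` with the current elapsed time, and let the summary accumulate; a TTL of 0 on its own is not proof of anything (some CDNs use very short TTLs), which is why the classifier also asks for address and network diversity before it raises a flag.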
Old Storm Worm Domains
- bnably.com
- eqcorn.com
- fncarp.com
- kqfloat.com
- ltbrew.com
- ptowl.com
- qavoter.com
- snbane.com
- snlilac.com
- tibeam.com
- tushove.com
- wxtaste.com
- yxbegan.com
Holiday Attacks
With our latest wave of holiday attacks, we saw several different domain names registered at nic.ru and used by the Storm Worm crew. The initial wave involved the domain name "merrychristmasdude.com" (please do not visit - live domain serving malware) and was far more elaborate than its current state. Like some of the more recent Storm Worm attacks, the website recipients were enticed to visit actually had a theme to it. In this case there were scantily clad women in Christmas outfits. As a visitor to the website you were invited to "Get Your Personal Holiday Strip Show Today" with a free download. As previously mentioned, this page also had an iframe that pointed to exploit code. The website looked like this:
Shortly after Christmas came, the website changed to a very generic page that simply attempted to get users to download a file and did not contain any malicious code (in the HTML source). The images and theme went away and were replaced by a simple white background and black text that reads as follows:
Your download should begin shortly. If your download does not start in approximately 15 seconds,
you can click here to launch the download and then press Run. Enjoy!
The name of the executable file offered by the "click here" link changed several times along with the domain name being used. As of today there are at least 15 domain names that have been associated with this holiday attack from the Storm Worm crew. Please note that as of the time of this posting, these domain names are presently active and should NOT be visited.
Recent Holiday Storm Worm Domains
- familypostcards2008.com
- freshcards2008.com
- happy2008toyou.com
- happycards2008.com
- happysantacards.com
- hellosanta2008.com
- hohoho2008.com
- merrychristmasdude.com
- newyearcards2008.com
- newyearwithlove.com
- parentscards.com
- postcards-2008.com
- santapcards.com
- santawishes2008.com
- uhavepostcard.com
AV Results
As with previous versions of the Storm Worm, the binary itself changes with relative frequency. This primarily serves to keep ahead of antivirus (AV) vendors and is often rather successful. Right now most AV software is doing a pretty good job of detecting the latest variant. Sending a copy of it to VirusTotal showed that 24 out of 32 (75%) of the AV engines were able to detect it. While it is a game of cat and mouse, having AV software could definitely do some good with threats like this lurking about.
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.1.3.10 | Wednesday, 2 January 2008 | Win32/Zhelatin.worm.143873.B |
| AntiVir | 7.6.0.46 | Wednesday, 2 January 2008 | TR/Crypt.XDR.Gen |
| Authentium | 4.93.8 | Wednesday, 2 January 2008 | W32/StormWorm.W |
| Avast | 4.7.1098.0 | Wednesday, 2 January 2008 | Win32:Zhelatin-ASX |
| AVG | 7.5.0.516 | Wednesday, 2 January 2008 | Dropper.Generic.TOL |
| BitDefender | 7.2 | Thursday, 3 January 2008 | Trojan.Agent.AGIU |
| CAT-QuickHeal | 9.00 | Wednesday, 2 January 2008 | - |
| ClamAV | 0.91.2 | Wednesday, 2 January 2008 | Trojan.Peed-80 |
| DrWeb | 4.44.0.09170 | Wednesday, 2 January 2008 | Trojan.Spambot.2562 |
| eSafe | 7.0.15.0 | Wednesday, 2 January 2008 | - |
| eTrust-Vet | 31.3.5426 | Thursday, 3 January 2008 | Win32/Sintun.AY |
| Ewido | 4.0 | Wednesday, 2 January 2008 | - |
| FileAdvisor | 1 | Thursday, 3 January 2008 | - |
| Fortinet | 3.14.0.0 | Wednesday, 2 January 2008 | W32/Tibs.G@mm |
| F-Prot | 4.4.2.54 | Wednesday, 2 January 2008 | W32/StormWorm.W |
| F-Secure | 6.70.13030.0 | Thursday, 3 January 2008 | Email-Worm.Win32.Zhelatin.qa |
| Ikarus | T3.1.1.15 | Thursday, 3 January 2008 | Email-Worm.Win32.Zhelatin.qa |
| Kaspersky | 7.0.0.125 | Thursday, 3 January 2008 | Email-Worm.Win32.Zhelatin.qa |
| McAfee | 5198 | Thursday, 3 January 2008 | W32/Nuwar@MM |
| Microsoft | 1.3109 | Thursday, 3 January 2008 | Backdoor:Win32/Nuwar.gen!A |
| NOD32v2 | 2762 | Thursday, 3 January 2008 | Win32/Nuwar.BF |
| Norman | 5.80.02 | Wednesday, 2 January 2008 | Tibs.BFZU |
| Panda | 9.0.0.4 | Thursday, 3 January 2008 | W32/Nuwar.NL.worm |
| Prevx1 | V2 | Thursday, 3 January 2008 | Stormy:Worm-All |
| Rising | 20.25.22.00 | Wednesday, 2 January 2008 | - |
| Sophos | 4.24.0 | Thursday, 3 January 2008 | Troj/Dorf-AO |
| Sunbelt | 2.2.907.0 | Thursday, 3 January 2008 | - |
| Symantec | 10 | Thursday, 3 January 2008 | Trojan.Peacomm.D |
| TheHacker | 6.2.9.178 | Thursday, 3 January 2008 | - |
| VBA32 | 3.12.2.5 | Wednesday, 2 January 2008 | - |
| VirusBuster | 4.3.26:9 | Wednesday, 2 January 2008 | Trojan.DR.DL.Tibs.JP |
| Webwasher-Gateway | 6.6.2 | Thursday, 3 January 2008 | Trojan.Crypt.XDR.Gen |
Recent File Names
- happy_2008.exe*
- happy2008.exe
- happy-2008.exe
- happynewyear.exe
- happynewyear2008.exe
- stripshow.exe
Storm Web Source
In the later stages of the recent Storm Worm wave, viewing the source of the website would reveal some JavaScript and an obfuscated file name. The authors made use of document.write and the unescape function to hide the binary name in the source. It appears the authors attempted to make those viewing the source think that the filename was either "fck2008.exe" or "fck2009.exe". However, simply doing a mouse over the hyperlink or actually attempting to download the file would also reveal the filename. The following is an image of the source of the website, so as not to trigger AV software.
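An analyst looking at a page like this wants the link that the browser actually renders, not the decoy left in plain sight. The following is an added example, not code from the original post: it locates every document.write(unescape("...")) call in a saved page source, decodes the JavaScript unescape format (%XX bytes and %uXXXX code units) statically, and lists the filenames of the links those calls would have written. The sample source is constructed for this example; the visible decoy "fck2008.exe" and the hidden "happy2008.exe" are the names the post mentions, while the page layout and the exact encoded string are this example's own assumptions.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample page source modelled on the behaviour described in the
# post: a decoy filename sits in a comment, while the real link only exists
# once document.write(unescape(...)) runs in the browser.
SAMPLE_SOURCE = r'''
<html><body>
<!-- download: fck2008.exe -->
<p>Your download should begin shortly.</p>
<script>
document.write(unescape("%3Ca%20href%3D%22happy2008%2Eexe%22%3Eclick%20here%3C%2Fa%3E"));
</script>
</body></html>
'''

WRITE_CALL = re.compile(
    r'document\.write\s*\(\s*unescape\s*\(\s*(["\'])(.*?)\1\s*\)\s*\)', re.S)
HREF = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.I)
EXE_NAME = re.compile(r'\b[\w-]+\.exe\b', re.I)


def js_unescape(s):
    """Decode the JavaScript unescape() format: %uXXXX code units first, then %XX bytes."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def decoded_writes(source):
    """Return the plaintext of every document.write(unescape("...")) call in the source."""
    return [js_unescape(m.group(2)) for m in WRITE_CALL.finditer(source)]


def hidden_filenames(source):
    """Filenames of every link that exists only after the obfuscated writes run."""
    names = []
    for fragment in decoded_writes(source):
        for href in HREF.findall(fragment):
            path = urlparse(html.unescape(href)).path
            name = path.rsplit("/", 1)[-1]
            if name:
                names.append(name)
    return names


def visible_filenames(source):
    """What a naive grep for .exe names over the raw source would report.

    The encoded link never matches, so only the decoy shows up; this is the
    misdirection the post describes.
    """
    return EXE_NAME.findall(source)


if __name__ == "__main__":
    print("visible in raw source:", visible_filenames(SAMPLE_SOURCE))
    print("written at run time:  ", hidden_filenames(SAMPLE_SOURCE))
```

Running this over a saved copy of the page keeps the analysis entirely offline: nothing is fetched and the decoded HTML is never handed to a browser, so the iframe and download link are read rather than executed.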

Christmas Twist
Finally, in an interesting twist in the already dramatic Storm Worm saga, we also discovered that starting on December 24, 2007, Google's Blogger service, also known as Blogspot, was being used to spread the Storm Worm on a decently large scale. We are seeing legitimate web logs on Blogspot updated with brief posts encouraging readers to visit the above mentioned Storm Worm domains. These were apparently either compromised blogs or users infected with the Storm Worm who were having their blogs updated without their knowledge. Google has done a pretty good job of getting them taken down (by disabling the blogs) thus far. The initial response was a little slow as it probably had not yet been brought to their attention. Google should be used to this as they have increasingly seen their Blogger service used for these types of attacks. In fact it seems that the Storm Worm had also used a similar tactic back in August. Users need to be trained to look for this sort of activity regardless of where it comes from.
If you have any questions about the Storm Worm or any of the work we do, feel free to click on the Contact Us link on the left menu and drop us a line. Have a Happy New Year and browse safely!


