Stormworm Tactics Change to Football Fungus
Some recent changes involving storm:
Starting at about 13:50 GMT, Randy V noticed that the domains were rotating their IPs less frequently. Looking back at my logs, I came up with this:
2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1
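The table above is the product of collapsing a periodic resolver log into one line per address served. The following is an added example (not code from the DISOG post) that does that collapsing, measures how long each address was served before rotation, and flags the point where the name starts answering with loopback, as it did at 15:44. The log it parses is constructed from RFC 5737 documentation addresses and is not the post's real data.

```python
# Added example (not code from the DISOG post): turn a periodic resolver log
# into the "first seen - last seen: IP" summary the post gives for its
# fast-flux domains, measure how long each address was served, and flag the
# moment the name starts answering with loopback. The log below is constructed
# with RFC 5737 documentation addresses, not the post's real observations.
import ipaddress
from datetime import datetime

SAMPLE_LOG = """\
2007-09-08 13:49 192.0.2.10
2007-09-08 13:52 192.0.2.10
2007-09-08 13:57 192.0.2.10
2007-09-08 13:58 198.51.100.7
2007-09-08 14:03 198.51.100.7
2007-09-08 14:04 203.0.113.44
2007-09-08 14:20 203.0.113.44
2007-09-08 14:21 127.0.0.1
2007-09-08 14:30 127.0.0.1
"""


def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM ip' lines into (datetime, IPv4Address) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, clock, ip = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M")
        rows.append((ts, ipaddress.ip_address(ip)))
    return rows


def collapse_ranges(rows):
    """Merge consecutive identical answers into (first_seen, last_seen, ip)."""
    ranges = []
    for ts, ip in rows:
        if ranges and ranges[-1][2] == ip:
            first, _, _ = ranges[-1]
            ranges[-1] = (first, ts, ip)
        else:
            ranges.append((ts, ts, ip))
    return ranges


def is_parked(ip):
    """True when the answer points nowhere reachable (127.0.0.1 in the post).

    Only loopback and 0.0.0.0 are treated as parked here; the ipaddress module
    also classes the RFC 5737 sample ranges used above as private, so a
    broader is_private check would misfire on this constructed data.
    """
    return ip.is_loopback or ip.is_unspecified


def average_dwell_minutes(ranges):
    """Mean time (minutes) each live address was served before rotation."""
    live = [(last - first).total_seconds() / 60
            for first, last, ip in ranges if not is_parked(ip)]
    return sum(live) / len(live) if live else 0.0


def format_ranges(ranges):
    """Render ranges in the post's style, marking parked answers."""
    fmt = "%Y-%m-%d %H:%M (GMT)"
    lines = []
    for first, last, ip in ranges:
        note = "  <-- parked/sinkholed" if is_parked(ip) else ""
        lines.append(f"{first.strftime(fmt)} - {last.strftime(fmt)}: {ip}{note}")
    return lines


if __name__ == "__main__":
    ranges = collapse_ranges(parse_log(SAMPLE_LOG))
    print("\n".join(format_ranges(ranges)))
    print(f"average dwell per live address: {average_dwell_minutes(ranges):.1f} min")
```

The average dwell figure is what makes "rotating less frequently" measurable: a fast-flux name that normally changes every few minutes and suddenly sits on one address for a quarter of an hour, then drops to loopback, is a change in the operators' behaviour worth noting in the log rather than just a quieter day.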
From 15:44 to ~17:00 the index page showed:
Welcome to nginx!
Now the index page is NFL-themed (and nicely done) and serves NFLTracker.exe (NFLTracker.exe - Infected: Trojan.Peed.III). It isn't using any of the XOR'd JavaScript or browser exploits; this page is strictly social engineering.
(DISOG Screen Capture: Sept 8, 2007)
Our guess is that the domains will change soon to football-related names, or that there will be a mass infection of football-related sites with frames pointing to the peer pages.
UPDATE: The binary is now called 'tracker.exe'.


5 Comments:
And the spam came in this morning...
Subject: Get Your Free NFL Game Tracker
Football......Need we say more?
We want you to have all the details for every game this football season.
Get all the info you need from our online game tracker:
http:// 58 . 79 . 110 . 12
Season is open.... and we do mean FOOTBALL!
Have the details for every game, provided every day.
Stay informed for every game with our free game page:
http://74 .72 .127 .59/
As you can see, the template varies slightly; however, 'the details for every game' and ending with 'http://[0-9].*\.[0-9]' seem common enough to create an IDS signature.
Great job guys! Please keep it coming.
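The commenter above proposes a signature built from two features of the spam: the fixed phrase and a URL whose host is a bare dotted-quad. The following is an added example (not code from the post or its commenters) that checks mail bodies for both indicators and only alerts when they co-occur, since either alone is noisy. The sample messages are constructed in the shape of the quoted spam, using RFC 5737 documentation addresses rather than the real ones, and it also tolerates the spaced-out form in which the commenter quoted the links.

```python
# Added example (not from the post or its comments): detect the NFL spam
# template from two indicators the commenter identified, the fixed phrase and
# an IP-literal URL. Sample messages are constructed; addresses are RFC 5737.
import re

SAMPLES = [
    ("Get Your Free NFL Game Tracker",
     "Football......Need we say more?\n"
     "We want you to have all the details for every game this football season.\n"
     "Get all the info you need from our online game tracker:\n"
     "http://192.0.2.12"),
    ("Season is open",
     "Season is open.... and we do mean FOOTBALL!\n"
     "Have the details for every game, provided every day.\n"
     "Stay informed for every game with our free game page:\n"
     "http://198.51.100.59/"),
    # Benign: has the phrase but links to a hostname, not an IP literal.
    ("Weekly schedule",
     "Hi all, the details for every game are on the league site: "
     "https://example.com/schedule"),
    # Benign for this rule: IP-literal URL but none of the spam wording.
    ("Your invoice",
     "Please see http://203.0.113.9/invoice.pdf"),
]

PHRASE_RE = re.compile(r"the details for every game", re.IGNORECASE)

# Host must be a dotted-quad ending at '/', whitespace or end of line. \s* between
# octets accepts the "http:// 58 . 79 . 110 . 12" spacing seen in the quoted spam.
IP_URL_RE = re.compile(
    r"https?://\s*(\d{1,3})\s*\.\s*(\d{1,3})\s*\.\s*(\d{1,3})\s*\.\s*(\d{1,3})"
    r"\s*(?:/|$|\s)",
    re.IGNORECASE | re.MULTILINE,
)


def ip_literal_urls(text):
    """Return the dotted-quads used as URL hosts, validating each octet."""
    hits = []
    for m in IP_URL_RE.finditer(text):
        octets = [int(o) for o in m.groups()]
        if all(0 <= o <= 255 for o in octets):
            hits.append(".".join(str(o) for o in octets))
    return hits


def classify(subject, body):
    """Alert only when the phrase and an IP-literal link appear together."""
    text = subject + "\n" + body
    phrase = bool(PHRASE_RE.search(text))
    urls = ip_literal_urls(text)
    return {"phrase": phrase, "ip_urls": urls, "alert": phrase and bool(urls)}


if __name__ == "__main__":
    for subject, body in SAMPLES:
        verdict = classify(subject, body)
        flag = "ALERT" if verdict["alert"] else "ok   "
        print(f"{flag} {subject!r} ip_urls={verdict['ip_urls']}")
```

Requiring both indicators is the point: "the details for every game" will appear in legitimate sports mail, and IP-literal links appear in plenty of internal notifications, but the combination is specific to this campaign's template. When the wording changes, as it did between the two quoted messages, the IP-literal check keeps firing on its own and the phrase list is the part to update.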
I've been trying to get the stage 2 executable (for reverse engineering purposes) which is downloaded by the worm, but I was unable to get it from the P2P net.
The bot would simply update its peer lists and sit idle. Changing the delay (15 minutes) at which it queries the P2P network to a smaller value just gets more peers, but does not download any file. Did they stop updating the clients? If not, do you have a link or filename of the stage 2 executable?
ViruX>
We have the same issue. Our honeypots have been sitting mostly idle for the last three days. All we've seen are attempted outbound DDoS.
We will continue monitoring those honeypots and update the blog with any changes.
Nicholas