Wednesday, August 29, 2007

Storm Worm's use of Dropped Domains

Bleedingthreats.org's daily updated rules for blocking Storm Worm DNS and C&C traffic keep growing at a significant pace. With the group behind Storm Worm constantly changing its social engineering tactics, while continuing to exploit already patched vulnerabilities in case the user doesn't self-infect herself, anti-virus vendors are literally churning out new signatures for yet another Storm Worm variant. Reactive response is a daily reality; however, proactive response, such as making sure your customers' browsers cannot be automatically exploited even if they follow Storm Worm's IP links, is far more pragmatic, and its results can be easily evaluated while the mass mailing campaign is still active online. Here's an interesting list, notable especially because pretty much all of these domains were purchased as "dropped" ones, and are again part of the BYDLOSHKA campaign with its static domain.com/ind.php structure:

tushove.com; tibeam.com; kqfloat.com; snbane.com; yxbegan.com; snlilac.com; qavoter.com; ptowl.com; wxtaste.com; eqcorn.com; ltbrew.com; bnably.com; fncarp.com
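The static domain.com/ind.php structure and the fixed set of dropped domains above make this campaign easy to match proactively on the DNS and proxy side. The following Python is an added illustration, not code from the post or from Bleedingthreats.org: it encodes each listed domain in DNS wire format for a Snort-style DNS query rule (the rule template, message text and sid values are assumptions), and flags URLs in constructed proxy log lines that hit one of the domains with the /ind.php path.

```python
import re
from urllib.parse import urlparse

# Dropped domains listed in the post, reused by the BYDLOSHKA campaign.
STORM_DOMAINS = {
    "tushove.com", "tibeam.com", "kqfloat.com", "snbane.com", "yxbegan.com",
    "snlilac.com", "qavoter.com", "ptowl.com", "wxtaste.com", "eqcorn.com",
    "ltbrew.com", "bnably.com", "fncarp.com",
}

def dns_wire_labels(domain):
    """Encode a domain as DNS wire-format labels: length byte + label per part, NUL terminated."""
    parts = domain.rstrip(".").lower().split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def dns_rule(domain, sid):
    """Build a Snort-style rule matching a DNS query for one domain (template is an assumption)."""
    hexbytes = " ".join(f"{b:02x}" for b in dns_wire_labels(domain))
    return (f'alert udp $HOME_NET any -> any 53 (msg:"Storm Worm DNS lookup {domain}"; '
            f'content:"|{hexbytes}|"; nocase; sid:{sid}; rev:1;)')

def dns_ruleset(domains, first_sid=1000001):
    """One rule per domain, with consecutive sids starting at first_sid."""
    return [dns_rule(d, first_sid + i) for i, d in enumerate(sorted(domains))]

IND_PHP = re.compile(r"^/ind\.php$")

def is_storm_url(url):
    """True when the URL hits a listed domain with the campaign's static /ind.php path."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host in STORM_DOMAINS and IND_PHP.match(parsed.path or "") is not None

def flag_proxy_log(lines):
    """Return the URLs from 'timestamp client url' log lines that match the campaign pattern."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and is_storm_url(fields[2]):
            hits.append(fields[2])
    return hits

# Constructed sample proxy log lines (not real traffic): timestamp, client IP, requested URL.
SAMPLE_LOG = [
    "2007-08-29T10:01:02 10.0.0.5 http://tushove.com/ind.php",
    "2007-08-29T10:01:09 10.0.0.5 http://www.example.com/index.php",
    "2007-08-29T10:02:15 10.0.0.7 http://eqcorn.com/ind.php?x=1",
    "2007-08-29T10:03:00 10.0.0.9 http://snbane.com/other.php",
]

if __name__ == "__main__":
    print("\n".join(dns_ruleset(STORM_DOMAINS)))
    print(flag_proxy_log(SAMPLE_LOG))
```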

The obfuscated JavaScript exploiting the browser vulnerabilities still includes offensive language against an anti-virus vendor. Moreover, in case you remember, the second Storm Worm wave had a very creative feature, namely automatically injecting a malicious URL into a forum or blog post right after the infected party has authenticated herself, so that the malware never has to figure out how to bypass the authentication. By the look of it, the current campaign has also hit Blogger and many other forums.