Friday, December 28, 2007

Riders on the Storm Worm

During the last couple of days the folks behind Storm Worm have started using several new, and highly descriptive domains. It seems they've also changed the layout as well, and despite that the exploit IFRAME is now gone, automatically registered Blogspot accounts are also disseminating links to the domains. Some of these have been registered as of recently, others have been around in a blackhat SEO operation for a while and are getting used as a foundation for the campaign. These are all known Storm Worm fast-fluxed domains for the time being :

merrychristmasdude.com
happycards2008.com
uhavepostcard.com
newyearwithlove.com
newyearcards2008.com


_happycards2008.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com




_uhavepostcard.com
Administrative, Technical Contact
Contact Name: Kerry Corsten
Contact E-mail: kryport2000 @ hotmail.com





_newyearwithlove.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com






_newyearcards2008.com
Administrative, Technical Contact
Contact Name: Bill Gudzon
Contact E-mail: bgudzon1956 @ hotmail.com









Moreover, Paul is also pointing out on the use of Blogspot blackhat SEO generated blogs in this Storm Worm campaign. In case you remember, the first one was relying on the infected user to first authenticate herself, and therefore authenticate for Storm Worm to add a link to a malware infected IP. Sample Blogspot URLs :

cbcemployee.blogspot.com
canasdelbohio.blogspot.com
1dailygrind.blogspot.com
traceofworld.blogspot.com/2007/12/opportunities-for-new-year.html
jariver.blogspot.com/2007/12/opportunities-for-new-year.html
antispamstore.blogspot.com/2007/12/opportunities-for-new-year.html

As for the complete list of the email subjects used for the time being, here's a rather complete one courtesy of US-CERT.

With end users getting warned about the insecurities of visiting an IP next to a domain name, this campaign is relying on descriptive domains compared to the previous one, while the use of IPs was among the few tactics that helped Storm Worm's first campaign scale so with every infected host acting as an infection vector by itself. And despite that I'm monitoring the use of such IPs from the first campaign in this campaign on a limited set of Storm Worm infected PCs, the next couple of days will shred more light into whether they'll start using the already infected hosts as infection vectors, or remain to the descriptive domains already used.

Keep riding on the storm.