Tuesday, August 21, 2007

Offensive Storm Worm Obfuscation

Malware authors, often pissed off at the detection rates of their malware releases, tend to include offensive comments or messages within the malware's code against anti virus vendors. At this Storm Worm URL we see offensive function within the obfuscated exploit aiming at Kaspersky.

The recent Storm Worm campaign may indeed look like a huge security threat given the millions of emails sent, however, I feel more awareness should be built on the fact that the malware has slightly adapted, and is using browser based vulnerabilities (client side one) to automatically push the binary onto the host, compared to the urban legend of not openning email attachments from unknown parties. The current Storm Worm's main benefit in terms of efficiency is the client side exploited vulnerabilities within each and every malicious IP, and the main weakness is the pattern based nature of the binaries hosted at the IPs such as maliciousIP/file.php and maliciousIP/ecard.exe, thefore periodically verifying the checksums of the still active Storm Worm IPs results in new malware variants. Or starting from the basic premise that prevention is better than the cure, Bleedingthreats have already released IDS signatures for the Storm Worm :

"This first list has over 800 servers that are confirmed hostile, and were active in the last 24 hours. http://www.bleedingthreats.net/rules/bleeding-storm.rules
And a version prebuilt with a 30 day Snortsam block:
We’ll be collating Storm related links and data sources on the following page which is referenced in these sigs:

Let's assess yet another Storm Worm infected PC and reveal yet another campaign called BYDLOSHKA :

01. is using the Q4-06 Roll-up package exploits kit like all Storm Worm URLs

02. The downloader makes a DNS query to fncarp.com ( where we have a second offensive obfuscation and the BODLOSHKA campaign under the following URLs : snlilac.com/ind.php ( ; eqcorn.com/ind.php ( ; fncarp.com/ind.php The downloaders here obtain the actual binaries from a third party ( creating a fast-flux network.

03. What's interesting and rather disturbing is a proof that phishers, spammers and malware authors indeed work together, as Storm Worm is also comming in the form of phishing emails where the main objective isn't to steal confidential accounting data, but to only infect the users visiting the site (

All this leads me to the conclusion that the campaign may in fact be a Russian operation.

Related posts:
Oh boy, more Nuwar tricks!
New Storm Front Moving In
Zhelatin/Storm changes yet again