Storm Worm Hosting Pharmaceutical Scams

With Storm's recent SQL injection and introduction of several new domains within, the very latest additions to their domain portfolio are the following domains (naturally in a fast-flux provided by already infected hosts) hosting pharmaceutical scams :

producemorning.com
pressrose.com
posestory.com
picturewest.com
lowsmell.com
catsharp.com
printlength.com

All of the domain's DNS entries are set to update every 2 minutes, meaning they every 2 minutes another 20 different and infected IPs will be hosting the domains, which on the other hand logically have identical WHOIS entry records :

Administrative Contact:
WenFeng NO.397,zhuquedadao street,xian
City,shanxi Province xi an Shanxi 710061 CN
tel: 298 5228188
fax: 298 5393585
yayun22@163.com

It's also worth pointing out how they emphasize on the benefits of SSL based transactions, when none of the sites is supporting SSL, but is doing something a great number of phishers do - they've changed the favicon to a key lock looking one, since maintaining a SSL infrastructure on the infected hosts is both, unpragmatic, and a bit unnecessary if they social engineer the visitor :

"SSL Encryption or Https is a technique used to safeguard private information which is sent via Internet. To prove the site's legitimacy, the SSL encryption uses a PKI (Public Key Infrastructure) - public/private key, to encrypt IDs, documents, or messages to securely transmit the information in the World Wide Web. In order to show that our transmission is encrypted, most browsers will display a small icon that would look like a pad "lock" or a key and the URL begins with "https" instead of "http". SSL Encryption or https from a digital certification authority will helps the secure web site with confidential information on web. "

With pharma masters increasingly using fast-flux to increase the survivability of their domains participating in affiliation based pharmaceutical affiliate programs, Storm Worm is anything but lacking behind programs that connect scammers and (infected) infrastructure providers.

Related posts:
All You Need is Storm Worm's Love
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game

Comcast.net not Hacked, DNS Records Hijacked

Two days ago in a show off move, the Kryogenics team managed to change the DNS records of Comcast.net, and consequently, redirect traffic to third-party servers, which in this incident only served a defaced-looking like page, and denied email services to Comcast's millions of email users for a period of three hours.

The message they appear to have left at the first place, is actually hosted on third-party servers and reads :

"KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven"

Comcast's changed whois records looked like this, and were restored to their original state approximately three hours later :

Administrative Contact:
Domain Registrations,
Comcast kryogenicsdefiant@gmail.com
Defiant still raping 2k8 ebk 69 dick
tard lane dildo room
PHILADELPHIA, PA 19103
US 4206661870 fax: 6664200187

The hacked page was loading from the following locations :
freewebs.com/buttpussy69
freewebs.com/kryogeniks911
defiants.net/hacked.html

Comcast's comments :
"Last night users attempting to access Comcast.net were temporarily redirected to another site by an unauthorized person," he says. "While that issue has been resolved and customers have continued to have access to the Internet and email through services like Outlook, some customers are currently not able to access Comcast.net or Webmail." Douglas says that network engineers continue to work on the issue. "We believe that our registration information at the vendor that registers the Comcast.net domain address was altered, which redirected the site, and is the root cause of today's continued issues as well," he says. "We have alerted law enforcement authorities and are working in conjunction with them."

Network Solutions comments :
"Somebody was able to log into the account using the username and password. It was an unauthorized access," said spokeswoman Susan Wade. "It wasn't like somebody hacked into it. The Network Solutions account was not hacked. "They ping us and say this is my domain and say, 'I'd like to reset my password,'" Wade said. "It could have been compromised through e-mail. They could have gotten it if they acted as the customer. We're not clear."

"Pinging a domain registrar" has been around since the early days of the Internet, and it's obviously still possible to socially engineer one in 2008. A recently released ICANN advisory on the topic of registrar impersonation phishing attacks provides a decent overview of the threat, and in Comcast's case, I think someone impersonated Comcast in front of Network Solutions compared to the other way around, namely someone phished the person possessing the accounting data at Comcast, by making them think it's Network Solutions contacting them.

With Comcast.net now back to normal, the possibilities for abusing the redirected traffic given that the content was loading from web sites they controlled are pretty evident. And despite that there are speculations the hijack is courtesy of the BitTorrent supporters, in this case, the motivation behind this seem to have been to prove that it's possible.

UPDATE :
An interview with the hijackers including a screenshot of the control panel for over 200 Comcast operated domains is available.