Posted on Thursday, December 27th, 2007

Storm and 2008 - New Campaign

by Jose Nazario

Hot on the heels of their quick Christmas campaign, the Storm Worm team is back with a New Year’s theme. This time they’re using a new set of domains (listed in order of appearance):

uhavepostcard.com
happycards2008.com
newyearcards2008.com

Emails look basically like you would expect them to:

Date: Thu, 27 Dec 2007 05:20:11 +0100
From: aaa1@prevencionfremap.es
To: jose@arbor.net
Subject: New Year Postcard


Happy New Year To You!
http://happycards2008.com/

The sites did not appear to have exploit code linked from them, just the manual “Click here to download” e-card link. The filenames have been “happy2008.exe”, “happy-2008.exe”, and now “happynewyear.exe”.

The “uhavepostcard” one drops files with semi-random names. The sample I looked at dropped these two files:

C:\WINDOWS\system32\init_sys.config
C:\WINDOWS\system32\init_5504-3403.sys

These are the peer list (formerly peers.ini) and the executable service module, respectively (the .sys file gets installed as a service).

The “happycards2008” ones drop slightly more randomized names. I have seen pairs named:

C:\WINDOWS\system32\bldy.config
C:\WINDOWS\system32\bldy69e6-7447.sys

and also pairs of files named:

C:\WINDOWS\system32\clean.config
C:\WINDOWS\system32\clean6fb6-4718.sys

The pattern looks like a random four- or five-letter word, then four hex digits, a dash, and four decimal digits, with the same random word shared by the .config file and the .sys file.
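The naming pattern above is easy to turn into a check against a system32 listing. The script below is an added example, not part of the original post or of any Arbor tool: it matches the described word/hex/dash/digits .sys names and reports whether the matching word.config peer list sits beside each one. It assumes the word may also contain an underscore (an assumption, so that the uhavepostcard sample “init_5504-3403.sys” is at least flagged even though its config file does not share the word), and the directory listing it scans is constructed from the filenames quoted in this post plus some benign noise.

```python
import re

# Pattern described in the post for the happycards2008 droppers:
# a random 4-5 letter word, four hex digits, a dash, four decimal digits, ".sys";
# the peer list dropped alongside is "<word>.config".
# Assumption (not from the post): allow "_" in the word so that the
# uhavepostcard sample "init_5504-3403.sys" is also matched.
SYS_RE = re.compile(r"^([a-z_]{4,5})([0-9a-f]{4})-([0-9]{4})\.sys$", re.IGNORECASE)


def find_storm_pairs(filenames):
    """Return one record per .sys name matching the pattern, sorted by name.

    Each record notes the extracted word, the expected peer-list name and
    whether that peer list is present in the same listing.
    """
    names = set(filenames)
    hits = []
    for name in sorted(names):
        m = SYS_RE.match(name)
        if not m:
            continue
        word = m.group(1)
        config = word + ".config"
        hits.append({
            "sys": name,
            "word": word,
            "config": config,
            "paired": config in names,
        })
    return hits


# Constructed listing: the three pairs quoted in the post plus benign files.
SAMPLE_SYSTEM32 = [
    "bldy.config", "bldy69e6-7447.sys",
    "clean.config", "clean6fb6-4718.sys",
    "init_sys.config", "init_5504-3403.sys",
    "ntoskrnl.exe", "win32k.sys", "afd.sys", "drivers",
]


if __name__ == "__main__":
    for hit in find_storm_pairs(SAMPLE_SYSTEM32):
        if hit["paired"]:
            status = "paired with " + hit["config"]
        else:
            status = "no " + hit["config"] + " alongside (check manually)"
        print(f"{hit['sys']}: word={hit['word']!r}, {status}")
```

Running it against a real box would mean feeding it the basenames from a directory listing of system32; the legitimate driver names in the sample (win32k.sys, afd.sys) fall through because they lack the hex-dash-digits tail.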

Again we see fast-flux DNS (TTLs set to 0 seconds, many IPs cycled through the A records, and the nameservers themselves fast-fluxing within the network), open resolvers, and so on. I found the following IPs resolving to the newer domain, “happycards2008.com”, via a few minutes of running my Storm Walk tool:

68.41.128.81
74.75.193.213
98.201.54.7
200.162.235.188
203.223.220.24
65.35.110.50
121.136.152.130
189.29.79.55
12.206.195.216
68.52.93.226
74.73.33.69
24.181.97.40
68.80.244.129
68.127.51.120
75.24.24.249
190.45.9.231
68.93.120.181
116.14.162.113
84.23.121.242
69.242.187.97
209.30.251.217
24.166.67.244
65.26.43.23
74.130.106.75
201.250.164.104
70.242.145.120
68.253.178.215
76.103.150.254
66.8.183.125
24.30.181.28
210.113.50.93
24.33.240.239
68.251.176.59
58.65.84.17
124.244.198.114
76.122.60.56
69.224.114.33
200.115.208.39
125.129.126.115
69.154.183.237
68.90.162.136
207.255.204.126
68.58.33.188
12.227.173.1
69.138.252.207
24.99.36.75
12.215.234.127
200.43.176.146
75.131.200.201
86.105.231.81
208.104.94.226
74.70.149.166
125.34.37.164
24.68.70.32
58.9.31.86
65.71.237.177
68.95.50.91
65.42.90.193
218.152.103.107
222.97.131.74
70.225.91.241
86.205.184.197
67.181.90.28
71.192.249.188
190.25.223.79
76.103.226.108
75.6.228.50
71.103.33.65
99.141.197.104
68.49.242.155
76.194.64.40
77.41.76.15
210.24.78.49
67.68.200.46
76.111.121.139
76.220.237.100
68.79.7.249
212.122.122.218
79.172.90.173
68.158.65.192
99.253.1.2
78.37.7.118
74.130.62.217
89.20.145.218

This list grossly underestimates the number of hosts involved, but you get the idea.
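The fast-flux traits called out above (zero TTLs, a large and constantly changing answer set spread across many unrelated networks) can be scored from a few repeated lookups. The code below is an added example and is not the Storm Walk tool or any other code from the post; it only looks at A records, not at the fluxing nameservers. The polling snapshots are constructed: the Storm addresses are taken from the list in this post and grouped into four pretend polls, the benign domain uses documentation addresses, and the thresholds are assumptions chosen for illustration rather than values from the post.

```python
import ipaddress


def flux_metrics(polls):
    """Summarize repeated A-record lookups.

    polls is a list of (ttl_seconds, [ip strings]) tuples, one per lookup,
    in the order they were made. Returns distinct IP count, distinct /16
    count, the largest TTL seen and the number of never-before-seen IPs
    that appeared between consecutive polls ("churn").
    """
    seen = set()
    prev = None
    churn = 0
    max_ttl = 0
    for ttl, answers in polls:
        cur = set(answers)
        if prev is not None:
            churn += len(cur - prev)
        prev = cur
        seen |= cur
        max_ttl = max(max_ttl, ttl)
    nets = {ipaddress.ip_network(ip + "/16", strict=False) for ip in seen}
    return {
        "distinct_ips": len(seen),
        "distinct_16s": len(nets),
        "max_ttl": max_ttl,
        "churn": churn,
    }


def looks_fast_flux(polls, max_ttl=300, min_ips=10, min_16s=5):
    """Assumed heuristic: short TTLs plus many IPs in many /16s."""
    m = flux_metrics(polls)
    return (m["max_ttl"] <= max_ttl
            and m["distinct_ips"] >= min_ips
            and m["distinct_16s"] >= min_16s)


# Constructed polls for happycards2008.com: TTL 0, addresses from the post.
STORM_POLLS = [
    (0, ["68.41.128.81", "74.75.193.213", "98.201.54.7", "200.162.235.188", "203.223.220.24"]),
    (0, ["65.35.110.50", "121.136.152.130", "189.29.79.55", "12.206.195.216", "68.52.93.226"]),
    (0, ["74.73.33.69", "24.181.97.40", "68.80.244.129", "68.127.51.120", "75.24.24.249"]),
    (0, ["190.45.9.231", "68.93.120.181", "116.14.162.113", "84.23.121.242", "69.242.187.97"]),
]

# Constructed polls for an ordinary site: stable answers, hour-long TTL.
BENIGN_POLLS = [(3600, ["192.0.2.10", "192.0.2.11"])] * 4


if __name__ == "__main__":
    for label, polls in (("happycards2008.com", STORM_POLLS), ("example.invalid", BENIGN_POLLS)):
        print(label, flux_metrics(polls), "fast-flux" if looks_fast_flux(polls) else "normal")
```

In practice you would populate the polls from a resolver loop rather than literals; the /16 grouping is a crude stand-in for an ASN lookup, which separates a legitimate CDN (many IPs, few networks) from a botnet of home machines far better.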

Be safe this holiday season! Be wary of random e-cards from people you’ve never heard of, stay updated with AV, don’t run as administrator, etc …

UPDATE: The filename is now JavaScript-encoded, and the page drops “happynewyear2008.exe” to start this process.
