Fast Flux and New Domains for Storm

At last week’s FIRST conference in Vancouver I presented on some of our ATLAS fast flux data. The slides aren’t yet available, but the ongoing reports in ATLAS now reflect, and continuously update, some of the analysis we presented. Some of the new reports include the lifetimes for each network, and the “distinct networks” section, which identifies related domains through shared botnet membership. ATLAS users can also get the updated blocklist of fast flux domains for use in stopping such attacks.

Just in time, too, the Storm Worm has begun using new fast flux domains. Messages look like this:

> Date: Sun, 29 Jun 2008 00:56:18 +0700
> From: hp_ejer@levelton.com
> Subject: You make my world special
>
> My heart belongs to you ht tp:/ /latinlovesite.com/

Here’s a list of all of the domains we’ve identified so far.


Storm has changed its tactics constantly in the past year and a half, and this “love theme” is nothing new. We’ll see how long this theme lasts.
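ATLAS ties related fast flux domains together through the infrastructure they share. As an added example that is not the post’s or ATLAS’s own code, the script below groups plain “domain NS nameserver” records by nameserver and flags clusters whose nameserver is hosted on one of the delegated domains itself; the domains in it are constructed placeholders.

```python
# Added example (not the post's or ATLAS's code): group suspect domains by
# shared authoritative nameserver, the infrastructure view that ties fast
# flux domains together. Sample records are constructed placeholders.
from collections import defaultdict

SAMPLE_RECORDS = """\
lovenote-a.example      NS     ns5.candyshop-x.example
lovenote-b.example      NS     ns5.candyshop-x.example
candyshop-x.example     NS     ns5.candyshop-x.example
unrelated-shop.example  NS     ns1.hosting-provider.example
lyric-one.example       NS     ns.nicebank-y.example
nicebank-y.example      NS     ns.nicebank-y.example
"""

def parse_ns_records(text):
    """Yield (domain, nameserver) pairs; skip malformed or non-NS lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1].upper() == "NS":
            yield fields[0].lower().rstrip("."), fields[2].lower().rstrip(".")

def parent_domain(host):
    """Registrable parent of a hostname (assumes a one-label public suffix)."""
    return ".".join(host.split(".")[-2:])

def cluster_by_nameserver(text):
    """Map each nameserver to the set of domains delegated to it."""
    clusters = defaultdict(set)
    for domain, ns in parse_ns_records(text):
        clusters[ns].add(domain)
    return dict(clusters)

def describe_networks(text, min_size=2):
    """Clusters with at least min_size domains; flags the case where the
    nameserver's own parent is one of the delegated domains, i.e. the
    network hosts its own DNS instead of using a third-party provider."""
    report = {}
    for ns, domains in cluster_by_nameserver(text).items():
        if len(domains) >= min_size:
            report[ns] = {"domains": sorted(domains),
                          "ns_parent_in_cluster": parent_domain(ns) in domains}
    return report

if __name__ == "__main__":
    for ns, info in describe_networks(SAMPLE_RECORDS).items():
        tag = " (self-hosted DNS)" if info["ns_parent_in_cluster"] else ""
        print(f"{ns}: {len(info['domains'])} domains{tag}")
        print("   ", ", ".join(info["domains"]))
```

A cluster whose nameserver lives on one of its own domains has no third-party DNS provider to take down, so blocking the whole cluster is usually the practical response.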

UPDATE 1 July 2008

Here’s a full list of domains:


One Response to “Fast Flux and New Domains for Storm”

June 30, 2008 at 8:42 am, Sturm-Wurm Domains « Computer Security said:

[…] The Storm Worm loves everyone again! According to TecChannel and Arbornetworks, the Storm operators are currently using the following […]
