Stormy Skies

A couple of third-party reports on the Storm Worm (aka Peacomm, aka Nuwar, aka Tibs, aka Zheltin, aka CME-711). The first is a detailed binary analysis of the malcode involved in the Storm Worm from Frank Boldewin. This is one of the only such analyses made public that I have seen; everyone else keeps theirs private.

It mainly focuses on extracting the native Peacomm.C code from the original encrypted/packed code and everything that happens along the way: XOR + TEA decryption, TIBS unpacking, defeating the anti-debugging code, file dropping, driver-code infection, VM-detection tricks, and all the nasty things the rootkit driver does.

From: Peacom – Cracking the nutshell [ZIP], by Frank Boldewin.

Second up is a great timeline of the Storm Worm lures, specifically the ones that lure you to the website to get infected via malicious HTML (using the setSlice() vuln). Unfortunately it does not cover the spammed EXEs that appeared in the Winter of 2007; it just covers the “e-card” timeframe and beyond. It also doesn’t cover any changes in the website HTML or exploits. Still, this is the first such compendium of this data I’ve seen shared publicly. I made a smaller one on a private list one night, but without so much data or detail.

A third point of interest, and the research focus for this blog, is the structure of the spam runs themselves. The accepted notion is that the runs are distinct from one another based on their subject matter. For example, we consider “NFL” spam to be one instance of the Storm attack, and “ArcadeWorld” another, but we cannot by that alone make an assertion regarding their specific rate of occurrence and precise ordering. Our goal is to confirm the ordered relationship between subjects, and to use the resulting distribution and frequency data to build a volume-based chronology.

From: Storm Worm Chronology on the Websense Security Lab blog.

UPDATE – Edited to list the author of the malcode analysis report.

