The Storm Worm Malware Back in the Game

After coming across the story on how Storm Worm is taking over the world for yet another time, I wondered – who are the novice malware authors behind Storm Worm that switch tactics by the time their old ones become inefficient? After commenting on the first Storm Worm wave — it’s not even a worm — with an emphasis of the outdate social engineering techniques it was using back in January, 2007, it’s time we assess the current situation and how have Storm Worm evolved. What has changed? Direct .exe email attachments matured into a direct link to an infected IP address. Mass mailings are now sent with campaign ID to measure efficiency. Outdated social engineering tactics became a direct exploitation of old and already patched vulnerabilities to ensure a higher probability of infecting the visitor whose lack of understanding on how client side vulnerabilities should get a higher priority compared to visual .exe vigilance often result in an infection. Here’s a sample infected IP spreading Storm Worm binaries :

Message content : “Your Download Should Begin Shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download
Original URL : /?232c3a9ebeed435601e5ee71
Binary URL : .exe
Server response : HTTP/1.1 200 OK
Server: nginx/0.5.17
Date: Thu, 09 Aug 2007 00:12:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.1

Email spoofed from : “” jyg @
Mail server :,
IP blacklisted by : SpamCop, CASA-CBL, UCEPROTECTL1, PSBL
Sender’s IP :
IP blacklisted by : Spamhaus PBL, NJABL Dynablock

Detection rate : 17 AVs out of 32 detect it (53.13%)
File size: 113195 bytes
MD5: 63fe9896fbbca6471ec216c9dee0b0e9
SHA1: 170eb66ca28f74d291e07a0383564b465d373f06

file.exe – downloader
Detection Rate: 17 AVs out of 32 detect it (53.13%)
File size: 4608 bytes
MD5: 7ea2baadfe3a8a54635cea72526ff391
SHA1: ae32bb7df491fb52650144931c10a7bd5ebf6a2c

Detection Rate : 17 AVs out of 32 detect it (53.13%)
File size: 113168 bytes
MD5: 4ac8a3242e945215469ec08bc5603418
SHA1: 75b8aadab3626e39b570d7e7494d3be63cc582d1

At every infected IP acting as a web server, we have a typical MPack style XOR-ifying javascript obfuscation. And while it’s not that hard to deobfuscate it, the interesting part is the type of vulnerabilities exploited to obtain the downloader and the payload. The current campaign is a good example of a fast-flux network as the malware authors used one mail server to sent the email, another IP as actual sender, and a third one where the payload, the downloader are hosted with the web page itself using the Q4-06 Roll-up package exploits kit :

This is a set of exploit scripts mostly from the end of 2006. It includes an MS06-042, a SetSlice, an MDAC, a WinZip, and a QuickTime. It is typically encrypted using a wide variety of javascript obfuscators, but is usually about the same source code underneath. Recently it sometimes includes an ANI exploit from April 2007.

As we have already seen with the most recent and wide scale malware campaigns, such as with the IcePack’s and MPack’s kits, the malware authors are entirely relying on patched vulnerabilities compared to purchasing zero day ones, further fueling the superficial zero day vulnerabilities cash bubble, and proving that using old vulnerabilities is just as effective as using a zero day one – they are both unpatched at the end user’s PC. Ensure attacks using outdated vulnerabilities cannot take place by patching, and don’t forget that Storm Worm is among the many other malware and spam oubtreaks currently active in the wild.

Related posts:
Malware Embedded Sites Increasing
Massive Embedded Web Attack in Italy
The MPack Attack Kit on Video
The WebAttacker in Action
The IcePack Malware Kit in Action
The Underground Economy’s Supply of Goods

More info:
Malware – Future Trends
New wave of nuwars storming in
Storm Worm Continues to Spread
The Storm Worm
Storm Worm growth is getting out of hand, researchers fear
Storm Trojan Worm evolves and creates Havoc on the Internet, warns SecureWorks
Storm Worm’s Virulence May Mean Tactics Change
Storm Worm Hype Batters Media

Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *