Storm Worm Potpourri

Storm Worm has been quiet over the last few days; nothing really exciting happened at the honeypots infected with the bot. Many of the spam mails sent by the bot are stock spam messages advertising a particular stock. An example attachment sent some time ago is Complaint.pdf, which advertises Score One Inc. (SREA.OB), a small company traded over the counter.

Many of the fast-flux domains used by Storm Worm are currently non-functional; only two still seem to resolve. One of them is yxbegan.com:
$ dig yxbegan.com

; <<>> DiG 9.4.1-P1 <<>> yxbegan.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59661
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 12, ADDITIONAL: 0

;; QUESTION SECTION:
;yxbegan.com. IN A

;; ANSWER SECTION:
yxbegan.com. 0 IN A 74.134.155.14

;; AUTHORITY SECTION:
yxbegan.com. 172800 IN NS ns13.yxbegan.com.
yxbegan.com. 172800 IN NS ns2.yxbegan.com.
yxbegan.com. 172800 IN NS ns3.yxbegan.com.
yxbegan.com. 172800 IN NS ns4.yxbegan.com.
yxbegan.com. 172800 IN NS ns5.yxbegan.com.
yxbegan.com. 172800 IN NS ns6.yxbegan.com.
yxbegan.com. 172800 IN NS ns7.yxbegan.com.
yxbegan.com. 172800 IN NS ns8.yxbegan.com.
yxbegan.com. 172800 IN NS ns9.yxbegan.com.
yxbegan.com. 172800 IN NS ns10.yxbegan.com.
yxbegan.com. 172800 IN NS ns11.yxbegan.com.
yxbegan.com. 172800 IN NS ns12.yxbegan.com.

;; Query time: 4376 msec
;; SERVER: X.X.X.X#53(X.X.X.X)
;; WHEN: Thu Dec 6 08:59:53 2007
;; MSG SIZE rcvd: 265

Consecutive lookups return a different A record every time (the TTL of 0 on the A record forces a fresh query instead of a cached answer, which is what makes the flux visible to resolvers):
yxbegan.com. 0 IN A 69.224.113.183
yxbegan.com. 0 IN A 123.215.78.167
yxbegan.com. 0 IN A 168.188.56.76
yxbegan.com. 0 IN A 220.129.76.210
yxbegan.com. 0 IN A 59.23.185.81
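The signs of fast flux visible in the dig output above (a TTL of 0, a different A record on every lookup, addresses spread over unrelated networks, and a dozen nameservers inside the fluxed zone itself) can be checked mechanically. The script below is an added example and not part of the original post: it parses constructed dig-style answer and authority lines (the yxbegan.com addresses are the ones shown above; the "stable" control domain and its addresses are made up), and uses /16 prefixes as a rough stand-in for an ASN lookup, which the post does not do.

```python
"""Score a series of DNS answers for fast-flux indicators.

Added example, not code from the original post. Input is plain
dig-style resource record lines, so it runs offline on captured output.
"""
import ipaddress
import re

# Constructed sample: the A records the post shows for yxbegan.com over
# six consecutive lookups, in dig answer-section format (tabs or spaces).
FLUX_LOOKUPS = [
    "yxbegan.com.\t0\tIN\tA\t74.134.155.14",
    "yxbegan.com.            0       IN      A       69.224.113.183",
    "yxbegan.com. 0 IN A 123.215.78.167",
    "yxbegan.com. 0 IN A 168.188.56.76",
    "yxbegan.com. 0 IN A 220.129.76.210",
    "yxbegan.com. 0 IN A 59.23.185.81",
]

# Constructed control: a normal host answering with one address and a sane TTL
# (name and addresses are made up, RFC 5737 documentation range).
STABLE_LOOKUPS = [
    "example.test. 3600 IN A 192.0.2.10",
    "example.test. 3590 IN A 192.0.2.10",
    "example.test. 3580 IN A 192.0.2.10",
]

# Constructed excerpt of the authority section shown in the post: every
# nameserver lives inside the fluxed zone, so there is no stable third party.
FLUX_AUTHORITY = [
    "yxbegan.com. 172800 IN NS ns13.yxbegan.com.",
    "yxbegan.com. 172800 IN NS ns2.yxbegan.com.",
    "yxbegan.com. 172800 IN NS ns3.yxbegan.com.",
    "yxbegan.com. 172800 IN NS ns4.yxbegan.com.",
]

RR = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|NS)\s+(?P<data>\S+)$")


def parse_records(lines):
    """Return (name, ttl, type, data) tuples for A and NS lines; skip the rest."""
    out = []
    for line in lines:
        m = RR.match(line.strip())
        if m:
            out.append((m.group("name"), int(m.group("ttl")), m.group("type"), m.group("data")))
    return out


def flux_indicators(lines, ttl_threshold=300):
    """Collect the per-lookup indicators for the A records in `lines`."""
    a_records = [r for r in parse_records(lines) if r[2] == "A"]
    addrs = [ipaddress.IPv4Address(data) for _, _, _, data in a_records]
    ttls = [ttl for _, ttl, _, _ in a_records]
    # /16 prefixes approximate "different networks" without an ASN database.
    prefixes = {ipaddress.IPv4Network((str(a), 16), strict=False) for a in addrs}
    return {
        "lookups": len(a_records),
        "distinct_ips": len(set(addrs)),
        "distinct_prefixes16": len(prefixes),
        "max_ttl": max(ttls) if ttls else None,
        "low_ttl": bool(ttls) and max(ttls) <= ttl_threshold,
    }


def in_zone_nameservers(lines):
    """Count NS records whose target is a host inside the queried zone."""
    count = 0
    for name, _, rtype, data in parse_records(lines):
        if rtype == "NS" and data.lower().endswith("." + name.lower()):
            count += 1
    return count


def looks_fast_flux(lines, ttl_threshold=300, min_distinct=3):
    """Low TTL plus many distinct addresses in distinct networks."""
    ind = flux_indicators(lines, ttl_threshold)
    return (
        ind["low_ttl"]
        and ind["distinct_ips"] >= min_distinct
        and ind["distinct_prefixes16"] >= min_distinct
    )


if __name__ == "__main__":
    print("yxbegan.com:", flux_indicators(FLUX_LOOKUPS), looks_fast_flux(FLUX_LOOKUPS))
    print("in-zone NS:", in_zone_nameservers(FLUX_AUTHORITY))
    print("control:", flux_indicators(STABLE_LOOKUPS), looks_fast_flux(STABLE_LOOKUPS))
```

The thresholds (TTL at or below 300 seconds, at least three distinct addresses in three distinct /16s) are assumptions chosen to flag the yxbegan.com answers while leaving an ordinary round-robin or CDN name, which usually keeps its addresses within a few networks and a TTL of minutes, below the bar; tune them against your own resolver logs before alerting on them.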

More info to follow :)

Comments

  1. Nesh Vonk says:

    My GMX account has been deleted. Was it a worm? A bot? A hacker? All my mails are gone - what can I do?

  2. Thorsten Holz says:

    Presumably not a worm or a bot, perhaps it was a cracker. Contact the support of GMX, they can advise you what to do next.
