Storm Worm Dead?
The Internet Storm Center today ran a story about a "New Stormworm download site", so the Storm Worm botnet is still alive and propagating. However, the size of the botnet is decreasing significantly: currently only about 8.2K hosts are online within the network (based on measurement results with the crawler presented in the LEET'08 paper). Compared to the size a few months ago (40K in January, even more a few months earlier), this is a strong decrease. Will the botnet thus become obsolete in the near future?
The CWSandbox analysis of the Storm Worm sample loveyou.exe (MD5: 0679c17b9072d378cb0a39272fed98f5) shows the typical signs of a Storm sample: it first drops a file called C:\WINDOWS\farkrish.exe and also writes the typical peer list:
H:\WINDOWS\farkrish.config [peers] 000011213D362D29747E07640874096F = C933DDCB2E6E00
H:\WINDOWS\farkrish.config [peers] 01006C75C1523825A27A642FD05F6859 = BDA2AF3A4A3600
H:\WINDOWS\farkrish.config [peers] 02003727703C8435FA41B70F977E6055 = 53C8003932CD00
H:\WINDOWS\farkrish.config [peers] 0300B623D3499048CC4BB30B5857C959 = C86E5D666A2C00
H:\WINDOWS\farkrish.config [peers] 04000A4C7B4BBC41AE5B6B486A00F613 = 7B11B24647B600
H:\WINDOWS\farkrish.config [peers] 05002744C35A572A932662411A117715 = 7B150612413A00
H:\WINDOWS\farkrish.config [peers] 06000772D412A4727D1B415B7A73F450 = 183C4148226F00
H:\WINDOWS\farkrish.config [peers] 07000600822E65796C39356C6E3C750E = 7B12A2E745FA00
H:\WINDOWS\farkrish.config [peers] 0800F81A9A4D644D6566FC73591C0B5F = C925ECC4375C00
H:\WINDOWS\farkrish.config [peers] 090007168A1C884C2D60D12FD900D86E = 7D19C551116E00
H:\WINDOWS\farkrish.config [peers] 0A00C95E9909F25F7844635C9D0FAD62 = BDA663FA77E400
H:\WINDOWS\farkrish.config [peers] 0B00364A9F3CC648DC1EE87E0E022E70 = 53CB22366F8D00
H:\WINDOWS\farkrish.config [peers] 0C00C65A0A69484DDF47D724A81F3B52 = A007E95F321F00
H:\WINDOWS\farkrish.config [peers] 0D00DE0895137F5AC2376814D6415F4D = 40FEB3F7645700
H:\WINDOWS\farkrish.config [peers] 0E007A157B4A305BD352D1039829B24C = 43954E9F0F4D00
H:\WINDOWS\farkrish.config [peers] 0F00042A5F72C81BD16DDB4B7A38DD14 = 3EFBBF4273AC00
H:\WINDOWS\farkrish.config [peers] 1000A535661B0414FA6556507D75880A = CBDA9AA318CD00
H:\WINDOWS\farkrish.config [peers] 1100556AD128A56385603C71BF3A3476 = 4421178C717600
H:\WINDOWS\farkrish.config [peers] 12000A1B5609B740B609833F2C11B212 = C93AE62B6AFA00
H:\WINDOWS\farkrish.config [peers] 1300907BD345E730C048E311A3705B21 = 539C8C79473500
H:\WINDOWS\farkrish.config [peers] 1400FA75B31AF97F4564B80F49060C72 = 477196302BC400
H:\WINDOWS\farkrish.config [peers] 1500D1510455D5005746601F4E4A584F = BD9C1C33213F00
[...]
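The peer list above is what an analyst usually wants to turn into something actionable (a watchlist of peer endpoints, a count of seed nodes, a diff against the previous sample's list). The following parser is an added example written for this post; it is not code from the post, from CWSandbox or from the LEET'08 crawler. It assumes, based on the Overnet-style layout Storm uses, that the 14 hex digits after "=" are a 7-byte value consisting of a 4-byte IPv4 address, a 2-byte big-endian port and one trailing flag byte; the sample lines are constructed (private and documentation address ranges) in the same format as the sandbox output, not copied from the report.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One "[peers]" line from the dropped farkrish.config: a 16-byte node hash
# (32 hex digits) followed by "=" and a 7-byte value (14 hex digits).
PEER_LINE = re.compile(
    r"\[peers\]\s+(?P<node>[0-9A-Fa-f]{32})\s*=\s*(?P<value>[0-9A-Fa-f]{14})\b"
)


@dataclass(frozen=True)
class PeerEntry:
    node_id: str   # 128-bit Overnet-style node hash, upper-case hex
    ip: str        # dotted-quad IPv4 address of the peer
    port: int      # UDP port the peer listens on
    flag: int      # trailing byte; ASSUMED to be a peer type/state marker


def parse_peer_line(line: str) -> Optional[PeerEntry]:
    """Decode one config line; return None for lines that are not peer entries
    (section headers, the "[...]" truncation marker, malformed values)."""
    m = PEER_LINE.search(line)
    if m is None:
        return None
    raw = bytes.fromhex(m.group("value"))
    # ASSUMED layout of the 7-byte value: IPv4 (4) | port, big-endian (2) | flag (1)
    return PeerEntry(
        node_id=m.group("node").upper(),
        ip=str(ipaddress.IPv4Address(raw[:4])),
        port=int.from_bytes(raw[4:6], "big"),
        flag=raw[6],
    )


def parse_peer_list(text: str) -> List[PeerEntry]:
    """Parse every peer entry in a config dump, skipping non-peer lines."""
    entries = (parse_peer_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def peer_endpoints(entries: Iterable[PeerEntry]) -> List[str]:
    """Unique 'ip:port' strings, sorted, e.g. for an egress watchlist or IDS rule."""
    return sorted({f"{e.ip}:{e.port}" for e in entries})


# Constructed sample in the sandbox report's format (not real peers).
SAMPLE_CONFIG = r"""
H:\WINDOWS\farkrish.config [peers] 000011213D362D29747E07640874096F = C0A800011F9000
H:\WINDOWS\farkrish.config [peers] 0B00364A9F3CC648DC1EE87E0E022E70 = CB0071011BBD01
H:\WINDOWS\farkrish.config [peers] 0C00C65A0A69484DDF47D724A81F3B52 = C6336401003500
H:\WINDOWS\farkrish.config [peers] 0D00DE0895137F5AC2376814D6415F4D = 40FE
[...]
"""

if __name__ == "__main__":
    peers = parse_peer_list(SAMPLE_CONFIG)
    for p in peers:
        print(f"{p.node_id}  {p.ip}:{p.port}  flag={p.flag}")
    print("watchlist:", peer_endpoints(peers))
```

Running it on a full sandbox report gives the seed-node endpoints a sample ships with; comparing that list between two samples is a cheap way to see whether a new release changed the bootstrap peers or only the dropped file name.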
Besides this, farkrish.exe is allowed to access the network, and the infected machine syncs its time via NTP. The content of the UDP packets that are sent out has the same structure as always:
0000 10 a6 e6 22 f9 ca cc b0 2d a2 8c c7 de 57 ba 53
0010 5e c5 e5 a6 17 02 48 31 46
Thus it seems that there are no major changes in this new update release.


