Storm Worm Potpourri
Thursday, December 6. 2007
Storm Worm has been quiet over the last few days; nothing really exciting happened at the honeypots infected with the bot. Many of the spam mails sent by the bot are stock spam messages which advertise a certain stock. An example of an attachment sent some time ago is Complaint.pdf, which advertises Score One Inc. (SREA.OB), a small company traded over the counter.
Many of the fast-flux domains used by Storm Worm are currently non-functional, only two seem to resolve:
$ dig yxbegan.com
; <<>> DiG 9.4.1-P1 <<>> yxbegan.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59661
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 12, ADDITIONAL: 0
;; QUESTION SECTION:
;yxbegan.com. IN A
;; ANSWER SECTION:
yxbegan.com. 0 IN A 74.134.155.14
;; AUTHORITY SECTION:
yxbegan.com. 172800 IN NS ns13.yxbegan.com.
yxbegan.com. 172800 IN NS ns2.yxbegan.com.
yxbegan.com. 172800 IN NS ns3.yxbegan.com.
yxbegan.com. 172800 IN NS ns4.yxbegan.com.
yxbegan.com. 172800 IN NS ns5.yxbegan.com.
yxbegan.com. 172800 IN NS ns6.yxbegan.com.
yxbegan.com. 172800 IN NS ns7.yxbegan.com.
yxbegan.com. 172800 IN NS ns8.yxbegan.com.
yxbegan.com. 172800 IN NS ns9.yxbegan.com.
yxbegan.com. 172800 IN NS ns10.yxbegan.com.
yxbegan.com. 172800 IN NS ns11.yxbegan.com.
yxbegan.com. 172800 IN NS ns12.yxbegan.com.
;; Query time: 4376 msec
;; SERVER: X.X.X.X#53(X.X.X.X)
;; WHEN: Thu Dec 6 08:59:53 2007
;; MSG SIZE rcvd: 265
In consecutive lookups, always a new A record is returned:
yxbegan.com. 0 IN A 69.224.113.183
yxbegan.com. 0 IN A 123.215.78.167
yxbegan.com. 0 IN A 168.188.56.76
yxbegan.com. 0 IN A 220.129.76.210
yxbegan.com. 0 IN A 59.23.185.81
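The traits visible in the dig output above (TTL 0, a new A record on every lookup, addresses scattered across unrelated networks, a dozen in-domain NS records) are exactly what a defender can score automatically. The following is an added example, not code from the original post: it parses dig-style A-record lines, takes the answers listed above as input, and compares them against a constructed conventionally hosted name. The indicator thresholds (five distinct addresses, three /16 prefixes, TTL below 300 s, five or more name servers) are assumptions chosen for illustration.

```python
import ipaddress

# Constructed input: the A-record lines from the dig output in the post
# (the first answer plus the five consecutive lookups of yxbegan.com).
FLUX_LINES = """\
yxbegan.com. 0 IN A 74.134.155.14
yxbegan.com. 0 IN A 69.224.113.183
yxbegan.com. 0 IN A 123.215.78.167
yxbegan.com. 0 IN A 168.188.56.76
yxbegan.com. 0 IN A 220.129.76.210
yxbegan.com. 0 IN A 59.23.185.81
"""
FLUX_NS_COUNT = 12  # in-domain NS records in the AUTHORITY section above

# Constructed control: a conventionally hosted name that returns the same
# address with a one-hour TTL on every lookup and has two name servers.
STATIC_LINES = "example.net. 3600 IN A 192.0.2.10\n" * 6
STATIC_NS_COUNT = 2


def parse_a_records(text):
    """Parse dig-style 'name ttl IN A address' lines into (ttl, ip) tuples."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2] == "IN" and f[3] == "A":
            records.append((int(f[1]), ipaddress.ip_address(f[4])))
    return records


def flux_indicators(records, ns_count, ttl_threshold=300):
    """Fast-flux traits of a lookup series (thresholds are assumptions)."""
    ips = {ip for _, ip in records}
    # /16 diversity: infected consumer hosts are scattered over many
    # networks, whereas a hosting provider's addresses cluster in a few.
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    return {
        "distinct_ips": len(ips),
        "distinct_slash16": len(nets),
        "low_ttl": bool(records) and max(t for t, _ in records) < ttl_threshold,
        "many_ns": ns_count >= 5,
    }


def is_fast_flux(records, ns_count):
    """Flag the name when at least three of the four indicators fire."""
    i = flux_indicators(records, ns_count)
    hits = (i["distinct_ips"] >= 5) + (i["distinct_slash16"] >= 3) \
        + i["low_ttl"] + i["many_ns"]
    return hits >= 3
```

In production the same scoring would run over a window of repeated resolver queries (or passive DNS) rather than a pasted dig transcript, and the /16 check is better replaced by ASN lookups where available.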
More info to follow :)