One of our researchers at UploadMalware.com has found indications of a new storm worm variant moving in.
At the time of this posting we have not had any reports of spam from the botnet using the three domains found in the research, but the files are definitely there and the domains are fast-fluxing in the usual way. We can only presume they are gearing up for a Mother's Day Storm campaign to raise their numbers.
The three domains we have found to this point are: (visit at your own risk)
stateandfed.cn, apartment-mall.cn and centerprop.cn
The file load.exe, on execution, copies itself to %windir%\libor.exe and drops the standard peers.ini as gogora.config. Libor.exe is then added to the Run key in the registry so that it executes on every reboot.
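As an added example (not the author's code), the following Python checks a .reg export of a Run key and a file listing for the three persistence artifacts named above; the export, the file list and the %windir% value C:\WINDOWS are constructed for the demonstration, and the hive shown is assumed since the post does not say which Run key is used.

```python
"""Hunt for the Storm persistence artifacts described in the post."""
import re

# Indicators taken from the write-up: dropped binary and renamed peers.ini.
DROPPED_EXE = r"%windir%\libor.exe"
DROPPED_CONFIG = r"%windir%\gogora.config"

# Constructed sample: a .reg export of a Run key with one benign and one
# suspicious value (the HKLM hive is an assumption). .reg files escape
# backslashes in string data as '\\'.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"libor"="C:\\WINDOWS\\libor.exe"
'''

# Constructed sample directory listing of %windir%.
SAMPLE_FILES = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\gogora.config"]


def expand_windir(path, windir=r"C:\WINDOWS"):
    """Expand %windir% and lower-case the path so comparisons are reliable."""
    return re.sub(r"%windir%", lambda _: windir, path, flags=re.IGNORECASE).lower()


def parse_run_key(reg_text):
    """Return {value_name: command} from a .reg export, un-escaping backslashes."""
    entries = {}
    for line in reg_text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def find_storm_persistence(reg_text, files_on_disk, windir=r"C:\WINDOWS"):
    """List Run-key values launching libor.exe and dropped files present on disk."""
    findings = []
    exe = expand_windir(DROPPED_EXE, windir)
    cfg = expand_windir(DROPPED_CONFIG, windir)
    for name, cmd in parse_run_key(reg_text).items():
        if exe in expand_windir(cmd, windir):
            findings.append(f"run-key value {name!r} launches {cmd}")
    for path in files_on_disk:
        if expand_windir(path, windir) in (exe, cfg):
            findings.append(f"dropped file present: {path}")
    return findings


if __name__ == "__main__":
    for finding in find_storm_persistence(SAMPLE_REG_EXPORT, SAMPLE_FILES):
        print(finding)
```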
So as not to add to the problem, I personally only ran the exe with an internet connection for about 1 minute, and it contacted ~1700 other infected boxes. Other research done by members of UploadMalware.com indicates approximately 100,000 or more are still infected (the number was obtained by methods other than running the file).
This contradicts computerworld.com's article claiming that Microsoft had killed the Storm worm.
The article had already been strongly disputed by researchers.
Storm worm is alive and well. It may be smaller than when it first came onto the scene, but it seems that when their numbers dwindle they come back with another holiday-targeted mail campaign and boost the numbers back up. The Storm group isn't going anywhere as far as I can tell.
Jeremy over at sudosecure.net has posted some more info here.