In the last few weeks I have received several requests for information regarding the Storm Worm. So today I thought I would perform an analysis in my lab on the last Storm binary (postcard.exe) I retrieved using my Storm Binary Tracking scripts, dated “2008-09-18 18:42:28”, just to see if I could possibly find the answers to some of the questions many of you have asked. To be perfectly honest and clear, I have not seen any spam, DDoS attacks, or fast-flux domain activity related to the Storm Worm since mid-September, so I too am curious as to what has happened to this menace.
During execution of the postcard.exe binary, a binary named neos.exe was installed into “%WINDIR%”, accompanied by its normal p2p peer configuration file named crock+mock.config. Immediately following the installation of this new binary the neos.exe process was started, and I was greeted by the normal Storm Worm network traffic, including the p2p UDP traffic. This p2p UDP traffic demonstrates how resilient the Storm Worm Trojan really is: I haven’t seen a new binary in almost a month and yet I was communicating with a few hundred Storm Worm infected hosts. Being curious as to how many peers were listed in the crock+mock.config file, I ran the Perl decode script I use to extract peers from the configuration file, which extracted a total of 848 IPs. The entire peer list can be seen here: peers.txt. I also submitted the IPs to the whois.cymru.com server to get ASN and country data, which can be seen here: peers_asn.txt. As you can see from the peer files, almost half of the hosts reside in the US, 348 to be exact, and most of the hosts reside on large residential ISP network segments. So far these stats line right up with everything we have seen associated with the Storm Worm in the past, which to me is odd since there hasn’t been a new Storm Worm campaign in over a month.
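The two steps described above, pulling peer IPs out of the configuration file and bulk-submitting them to whois.cymru.com for ASN and country counts, as an added example in Python rather than the author's own Perl script. Everything here is an assumption unless noted: the config entry layout (32-hex peer hash, “=”, 8-hex IPv4, 4-hex port, trailing “00”) follows the publicly described Storm format, the sample entries and the sample whois reply are constructed, and the cymru bulk query layout (“begin”/“verbose”/…/“end”, one IP per line, sent to port 43) is the service's documented bulk mode.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of a Storm peer config (crock+mock.config-style) file.
# ASSUMPTION: entry layout is <32 hex hash>=<8 hex IPv4><4 hex port>00; the
# hashes, IPs and ports below are made up for the example.
SAMPLE_CONFIG = """[config]
00000cf4bb2d31b7a6dfd7e2d8f7d60e=C0A80105251C00
0000a3e1f0e9d4c7b6a5948372615049=0A0000021F4000
garbage line that should be skipped
0000ffffeeeeddddccccbbbbaaaa9999=C0A80105251C00
"""

ENTRY_RE = re.compile(r"^([0-9a-fA-F]{32})=([0-9a-fA-F]{8})([0-9a-fA-F]{4})00\s*$")


def parse_peer_config(text):
    """Return a list of (hash, dotted IP, port) tuples, one per well-formed entry."""
    peers = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headers, blanks and malformed lines are ignored
        h, ip_hex, port_hex = m.groups()
        ip = str(ipaddress.IPv4Address(int(ip_hex, 16)))  # big-endian hex -> dotted quad
        peers.append((h.lower(), ip, int(port_hex, 16)))
    return peers


def unique_ips(peers):
    """Deduplicate (the same peer can appear more than once) and sort numerically."""
    return sorted({ip for _, ip, _ in peers}, key=ipaddress.IPv4Address)


def build_cymru_bulk_query(ips):
    """Body to send to whois.cymru.com port 43 (e.g. via netcat) for a bulk lookup."""
    return "begin\nverbose\n" + "\n".join(ips) + "\nend\n"


# Constructed sample of a verbose reply; field layout is
# AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name.
SAMPLE_CYMRU_REPLY = """Bulk mode; whois.cymru.com [2008-09-18 18:42:28 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.168.1.5      | 192.168.0.0/16      | US | arin     | 2001-01-01 | EXAMPLE-ISP-1, US
64497   | 10.0.0.2         | 10.0.0.0/8          | RU | ripencc  | 2002-02-02 | EXAMPLE-ISP-2, RU
"""


def parse_cymru_reply(text):
    """Keep only data rows (7 pipe-separated fields, numeric ASN); skip banner and header."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 7 or not parts[0].isdigit():
            continue
        rows.append({"asn": parts[0], "ip": parts[1], "prefix": parts[2],
                     "cc": parts[3], "as_name": parts[6]})
    return rows


def count_by_country(rows):
    """Per-country host counts, the figure quoted in the post (e.g. US vs RU)."""
    return Counter(r["cc"] for r in rows)


if __name__ == "__main__":
    peers = parse_peer_config(SAMPLE_CONFIG)
    print(build_cymru_bulk_query(unique_ips(peers)))
    print(count_by_country(parse_cymru_reply(SAMPLE_CYMRU_REPLY)))
```

Deduplicating before the bulk submission matters in practice: the config file repeats peers, and the cymru service is rate-limited, so submitting the unique set keeps the query small and the per-country counts honest.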
Since it was more of the same for the Storm Worm network configuration statistics, I thought I would also check my Storm p2p decryption script to see if the Overnet protocol was still being encrypted with the same XOR key. Sure enough my script decoded the UDP p2p traffic, and nothing was new here either, as I still saw the same old Overnet/eDonkey commands being issued, such as Publicize, Publicize ACK, Connect, Connect Reply, IP Query, IP Query Answer, Identify, Identify Reply, Search Info, and Search End. Since the crock+mock.config file provided me with 848 IPs of peers, I decided to see just how many Overnet peers I was actually communicating with during my lab run. Here is a list of all 1,441 peers that sent me some type of Overnet traffic: overnet_peers.txt, and here are the results of my bulk submission to the cymru.com whois server: overnet_peers_asn.txt. As you can see the US led the way once again with 353 infected hosts, with RU trailing right behind with 114 infected hosts.
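What the decryption script described above has to do, stripping the XOR layer and mapping the plaintext back to the Overnet commands named in this paragraph, as an added Python example that is not the author's script. Assumptions: the XOR key below is a placeholder (the real Storm key is not reproduced here), the 0xE3 protocol marker and the opcode numbers are taken from the public Overnet/eDonkey opcode table as I recall it and should be verified against a protocol reference, and the captured packets are constructed by encrypting plaintext the same way the bot would so the decoder has something to work on.

```python
from collections import Counter

# Public Overnet/eDonkey UDP protocol marker and the opcodes for the commands
# named in the post.  ASSUMPTION: numeric values come from the public Overnet
# opcode table as recalled; verify against a reference before relying on them.
OVERNET_HEADER = 0xE3
OVERNET_OPCODES = {
    0x0A: "Connect",       0x0B: "Connect Reply",
    0x0C: "Publicize",     0x0D: "Publicize ACK",
    0x10: "Search Info",   0x12: "Search End",
    0x15: "Identify",      0x16: "Identify Reply",
    0x1B: "IP Query",      0x1C: "IP Query Answer",
}

# PLACEHOLDER key: Storm's real repeating XOR key is not reproduced here.
PLACEHOLDER_KEY = bytes.fromhex("0123456789abcdef0badf00d")


def xor_with_key(data, key):
    """XOR data with a repeating key; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def classify_overnet(plain):
    """Return (command name, hex peer hash or None) for a decoded UDP payload,
    or None if the payload does not start with the Overnet protocol marker."""
    if len(plain) < 2 or plain[0] != OVERNET_HEADER:
        return None
    name = OVERNET_OPCODES.get(plain[1])
    if name is None:
        return ("Unknown opcode 0x%02x" % plain[1], None)
    # ASSUMPTION: Connect and Publicize carry a contact record (16-byte peer
    # hash, IP, port, type) right after the opcode; only the hash is extracted.
    peer_hash = None
    if plain[1] in (0x0A, 0x0C) and len(plain) >= 18:
        peer_hash = plain[2:18].hex()
    return (name, peer_hash)


def decode_and_classify(encrypted_payload, key=PLACEHOLDER_KEY):
    """Strip the XOR layer, then classify the plaintext."""
    return classify_overnet(xor_with_key(encrypted_payload, key))


def summarize_capture(payloads, key=PLACEHOLDER_KEY):
    """Count command types across a list of captured (still encrypted) UDP payloads."""
    counts = Counter()
    for p in payloads:
        result = decode_and_classify(p, key)
        counts[result[0] if result else "not Overnet"] += 1
    return counts


# Constructed sample traffic: plaintext packets "encrypted" with the placeholder key.
def _make_packet(opcode, body=b""):
    return xor_with_key(bytes([OVERNET_HEADER, opcode]) + body, PLACEHOLDER_KEY)


SAMPLE_HASH = bytes(range(16))
SAMPLE_CONTACT = SAMPLE_HASH + b"\xc0\xa8\x01\x05\x1c\x25\x00"  # hash + IP + port + type
SAMPLE_CAPTURE = [
    _make_packet(0x0A, SAMPLE_CONTACT),   # Connect
    _make_packet(0x0B),                   # Connect Reply
    _make_packet(0x0C, SAMPLE_CONTACT),   # Publicize
    _make_packet(0x0D),                   # Publicize ACK
    _make_packet(0x1B, SAMPLE_HASH),      # IP Query
    b"\x00\x01\x02\x03",                  # unrelated UDP noise, decodes to garbage
]

if __name__ == "__main__":
    for pkt in SAMPLE_CAPTURE:
        print(decode_and_classify(pkt))
    print(summarize_capture(SAMPLE_CAPTURE))
```

The protocol-marker check after decryption is what makes this usable as a detector: if the first decoded byte is not 0xE3 the key (or the traffic) has changed, which is exactly the signal to watch for if the authors ever roll out a new encryption scheme.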
The next thing I noticed in the network traffic was DNS queries for the domain name policy-studies.cn, which is where an old rootkit was stored in a past campaign. This domain name has long been shut down, so I decided to run a faux DNS server script to give my infected lab machine an A record and see what would happen. After reconfiguring my infected host to perform DNS lookups using my faux DNS server, the neos.exe process started requesting a file named getbackup.php. The getbackup.php file was the same rootkit file request seen over a month ago, so I assume this DNS request and file retrieval is hard-coded in the neos.exe binary and is not something that was passed to it as a parameter via the Storm p2p network or the TCP control network.
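A minimal faux DNS server of the kind used above, as an added Python example and not the author's script: it parses an incoming query, answers every A query with one lab-controlled address so the sample's follow-on HTTP request lands on a machine you monitor, and returns an empty NOERROR answer for other record types. Assumptions: the bind address and answer address are placeholders for an isolated lab network, the query packets used to exercise it are constructed with the included helper, and name compression in the question section is rejected rather than handled.

```python
import socket
import struct


def parse_dns_query(pkt):
    """Return (transaction id, qname, qtype, offset just past the question)."""
    if len(pkt) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000:  # QR bit set: a response, not a query
        raise ValueError("not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointers never appear in a normal question
            raise ValueError("compression pointer in question name not supported")
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, pos


def build_a_response(query, answer_ip, ttl=60):
    """Answer A queries with answer_ip (sinkhole-style); other types get NOERROR, no answer."""
    txid, _qname, qtype, qend = parse_dns_query(query)
    question = query[12:qend]
    answers, ancount = b"", 0
    if qtype == 1:  # A record
        rdata = socket.inet_aton(answer_ip)
        # name = pointer to offset 12 (the question), type A, class IN, TTL, RDLENGTH, RDATA
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
        ancount = 1
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100  # copy the RD bit from the query
    flags = 0x8000 | 0x0400 | rd | 0x0080             # QR=1, AA=1, RD, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + question + answers


def build_query(qname, txid=0x1234, qtype=1):
    """Constructed helper so the responder can be exercised offline."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def serve(bind_ip, answer_ip, port=53):
    """Answer every A query from the isolated lab host with answer_ip (needs root for port 53)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((bind_ip, port))
    while True:
        data, peer = s.recvfrom(512)
        try:
            s.sendto(build_a_response(data, answer_ip), peer)
        except ValueError:
            continue  # ignore malformed or non-query packets


if __name__ == "__main__":
    # PLACEHOLDER addresses for an isolated lab: point the infected VM's resolver here.
    serve("0.0.0.0", "10.0.0.1")
```

Pointing the answer at a host you control is what turns the dead domain into evidence: the subsequent getbackup.php request shows up in that host's web log, which is how the post ties the hard-coded lookup to the old rootkit download.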
Taking a look at the TCP traffic is where things really got interesting. Several of the TCP servers were answering my requests with the following reply: “Go away, we’re not home”. This to me was just plain hilarious and demonstrated that even in an inactive period for the Storm Worm the authors have one hell of a sense of humor. Here is a list of all the Storm TCP servers that responded with this intriguing message: goaway_ip.txt, and its corresponding bulk result from the cymru.com whois data: goaway_ip_asn.txt. Interestingly enough, all 18 of these servers were located in two countries, the US and Mexico. I am not sure how relevant or important this is, or if it was just a coincidence. Not all of the TCP servers communicating with my lab box provided this message. The servers that did not reply with this message simply sent reset packets and stopped the TCP handshake, so these could be patched or cleaned boxes, leading me to believe my TCP requests were based off old data residing in the Storm network and/or binary. In an attempt to perform fair analysis, here is the list of 50 servers that did not respond with the “Go away” message: tcp_storm_noaway.txt, and its corresponding cymru.com whois data: tcp_storm_noaway_asn.txt. These servers are definitely more geographically dispersed over a wide range of countries and ASNs.
So what does all this mean for the Storm Worm? Well, I am not really sure and can only make guesses as to why we haven’t seen another Storm campaign recently. My first guess would be that, with all the recent data being published on the Storm Worm encryption mechanisms and its double fast-flux architecture, especially the Black Hat presentation by Joe Stewart in Vegas, which may I say was very insightful, the Storm authors are making some major changes and have put everything else on hold until these changes can be rolled out into production. My second guess would be that the heat from law enforcement sent them into hiding or laying low for a while. This second guess could also be combined with the first, and the authors could be reworking their architecture to get the heat off of them. My final guess would be that the authors of the Storm Worm made enough money off the surge of campaigns we saw at the beginning of the summer that they really are not home and are off taking a vacation, most likely enjoying spending all that cold hard cash they earned off the Canadian pharmaceutical spam, penny stock manipulation, and phishing scams we grew so accustomed to seeing. My final conclusion is that the Storm Worm is currently dead/inactive, but I would not be surprised at all if we saw a new and improved Storm Worm in the coming months. I think the question isn’t whether Storm is dead, but more like when will we see it return and what new features or tactics it will have in store for us.
As always if you have any questions or comments feel free to contact me or leave a comment, as they are always welcome and appreciated.