Looks like my hunches yesterday about the Storm Worm authors being up to something were right on target. One of the researchers over at UploadMalware.com discovered that the Storm Worm authors spawned a new variant yesterday. This new campaign is based solely on iframe injections, so far. Maybe in the coming days or hours this will change and we will see some type of enticing download campaign we have grown so fond of. I would not rule it out, as the Storm Worm authors have used the social engineering factor very successfully for over a year now, and I don’t see that going away anytime soon.
The new binary drops itself into the Windows directory (%windir%) during installation and is titled “libor.exe”, along with its new peer file titled “gogora.config”. Just for the heck of it, here is a list of the 903 peers I extracted from the config file: peers.
The three currently active domain names are “stateandfed.cn, apartment-mall.cn and centerprop.cn”, and it would be advisable for anyone with DNS blackholing or content filtering devices to put them in their configurations now. I am sure we will see a lot more of this via spam with links to new blogspot web pages with the iframe redirections embedded in them on Monday morning.
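As an added example (not code from this post or from UploadMalware.com), the following Python turns the three domains above into sinkhole entries for unbound and for a BIND response-policy zone, and checks the iframe src hosts found in a page against the same list. Matching is done on label boundaries so that subdomains such as www.centerprop.cn are caught without also flagging unrelated names that merely end in the same string. The sample HTML is constructed for the example and is not a captured page.

```python
"""Sinkhole and detection helpers for the three iframe-redirect domains.

Added example, not code from the original post or from UploadMalware.com.
The domain names are the three the post lists; everything else (the
matching rules, the emitted config, the sample HTML) is constructed here.
"""
import re
from urllib.parse import urlsplit

# The three domains the post names as currently active.
BLOCKED_DOMAINS = ("stateandfed.cn", "apartment-mall.cn", "centerprop.cn")


def normalize(host):
    """Lower-case a hostname and strip whitespace and a trailing root dot."""
    host = host.strip().lower()
    return host[:-1] if host.endswith(".") else host


def is_blocked(host, blocklist=BLOCKED_DOMAINS):
    """True if host is a blocked domain or lies under one.

    The comparison is on label boundaries: 'www.centerprop.cn' is caught,
    while 'notcenterprop.cn' (which a bare endswith() test would also
    flag) is not.
    """
    host = normalize(host)
    for domain in blocklist:
        domain = normalize(domain)
        if host == domain or host.endswith("." + domain):
            return True
    return False


def unbound_config(blocklist=BLOCKED_DOMAINS):
    """Render unbound 'local-zone' lines returning NXDOMAIN for each
    domain and every name beneath it (drop into unbound.conf)."""
    lines = ["server:"]
    for domain in blocklist:
        lines.append('    local-zone: "%s." always_nxdomain' % normalize(domain))
    return "\n".join(lines) + "\n"


def rpz_records(blocklist=BLOCKED_DOMAINS):
    """Render BIND response-policy-zone records; 'CNAME .' means NXDOMAIN.
    Both the apex and a wildcard are emitted, since the wildcard alone
    does not cover the apex name."""
    lines = []
    for domain in blocklist:
        domain = normalize(domain)
        lines.append("%s\tCNAME\t." % domain)
        lines.append("*.%s\tCNAME\t." % domain)
    return "\n".join(lines) + "\n"


# Loose match for an iframe's src attribute; tolerant of quoting style and
# attribute order, which is all a content filter usually needs.
_IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def blocked_iframe_hosts(html, blocklist=BLOCKED_DOMAINS):
    """Return the hosts of iframe src URLs in html that hit the blocklist.

    Relative src values have no host and are ignored."""
    hits = []
    for src in _IFRAME_SRC.findall(html):
        host = urlsplit(src).hostname
        if host and is_blocked(host, blocklist):
            hits.append(host)
    return hits


# Constructed sample of an injected blogspot-style page; not a real capture.
SAMPLE_HTML = """<html><body>
<p>Constructed sample page.</p>
<iframe src="http://apartment-mall.cn/ind.php" width="1" height="1"></iframe>
<IFRAME style="display:none" SRC='http://www.centerprop.cn/in.cgi?3'></IFRAME>
<iframe src="http://example.org/legit"></iframe>
<iframe src="/local/widget.html"></iframe>
</body></html>"""


if __name__ == "__main__":
    print(unbound_config())
    print(rpz_records())
    print("flagged iframe hosts:", blocked_iframe_hosts(SAMPLE_HTML))
```

Run it as a script to print both config fragments and the hosts flagged in the sample page; the hidden 1x1 and display:none iframes are the pattern worth alerting on even before a domain lands on the list.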
Also, as a side note, with the authors changing the web page I am having issues with my Storm Binary tracker. I should have them worked out shortly, and the database will get updated as soon as I do. If you have any questions or comments, feel free to shoot them my way.