In the last 24 to 48 hours I have seen a tremendous slow down in the number of Storm Worm web server IPs being rotated through the Fast Flux network. I usually average about 8,000 to 10,000 unique IPs a day using some custom scripts to query the Storm Worm DNS servers, but for the last 24 hours I have only seen 223 unique IPs. I am not sure why this has occurred, and it may just be a hiccup that has unintentionally occurred. Although in the past when I have identified hiccups in the Storm network it has always been on the eve of a change. This may very well be indicator change is on the horizon, since this is Memorial Day weekend here in the United States. Here is a list of the 223 Storm Web Serving IPs I have seen in the last 24 hours: Storm Web Server Unique IPs.
Since I saw this tremendous reduction in Storm Web Servers I figured I would check to see if there was any reductions in the number of peers currently stored in the herjek.config file. Although this is not a good overall indicator of how many bots are in the Storm Worm network, I still thought I would check. I did not see any obvious reductions with 850 IPs being maintained in my sandnet run for a little over an hour. Here is a list of the peers from this run: Storm Peer List.
I have just recently started looking deeper into the Spam sent out by the Storm Worm and I have identified a few interesting characteristics. I captured a total of 2,524 Spam messages during the same one hour sandnet run I mentioned earlier in this posting. Out of the 2,524 Spam messages there were exactly 853 unique Subject lines all pertaining to pharmaceuticals, mostly focused on male enhancements and Viagra. Here is a file with all of the unique subject lines I saw: Storm SMTP Subject Lines. Another interesting observation is out of all these Spam Messages there were only 9 different domain names being advertised within the spam messages. These domain names were:
All of which resolved to IP address 18.104.22.168, which seems to be a Canadian Pharmacy website advertised as the #1 online drug store. In their FAQ’s they claim that all physicians are US licensed using only board certified physicians and U.S licensed pharmacies. They also state all of their products are manufactured and shipped from India and approved by INDIAN FDA for export. I got a real laugh when I saw this Canadian Pharmaceutical company actually advertising an Anti-Spam policy. Here are a few direct quotes from this policy:
Canadian Pharmacy supports ONLY permission-based email management practices. In this regard, Canadian Pharmacy has implemented various policies and procedures that:
- Help prevent Canadian Pharmacy from being used for the purpose of unsolicited email campaigns.
- Encourage permission-based marketing.
- Respond to all complaints suggesting Canadian Pharmacy has been used as a vehicle to send unsolicited email.
You may not use the Canadian Pharmacy or the products or services provided through or in connection with the Canadian Pharmacy to: a. send unsolicited bulk email, for commercial or non-commercial purposes. Unsolicited bulk email is defined as email sent to more than 10 individuals without their permission.”
Canadian Pharmacy takes permission marketing very seriously. Thank you for reviewing our Anti-Spam Policy.
Use of Your Email Information
Canadian Pharmacy is not an email list rental service and does not rent or sell any email addresses or other contact information that you provide.
E-mail and Direct Response Contact
All of our direct response methods are opt-in. If you subscribed to our e-mail newsletter(s) but do not want to receive it in the future, please follow the “unsubscribe” instructions contained in the newsletter(s)
Well that is odd, as I seemed to have just parsed through a few thousand Spam messages generated from the Storm Bot that all pointed to them. I guess policies like these help them seem like a more legit website/company that is actively taking action against unsolicited spam. Just to see what would happen I went ahead and posted a message in their contact us form. I guess they don’t appreciative spam either, as they are employing captcha to limit the comment spam bots. They also publish the following email address as their customer support email address: [email protected]. To bad there are no MX or A records being advertised for this domain, so emails will definitely have a difficult time getting to them.
Using passive DNS discovery techniques I was able to identify a few more IP addresses and Domain Names associated with this devious pharmaceutical supplier:
methodproduce.com A 22.214.171.124
pressrose.com A 126.96.36.199
followequate.com A 188.8.131.52
producemorning.com A 184.108.40.206
printlength.com A 220.127.116.11
lowsmell.com A 18.104.22.168
ns3.adverdomain.com A 22.214.171.124
catsharp.com A 126.96.36.199
gladcoat.com A 188.8.131.52
wyd.gladcoat.com A 184.108.40.206
picturewest.com A 220.127.116.11
industrydictionary.com A 18.104.22.168
posestory.com A 22.214.171.124
viagrabest.info A 126.96.36.199
www.viagrabest.info CNAME viagrabest.info
catsharp.com A 188.8.131.52
catsharp.com A 184.108.40.206
catsharp.com A 220.127.116.11
catsharp.com A 18.104.22.168
catsharp.com NS ns2.xinnet.cn
catsharp.com NS ns.xinnet.cn
catsharp.com NS ns1.qw22.com
catsharp.com NS ns2.qw22.com
catsharp.com NS ns3.qw22.com
catsharp.com NS ns4.qw22.com
catsharp.com NS ns2.xinnetdns.com
catsharp.com NS ns.xinnetdns.com
Looks like they have been doing this for sometime now based off all of the IPs and Domain Names listed in the queries. I also noticed that all off these IPs seem to be using Virtual Host configurations, as visiting these sites strictly by IP will get you interesting messages like “It works!” and squid proxy messages. All of these sites are severed by Ngnix web servers. Ngnix web servers seem to be a popular choice for phishing sites, malware serving sites, and now pharmaceutical sites. I should also note the Storm Worm binary serving web servers use this same web server. I won’t bore you with whois query results, but I did find it interesting “Wen Fang” seems to be the registrant for all of the domain names being used, along with a few hundred other domain names.
As always if you have any questions or comments regarding this information feel free to contact me anytime and have a nice Memorial Day Weekend!