Author Topic: Storm Worm Changed back to withlove!!!  (Read 3985 times)


April 04, 2008, 07:23:49 pm

cjeremy

Looks like the Storm Worm has changed again, and this time the binary names are love.exe and withlove.exe.  Look out, as VirusTotal results were 2/32 being able to identify this file as suspicious.  I have posted images, src code, and a peer list on my blog, so if you're interested in more detail, take a look here: http://sudosecure.net

--jeremy

April 05, 2008, 12:00:12 am
Reply #1

cjeremy

The original peer list I posted was erroneous as the script I wrote to parse the Storm Worm Config file contained an error.  I have since fixed this error and you can find the new peer list here: http://www.sudosecure.net/wp-content/uploads/2008/04/storm_peer_list1.txt

Sorry for any confusion I may have caused! ;)

April 06, 2008, 07:57:31 pm
Reply #2

cjeremy

With the changing of binaries came a new domain: "superdrugtesting.com".  It is the same old fast flux network the Storm worm authors have been using for the last year with great success; this time the registrar is TODAYNIC.COM in China.  This new domain name has also sped up my Storm worm binary harvesting to one an hour once again, due to the fact that I can grab active IPs instead of sorting through my archived 85,000 IPs trying to find a host that is alive and well.

I would strongly encourage you to set your spam filters, DNS blackholes, and content filters to drop this stuff, as you can almost bet on seeing it in your Monday morning network traffic.
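The post above recommends DNS blackholing of the new fast-flux domain. The following is an added example, not code from the thread or from sudosecure, showing how a defender could spot fast-flux behaviour in resolver logs and turn the result into a blocklist. The log format (timestamp, queried name, answer TTL, answer IP) is constructed for this example, the IPs are documentation-range addresses, and the thresholds (at least 5 distinct IPs across at least 3 distinct /24s with a TTL of 300 seconds or less) are assumptions chosen to illustrate the heuristic, not values from the post. The output uses BIND response-policy-zone (RPZ) syntax, where `CNAME .` returns NXDOMAIN for the name.

```python
"""Fast-flux heuristic over resolver logs, plus RPZ blocklist output (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (not real captured data): timestamp, qname, TTL, answer IP.
# Only the domain name comes from the forum post; the IPs are documentation ranges.
SAMPLE_LOG = """\
2008-04-06T19:00:01 superdrugtesting.com 60 198.51.100.17
2008-04-06T19:01:03 superdrugtesting.com 30 203.0.113.44
2008-04-06T19:02:10 superdrugtesting.com 60 192.0.2.201
2008-04-06T19:03:15 superdrugtesting.com 30 198.51.100.88
2008-04-06T19:04:20 superdrugtesting.com 60 203.0.113.9
2008-04-06T19:05:22 superdrugtesting.com 60 192.0.2.7
2008-04-06T19:05:40 superdrugtesting.com 30 198.51.100.130
2008-04-06T19:06:00 example.org 3600 192.0.2.1
2008-04-06T19:07:00 example.org 3600 192.0.2.2
this line is malformed and is skipped
"""


def parse_log(text):
    """Parse log lines into (timestamp, qname, ttl, ip) tuples, skipping bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # wrong field count: skip rather than crash on noisy input
        ts, qname, ttl, ip = parts
        try:
            records.append((ts, qname.lower().rstrip("."), int(ttl), ip_address(ip)))
        except ValueError:
            continue  # non-numeric TTL or unparsable address
    return records


def summarize(records):
    """Per domain: distinct answer IPs, distinct /24 (v4) or /32 (v6) prefixes, lowest TTL."""
    summary = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for _ts, qname, ttl, ip in records:
        entry = summary[qname]
        entry["ips"].add(ip)
        prefix = 24 if ip.version == 4 else 32
        entry["nets"].add(ip_network(f"{ip}/{prefix}", strict=False))
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return dict(summary)


def flag_fast_flux(summary, min_ips=5, min_nets=3, max_ttl=300):
    """Return domains whose answers churn across many hosts and networks with short TTLs.

    The thresholds are assumed values for illustration; tune them to your own traffic.
    """
    flagged = []
    for qname, e in sorted(summary.items()):
        if len(e["ips"]) >= min_ips and len(e["nets"]) >= min_nets and e["min_ttl"] <= max_ttl:
            flagged.append(qname)
    return flagged


def rpz_entries(domains):
    """Emit BIND RPZ records that answer NXDOMAIN for each domain and its subdomains."""
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for name, e in sorted(stats.items()):
        print(f"{name}: {len(e['ips'])} IPs, {len(e['nets'])} nets, min TTL {e['min_ttl']}")
    suspects = flag_fast_flux(stats)
    print("fast-flux candidates:", suspects)
    print("\n".join(rpz_entries(suspects)))
```

In the constructed sample only superdrugtesting.com is flagged (7 IPs across 3 /24s with a 30-second minimum TTL); example.org keeps a long TTL and two addresses in one network, so it is left alone. The RPZ lines can be dropped into a policy zone on a BIND resolver; other resolvers have equivalent local-zone mechanisms.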