Author Topic: New storm worm page Funny Post Card  (Read 10055 times)


March 03, 2008, 02:48:06 am

Edgar Bangkok

Now the storm worm page has changed layout and shows a Funny Post Card link.
Malware is e-card.exe and ecard.exe.

One IP of a storm worm page: 75.132.160.97

Edgar from Bangkok  :)

http://edetools.blogspot.com/2008/03/nuova-pagina-storm-worm.html


March 03, 2008, 02:08:48 pm
Reply #1

JohnC


March 03, 2008, 06:11:48 pm
Reply #2

bobby

Quote
24.65.77.254
97.82.191.162
86.158.6.203
72.8.101.213

March 08, 2008, 05:31:45 am
Reply #3

cjeremy

There are actually 3 binaries being hosted from the new storm web sites: ecard.exe, e-card.exe and postcard.exe.
ecard.exe is an automatic download via a meta tag
e-card.exe is a download via the "click here" hyperlink
postcard.exe is a download via the clickable image link

I have been tracking the storm worm for a while now and just recently started a blog/website with a database to track the binaries (nothing fancy). I have a few scripts that run on some old computers that track the storm worm IPs and also retrieve a sample binary every hour. I have just over 65,000 unique IPs indexed and just under 1,4000 binaries indexed. I have only made the binary information available to the public so far, and you can find it here if you're interested: http://sudosecure.net/storm.php. If you would like a copy of the 65,000 unique IPs just shoot me an email at jeremy[/at/]sudosecure[/dot/]net. I also have all of the binaries listed in the database as of right now. I am sure I will need to do something with them soon as the old computer this is running on only has a 4GB drive and is about 50% utilized, but if you would like a copy of one of the binaries for some reason just shoot me an email. Nothing fancy to these Perl scripts, and once I clean them up I will probably make them publicly available as well...

Oh yeah, and since this is my first post to the forum may I say I really appreciate what you all are doing by making the malwaredomainlist publicly searchable/available. I have found myself using it daily now to verify IDS alerts against your database. Great job!


March 08, 2008, 06:34:00 am
Reply #4

sowhat-x

Welcome on board, cjeremy  :)

Too much stuff there...  :o
that I really don't know where to start from, he-he...
Quite a few questions, just hope I'm not much intrusive...  ::)

1) Any further plans, i.e. do you plan on updating the "Storm Binary Tracker" regularly?
And also, all these storm .exes there...
have you thought of submitting them either to AV companies,
so that they can improve their heuristics/whatever...
or say uploading them over at Offensive Computing,
and thereby making them available to the public as well?

2) Regarding IP addresses, JohnC will answer on how he's gonna handle this in specific...
as he is the one who does all the tedious work of sorting/removing links from the database.  ;)
In the past, there existed a simple text on the main MDL page
that contained lots of storm addresses; as time passed though and the info there got obsolete,
it got removed... maybe something similar could be arranged... :)

3) These samples, can they somehow be 'fingerprinted', depending on entry point signature?
Do they make use of a different scrambling/packing method,
and thereby need to be 'broken down' in groups in order to do so?
I'd certainly be more than glad if you could provide/share with the public this kind of info...  :)

March 08, 2008, 10:02:28 am
Reply #5

JohnC

Reporting those IP addresses to the hosting companies would be good. Of course it may take a while manually, so someone would need to write a little script to do the work. Hopefully it could see a large amount of storm infected machines cleaned.

March 08, 2008, 05:42:08 pm
Reply #6

cjeremy

No worries with questions.... as I am just glad you didn't see my post as some sort of advertisement that got me flamed.... ;)


Quote
1) Any further plans, i.e. do you plan on updating the "Storm Binary Tracker" regularly?


Yes, I do have plans to add some functionality to the storm binary tracker, such as a search feature... I just stood it up over the last week, so it took me time just to get the site up and running. I do have my remote computer downloading these binaries and feeding the database hourly, so the data should not go stale.

I have tried feeding some of this to different AV companies but really haven't had that much luck in doing this.  If you have suggestions on how to make this successful I am all ears.  I am also a member of Offensive Computing, so I was thinking of emailing them to see if I could feed them these in a more automated fashion, if they were interested, as submitting them manually would be a nightmare. 


Quote
3) These samples, can they somehow be 'fingerprinted', depending on entry point signature?
Do they make use of a different scrambling/packing method,
and thereby need to be 'broken down' in groups in order to do so?
I'd certainly be more than glad if you could provide/share with the public this kind of info...


I haven't really done a lot in running mass comparisons against them, and you're right that would be interesting info to publish. If someone would like to help in doing this I would be up for the challenge...

Quote
Reporting those IP addresses to the hosting companies would be good.

I agree, I could possibly come up with a script to do this, but what I have noticed is many of the storm hosts are not on hosted web sites but individuals' computers. Some are dial-up accounts, so I would have to report these to the ISPs and that would be more complicated, I think. I haven't found a pattern in how a computer is chosen to become a storm binary hosting server. I know there are some exploit bots running around looking at FTP servers that will load the binary to your FTP server, as I have seen that on my nepenthes honeypot, but other than that I don't know how a computer is chosen as a web server to host the binaries.



March 08, 2008, 08:37:05 pm
Reply #7

sowhat-x

Quote
...as I am just glad you didn't see my post as some sort of advertisement that got me flamed....  ;)
He-he, nah... it never even crossed my mind...
anything not referring directly to private/'closed' communities is certainly welcome,
or else, what would be the point in the first place...

Quote
I have tried feeding some of this to different AV companies but really haven't had that much luck in doing this.
This raises quite a bit of a discussion, as it seems to be a quite common problem
when it comes to large malware collections... my best bet to avoid mailing them one-by-one
would be to zip them and upload them to Rapidshare or so, then make a post at Offensive Computing...
At least that's what I've also done in the past a couple of times with quite a bit of success...

Quote
I haven't really done a lot in running mass comparisons against them,
and you're right that would be interesting info to publish.
It would certainly take quite a bit of time in order to 'break' them down in groups,
as I really don't know any ready-made tool that could do it in a completely automatic way;
manual intervention is certainly needed...
Then again, maybe some script based on pefile could do this...
http://code.google.com/p/pefile/
If you decide to post them in public, personally,
I also wouldn't have a problem doing it in a semi-manual way, he-he...
quite a bit of patience when it comes to that kind of stuff...  8)

March 08, 2008, 10:48:00 pm
Reply #8

cjeremy

Quote
my best bet to avoid mailing them one-by-one
would be to zip them and upload them to Rapidshare or so, then make a post at Offensive Computing...
I sent an email over to the Offensive Computing admins to see if they had any suggestions, but if I don't hear back from them in good time I will take your suggestion and try posting to Rapidshare.

Quote
Then again, maybe some script based on pefile could do this...
http://code.google.com/p/pefile/
If you decide to post them in public, personally,
I also wouldn't have a problem doing it in a semi-manual way

That is a good idea. I am fairly new at the reverse engineering practice, so it takes me probably twice as long as most to just break one binary... So if I did it manually it may be 10 years before we have any results ;) If you want to define some groupings and procedures and share some of the workload I would gladly do that, as you sound way more versed in this art than I am. Your thoughts?

Also I added a search by IP to aid in finding a specific IP this afternoon after our short discussion. 

March 08, 2008, 11:57:27 pm
Reply #9

sowhat-x

He-he, in 10 years from now... these guys will be serving their duty in some Russian prison...  ;D
Would it be much of a trouble to upload a small subset of them to Rapidshare or similar,
say 50-60 binaries or so, in order to see what can be done?

That is if they give any useful results of course; I know back in summer they did,
and JohnC had fingerprinted with relative ease a specific 'generation' of them...
Have a look here, the sig can be trimmed though, just to be on the 'safe side'...
http://www.malwaredomainlist.com/forums/index.php?topic=120.0

I see 4 different names there...
'postcard.exe', 'valentine.exe', 'with_love.exe' and 'happy_2008.exe':
thereby, I'll try at first making groups by their original name,
say by checking 15-20 unique 'valentines', then the 'postcards', and so on...

March 09, 2008, 01:21:33 am
Reply #10

cjeremy

Sure I can. I have grabbed the last 60 downloaded and placed them in a tarball which can be downloaded from here: http://rapidshare.com/files/98098774/storm_binaries.tar.gz.html

If you need a larger sample or a different variety just let me know. There is no password on the archive file, so be careful with it ;)


March 09, 2008, 06:32:27 am
Reply #11

sowhat-x

Code:
[VX.Zhelatin variant]
signature = 55 A1 88 ?? ?? ?? BA FF 7F 00 00 0F AF 05 78 ?? ?? ?? 89 D1 31 D2 89 E5 5D 03 05 68 ?? ?? ?? F7 F1 89 D0 89 15 88 ?? ?? ?? C3 55 89 E5 57 31 FF 56 53 31 DB 8B 45 08 88 D9 8B 55 0C D3 E8 89 C6 D3 EA 83 E6 01 0F 94 C1 83 E2 01 0F 94 C0 09 C8 A8 01 74 0F 09 D6 74 0B B8 01 00 00 00 88 D9 D3 E0 09 C7 43 83 FB 20 72 CB 5B 89 F8 5E 5F 5D C3 55 89 E5 57 8B 7D 08 56 8B 75 0C 53 31 DB FF 75 18 FF 75 14 FF 75 10 E8 57 FF FF FF 83 C4 0C 39 F3 73 ?? E8 68 FF FF FF
ep_only = false

This crap is compiled with gcc... therefore, external scanning must be explicitly specified in PEiD.
The sig catches all postcards/valentines in the archive posted above,
and I believe it should also 'catch' problem-free most of the samples you've got there...
If you come across postcards/valentines in your honeypot there
that aren't detected with the above, obviously, it will be my pleasure....  :)
But well, don't take it that much seriously...
a reliable detection method can only be done via function,
pretty much as AV products do; this is just a quick'n'dirty way for the fun of it...

...there was also one sample among them that PEiD didn't like, he-he...
it got reported as "not a valid PE" under v0.94.
Under the internal beta it was recognized properly,
but its import table couldn't be listed... time for more bugfixes. ;)
Thanks cjeremy  :)

In a final side-note, the "with love" crap does some extra tricks around,
in order to avoid unpacking/detection and such...
I'll have a look at it at some future moment, it deserves a more thorough view...

March 09, 2008, 10:44:47 pm
Reply #12

cjeremy

Outstanding job "sowhat-x", I ran your signature on all of the postcard.exe and valentine.exe binaries and it successfully identified each one of them. Thanks so much for doing that, as I actually learned some things from this... I never really used PEiD until now, so that should tell you how fresh I am at reverse engineering this stuff; thanks again, as I have now seen the power of a great tool. I was also experimenting with the plugin EPscan, but it didn't generate the EP signature as well as you did it manually (I assume you did it manually). Maybe it is my inexperience at using the plugin, but at least I feel good about learning something new.

Oh, and on a side note, I am still going to look into pefile and peutils to see if I can't script the generation of the EP signature, so that I can add it to my storm binary tracker database, as I think it would be a great addition to the information I already track. And it would be cool to see it change when the worm morphs again....

You guys are awesome, keep up the good work!

March 09, 2008, 11:07:08 pm
Reply #13

JohnC

Anybody expecting an Easter Ecard Storm Spam sometime in the next couple of weeks? Probably a funny bunny, or cute rabbit thing.

March 10, 2008, 12:36:35 am
Reply #14

sowhat-x

Quote
Probably a funny bunny, or cute rabbit thing.



cjeremy, for EPScan to work, unless all exes in the same folder share a common ep true sig,
you get tons of ?? wildcards... i.e. then you have to move exes out of the folder one by one,
in order to spot which one is causing the 'trouble'...
To make the sig above, I used two semi-automated tools,
along with PEiD's disassembler and Vim (yeah, Vim... who said Emacs, he-he...),
in order to copy/paste and diff data when needed...
One of the tools I've used hasn't been released to the public yet,
as there are still a few things yet to be resolved...
the other one I'll put as an attachment later when I get home...

Lots of ep_false sigs though I've done only with PEiD's disasm and diffing...
Making sigs is certainly not an 'art', i.e. no need to be a reversing guru or so:
it just has quite a lot of 'gotchas' to be taken into consideration,
both in order to avoid possible collisions, and furthermore,
to avoid ending up with semi-working sigs that miss samples...
I.e. in its simplest form...
say if an ep true sig was made for the 'zhelatins' above (by using EPScan or similar...),
then the sig would also catch lots of innocent common gcc-based exes as well...
Although it will certainly be a quite rare case...
even the ep false I made has a somewhat slight chance of doing so,
that's why I mentioned the 'quick 'n' dirty' way - 100% reliable detection only by function...

Exactly because of all the above,
I've never managed to make a detailed tutorial regarding sig generation,
and it's something which I've always considered is needed for people...  :-\
As I would have to present way too many different packers and 'tricks of the trade',
in order to show how it can be done properly...
the more you mess around with packers, the more you acknowledge them...
This also explains the lack of automated tools out there,
i.e. even with the most perfect one, human examination will still be needed...
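
Added example, not code from the thread or from any poster's tools: a small Python matcher for the PEiD-style signature sowhat-x posted in Reply #11 (`??` as a one-byte wildcard, `ep_only = false` as a whole-file search instead of an entry-point match), plus a `make_sig` helper that does the diff-based generation described in Reply #14 (bytes that agree across every sample are kept, everything else becomes `??`, which is why unrelated exes in one folder give mostly wildcards). The `make_sample` inputs are constructed test files, not real Storm binaries.

```python
import re

# Signature copied verbatim from the [VX.Zhelatin variant] block in Reply #11.
# "??" is a one-byte wildcard; ep_only = false means the whole file is searched.
ZHELATIN_SIG = (
    "55 A1 88 ?? ?? ?? BA FF 7F 00 00 0F AF 05 78 ?? ?? ?? 89 D1 31 D2 89 E5 5D 03 05 68 ?? ?? ?? "
    "F7 F1 89 D0 89 15 88 ?? ?? ?? C3 55 89 E5 57 31 FF 56 53 31 DB 8B 45 08 88 D9 8B 55 0C D3 E8 "
    "89 C6 D3 EA 83 E6 01 0F 94 C1 83 E2 01 0F 94 C0 09 C8 A8 01 74 0F 09 D6 74 0B B8 01 00 00 00 "
    "88 D9 D3 E0 09 C7 43 83 FB 20 72 CB 5B 89 F8 5E 5F 5D C3 55 89 E5 57 8B 7D 08 56 8B 75 0C 53 "
    "31 DB FF 75 18 FF 75 14 FF 75 10 E8 57 FF FF FF 83 C4 0C 39 F3 73 ?? E8 68 FF FF FF"
)

def compile_sig(sig):
    """Turn a PEiD signature line into a bytes regex; '??' matches any single byte."""
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '.' also matches 0x0A

def scan(data, sig=ZHELATIN_SIG, ep_only=False, ep=0):
    """Return the offset of the match, or None.
    ep_only=True : the sig must start exactly at the entry point (PEiD's default).
    ep_only=False: the whole file is searched (PEiD's external/deep scan)."""
    pat = compile_sig(sig)
    m = pat.match(data, ep) if ep_only else pat.search(data)
    return m.start() if m else None

def make_sig(samples):
    """Diff equal-length byte strings the way a sig maker would: keep the bytes
    that agree in every sample and turn everything else into a ?? wildcard."""
    n = min(len(s) for s in samples)
    toks = []
    for i in range(n):
        column = {s[i] for s in samples}
        toks.append("%02X" % samples[0][i] if len(column) == 1 else "??")
    return " ".join(toks)

def make_sample(filler, sig=ZHELATIN_SIG):
    """Constructed test file (hypothetical, not a real PE): a 32-byte 'MZ' stub,
    then the signature bytes with every wildcard position set to `filler`."""
    body = bytes(filler if t == "??" else int(t, 16) for t in sig.split())
    return b"MZ" + b"\x00" * 30 + body + b"\x90" * 16

if __name__ == "__main__":
    print("match at", scan(make_sample(0x41)))                 # 32
    bodies = [make_sample(f)[32:184] for f in (0x41, 0x00, 0xFF)]
    print("regenerated sig matches post:", make_sig(bodies) == ZHELATIN_SIG)
```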