Tuesday, August 28, 2007

Storm takes one step back, six steps forward

I was getting bummed since I hadn't seen any Storm worm infection letters since yesterday around 3pm, but Storm worm loves me and would never leave me hanging. This just came in.

Subject: Helps us out and let us say thanks
Body: We are looking for Consumer opinions of our new software Home Reno Planner

This beta testing will enable us to fine tune the software for public release. A free copy of the program plus free updates will be yours for helping out.

Download the software, See What you think, and Email us your thoughts. If you would like to help us with this no obligation Beta test, follow this link to our secure download server: http://xx.183.196.147/setup.exe

Where is the obfuscated link to the IP? I was surprised to see the raw IP listed along with a link directly to an EXE. It is definitely Storm worm hosting the malware. A quick download and check of the server header shows:

HTTP/1.1 200 OK
Server: nginx/0.5.17
Date: Tue, 28 Aug 2007 14:59:22 GMT
Content-Type: application/octet-stream
Content-Length: 140367
Connection: close
Accept-Ranges: bytes
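
As an added example (not code from the original post), the two things checked above turned into a small triage script: it flags mail links that point a raw IP address straight at an executable, and parses a captured response header block to flag the traits seen on this host. The samples are constructed, and 192.0.2.10 is a documentation address standing in for the redacted host.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed samples modelled on the post; 192.0.2.10 is a documentation
# address standing in for the redacted "xx.183.196.147" host.
SAMPLE_MAIL = ("follow this link to our secure download server: http://192.0.2.10/setup.exe\n"
               "Home Reno Planner info: http://www.example.com/about.html")
SAMPLE_HEADERS = ("HTTP/1.1 200 OK\r\nServer: nginx/0.5.17\r\n"
                  "Content-Type: application/octet-stream\r\nContent-Length: 140367\r\n")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EXE_EXT = (".exe", ".scr", ".pif")

def suspicious_links(text):
    """Return (url, reasons) for links that look like the Storm lure."""
    hits = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        reasons = []
        try:  # raw IP literal instead of a hostname
            ip_address(parsed.hostname or "")
            reasons.append("raw-ip-host")
        except ValueError:
            pass
        if parsed.path.lower().endswith(EXE_EXT):  # link straight to a binary
            reasons.append("direct-executable")
        if reasons:
            hits.append((url, reasons))
    return hits

def parse_headers(raw):
    """Parse a raw HTTP response header block into a lowercase-keyed dict."""
    lines = raw.strip().splitlines()
    headers = {"status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return headers

def header_indicators(headers):
    """Flag the traits the post observed on the Storm download host."""
    flags = []
    if headers.get("server", "").startswith("nginx/0.5"):
        flags.append("old-nginx-banner")
    if headers.get("content-type") == "application/octet-stream":
        flags.append("octet-stream-download")
    return flags
```

Neither check is proof of malware on its own; they are cheap filters to decide which mail and which download hosts deserve a closer look.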

Bringing up http://xx.183.196.147/ without the "setup.exe" shows it is also doubling as a StormTube host, complete with obfuscated JavaScript that takes a shotgun approach to exploiting the web browser. A cursory glance shows about a half dozen exploits that may be for IE WebViewFolderIcon setSlice(), WinZip WebViewFolderIcon, Yahoo WebCam, Microsoft 'msdds.dll' COM Object, QuickTime and AdobeWScriptShell.
Since including code in the body of the blog is a pain, here are the files if you want to play with them.
