Saturday, September 15, 2007

Storm brings "games" that pack a punch

Today, Storm includes e-mails about free games. The e-mails have gone back to using URLs that point at raw IP addresses rather than a domain name, unlike the most recent NFL messages. The web page shows pictures of all sorts of games and links to "ArcadeWorld.exe".

The Storm worm operators are now also including exploit code on the page. My guess is they just didn't get the number of infections they were hoping for with the NFL version, which only included links to the *.exe.
Here's a screenshot of the obfuscated JavaScript.

This is the result after the first round of deobfuscating the JavaScript with SpiderMonkey. Note that there is still more to analyze. The overly long filename passed for the WMV file looks like it is targeting MS06-006.

The do/while loop builds a string of 16,777,216 A's, with the shellcode appended to the end.
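As an added illustration (my own, not code from the Storm page), a small Python heuristic that runs over a constructed stand-in for the kind of SpiderMonkey output described above: it replays a self-doubling do/while loop to work out the padding size without allocating it, and flags the combination of multi-megabyte filler and an unescape() blob appended to it. The sample JavaScript, its variable names, and the unescape encoding are assumptions, not the actual Storm code.

```python
import re

# Constructed stand-in for deobfuscated exploit JavaScript (not the real Storm page).
DEOBFUSCATED_JS = """
var pad = "A";
do { pad += pad; } while (pad.length < 16777216);
var sc = unescape("%u4141%u4141%u4141%u4141");  // placeholder bytes, not shellcode
var name = pad + sc;
"""

# do { X += X; } while (X.length < N);  -> captures X and N
DOUBLING_LOOP = re.compile(
    r"do\s*\{\s*(\w+)\s*\+=\s*\1\s*;?\s*\}\s*while\s*\(\s*\1\.length\s*<\s*(\d+)\s*\)")
# var X = "literal";  -> seed length of the string being doubled
SEED = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"')
# unescape("%uXXXX...") -> each %uXXXX unit encodes two bytes (assumed encoding)
UNESCAPE = re.compile(r'unescape\("((?:%u[0-9a-fA-F]{4})+)"\)')
PAD_THRESHOLD = 1 << 20  # 1 MiB of filler is far beyond any legitimate filename


def padding_length(seed_len, limit):
    """Replay the doubling loop arithmetically: string length when the loop exits.
    Returns 0 for an empty seed, which would never terminate in the real loop."""
    if seed_len == 0:
        return 0
    n = seed_len
    while n < limit:
        n *= 2
    return n


def analyze(src):
    """Return the loops found, the decoded unescape() size, and a verdict."""
    seeds = {name: len(val) for name, val in SEED.findall(src)}
    loops = []
    for var, limit in DOUBLING_LOOP.findall(src):
        final = padding_length(seeds.get(var, 1), int(limit))
        loops.append({"var": var, "padding_bytes": final})
    shellcode_bytes = sum(len(s) // 6 * 2 for s in UNESCAPE.findall(src))
    suspicious = (any(l["padding_bytes"] >= PAD_THRESHOLD for l in loops)
                  and shellcode_bytes > 0)
    return {"loops": loops, "shellcode_bytes": shellcode_bytes,
            "suspicious": suspicious}
```

On the sample above the loop exits at exactly 16,777,216 characters, the figure the post reports, without the script ever allocating that string.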

Subject: Quick, grab this
Body: Click here to get over 1000 games for free http://xxx.0.188.5/

Subject: Quick, grab this
Body: Stop paying for games; we have over 1000 games for free online http://xx.57.250.77/

Subject: Thousands of hours of fun, for free
Body: Go http://xx.203.41.160/

Subject: Stop paying for games
Body: 1000 Online Free games, take a look http://xx.38.52.177/

Subject: The internet just got better
Body: Look http://xxx.54.195.27/