Stormworm mutates: it is expanding and dividing

Storm work is using another theme to infect new victims. This latest theme is about a kitty cat ecard. The subjects are among other:"Someone is thinking of you! Open your ecard!" , "We have a ecard greeting for you." , "We have a ecard surprise!", etc.

When someone visits these websites, it shows the "The Laughing Psycho Kitty Cat"ecard and points to an executable named "SuperLaugh.exe". It's about 118KB.

More info and screenshot at Trendmicro.

Joe Stewart from Secureworks has new info on the StormWorm:

The latest Storm variants have a new twist. They now use a 40-byte key to encrypt their Overnet P2P traffic. This means that each node will only be able to communicate with
nodes that use the same key. This effectively allows the Storm author to segment
the Storm botnet into smaller networks. This could be a precursor to selling
Storm to other spammers
, as an end-to-end spam botnet system, complete with
fast-flux DNS and hosting capabilities. If that’s the case, we might see a lot more of Storm in the future.

The good news is, since we can now distinguish this new Storm traffic from legitimate” (cough) Overnet P2P traffic, it makes it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow P2P traffic (I.E. not corporate networks, we hope!).

Matt Jonkman over at has written some signatures to detect Storm nodes on a network in a generic way. These signatures look for certain UDP packet sizes typical of Storm, occuring over a certain threshold. Since there’s no content matching, these could be prone to false positives in certain cases, so the usual caveats with bleeding-edge signatures apply.

No comments: