Storm is Back, Dude!
by Jose Nazario

The Storm Worm is back, this time it’s got a Christmas theme. Who knew that it would take them so long to do this? Here’s a sample mail:
Date: Sun, 23 Dec 2007 21:19:19 -0500
From: geneoldham@usmint.treas.gov
To: ---
Subject: Find Some Christmas Tail

got a sec? Winter can be cold. I bet you could use a little something to warm you up. Take 2 min out of your day. You wont regret it. ;-)
hxxp://merrychristmasdude.com/
That domain, merrychristmasdude.com, has a bunch of nameservers and a lot of IPs associated with it – Fast Flux! Here are the IPs I saw via a global name server after 1000 repeated queries, together with their frequencies of observation:
That list is, of course, subject to change.
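The repeated-query observation above, as an added example that is not the author's own tooling: resolve a name many times, tally how often each address is returned, and flag the name when the answers are spread over many distinct addresses on many unrelated networks. The resolver here is a constructed stand-in (the names flux.example and stable.example and their address pool are made up) so it runs offline; a real lookup function returning A records can be passed in its place.

```python
import random
from collections import Counter
from ipaddress import ip_network


def observe_resolutions(resolve, domain, queries=1000):
    """Look up `domain` repeatedly and count how often each address is returned.
    `resolve(domain)` must return the list of A records from a single lookup."""
    counts = Counter()
    for _ in range(queries):
        counts.update(resolve(domain))
    return counts


def flux_summary(counts, distinct_threshold=20, network_threshold=10):
    """Summarise an observation. A fast-flux name is served by many distinct
    addresses spread over many unrelated networks (approximated here by /16s),
    with no single address answering a large share of the queries."""
    networks = {ip_network(f"{ip}/16", strict=False) for ip in counts}
    total = sum(counts.values())
    top_share = max(counts.values()) / total if total else 0.0
    return {
        "distinct_ips": len(counts),
        "distinct_16s": len(networks),
        "top_share": round(top_share, 3),
        "fast_flux": len(counts) >= distinct_threshold
        and len(networks) >= network_threshold,
    }


# Constructed stand-in for a real resolver so the example runs offline:
# "flux.example" answers from a pool of 120 addresses on 120 different /16s,
# five per reply; "stable.example" always answers with one address.
_rng = random.Random(2007)
_FLUX_POOL = [f"{11 + i}.{(i * 37) % 256}.{(i * 11) % 256}.{(i * 7) % 254 + 1}"
              for i in range(120)]


def simulated_resolve(domain):
    if domain == "flux.example":
        return _rng.sample(_FLUX_POOL, 5)
    return ["192.0.2.10"]


if __name__ == "__main__":
    for name in ("flux.example", "stable.example"):
        print(name, flux_summary(observe_resolutions(simulated_resolve, name)))
```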
An infected host will drop the file C:\WINDOWS\disnisa.exe and store the peer list in C:\WINDOWS\disnisa.config. A pair of randomly chosen ports – one TCP and one UDP – will be opened. The following registry entry is added for the malware:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"disnisa" = C:\WINDOWS\disnisa.exe

It will sync up the time using NTP and add the following registry entries:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters
"NtpServer" = time.windows.com,time.nist.gov
"Type" = NTP

It will lower the firewall for itself using this command:

netsh firewall set allowedprogram C:\WINDOWS\disnisa.exe enable

It will also add a registry entry to make sure that firewall permission is permanent:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
"C:\WINDOWS\disnisa.exe" = C:\WINDOWS\disnisa.exe:*:Enabled:enable

After that, the usual Storm worm mayhem begins.
AV detection for this sample is pretty modest at this point.
UPDATES
Some related links:
- It’s a Stormy Christmas Eve.. from the folks at F-Secure
- Stormworm is back. – Have a Merry Christmas Dude from our friends at DISOG
- Zhelatin.pd, stripshow.exe via the CSIRT blog
please provide the solution for prevention and removal of merrychristmasdude