
Storm Resurrection, Is It True?

I got very excited when I heard that Steven Adair from Shadowserver had recently spotted a slightly modified Storm variant live in action. But I was a little surprised when I read the details of this alleged new variant. This new variant (a modified version of the actual Storm) was discovered back in 2008, and I got a chance to write about it in quite some detail.

From my article written back in 2008:

Another interesting nugget is "User-Agent" header:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1921)

I guess the Storm author meant to type ‘Windows’ here, but fat-fingered it and made a typo. There is a sig in Bleeding Snort that recognizes this mistake:

#storm c&c with a typo'd UA.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Storm C&C with typo'd User-Agent (Windoss)"; flow:established,to_server; content:"User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windoss NT"; depth:200; classtype:trojan-activity; sid:2007742; rev:3;)

https://www.fireeyesolution.com/research/2008/10/storm-just-befo.html
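As an added example that is not part of the original post or of Bleeding Snort, here is the rule's content match re-implemented in Python and run over constructed HTTP requests. The request builder, the sample requests and the padding header are assumptions introduced only to show what the rule catches and where its depth:200 limit stops matching.

```python
# Added example (not from the original post): the Bleeding Snort rule quoted
# above, re-implemented in Python so it can be tested against constructed requests.

# Exact bytes the rule's content: option matches ('\:' / '\;' are Snort escapes).
STORM_UA_PATTERN = b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT"
DEPTH = 200  # depth:200 -> only the first 200 payload bytes are searched


def matches_storm_ua(payload: bytes, depth: int = DEPTH) -> bool:
    """True if the client payload would trigger the rule's content match
    (pattern fully contained within the first `depth` bytes)."""
    return STORM_UA_PATTERN in payload[:depth]


def user_agent(payload: bytes):
    """Return the User-Agent header value of an HTTP request, or None."""
    head = payload.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


def scan(requests):
    """Indices of the requests the rule would alert on."""
    return [i for i, r in enumerate(requests) if matches_storm_ua(r)]


def build_request(ua: str, extra_headers: str = "") -> bytes:
    """Constructed minimal HTTP GET carrying the given User-Agent (assumed path/host)."""
    return ("GET /cmd.php HTTP/1.1\r\nHost: example.invalid\r\n" + extra_headers
            + f"User-Agent: {ua}\r\n\r\n").encode("latin-1")


# Constructed samples: the typo'd Storm UA, a legitimate UA, and the typo'd UA
# pushed past the rule's 200-byte depth by a padding header (the rule misses it).
SAMPLES = [
    build_request("Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1921)"),
    build_request("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
    build_request("Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1921)",
                  extra_headers="X-Pad: " + "a" * 200 + "\r\n"),
]

if __name__ == "__main__":
    for i in scan(SAMPLES):
        print(f"alert sid:2007742 on request {i}: {user_agent(SAMPLES[i])}")
```

The third sample shows that a client which simply sends the User-Agent header late in a long header block slips under the rule's depth, which is worth knowing when tuning it.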


It is true that this variant is being re-used by the bot herders, or has become active again, but as far as the code base (a modified version of the actual Storm) and C&C architecture are concerned, it looks almost the same to me, except that the bot authors have now removed the P2P code. Previously they were using both at the same time; maybe that was a transitional period.

I am still not able to find the actual text by Steven Adair; I have only read about it via https://www.honeynet.org/node/539, where Steven was quoted directly. I hope we soon get more details from Steven and his direct point of view on this matter.

As expected, this news has already been picked up by the media.

http://krebsonsecurity.com/2010/04/infamous-storm-worm-stages-a-comeback/

http://www.pcworld.com/businesscenter/article/195145/new_storm_worm_may_not_last_long.html

Atif Mushtaq @ FireEye Malware Intelligence Lab

Detailed Question/Comments : research SHIFT-2 fireeye DOT COM
