Storm talk is thundering across the security blog horizon. Despite the consensus that this spam monster is indeed a Storm relative, there is some argument over just how NEW this new Storm is.
Several people have taken a look at the spam spewing samples, digging into the malware’s functionality as well as its communication, and the templates used for generating the various spam emails. They have found major similarities between several aspects of the new and old Storm fronts, including filename usage and user-agent typos (Windoss instead of Windows), but the more recent version has excluded the peer to peer portion of the code.
Atif Mushtaq at FireEye writes that these are all details he observed on a Storm variant back in 2008. So is this old news? Nothing about what is being called Pecoan (another name in the long list: Nuwar, Peacomm, Zhelatin, Dorf) is really more sophisticated than its predecessor and the samples I ran only connected with one static IP, so I don’t think this Storm will be as violent as the last. The creators of the original Storm have had enough time to code a better botnet so perhaps this is just a rediscovery of a forgotten remnant.
Right now compromised systems are sending out online pharmacy, adult dating, and nude celebrity emails. The template design allows for a wide array of sender names, subjects, message content, and destination URLs. The malware harvests email addresses from the victim machines and sends Base64 encoded POSTS to pass information and report in to its C&C.
As always, be cautious while online and when in doubt, don’t click.
Threat Research & Analysis