New Botnet: Storm Signal?

Pierre-Marc tells me that he has received two malware samples that grabbed his attention due to their resemblance to Storm/Waledac.  They use the same kind of distribution mechanism: that is, spam with links to a New Year eCard for New year with titles like "New Year Wishes!" and "You Received an Ecard."  The mail contains a link to a website that tells the victim he needs Flash to view the content.

The links seen so far redirect to a linked binary named to look like a Flash Player installation program (of course, it isn't).

The downloaded binaries are huge, weighing in at 475K packed.  The modus operandi strongly resembles Storm for the following reasons:

  • It uses fast flux
  • It presents itself as an eCard, the malicious binary passes itself off as Flash, and so on.
  • Many compiled libraries are associated with the binary
  • Infected hosts are used to extend the malware's proxy capabilities
  • It appears to be making use of a decentralized network protocol (p2p) based on HTTP: investigation continues.
  • The bot has spamming capabilities

ShadowServer has started talking about this publicly. For now, we're not seeing other sources mentioning it, but Pierre-Marc agrees with their assessment.

The samples seen so far are detected by nod32 as Agent.WSA (detection added December 29th), or Win32/Kryptik.JHS.

The botnet is still in the development phase, apparently: the gang is releasing quick updates and some of their servers are not responding, probably because they are unable to cope with the wave of new infections. This also closely resembles problems we saw during the early stages of the earlier botnets.

David Harley
Pierre-Marc Bureau

Author David Harley, ESET

Follow us

Copyright © 2017 ESET, All Rights Reserved.