Ok, I’m convinced, this group is falling apart. The storm gang has splintered off into separate directions. Some appear to be teaming up with the same bunch of guys that distribute rogue antispyware. In this case, they are providing exploit-less web pages hastily thrown together that politely serve up a codec. The title bar of the web page remains at “I love you” from the last theme, and current malicious storm page content pushes a “Storm Codec”, copycatting the Zlob rogue antispyware pushers’ theme of enticing video codecs:

“You have no Storm Codec on your PC”. Keep it that way. Do not download and run “Stormcodec.exe” or StormCodec8.exe” from unusual sites.

Btw, this theme is apparently a spoof on the Storm codec plugin offered at Softpedia and other freeware distributors. The original plugin apparently handles a number of formats, but has been bundled with malicious Trojans. The “Stormcodec7.exe” installer for that plugin on the Softpedia site appears to be over 20 mb, while the malicious binaries from a couple malicious Storm sites that we collected are ~137kb for now.
The current Storm sites contain images ripped from blogs and web pages like these, where it was described as the “dominant media player in China Windows system”:

The securityzone and Arbor Networks blogs are making note of the “fastflux” dns technique for the currently malicious domain used this time around at “_supersameas _. _com_”.

This entry was posted on Tuesday, April 8th, 2008 at 10:56 am and is filed under Bot, Social Engineering, Storm, cybercrime. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.