Tuesday, April 8, 2008

Storm using Zlob tactics and spoofed codec theme

Ok, I'm convinced, this group is falling apart. The Storm gang has splintered off in separate directions. Some appear to be teaming up with the same bunch of guys that distribute rogue antispyware. In this case, they are providing exploit-less web pages, hastily thrown together, that politely offer up a codec. The title bar of the web page still reads "I love you" from the last theme, while the current malicious Storm page content pushes a "Storm Codec", copying the Zlob rogue antispyware pushers' theme of enticing video codecs:

"You have no Storm Codec on your PC". Keep it that way. Do not download and run "Stormcodec.exe" or "StormCodec8.exe" from unusual sites.

By the way, this theme is apparently a spoof on the Storm codec plugin offered at Softpedia and other freeware distributors. The original plugin apparently handles a number of formats, but has been bundled with malicious Trojans. The "Stormcodec7.exe" installer for that plugin on the Softpedia site appears to be over 20 MB, while the malicious binaries we collected from a couple of malicious Storm sites are ~137 KB for now. The size gap is a quick triage tell, not something to rely on; the group changes packers and payloads between releases.
The current Storm sites contain images ripped from blogs and web pages, including one where the real player was described as the "dominant media player in China Windows system":

The securityzone and Arbor Networks blogs are noting the fast-flux DNS technique behind the malicious domain used this time around, "_supersameas _. _com_".

Wednesday, April 2, 2008

Really not all that funny (cont. ii)

We researched some of the early-stage activity of this new round of Storm. It's an unusual release for the group: they are being chided on forums and in blog comments for repeating the one-liner emails that are easily recognized and identified by spam filters. We mentioned that the components used (no kernel-mode drivers) and the characteristics and behavior of the user-mode binaries are unusual for the group as well. It seems that they lost a graphic designer, and their driver developers left the scene (at least for this release).

So, let's elaborate a bit on what looked like a total lack of sophistication in this release's code base, keeping in mind that the group's efforts have included implementing the most effective techniques for targeting and successfully evading security products on users' desktops. They were good at this work; after all, they had built what was allegedly the largest botnet ever. To that end, the malware writers do not disappoint with this release.
While the changes in the relentless holiday releases of late have typically been to their social engineering themes, we find that now the evasion techniques have moved out of the kernel and into user mode.

In the "kickme.exe" samples that load "testdll_f.dll", we find several interesting pieces of code. A loop implements an ntdll function-overwrite routine just prior to loading the mysterious test DLL, which is unpacked in memory and never touches disk; kickme hooks several ntdll APIs: NtOpenFile, NtQueryAttributesFile, NtClose, NtCreateSection, NtMapViewOfSection and NtProtectVirtualMemory. Here is an example of one of the hooks:

[Figure: disassembly of one of the ntdll hooks, not reproduced here]

The hook function blocks within the code are among the first chunks of code to be decrypted at startup. A jump table is built on the stack to redirect control back to the hook function from the jmp instruction written into ntdll. When LoadLibraryW is called on the in-memory unpacked testdll_f.dll library, these hooks take the place of the standard Windows loader behavior, and they also pre-empt any security product that itself hooks these functions, since the hooks are common to DLL loading. Up until this point in the binaries' execution, the thread has been busily unpacking code at the assembly level without calling APIs other than a handful buried away in ntdll, like memcpy.
So far as we know, this user-level evasive behavior is new to Storm. These changes may be underestimated by some, but they help the group meet their own goals in new ways.
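To make the overwrite concrete, here is an added example (our illustration, not code from the kickme sample or from any security product). It shows, on plain byte buffers, the two sides of the user-mode inline hook described above: how a 5-byte "jmp rel32" patch at the start of an ntdll export redirects control to a hook, and the check a scanner would run to notice it (compare the in-memory prologue to the expected stub bytes, and flag a leading jmp or push/ret). The "clean" stub bytes, the syscall number, and the addresses EXPORT_VA and HOOK_VA are constructed placeholders so the code runs on any host without touching a real ntdll.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5

/* Constructed stand-in for a 32-bit ntdll export stub of the XP era
   (mov eax, <syscall#>; mov edx, 7FFE0300h; call [edx]; ret 18h).
   The syscall number is a placeholder, not a real value. */
static const uint8_t CLEAN_STUB[] = {
    0xB8, 0x00, 0x00, 0x00, 0x00,   /* mov eax, imm32 (placeholder) */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov edx, 7FFE0300h           */
    0xFF, 0x12,                     /* call dword ptr [edx]         */
    0xC2, 0x18, 0x00                /* ret 18h                      */
};

/* Constructed addresses: where the export lives and where the hook is. */
static const uint32_t EXPORT_VA = 0x7C90D59E;
static const uint32_t HOOK_VA   = 0x00401000;

/* rel32 is relative to the end of the 5-byte jmp; unsigned wrap-around
   gives the correct encoding for backward jumps. */
uint32_t rel32_for(uint32_t from, uint32_t to) {
    return to - (from + JMP_REL32_LEN);
}

/* Write "E9 <rel32>" into `at`, the buffer that will live at address
   `from`, so that execution transfers to `to`. */
void write_jmp_rel32(uint8_t *at, uint32_t from, uint32_t to) {
    uint32_t rel = rel32_for(from, to);
    at[0] = 0xE9;
    memcpy(at + 1, &rel, 4);            /* little-endian displacement */
}

/* Decode the target of an "E9 rel32" that sits at address `from`. */
uint32_t jmp_rel32_target(const uint8_t *at, uint32_t from) {
    uint32_t rel;
    memcpy(&rel, at + 1, 4);
    return from + JMP_REL32_LEN + rel;
}

/* Heuristic used by hook scanners: a stub that begins with a jmp,
   a jmp through memory, or a push/ret pair has been patched. */
int looks_inline_hooked(const uint8_t *p, size_t n) {
    if (n >= 5 && p[0] == 0xE9) return 1;                 /* jmp rel32      */
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1; /* jmp [abs32]    */
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return 1; /* push imm; ret  */
    return 0;
}

/* Stronger check: compare the in-memory prologue with the bytes of the
   same export read from the on-disk ntdll image. */
int prologue_matches(const uint8_t *mem, const uint8_t *disk, size_t n) {
    return memcmp(mem, disk, n) == 0;
}

/* Round trip: patch a copy of the stub the way kickme patches ntdll,
   then confirm both checks flag it and that the hook target decodes.
   Returns 1 when every step behaves as expected, 0 otherwise. */
int demo_hook_roundtrip(void) {
    uint8_t mem[sizeof CLEAN_STUB];
    memcpy(mem, CLEAN_STUB, sizeof mem);
    if (looks_inline_hooked(mem, sizeof mem)) return 0;          /* clean */
    if (!prologue_matches(mem, CLEAN_STUB, sizeof mem)) return 0;
    write_jmp_rel32(mem, EXPORT_VA, HOOK_VA);                     /* hook  */
    if (!looks_inline_hooked(mem, sizeof mem)) return 0;
    if (prologue_matches(mem, CLEAN_STUB, sizeof mem)) return 0;
    if (jmp_rel32_target(mem, EXPORT_VA) != HOOK_VA) return 0;
    return 1;
}

int main(void) {
    uint8_t mem[sizeof CLEAN_STUB];
    memcpy(mem, CLEAN_STUB, sizeof mem);
    write_jmp_rel32(mem, EXPORT_VA, HOOK_VA);
    printf("patched prologue:");
    for (size_t i = 0; i < JMP_REL32_LEN; i++) printf(" %02X", mem[i]);
    printf("\nroundtrip ok: %d\n", demo_hook_roundtrip());
    return 0;
}
```

Note that the patch clobbers the first instruction of the stub (the mov eax, imm32 is exactly 5 bytes here), which is why a hook that wants to fall through to the original function must re-execute those bytes before jumping back to EXPORT_VA + 5; that is the job of the stack-built jump table mentioned above. A scanner that only pattern-matches the leading byte is easy to fool, so the on-disk comparison is the check to keep.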

On to the next malware family, we'll probably see you next holiday or major news event (possibly the NCAA championship) with more Storm details.