sudosecure.net Blog Archive Storm Worm Morphs to only serve exploits

Alrighty then let me get to some of the juicy stuff about this new campaign. We now have three active Storm Fast Flux domain names serving up obfusticated JavaScript via a PHP file titled "ind.php". The thing that completely threw me off yesterday was they are filtering the exploit with a User Agent check. If you try to grab the "ind.php" with a non exploitable browser or command you will receive a blank page. Here is a PDF of the current "ind.php" file and it's deobfusticated code: ind.php analysis. As you can see in the PDF you will be hit with multiple exploits and if any of them are successful you will be receiving the Storm Worm binary downloader from another PHP file titled: "load.php". Detection is very limited for this new variant downloader: VirusTotal Results for load.php. This downloader will then grab the file "load.exe" which is the actual Storm Worm binary and detection for this is low as well: VirusTotal Results for load.exe.