Storm Worm Config file parser


I have written a small Perl script that will extract the IP addresses and Port numbers from the Storm Worm configuration file. Right now this file can be found on an infected machine in the C:\windows directory and is currently named "aromis.config". This is a fairly simple script to run and it contains the ability to parse multiple files as it accepts wildcard characters "*" and/or multiple filenames. If you're interested here is a link to it: storm_config_decoder_pl. Feel free to contact me if you have any questions or comments. Just thought I would share a little since I seem to take a lot from here ;)

jeremy [at] sudosecure [dot] net

nice stuff you have there

I looked @ nice stuff & info. "Storm Binary Tracker" is nice. I have a question though: how do you collect new IPs? do you have a "spam honeypot"? and you might want to correct the "Scirpts" button's text (a misspell). anyway, nice site and I see you declared war on Storm/Peed :)


Thanks for the heads up on the spelling, it's almost too funny that I missed that obvious typo. How I am able to collect the unique IP addresses is by using the Fast Flux network design against itself, kind of. What I mean is I have written a Perl script that connects to a few large public DNS servers and asks them for A records using the current Storm Worm domain name. Nothing fancy and I will most likely publish these scripts once I have cleaned them up some, but right now they are really hacked together and not well maintained. ;) I do have about 95% of the binaries you see on the binary tracker (lost a few with a hard drive crash), so if anyone ever wants a fresh one just let me know and I will upload it here. If you're looking to track the storm worm or any other fast flux network I have a friend over at the Australian Honeypot group who has written a tool called the Tracker. Its concept is much like mine, but we have our differences ;) Anyways I would recommend going and checking it out if you're interested in tracking Fast Flux networks: Tracker.
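
The collection idea above (ask several public resolvers for the same domain's A records, keep the unique IPs and spot the fast-flux churn) as an added Python example; this is not the author's Perl script, and the resolver names, the sample answers and the flux thresholds are constructed assumptions so it runs offline.

```python
"""Merge A-record answers for one domain across resolvers and polls."""
from dataclasses import dataclass, field

# Constructed sample: per resolver, three successive polls of the same
# domain as (list_of_ips, ttl). Replace with live lookups in real use.
SAMPLE_ANSWERS = {
    "8.8.8.8": [(["10.0.0.1", "10.0.0.2"], 30),
                (["10.0.0.3"], 30),
                (["10.0.0.1", "10.0.0.4"], 30)],
    "208.67.222.222": [(["10.0.0.5"], 30),
                       (["10.0.0.2", "10.0.0.6"], 30),
                       (["10.0.0.7"], 30)],
}


@dataclass
class FluxTracker:
    # ip -> set of resolvers that ever returned it
    seen: dict = field(default_factory=dict)
    ttls: list = field(default_factory=list)

    def record(self, resolver, ips, ttl):
        """Fold one answer into the tracker, keeping IPs unique."""
        for ip in ips:
            self.seen.setdefault(ip, set()).add(resolver)
        self.ttls.append(ttl)

    def unique_ips(self):
        return sorted(self.seen)

    def new_since(self, known):
        """IPs not in a previously saved set (what a tracker logs per run)."""
        return sorted(set(self.seen) - set(known))

    def looks_fast_flux(self, min_ips=5, max_ttl=300):
        # Heuristic (assumption): many distinct A records, all with short TTLs.
        return len(self.seen) >= min_ips and all(t <= max_ttl for t in self.ttls)


def collect(answers):
    """Build a FluxTracker from {resolver: [(ips, ttl), ...]} answers."""
    tracker = FluxTracker()
    for resolver, polls in answers.items():
        for ips, ttl in polls:
            tracker.record(resolver, ips, ttl)
    return tracker


if __name__ == "__main__":
    t = collect(SAMPLE_ANSWERS)
    print(len(t.unique_ips()), "unique IPs; fast flux:", t.looks_fast_flux())
```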

pretty cool stuff! i was wondering though as to how you are able to find the current storm domains. thanks!

There is no simple and/or single way to do this.... I monitor spam, honeypots, IDS alerts, mailing lists, numerous security sites, other security professionals, and some creative googling and domain registration searching. ;)