A new variant of the Storm worm is using the domain name merrychristmasdude.com to infect unsuspecting users with malware. The link to the web page appears in spam messages sent out by the Storm gang using compromised machines. The message uses social engineering techniques to get you to click on the link. Simply clicking on the link and visiting the page can compromise your system: the page tries to exploit vulnerabilities in your browser or its installed plug-ins to download a malicious executable file to your machine and run it without your knowledge. If the exploitation fails, you might be tricked into manually downloading and running the malicious executable file from the page.

As you can see below, a technique known as fast flux is used to hide the real web server behind the web page. Every time you resolve the domain name, it points to the IP address of a different compromised machine, which acts as a reverse proxy serving the web page.

merrychristmasdude.com. 0  IN  A  24.210.99.xxx  (cpe-24-210-99-xxx.mi.res.rr.com)
merrychristmasdude.com. 0  IN  A  76.117.96.xxx  (c-76-117-96-xxx.hsd1.pa.comcast.net)
merrychristmasdude.com. 0  IN  A  76.93.91.xxx   (cpe-76-93-91-xxx.socal.res.rr.com)
merrychristmasdude.com. 0  IN  A  90.45.180.xxx  (ABayonne-256-1-125-xxx.w90-45.abo.wanadoo.fr)
merrychristmasdude.com. 0  IN  A  68.204.186.xxx (xxx.186.204.68.cfl.res.rr.com)
merrychristmasdude.com. 0  IN  A  67.165.111.xxx (c-67-165-111-xxx.hsd1.pa.comcast.net)
merrychristmasdude.com. 0  IN  A  86.76.88.xxx   (xxx.88.76-86.rev.gaoland.net)
merrychristmasdude.com. 0  IN  A  24.129.120.xxx (c-24-129-120-xxx.hsd1.fl.comcast.net)
merrychristmasdude.com. 0  IN  A  68.167.71.xxx  (h-68-167-71-xxx.nycmny83.dynamic.covad.net)
merrychristmasdude.com. 0  IN  A  75.64.251.xxx  (c-75-74-251-xxx.hsd1.fl.comcast.net)
merrychristmasdude.com. 0  IN  A  74.128.121.xxx (74-128-121-xxx.dhcp.insightbb.com)
merrychristmasdude.com. 0  IN  A  68.42.114.xxx  (c-68-42-114-xxx.hsd1.mi.comcast.net)
merrychristmasdude.com. 0  IN  A  64.126.33.xxx  (64-126-33-xxx.dyn.everestkc.net)
merrychristmasdude.com. 0  IN  A  91.89.7.xxx    (HSI-KBW-091-089-007-xxx.hsi2.kabelbw.de)
merrychristmasdude.com. 0  IN  A  75.35.228.xxx  (adsl-75-35-228-xxx.dsl.pltn13.sbcglobal.net)
merrychristmasdude.com. 0  IN  A  69.237.162.xxx (ppp-69-237-162-xxx.dsl.frsn02.pacbell.net)
merrychristmasdude.com. 0  IN  A  82.231.43.xxx  (id75-11-82-231-43-xxx.fbx.proxad.net)
...
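
The listing above shows the traits a defender can look for in resolver logs: a TTL of 0, answers spread over unrelated networks, and reverse-DNS names of home broadband lines. The following is an added example, not part of the original post, that scores records in that layout; the sample data, the thresholds and the reverse-DNS keyword list are assumptions.

```python
import re

# Constructed sample in the layout of the listing above: documentation
# address ranges, redacted last octet, made-up reverse-DNS names.
SAMPLE = """\
flux.example. 0  IN  A  192.0.2.xxx     (cpe-192-0-2-xxx.res.isp-a.example)
flux.example. 0  IN  A  198.51.100.xxx  (c-198-51-100-xxx.hsd1.isp-b.example)
flux.example. 0  IN  A  203.0.113.xxx   (adsl-203-0-113-xxx.dsl.isp-c.example)
flux.example. 0  IN  A  198.51.100.xxx  (c-198-51-100-xxx.hsd1.isp-b.example)
static.example. 3600  IN  A  192.0.2.10  (www.hosting.example)
static.example. 3600  IN  A  192.0.2.10  (www.hosting.example)
"""

RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+"
    r"(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.(?:\d{1,3}|xxx))"
    r"(?:\s+\((?P<ptr>[^)]+)\))?\s*$")

# Reverse-DNS labels common on consumer broadband (assumed heuristic list).
RESIDENTIAL = re.compile(
    r"(?:^|[-.])(?:cpe|adsl|dsl|ppp|dhcp|dynamic|dyn|res|hsd\d*)(?:[-.]|$)", re.I)

def parse(text):
    """Yield (name, ttl, ip, ptr) for every line in the listing layout."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            yield (m["name"].rstrip(".").lower(), int(m["ttl"]),
                   m["ip"], m["ptr"] or "")

# Thresholds are assumptions. The first two octets stand in for the network;
# a production check would compare ASNs instead.
def flux_report(text, max_ttl=300, min_networks=3):
    """Flag names whose answers are short-lived and spread over many networks."""
    by_name = {}
    for name, ttl, ip, ptr in parse(text):
        by_name.setdefault(name, []).append((ttl, ip, ptr))
    report = {}
    for name, rows in by_name.items():
        networks = {tuple(ip.split(".")[:2]) for _, ip, _ in rows}
        low_ttl = max(ttl for ttl, _, _ in rows) <= max_ttl
        report[name] = {
            "answers": len(rows),
            "networks": len(networks),
            "residential": sum(bool(RESIDENTIAL.search(p)) for _, _, p in rows),
            "suspect": low_ttl and len(networks) >= min_networks,
        }
    return report
```

Feed it the answers collected from repeated lookups of one name; a single lookup rarely shows enough spread to cross the network threshold.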