Storm Botnet Uses New Trick of Phishing E-mails
Security researchers warn that the botnet created by the Storm Worm is applying a new tactic this year (2008): using its vast collection of compromised computers to send out phishing e-mails that divert people to fraudulent banking sites hosted on systems it controls remotely.
According to security firms Trend Micro and F-Secure, the Storm malware had never played a role in phishing scams until now. Researchers at F-Secure think that the latest scheme indicates that Storm's controllers are segmenting their huge army of compromised computers into clusters to rent out to different interested parties.
The Storm botnet started in January 2007 with spam mails that claimed to carry news about the winter storms wreaking havoc in Europe that month. Windows users who had not installed patches and clicked the link in the spam mail were infected with the virus and unwittingly joined their computers to the army of zombie machines.
According to Trend Micro and F-Secure, the latest phishing scam, which targeted the Royal Bank of Scotland and the Halifax Bank, used the fast-flux DNS technique to prolong the life of the phishing website. Fast-flux constantly alters the Internet Protocol (IP) address served by the DNS system, so that the bot-infected computers in the network host the phishing site.
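An added illustration, not from the article or the vendors it cites: a defender's heuristic that flags the constantly changing, bot-hosted address records described above in passive-DNS data. The log entries, domain names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS log: (minute observed, domain, A-record IP, TTL in seconds).
# Names use the reserved .example TLD; addresses are private/documentation ranges.
OBSERVATIONS = [
    (0, "bank-login.example", "10.12.4.7", 180),
    (0, "bank-login.example", "10.88.19.3", 180),
    (5, "bank-login.example", "10.140.2.91", 180),
    (5, "bank-login.example", "10.201.77.5", 180),
    (10, "bank-login.example", "10.33.250.14", 180),
    (10, "bank-login.example", "10.12.4.7", 180),
    (0, "www.shop.example", "192.0.2.10", 86400),
    (10, "www.shop.example", "192.0.2.10", 86400),
    (0, "cdn.media.example", "198.51.100.4", 60),   # low TTL, but one network
    (5, "cdn.media.example", "198.51.100.5", 60),
    (10, "cdn.media.example", "198.51.100.6", 60),
]

def flux_profile(observations):
    """Summarise each domain: distinct IPs, distinct /16 networks, lowest TTL,
    and how often the answer set changed between observation times."""
    by_domain = defaultdict(lambda: defaultdict(set))
    ttls = defaultdict(list)
    for minute, domain, ip, ttl in observations:
        by_domain[domain][minute].add(ip)
        ttls[domain].append(ttl)
    profiles = {}
    for domain, by_minute in by_domain.items():
        answer_sets = [by_minute[m] for m in sorted(by_minute)]
        ips = set().union(*answer_sets)
        nets = {ip_network(f"{ip}/16", strict=False) for ip in ips}
        changes = sum(a != b for a, b in zip(answer_sets, answer_sets[1:]))
        profiles[domain] = {"ips": len(ips), "networks": len(nets),
                            "min_ttl": min(ttls[domain]), "changes": changes}
    return profiles

def looks_fast_flux(p, max_ttl=300, min_ips=5, min_networks=3):
    # Thresholds are illustrative assumptions; tune against your own DNS baseline.
    return (p["min_ttl"] <= max_ttl and p["ips"] >= min_ips
            and p["networks"] >= min_networks and p["changes"] >= 1)

def flag_domains(observations):
    profiles = flux_profile(observations)
    return sorted(d for d, p in profiles.items() if looks_fast_flux(p))

if __name__ == "__main__":
    print(flag_domains(OBSERVATIONS))
```

Requiring spread across several networks as well as a short TTL keeps ordinary load-balanced sites, such as the constructed `cdn.media.example`, from being flagged.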
F-Secure thinks that the technique connected an IP address in the Halifax phishing scheme to a DNS that the Storm botnet previously used. It also connected the IP address to Postcards-2008.com, which was used in New Year's greeting spam distributed immediately after Christmas 2007. In an F-Secure company blog, Senior Security Consultant Mikko Hypponen wrote that somebody was now using systems infected and controlled by the Storm worm to try to run phishing scams. This hadn't happened before, but something like it was expected, Hypponen remarked. Computerworld reported this on January 9, 2008.
Paul Ferguson, a network architect at Trend Micro, similarly said in a warning on January 9, 2008 that part of the Storm botnet was possibly being rented out to phishers. Computerworld reported this on January 9, 2008.
» SPAMfighter News - 19-01-2008