By Ryan Singel
January 09, 2008
Every security geek's favorite zombie computer army from 2007 -- the
Storm Worm botnet -- has a new trick for 2008, using its huge collection
of infected computers to send out phishing emails directing people to
fake banking sites that it cleverly also hosts on the computers it
remotely controls. The phishing campaign caught the attention of both
F-Secure and Trend Micro, who say Storm has never been involved in
phishing up to this point. The new campaign may indicate, according to
F-Secure, that Storm's controllers have figured out how to divide the
massive army into clusters that they are now renting out to others.
The Storm Worm botnet got its start last January with a spam email
purporting to have information about the storms that were battering
Europe at the time. Users with unpatched Windows machines who clicked on
the link in the email were infected with a Trojan that joined the
machine to the zombie army.
Storm's controllers use peer-to-peer communication to tell individual
machines what to do -- making it far harder to decapitate the army by
finding and shutting down a central server that the infected PCs call
home to. Storm also seemed to have a mechanism to fight back at security
researchers who probed infected computers. Security experts found that
their research efforts could lead Storm to direct a torrent of traffic
back at them if they weren't careful about disguising where they were
Storm's size waxed and waned through 2007, gaining users by targeting
them in the fall with offers for free NFL game tracking software and
losing hundreds of thousands when Microsoft pushed an update to its
anti-spyware tool (MSRT) which the company said cleaned more than
F-Secure and Trend Micro both reported that the phishing scam was using
a technique known as fast-flux DNS to keep the phishing site alive.
Fast-flux works by constantly changing the IP address recorded in the
internet's phone book system (known as DNS) and having many computers in
the botnet take turns hosting the phishing site. The IP address of the
phishing site was changing every second, according to F-Secure's report.
That makes it very difficult to blacklist an IP address, and since the
site isn't being hosted by a company that researchers could contact to
take it down, the site lives longer.
In F-Secure's end-of-year wrap-up they predicted that Storm would
soon be used by other online scammers:
"October brought evidence of Storm variations using unique security
keys. The unique keys will allow the botnet to be segmented allowing
"space for rent". It looks as if the Storm gang is preparing to sell
access to their botnet."
This may be what's happening now.
Paul Ferguson, an advanced threat researcher for security giant Trend
Micro, says the spam emails were sent from a different segment of the
botnet than the one hosting the phishing sites. The site used for
phishing was registered only on Monday.
"They are more brazen than ever," Ferguson told THREAT LEVEL. "This is
an issue that doesn't have an easy fix. It shows these guys have cojones
and they are more brazen than ever."
Anti-phishing filters -- such as the ones bundled into Opera, Firefox
and IE7 -- have gotten pretty good at quickly adding sites to their
blocked list, but that's only part of the solution, according to
"The issue becomes how do you work to take it down and find the
perpetrators," said Ferguson, who wrote the incident up on Trend
Micro's Malware Blog.
THREAT LEVEL would like to remind readers never to navigate to their
bank, or PayPal or Amazon via links in emails. Never. But of course you
all know that.