Storm splinters, starts phishing, say researchers

As anniversary approaches, looks like botnet's been rented out

Part of the Storm botnet appears to have been rented out to identity thieves, who are using it to conduct traditional phishing attacks that target customers of a pair of U.K.-based banks, researchers said today.

Two recent phishing attacks -- one aimed at customers of Barclays Bank, and the second at account holders of Bank of Scotland -- appear to be coming from domains associated with known campaigns designed to build out the botnet of Storm-infected PCs.

Fortinet Inc. was the first security company to confirm that the Barclays attack came from Storm-controlled machines. In a post Monday, Fortinet research engineer Derek Manky noted that the phishing e-mails originated from a Storm fast-flux domain that the botnet had used since the middle of 2007.

In fast flux, addresses are rapidly registered and deregistered with the address list for either a single DNS (Domain Name System) server or an entire DNS zone. In both cases, the strategy masks the IP address of the malware site by hiding it behind an ever-changing array of compromised machines acting as proxies. In extreme cases, the addresses change every second.

Tuesday, after the domain used in the Barclays phishing scam was shuttered by a Web domain registrar, the botnet switched domains and started sending mail to customers of Halifax, a division of Bank of Scotland, Manky said. Like the first campaign, the second tried to dupe recipients out of their bank account usernames and passwords.

Finnish security firm F-Secure Corp. connected one of the IP addresses used in the Halifax phishing scam to domains previously used by the Storm botnet, including, one of several referenced in New Year's Day greeting spam that began appearing just after Christmas.

"Somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before," said Mikko Hypponen, F-Secure's chief research officer, in a blog post today. "But we've been expecting something along these lines."

Paul Ferguson, network architect at Trend Micro Inc., echoed Hypponen in a warning of his own on Wednesday. "We can only suspect that perhaps a portion of the Storm botnet is being rented out to phishers," said Ferguson.

But Joe Stewart, a senior security researcher at SecureWorks Inc. and an expert on Storm, wasn't so sure. Through a spokeswoman, Stewart said that he had seen no hard evidence of the botnet being leased to phishers. In October, Stewart said the Trojan had added encryption to its command and control traffic, and he speculated that the move was one way the hackers could partition the army of zombie PCs in preparation for renting pieces to other criminals.

Stewart said he had not found any additional encryption keys used by Storm, which would indicate that a split had occurred.

Storm's first-year anniversary is rapidly approaching; the Trojan was first identified Jan. 17, 2007, as the malicious payload in a large spam run that used news of severe weather battering Europe as the bait to get people to open a file attachment.

Copyright © 2008 IDG Communications, Inc.

Shop Tech Products at Amazon