Storm worm used to launch phishing attacks

Summary:Security companies have discovered that computers infected by the year-old Storm worm are being used to host phishing sites.

Security companies have discovered that computers infected by the year-old Storm worm are being used to host phishing sites.

Following a phishing run on Tuesday that attempted to dupe online users of the UK's Halifax building society, F-Secure found that the IP address of the phishing sites was changing "every second or so", a characteristic of a botnet using fast-flux techniques.

On further investigation, server domains hosting the pages turned out to be compromised domains previously associated with the Storm botnet and infected with variants of the Storm Trojan.

"Somebody is now using machines infected with and controlled by Storm to run phishing scams," wrote Mikko Hypponen, F-Secure's chief research officer, in a blog post. "We haven't seen this before."

Security company Trend Micro also reported phishing attacks from Storm domains on Tuesday. The company noted that Royal Bank of Scotland customers had been targeted. Trend Micro said in a blog post it had detected the hosts "while watching domain activity normally associated with suspected RBN (Russian Business Network)-associated activities."

In October, SecureWorks security researcher Joe Stewart predicted that Storm botnet services could be sold, after Storm worm variants were detected using a 40-byte key to encrypt their peer-to-peer traffic. Each node would only be able to communicate with nodes that used the same key, effectively allowing the Storm worm authors to segment the botnet into smaller networks. Last Autumn, the Storm botnet was used to send a series of pump-and-dump stock spam waves, and an MP3-based spam run.

The original Storm worm code, so named because it coincided with a severe winter storm in Europe, will reach its first anniversary next week, on 19 January.

Topics: Banking, Malware, Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.