Security companies have discovered that computers infected by the year-old Storm worm are being used to host phishing sites.
Following a phishing run on Tuesday that attempted to dupe online users of the UK's Halifax building society, F-Secure found that the IP address of the phishing sites was changing "every second or so", a characteristic of a botnet using fast-flux techniques.
On further investigation, server domains hosting the pages turned out to be compromised domains previously associated with the Storm botnet and infected with variants of the Storm Trojan.
"Somebody is now using machines infected with and controlled by Storm to run phishing scams," wrote Mikko Hypponen, F-Secure's chief research officer, in a blog post. "We haven't seen this before."
Security company Trend Micro also reported phishing attacks from Storm domains on Tuesday. The company noted that Royal Bank of Scotland customers had been targeted. Trend Micro said in a blog post it had detected the hosts "while watching domain activity normally associated with suspected RBN (Russian Business Network)-associated activities."
In October, SecureWorks security researcher Joe Stewart predicted that Storm botnet services could be sold, after Storm worm variants were detected using a 40-byte key to encrypt their peer-to-peer traffic. Each node would only be able to communicate with nodes that used the same key, effectively allowing the Storm worm authors to segment the botnet into smaller networks. Last Autumn, the Storm botnet was used to send a series of pump-and-dump stock spam waves, and an MP3-based spam run.
The original Storm worm code, so named because it coincided with a severe winter storm in Europe, will reach its first anniversary next week, on 19 January.