/>
X
Innovation

Phishers harness Storm worm botnet

Domains associated with the Storm worm botnet are being used to host phishing sites, F-Secure and Trend Micro have warned
zd-defaultauthor-robert-vamosi.jpg
tom-espiner.jpg
Written by Robert Vamosi and  Tom Espiner on

A number of phishing sites may now be using domains previously attributed to the Storm worm botnet, according to security company F-Secure.

Following a phishing run on Tuesday that attempted to dupe online users of the Halifax building society, F-Secure found that the IP address of the phishing sites was changing "every second or so", a characteristic of a botnet using fast-flux techniques.

On further investigation, server domains hosting the pages turned out to be compromised domains previously associated with the Storm botnet and infected with variants of the Storm Trojan.

"Somebody is now using machines infected with and controlled by Storm to run phishing scams," wrote Mikko Hypponen, F-Secure's chief research officer, in a blog post. "We haven't seen this before."

Security company Trend Micro also reported phishing attacks from Storm domains on Tuesday. The company noted that Royal Bank of Scotland customers had been targeted. Trend Micro said in a blog post it had detected the hosts "while watching domain activity normally associated with suspected RBN (Russian Business Network)-associated activities."

In October, SecureWorks security researcher Joe Stewart predicted that Storm botnet services could be sold, after Storm worm variants were detected using a 40-byte key to encrypt their peer-to-peer traffic. Each node would only be able to communicate with nodes that used the same key, effectively allowing the Storm worm authors to segment the botnet into smaller networks. Last Autumn, the Storm botnet was used to send a series of pump-and-dump stock spam waves, and an MP3-based spam run.

The original Storm worm code, so named because it coincided with a severe winter storm in Europe, will reach its first anniversary next week, on 19 January.

Editorial standards

Related

How to use your phone to diagnose your car's 'check engine' light
BlueDriver Bluetooth dongle

How to use your phone to diagnose your car's 'check engine' light

Google Play malware: If you've downloaded these malicious apps, delete them immediately
a-man-sitting-in-his-living-room-looking-at-his-smartphone-with-concern

Google Play malware: If you've downloaded these malicious apps, delete them immediately

Safeguard your iPhones, iPads and Macs: Apply these security updates now
Locked iPhone in front of Mac

Safeguard your iPhones, iPads and Macs: Apply these security updates now