[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Zombie Computer Army Targets Bank Account Passwords


By Ryan Singel 
January 09, 2008 

Every security geek's favorite zombie computer army from 2007 -- the 
Storm Worm botnet -- has a new trick for 2008, using its huge collection 
of infected computers to send out phishing emails directing people to 
fake banking sites that it cleverly also hosts on the computers it 
remotely controls. The phishing campaign caught the attention of both 
F-Secure and Trend Micro, who say Storm has never been involved in 
phishing up to this point. The new campaign may indicate, according to 
F-Secure, that Storm's controllers have figured out how to divide the 
massive army into clusters which it is now renting out to others.

The Storm Worm botnet got its start last January with a spam email 
purporting to have information about the storms that were battering 
Europe at the time. Users with unpatched Windows machines who clicked on 
the link in the email were infected with a Trojan that joined the 
machine to the zombie army.

Storm's controllers use peer-to-peer communication to tell individual 
machines what to do -- making it impossible to decapitate the army by 
finding and shutting down the central server that the infected PCs call 
home to. Storm also seemed to have a mechanism to fight back at security 
researchers who probed infected computers. Security experts found that 
their research efforts could lead Storm to direct a torrent of traffic 
back at them if they weren't careful about disguising where they were 
coming from.

Storm's size waxed and waned through 2007, gaining users by targeting 
them in the fall with offers for free NFL game tracking software and 
losing hundreds of thousands when Microsoft pushed an update to its 
anti-spyware tool (MSRT) which the company said cleaned more than 
250,000 machines.

F-Secure and Trend Micro both reported that the phishing scam was using 
a technique known as fast-flux DNS to keep the phishing site alive. 
Fast-flux works by constantly changes the IP address in the internet's 
phone book system (known as DNS) and having multiple computers in the 
botnet host the phishing site. The IP address of the phishing site was 
changing every second, according to F-Secure's report. That makes it 
very difficult to blacklist a IP address and since the site isn't being 
hosted by a company that researchers could contact to take down the 
site, the site lives longer.

In F-Secure's end of the year wrap-up they predicted that Strom would 
soon be used by other online scammers:

    "October brought evidence of Storm variations using unique security 
    keys. The unique keys will allow the botnet to be segmented allowing 
    "space for rent". It looks as if the Storm gang is preparing to sell 
    access to their botnet."

    This may be what's happening now.

Paul Ferguson, an advanced threat researcher for security giant Trend 
Micro, says the spam emails were sent from a different segment of the 
botnet than the phishing sites were hosted. The site used for phishing 
was just registered on Monday.

"They are more brazen than ever," Ferguson told THREAT LEVEL. "This is 
an issue that doesn't have an easy fix. It shows these guys have cajones 
and they are more brazen than ever."

Anti-phishing filters -- such as the ones bundled into Opera, Firefox 
and IE7 -- have gotten pretty good at quickly adding sites to their 
blocked list, but that's only part of the solution, according to 

"The issue becomes how do you work to take it down and find the 
perpetrators," said Ferguson, who had wrote the incident up on Trend 
Micro's Malware Blog.

THREAT LEVEL would like to remind readers never to navigate to their 
bank, or PayPal or Amazon via links in emails. Never. But of course you 
all know that.

Visit InfoSec News