Storm botnet spreading malware through GeoCities

Hackers linked to the vanished Russian Business Network involved, says Trend Micro researcher

Storm, the botnet-building Trojan horse, has come up with another twist to dupe users into infecting their PCs with malware, a security researcher said last week.

Longtime clients of the Russian Business Network (RBN), a notorious hacker- and malware-hosting network that mysteriously vanished after shifting operations from St. Petersburg, Russia, to Shanghai are involved in the attack, said Paul Ferguson, network architect at Trend Micro.

Yesterday, Trend watched as existing bots controlled by Storm were seeded with new spam templates that included links to sites on GeoCities, the free Web hosting service owned by Yahoo. Today, Storm kicked off the new attacks. "This has developed into a full-fledged attack vector," Ferguson said.

The GeoCities sites are infected with malicious JavaScript code that redirects the user's browser to secondary URLs hosted in Turkey, Ferguson said. The Turkish URLs, meanwhile, try to persuade the user to download a new codec that's supposedly necessary to view images on the GeoCities sites. According to Trend Micro's analysis, the bogus codec -- which claims to be for the 360-degree IPIX format -- is actually an identity- and information-stealing piece of malware.

Fake codecs have become the latest choice of hackers, with several notable attacks recently relying on users' naivete about what a codec is, why it might be necessary and why they can be untrustworthy. The attacks last week that originated at hacked MySpace pages -- including R&B singer Alicia Keys' -- touted phony codecs, for example.

That Storm has turned to hyping codecs tells Ferguson that the botnet's controllers are nimble and flexible in their approach to social engineering. "They're intertwining codecs with other types of social engineering," he said.

By his reckoning, Storm has become much more than just a name for a malware family. "It's actually a covert channel of distribution for these [bad] guys," he said. "It's a communication network, a way for them to communicate information they want to seed," whether a round of spam touting penny stocks or a new piece of malware. "And it's a way for them to get what they've collected" from the now-compromised computers, he added. "It's a covert network."

Ferguson also said that there was evidence that known RBN customers were responsible for this newest use of Storm's botnet. "Some of the same RBN operators are involved," Ferguson said. "It's some of the same crew."

Recommended

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?