Part of the Storm botnet appears to have been rented out to identity thieves, who are using it to conduct traditional phishing attacks that target customers of Barclays and Bank of Scotland.
Fortinet was the first security company to confirm that the Barclays attack came from Storm-controlled machines. In a post Monday, Fortinet research engineer Derek Manky noted that the phishing e-mails originated from a Storm fast-flux domain that the botnet had used since the middle of 2007.
In fast-flux, addresses are rapidly registered and de-registered with the address list for either a single DNS (domain name system) server or an entire DNS zone. In both cases, the strategy masks the IP address of the malware site by hiding it behind an ever-changing array of compromised machines acting as proxies. In extreme cases, the addresses change every second.
Tuesday, after the domain used in the Barclays phish was shuttered by a Web domain registrar, the botnet switched domains and started sending mail to customers of Halifax, a division of the Bank of Scotland, Manky said. Like the first campaign, the second tried to dupe recipients out of their banking account usernames and passwords.
The Finnish security firm F-Secure connected one of the IP addresses used in the Halifax phishing to domains previously used by the Storm botnet, including postcards-2008.com, one of several referenced in New Year's Day greeting spam that began appearing just after Christmas.
"Somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before," said Mikko Hypponen, F-Secure's chief research officer, in a blog post Wednesday. "But we've been expecting something along these lines."
Paul Ferguson, network architect with Trend Micro, echoed Hypponen in a warning of his own on Wednesday. "We can only suspect that perhaps a portion of the Storm botnet is being rented out to phishers," said Ferguson.
But Joe Stewart, a senior security researcher at SecureWorks, and an expert on Storm, wasn't so sure. Through a spokeswoman, Stewart said that he had seen no hard evidence of the botnet being leased to phishers. In October, Stewart said the Trojan had added encryption to its command and control traffic, and speculated that the move was one way the hackers could partition the army of zombie PCs in preparation for renting pieces to other criminals.
Stewart said he had not found any additional encryption keys used by Storm, which would indicate that a split had occurred.
Storm's first-year anniversary is rapidly approaching; the Trojan was first identified Jan. 17, 2007 as the malicious payload in a large spam run that used news of severe weather battering Europe as the bait to get people to open a file attachment.