Storm botnet spreading malware through GeoCities

• XT outage may affect Telecom earnings
• OOXML not suitable for Norwegian government, says study
• IP addresses dwindle as economies recover
• Routing fault pushes NZ ISPs out of Limelight
• NZ IT sector hiring plans show upward trend

 

• Windows 7 rollout lessons learned by early adopters
• Live within your means
• Is Skype safe for business?
• Slapped in the face
• Why watching 'Lost' is like managing ERP

SUBSCRIPTIONS

Computerworld is New Zealand's only specialised information systems fortnightly.

Subscribe now for $97.50 (24 issues) and save more than 37% off the cover price!

NEWSLETTERS

Get the latest news from Computerworld delivered via email.
Sign up now

NEWSFEED

Subscribe to Computerworld's
RSS newsfeed here and get news stories as they break.

• Top 10 tech stories of the decade
• FryUp: Hit the road, LoJack and gagging the media
• Conficker botnet could flood web with spam
• Waledac bot pitches nearby terrorist bombing to dupe users
• Microsoft: Online gamers still a top malware target
• Fake sites spreading malware claim Obama won't take oath

Longtime clients of the Russian Business Network (RBN), a notorious hacker- and malware-hosting network that mysteriously vanished last week after shifting operations from St. Petersburg, Russia, to Shanghai are involved in the attack, says Paul Ferguson, network architect at Trend Micro.

Yesterday, Trend watched as existing bots controlled by Storm were seeded with new spam templates that included links to sites on GeoCities, the free web hosting service owned by Yahoo. Today, Storm kicked off the new attacks. "This has developed into a full-fledged attack vector," Ferguson says.

The GeoCities sites are infected with malicious JavaScript code that redirects the user's browser to secondary URLs hosted in Turkey, says Ferguson. The Turkish URLs, meanwhile, try to persuade the user to download a new codec that's supposedly necessary to view images on the GeoCities sites. According to Trend Micro's analysis, the bogus codec — which claims to be for the 360-degree IPIX format — is actually an identity- and information-stealing piece of malware.

Fake codecs have become the latest choice of hackers, with several notable attacks recently relying on users' naivete about what a codec is, why it might be necessary and why they can be untrustworthy. The attacks last week that originated at hacked MySpace pages — including R&B singer Alicia Keys' — touted phony codecs, for example.

That Storm has turned to hyping codecs tells Ferguson that the botnet's controllers are nimble and flexible in their approach to social engineering. "They're intertwining codecs with other types of social engineering," he says.

By his reckoning, Storm has become much more than just a name for a malware family. "It's actually a covert channel of distribution for these [bad] guys," he says. "It's a communication network, a way for them to communicate information they want to seed," whether a round of spam touting penny stocks or a new piece of malware. "And it's a way for them to get what they've collected" from the now-compromised computers, he adds. "It's a covert network."

Ferguson also said that there was evidence that known RBN customers were responsible for this newest use of Storm's botnet. "Some of the same RBN operators are involved," Ferguson says. "It's some of the same crew."