The Storm Worm botnet is now sending phishing emails that lure victims to fake banking sites which the botnet itself hosts and controls, which is what drew the attention of F-Secure and Trend Micro. The larger worry is that the zombie army built up during 2007 has since been split into many separate segments, which makes it considerably harder to take down. This is not how anyone expected 2008 to start.
Storm's campaign began last January with a spam run whose lure was the severe weather then hitting Europe. Users on unpatched Windows machines who clicked the link in the message got an unpleasant surprise: a Trojan immediately joined their computer to the zombie army.
Storm's operators had prepared the "battle" well: commands reached the infected machines through a decentralized network rather than a single central server, so defenders could not dismantle the army simply by finding and shutting down one host. At the same time, the botnet fought back, retaliating against security researchers who probed it by flooding them with traffic.
According to F-Secure and Trend Micro, the phishing site was kept alive with a technique known as fast-flux DNS: the IP address the site's hostname resolves to changes constantly, rotating through infected machines that act as front-end proxies. Because no single hosting company is serving the site, there is no one provider to notify and no single server to shut down, so the site stays up far longer than a conventionally hosted one.
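The signature of fast-flux described above (many distinct addresses, very short record lifetimes, answer sets that turn over between lookups) is what a defender can measure. The following is an added example, not code from the article or from F-Secure or Trend Micro: a heuristic detector over passive-DNS style observations. The sample observations, the use of /16 prefixes as a stand-in for ASN diversity, and the thresholds are all assumptions made for illustration.

```python
"""Heuristic fast-flux detector over passive-DNS style observations.

Added example, not from the original article. The observations below are
constructed; in practice they would come from resolver logs or a passive-DNS
feed. Thresholds are illustrative assumptions, not figures from the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Observation:
    ts: int      # seconds since epoch when the lookup was made
    name: str    # queried hostname
    ips: tuple   # A records returned for this lookup
    ttl: int     # TTL (seconds) on those A records


# Constructed sample (documentation-range addresses): a host with stable records
# versus a host whose answer set rotates through addresses in several networks.
OBSERVATIONS = [
    Observation(0,    "bank.example",      ("203.0.113.10",),                                3600),
    Observation(600,  "bank.example",      ("203.0.113.10",),                                3600),
    Observation(1200, "bank.example",      ("203.0.113.10", "203.0.113.11"),                 3600),
    Observation(0,    "login.example.net", ("198.51.100.5", "192.0.2.77", "203.0.113.200"),  180),
    Observation(300,  "login.example.net", ("192.0.2.78", "198.51.100.9", "203.0.113.201"),  180),
    Observation(600,  "login.example.net", ("192.0.2.150", "198.51.100.44", "203.0.113.5"),  120),
    Observation(900,  "login.example.net", ("192.0.2.9", "198.51.100.200", "203.0.113.77"),  120),
]

# Illustrative thresholds (assumptions, tune against your own baseline).
MIN_DISTINCT_IPS = 5     # a flux network exposes many front-end proxies
MIN_PREFIXES = 2         # spread across networks, unlike one hosting block
MAX_TTL = 300            # short TTLs force clients to re-resolve often
MIN_CHURN = 0.5          # consecutive answers share no addresses


def summarise(observations):
    """Group observations by name and compute per-name flux features."""
    by_name = defaultdict(list)
    for o in observations:
        by_name[o.name].append(o)

    features = {}
    for name, obs in by_name.items():
        obs.sort(key=lambda o: o.ts)
        all_ips, prefixes = set(), set()
        churn_events, prev = 0, None
        for o in obs:
            cur = set(o.ips)
            all_ips |= cur
            # /16 prefix count is a crude proxy for ASN diversity (assumption).
            prefixes |= {ip_network(f"{ip_address(ip)}/16", strict=False) for ip in cur}
            # Churn: the answer set shares nothing with the previous lookup.
            if prev is not None and not (cur & prev):
                churn_events += 1
            prev = cur
        features[name] = {
            "distinct_ips": len(all_ips),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(o.ttl for o in obs),
            "churn": churn_events / max(len(obs) - 1, 1),
        }
    return features


def is_fast_flux(f):
    """All four indicators must fire; any one alone also matches CDNs."""
    return (f["distinct_ips"] >= MIN_DISTINCT_IPS
            and f["distinct_prefixes"] >= MIN_PREFIXES
            and f["min_ttl"] <= MAX_TTL
            and f["churn"] >= MIN_CHURN)


def flag_fast_flux(observations):
    """Return the sorted list of hostnames that look like fast-flux."""
    return sorted(name for name, f in summarise(observations).items()
                  if is_fast_flux(f))


if __name__ == "__main__":
    for name, f in summarise(OBSERVATIONS).items():
        print(name, f, "FLUX" if is_fast_flux(f) else "ok")
```

A caveat worth keeping in mind: large CDNs also answer with many addresses and short TTLs, so a detector that looks at address count or TTL alone will drown in false positives. Requiring network diversity and answer-set churn together, as above, narrows the match, but in production you would still pair this with an allowlist of known CDN ranges and confirm by fetching the page through several of the resolved addresses.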
The bigger concern is that other online scammers will start using Storm as well: the botnet has been partitioned, and the "Storm gang" is expected to offer those segments to other criminals.
Trend Micro researcher Paul Ferguson told THREAT LEVEL that the people behind it "are more brazen than ever".
He added that anti-phishing filters, such as the ones built into Opera, Firefox and IE7, are only a small piece of a much larger puzzle. "The issue becomes how do you work to take it down and find the perpetrators".
THREAT LEVEL's advice is simple: never reach your bank, PayPal or Amazon through a link in an email. Type the address yourself or use a bookmark you created.