
Storm Botnet Spreading Malware Through GeoCities

posted on November 17, 2007
by hitbsecnews

Storm, the botnet-building Trojan horse, has come up with another twist to dupe users into infecting their PCs with malware, a security researcher said today.

Longtime clients of the Russian Business Network (RBN), a notorious hacker- and malware-hosting network that mysteriously vanished last week after shifting operations from St. Petersburg, Russia, to Shanghai, are involved in the attack, said Paul Ferguson, network architect at Trend Micro Inc.

Yesterday, Trend watched as existing bots controlled by Storm were seeded with new spam templates that included links to sites on GeoCities, the free Web hosting service owned by Yahoo Inc. Today, Storm kicked off the new attacks. "This has developed into a full-fledged attack vector," Ferguson said.

The GeoCities sites are infected with malicious JavaScript code that redirects the user's browser to secondary URLs hosted in Turkey, Ferguson said. The Turkish URLs, meanwhile, try to persuade the user to download a new codec that's supposedly necessary to view images on the GeoCities sites. According to Trend Micro's analysis, the bogus codec -- which claims to be for the 360-degree IPIX format -- is actually an identity- and information-stealing piece of malware.
