Valentine Attack Marks One-Year Anniversary of Storm Botnet

As usual, users are intrigued by an enticing subject line, this time one with a seasonal romantic theme. Upon opening the e-mail, users find only a few words in the body of the message encouraging them to follow a link to an IP address. The malicious site contains what looks like a Valentine's Day message with a giant red heart that informs users that a download "should begin shortly." The download, however, installs malware that subsequently infects users' machines.

"The IP address is another Storm server that is serving Web pages," said Jon Orbeton, strategic product manager for IronPort. "When they execute it, they become infected with Storm."

Subject lines include:

- A Dream is a Wish
- A Is For Attitude
- A Kiss So Gentle
- A Rose
- A Rose for My Love
- A Toast My Love
- Come Dance with Me
- Come Relax with Me
- Dream of You
- Eternal Love
- Eternity of Your Love
- Falling In Love with You
- For YouMy Love
- Heavenly Love
- Hugging My Pillow
- I Love You Because
- I Love You Soo Much
- I Love You with All I Am
- I Would Dream
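As an added illustration (not code from the article or from any vendor quoted in it), the traits described above, a lure subject, a body of only a few words, and a link to a raw IP address, can be combined into a simple mail-filter heuristic. The 15-word threshold, the function names and the sample messages are assumptions constructed for this example.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

# Subset of the subject lines listed in the article, lower-cased for matching.
LURE_SUBJECTS = {"a rose for my love", "eternal love", "heavenly love",
                 "come dance with me", "dream of you"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
MAX_BODY_WORDS = 15  # assumed cut-off for "only a few words"

# Constructed sample messages; 192.0.2.0/24 is a documentation-only range.
SAMPLE_LURE = ("From: a@example.com\nSubject: A Rose for My Love\n\n"
               "For you http://192.0.2.10/\n")
SAMPLE_ADMIN = ("From: it@example.com\nSubject: Router maintenance\n\n"
                "The admin console at http://192.0.2.1/ will be offline tonight "
                "between ten and eleven while we replace the power supply.\n")

def ip_literal_urls(text):
    """Return URLs whose host is a raw IP address rather than a domain name."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:  # host is a name, or the URL is malformed
            continue
        hits.append(url)
    return hits

def score_message(raw):
    """Score a message; assumes unencoded text/plain parts only."""
    msg = message_from_string(raw)
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    urls = ip_literal_urls(body)
    reasons = []
    if urls:
        reasons.append("link to bare IP address")
    if urls and len(URL_RE.sub("", body).split()) <= MAX_BODY_WORDS:
        reasons.append("near-empty body around the link")
    if (msg["Subject"] or "").strip().lower() in LURE_SUBJECTS:
        reasons.append("known lure subject")
    # One trait alone is common in legitimate mail; require two to flag.
    return {"urls": urls, "reasons": reasons, "suspicious": len(reasons) >= 2}

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_ADMIN):
        print(score_message(sample))
```

Because the subject lines change with every campaign, the IP-literal link and the near-empty body carry most of the weight; the subject set is only a supporting signal.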

Security experts say that this recent series of Valentine-related attacks follows a trend of capitalizing on holidays and high-profile media events that direct a significant amount of traffic to the Web. Within the last six months, Storm has exploited holidays such as Christmas, New Year's, Halloween and Thanksgiving. It also emerged following the recent assassination of former Pakistani Prime Minister Benazir Bhutto, and will likely come out again during other high-traffic events, such as presidential elections.

"The Storm has been around for a year. It's the Energizer Bunny of botnets," said Paul Ferguson, network architect for Trend Micro. "The only sure thing about Storm is it seems to be very plug and play. They'll follow the money."

The notorious botnet is increasingly used in multi-faceted phishing attacks, and security experts say that portions of the Storm are actually "rented out" to phishers.

"It's a natural progression for criminals expanding their horizons," said Ferguson. "That's not something we've seen them do before with Storm. As a platform of conveyance for stolen credit cards and data, we haven't really seen it do lots of spamming, or host phishing sites."

Until recently, that is. The infamous peer-to-peer botnet has been associated with several bank phishing schemes -- most recently attacking Barclays Bank customers with a social engineering message that claims to protect members against fraud by reviewing and updating their accounts.

An advisory on Fortinet's security Web site also warned that Storm botnet e-mails are currently going after customers of Halifax Bank, indicating that other banks may be targeted in future attacks.

Security researchers maintain that they are continually working to keep track of and shut down domains that have been used repeatedly in spamming attacks. But it's not easy, they say, largely because of the complex nature of fast flux networks.

"With Storm, because it has its own resources to serve Web pages, it's distributed across thousands of systems," said Orbeton. "Because it rotates, I don't think these blacklists are going to keep up."

To shut down a spamming site, researchers have to match their domains with databases used for spamming in the past, in addition to correlating domain information with other historical records, in order to build reputations and create comprehensive "red flag" lists.

Ferguson said that several new domains that have recently appeared have already started serving up copious phishing pages. And Storm-related domains have also been associated with the Russian Business Network, as well as other cyber crime organizations.

"We're fighting this battle from a couple of different angles," said Ferguson. "We're also trying to better engage law enforcement. It's a slow and steady fight. We still have to engage them as best we can."