Part of the Storm botnet appears to have been rented out to identity thieves, who are using it to conduct traditional phishing attacks that target customers of a pair of U.K.-based banks, researchers said Wednesday.
Two recent phishing attacks -- one aimed at customers of Barclays, the second at account holders of the Bank of Scotland -- appear to be coming from domains associated with known campaigns designed to build out the botnet of Storm-infected PCs.
Fortinet was the first security company to confirm that the Barclays attack came from Storm-controlled machines. In a post Monday, Fortinet research engineer Derek Manky noted that the phishing e-mails originated from a Storm fast-flux domain that the botnet had used since the middle of 2007.
In fast-flux hosting, the DNS records behind a name are changed rapidly. In single-flux, the A records for the phishing site's hostname are swapped through a rotating list of infected hosts; in double-flux, the NS records for the entire DNS zone are rotated the same way, so the name servers themselves sit on bots. In both cases the strategy masks the IP address of the real malware site by hiding it behind an ever-changing array of compromised machines acting as proxies, and the records are published with very short TTLs so that resolvers keep fetching fresh answers. In extreme cases, the addresses change every second.
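Fast-flux leaves a measurable footprint in DNS: many distinct addresses for one name, spread across unrelated networks, returned with very short TTLs, and in the double-flux case a changing set of name servers. The block below is an added example, not code from the article or from any of the researchers quoted, that applies those heuristics to a constructed passive-DNS style log. The names, addresses, thresholds and the use of /16 prefixes as a stand-in for ASN diversity are all assumptions made for illustration.

```python
"""Heuristic fast-flux detection over passive-DNS style observations.

Added example (not from the article). Thresholds are assumptions chosen for
illustration; a real deployment would tune them and replace the /16 prefix
proxy with ASN lookups.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample log (not real traffic): repeated lookups of three names
# over ten minutes. Each row is (seconds since start, qname, rrtype, ttl, rdata).
SAMPLE_DNS_LOG = [
    # a normal site: one address every time, long TTL
    (0,   "example-bank.test", "A", 3600, "198.51.100.10"),
    (300, "example-bank.test", "A", 3600, "198.51.100.10"),
    (600, "example-bank.test", "A", 3600, "198.51.100.10"),
    # a CDN-like site: a few addresses inside one block, short TTL
    (0,   "cdn.test", "A", 60, "203.0.113.5"),
    (0,   "cdn.test", "A", 60, "203.0.113.6"),
    (300, "cdn.test", "A", 60, "203.0.113.7"),
    (600, "cdn.test", "A", 60, "203.0.113.5"),
    # single-flux behaviour: scattered new addresses on every answer, tiny TTL
    (0,   "phish.test", "A", 5, "192.0.2.14"),
    (0,   "phish.test", "A", 5, "203.0.113.200"),
    (5,   "phish.test", "A", 5, "198.51.100.77"),
    (5,   "phish.test", "A", 5, "192.0.2.99"),
    (10,  "phish.test", "A", 5, "203.0.113.31"),
    (10,  "phish.test", "A", 5, "198.51.100.8"),
    # double-flux behaviour: the zone's name servers rotate as well
    (0,   "phish.test", "NS", 5, "ns1.flux-ns.test"),
    (5,   "phish.test", "NS", 5, "ns7.flux-ns.test"),
    (10,  "phish.test", "NS", 5, "ns3.flux-ns.test"),
]

# Assumed thresholds (illustrative, not a published standard).
MIN_DISTINCT_IPS = 5    # distinct A records seen for one name
MIN_DISTINCT_NETS = 3   # distinct /16 prefixes those addresses fall in
MAX_TTL = 300           # seconds; flux records are typically far lower


def summarize(log):
    """Collect per-name statistics from the observation stream."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ns": set(),
                                 "min_ttl": None, "a_records": 0})
    for _t, name, rtype, ttl, rdata in sorted(log):
        s = stats[name]
        if rtype == "A":
            s["a_records"] += 1
            s["ips"].add(rdata)
            # /16 prefix as a cheap proxy for "different network"; ASN is better.
            s["nets"].add(ip_network(f"{rdata}/16", strict=False))
            s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        elif rtype == "NS":
            s["ns"].add(rdata)
    return stats


def classify(s):
    """Label one name's statistics: stable, rotating within one network, or flux."""
    if s["a_records"] == 0:
        return "no-data"
    short_ttl = s["min_ttl"] <= MAX_TTL
    fluxing = (len(s["ips"]) >= MIN_DISTINCT_IPS
               and len(s["nets"]) >= MIN_DISTINCT_NETS
               and short_ttl)
    if fluxing and len(s["ns"]) >= 2:
        return "double-flux"      # A records and NS records both rotate
    if fluxing:
        return "single-flux"      # only the A records rotate
    if len(s["ips"]) > 1 and short_ttl:
        return "rotating-in-one-network"   # round-robin / CDN, same /16
    return "stable"


def detect(log):
    """Map every queried name in the log to a label."""
    return {name: classify(s) for name, s in summarize(log).items()}


if __name__ == "__main__":
    for name, label in sorted(detect(SAMPLE_DNS_LOG).items()):
        print(f"{name:20s} {label}")
```

The CDN-like name is kept apart from the flux name by network diversity rather than by address count alone: legitimate round-robin and CDN records also change often and carry short TTLs, so a detector that keys only on TTL or on the number of A records will page on them constantly.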
On Tuesday, after the domain used in the Barclays phish was shut down by its registrar, the botnet switched domains and began sending mail to customers of Halifax, a division of the Bank of Scotland, Manky said. Like the first campaign, the second tried to trick recipients into handing over their online banking usernames and passwords.
The Finnish security firm F-Secure connected one of the IP addresses used in the Halifax phish to domains previously used by the Storm botnet, including postcards-2008.com, one of several referenced in New Year's Day greeting spam that began appearing just after Christmas.
"Somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before," said Mikko Hypponen, F-Secure's chief research officer, in a blog post Wednesday. "But we've been expecting something along these lines."
Paul Ferguson, network architect with Trend Micro, echoed Hypponen in a warning of his own on Wednesday. "We can only suspect that perhaps a portion of the Storm botnet is being rented out to phishers," said Ferguson.
But Joe Stewart, a senior security researcher at SecureWorks and an expert on Storm, wasn't so sure. Through a spokeswoman, Stewart said that he had seen no hard evidence of the botnet being leased to phishers. In October, Stewart had reported that the Trojan's command-and-control traffic was newly encrypted, and speculated that the change was one way its operators could partition the army of zombie PCs in preparation for renting pieces of it to other criminals.
Comments (1)
Networks get used for anything they can do...
By Anonymous on May 2, 2008, 10:29 am
Like any other network, Storm is merely a tool. Granted, that tool was used mostly to build itself, but it can now be used for anything any other network can be...