The Storm Worm botnet learns some new tricks - like phishing.

Jan 10, 2008

Scarcely one year after the initial appearance of the Storm Worm and its resulting botnet, some heretofore untapped functionality has been pushed out in one update or another in just the past couple of days: not only is the botnet sending out phishing-related spam, but the phishing sites are hosted on the infected machines themselves. The information security community is speculating that it may now be possible for the controller of the botnet to partition it and assign different tasks to different segments of the infected net.population. As if that weren't problem enough, the domains that the phishing sites use update their DNS records every couple of seconds (a method called fast-flux DNS addressing), so every time you go to that domain, you're actually contacting a different IP address. As a result, blocking a small number of IP addresses at the local level isn't an option.

As they say, 'interesting times'.
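
The fast-flux behaviour described above leaves a recognisable pattern in resolver logs: very short TTLs and answers spread across many unrelated networks. The Python sketch below is an added example, not part of the original post; the thresholds, domain names and log tuples are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Heuristic thresholds: assumptions for this sketch, tune against your own DNS logs.
MAX_TTL = 300   # fast-flux records are served with very short TTLs
MIN_IPS = 5     # distinct A-record addresses seen in the window
MIN_NETS = 3    # distinct /16 networks those addresses fall in

# Constructed resolver-log sample: (unix_time, domain, answer_ip, ttl).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE = [
    (1000, "secure-login.example", "192.0.2.10", 3),
    (1003, "secure-login.example", "198.51.100.77", 3),
    (1006, "secure-login.example", "203.0.113.5", 3),
    (1009, "secure-login.example", "192.0.2.201", 3),
    (1012, "secure-login.example", "203.0.113.90", 3),
    (1000, "www.example", "192.0.2.1", 3600),
    (1300, "www.example", "192.0.2.2", 3600),
    # Low TTL and many addresses, but one network: typical of a load-balanced service.
    *[(1000 + i, "cdn.example", f"198.51.100.{i + 1}", 30) for i in range(6)],
]

def summarize(observations):
    """Aggregate per-domain answer diversity from resolver log tuples."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for _ts, domain, ip, ttl in observations:
        name = domain.lower().rstrip(".")
        ips[name].add(ipaddress.ip_address(ip))
        ttls[name].append(ttl)
    report = {}
    for name, addrs in ips.items():
        # Collapse each IPv4 answer to its /16 to measure network spread.
        nets = {ipaddress.ip_network(f"{a}/16", strict=False) for a in addrs if a.version == 4}
        report[name] = {"ips": len(addrs), "nets": len(nets), "max_ttl": max(ttls[name])}
    return report

def fast_flux_suspects(observations):
    """Return domains whose answers look like fast-flux under the thresholds above."""
    return sorted(
        d for d, s in summarize(observations).items()
        if s["max_ttl"] <= MAX_TTL and s["ips"] >= MIN_IPS and s["nets"] >= MIN_NETS
    )

if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE).items():
        print(domain, stats)
    print("suspects:", fast_flux_suspects(SAMPLE))
```

Requiring network spread as well as a short TTL keeps the load-balanced `cdn.example` entry from being flagged, which a TTL-only rule would get wrong.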