There was another twist today in the Nuwar story: it is now being used to host phishing sites. The gang behind this prolific malware has registered several domain names similar those used by well-known banks such as Barclays and Halifax and is directing web requests for these misspelled domain names to computers infected with Nuwar. The infected computers run web servers that serve a fake login page to steal the user name and password of any visitor who enters their information.
One way to determine that this phishing scheme is related to Nuwar is to perform a domain name server lookup for the rogue domain name. A new IP address will be returned every time, and while some banks' web sites do have multiple IP addresses assigned to them for redundancy and load-balancing, the sheer number of IP addresses returned is typical of fast flux domains (see http://en.wikipedia.org/wiki/Fast_flux for more information). Performing an HTTP request directly to the returned IP address instead of the rogue domain name will return the download message we discussed in our last post.
There is one important difference between Nuwar's phishing pages and the real bank's login pages: the banks' uses encryption. We strongly recommend always verifying that your transaction is encrypted before entering any sensitive information in a web form.
Other interesting reading on Nuwar:
- Storm goes phishing: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080108
- Measuring the Success Rate of Storm worm: http://honeyblog.org/archives/156-Measuring-the-Success-Rate-of-Storm-Worm.html
Pierre-Marc Bureau
Researcher