
Archive for November 15th, 2007


Nov15
by Roderick Ordoñez (Technical Communications)

Storm is back, and according to TrendLabs researchers, the infamous malware family has added yet another twist to its tactics.

“(It) looks like Yahoo! will have its hands full in the next couple of days,” Senior Threat Researcher Ivan Macalintal says. “There are limited reports that the Storm worm may be spamming emails with links to a Geocities site. This was seen in the monitoring of the spam templates being sent via Storm communications to its botnets.”

An example of a Geocities URL found in the spam templates is: http://geocities.com/{BLOCKED}Ramirez26.

The links contained within the said messages point to various accounts created under the popular Yahoo!-managed Geocities site. However, what appear to be links to personal Web sites hosted on Geocities are actually URLs that redirect to http://{BLOCKED}.{BLOCKED}.238.36/aes/, where the user is coaxed into downloading an “iPix plug-in” (from http://{BLOCKED}.{BLOCKED}.238.36/iPIX-install.exe).

Unfortunately, the iPix plug-in, which Trend Micro detects as TROJ_ZBOT.BJ, downloads more malicious files from the following sites:

  • http://{BLOCKED}.255.94.99/bot/filenl.bin
  • http://{BLOCKED}.255.94.99/bot/filenl2.exe

The said URLs have been observed to host phishing sites in the past.
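As an added example (not code from the original post), the redirect pattern described above can be flagged in proxy logs: a hop from a free-hosting domain to a bare-IP host, followed by an executable download from that host. The log lines, client addresses and the 192.0.2.36 host below are constructed, not the blocked addresses from the report.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the original post): client IP, request
# URL, HTTP status and the Location header the server returned ("-" if none).
LOG = """\
10.0.0.5 http://geocities.com/examplepage26 302 http://192.0.2.36/aes/
10.0.0.5 http://192.0.2.36/aes/ 200 -
10.0.0.5 http://192.0.2.36/iPIX-install.exe 200 -
10.0.0.7 http://geocities.com/familyphotos 200 -
10.0.0.9 http://geocities.com/otherpage 302 http://www.example.org/blog/
"""

FREE_HOSTS = {"geocities.com"}  # free web hosts abused as the first hop

def is_bare_ip(host):
    """True if the host component is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse(log):
    for line in log.splitlines():
        client, url, status, location = line.split()
        yield client, url, int(status), None if location == "-" else location

def suspicious_redirects(log):
    """Return (client, free-host URL, target) for redirects that jump
    from a free hosting site straight to a bare-IP host."""
    hits = []
    for client, url, status, location in parse(log):
        if status not in (301, 302, 303, 307) or not location:
            continue
        src = (urlsplit(url).hostname or "").lower()
        dst = urlsplit(location).hostname or ""
        if src.startswith("www."):
            src = src[4:]
        if src in FREE_HOSTS and is_bare_ip(dst):
            hits.append((client, url, location))
    return hits

def executables_from_ip_hosts(log):
    """Executable downloads served from bare-IP hosts (the second stage above)."""
    return [url for _, url, _, _ in parse(log)
            if is_bare_ip(urlsplit(url).hostname or "")
            and url.lower().endswith(".exe")]
```

Pairing the two results by client (10.0.0.5 here) gives the full chain from the Geocities lure to the dropped executable.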

This newest chapter in the Storm saga proves that the creators of the said malware are still very much active. Its use of a popular free server like Geocities and disguising itself as a plug-in may mean that they are still looking for more systems to infect. Storm has been notorious for its changing routines, and one could only guess how — and when — the Storm malware will attack next.

Posted in Malicious Sites

Nov15
by Carolyn Guevarra (Technical Communications)

We are accustomed to malware authors releasing malware every time Microsoft publishes security bulletins on Patch Tuesday. True enough, TrendLabs has yet again received reports of malware taking advantage of this month’s Patch Tuesday to lure victims into downloading copies of itself.

Detected by Trend Micro as TROJ_DROPPER.DCU, this malware disguises itself as a new Microsoft security patch for Windows by using file names such as WindowsXP-KB923810-x86-ENU.exe and MSWORDRC2007Update-K79342.exe, which appear to be very similar to the name format of a Microsoft fix patch file.

One interesting characteristic of this Trojan is that it may also drop a legitimate Microsoft patch for the Kodak Image Viewer Vulnerability, making it appear that the downloaded Trojan is also a legitimate file. These malicious files were reportedly hosted on certain IP blocks in a new hosting provider’s IP space, and were being employed by the notorious Russian Business Network operatives.

Users should know by now never to download security patches from any Web site other than the Microsoft Windows Update page.

Information provided by Trend Micro Network Architect Paul Ferguson

Posted in Malware

Nov15
by Roderick Ordoñez (Technical Communications)

IRS (Internal Revenue Service) spam that leads to phishing sites is in circulation again! The new spam informs the user that he is eligible for a tax refund and must fill out a form to receive it.

The link within the spammed email message does not look like an official IRS address: http://{BLOCKED}adoralive.de/images/upload/user/427/stats/awstats/.money/ssl/refund.php.

See image below:

{IRS refund email}

Clicking the link points to the page below:

{IRS refund site}

The page does use the IRS logo, however, and looks very similar to the official IRS site, which could deceive a less experienced Internet user.

Clicking the “Tax Refund Online Form” link leads to a bogus form page which actually phishes for sensitive user information. These spammers-phishers have also been so kind as to include the following reminders:

  • For security reasons, we will record your ip-address and date.
  • Deliberate wrong inputs are criminally pursued and indicted.

The “refund” angle may be old (see here and here), but apparently it is yet to be exhausted. More inventive techniques have used the agency’s name in asking for contributions to the victims of the California wildfires in early November, serving malware in a complaint form, or using a voice message to deliver the message.

Note that the IRS would never contact anyone using email, as stated in the IRS’s official site. To learn more about phishing attempts of this kind, read the official site’s interesting page dedicated to IRS-related scams.

Posted in Phishing, Spam

Nov15
by Macky Cruz (Technical Communications)

Microsoft released two heavy-hitting patches this Tuesday:

Critical Bulletins:

MS07-061
Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)

Important Bulletins:

MS07-062
Vulnerability in DNS Could Allow Spoofing (941672)

The first one ends the long wait for a patch addressing the URI-handling vulnerability demonstrated in a cross-browser scripting proof of concept last July. The second one addresses a vulnerability in DNS that could allow malicious users to spoof a page.

Users are urged to download the above patches to protect themselves from the related attacks.


Posted in Microsoft, Vulnerabilities
