The Storm Trojan is using Yahoo's GeoCities service as an attack vector to infect PCs, according to security researchers.

Long-time clients of the Russian Business Network (RBN), a notorious hacker network that mysteriously vanished last week after moving from St Petersburg to Shanghai, are involved, said Paul Ferguson, network architect at Trend Micro.

Trend watched as bots controlled by Storm were seeded with new spam templates that included links to GeoCities, the free web hosting service. Storm then kicked off the new attacks. "This has developed into a full-fledged attack vector," Ferguson said.

The GeoCities pages are infected with JavaScript that redirects users to URLs hosted in Turkey, Ferguson said. The Turkish sites try to persuade the user to download a new codec that's supposedly necessary to view images on the GeoCities sites. According to Trend, the bogus codec, which claims to be for the 360-degree IPIX format, is actually an identity-stealing piece of malware.

Fake codecs are the latest choice of hackers, with several notable attacks recently relying on users' naivete about what a codec is, why one might be necessary and why codecs can be untrustworthy. The attacks last week that originated at hacked MySpace pages, including singer Alicia Keys' profile, touted phony codecs.

That Storm has turned to hyping codecs tells Ferguson that the botnet's controllers are nimble and flexible in their approach to social engineering. "They're intertwining codecs with other types of social engineering," he said.

By his reckoning, Storm has become much more than just a name for a malware family. "It's actually a covert channel of distribution for these [bad] guys," he said. "It's a communication network, a way for them to communicate information they want to seed," whether a round of spam touting penny stocks or a new piece of malware. "And it's a way for them to get what they've collected" from the now-compromised computers, he added. "It's a covert network."

Ferguson also said that there was evidence that known RBN customers were responsible for this newest use of Storm's botnet. "Some of the same RBN operators are involved," Ferguson said. "It's some of the same crew."