08/30/2005 - Starting with Downloader.CYZ, a chain of malware specimens launches a succession of actions to steal all types of confidential user information.
PandaLabs has detected an Internet address specially crafted to launch a complex combined attack that can employ a number of different malware specimens. The greatest danger of this attack is that it begins simply when users visit a certain Internet address, designed to exploit possible vulnerabilities on the computers connecting to the page.
Visitors to this site are served an encrypted JavaScript that conceals a second piece of code. This code uses specially crafted objects and exploits vulnerabilities in an attempt to download Trj/Downloader.CYZ onto the computer.
When this Trojan runs, it tries to grant itself debug privileges over other programs, which would enable it to terminate processes, create remote execution threads, etc. It then copies itself to %temp%sstchst.exe and executes that copy, deleting the initial file. It also tries to download from other web addresses, save on the system and execute two files, file1.exe and file2.exe, which contain two malicious codes, Trj/Banker.VY and Trj/Dumarin.L. To prevent users from being warned of the danger, the Trojan is also able to close windows normally associated with security warnings. On each infection, Downloader.CYZ connects to a website that appears to act as a counter of the number of infections.
Trj/Banker.VY copies itself to the system under the name nbthlp.exe, creating a Windows registry entry to ensure it is executed at every startup. However, the real danger of this Trojan lies in the fact that it is designed to intercept information entered by users when connecting to the web pages of numerous financial entities around the world.
It achieves this through two actions:
- It launches a DNS request to resolve a domain, and through this it obtains the addresses of hundreds of spoofed bank web pages to be used in phishing attacks. It then modifies the HOSTS file, creating hundreds of entries corresponding to the banking institutions it wants to control. This means that when the user requests these pages, they are presented with the spoofed sites whose addresses the Trojan has obtained.
- In addition, the Trojan carries in its code a list of character strings, grouped by banking entity: if the user enters any combination of these character strings, they are redirected to the simulated bank website, from which the fraud can be carried out.
The reasoning behind this refinement of phishing techniques could be to overcome the problem of variable addresses, which cannot be handled simply by modifying the HOSTS file. In this way, if all the variable addresses share a common component, they can also be targeted.
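The HOSTS-file tampering described above leaves an artefact a defender can check for: many financial hostnames mapped to the same non-loopback address. The following script is an example added to this article, not part of the original report or of Panda's tooling; it parses a HOSTS file and groups financial-looking names by the address they are pointed at. The keyword list, the sample HOSTS content and the addresses in it are constructed for the example.

```python
"""Audit a Windows HOSTS file for pharming-style entries of the kind
Trj/Banker.VY is described as writing: many bank hostnames pointed at an
attacker-controlled address. Added example, not Panda's tooling."""
import ipaddress
import re
# Targets a clean HOSTS file normally maps names to.
BENIGN_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names containing these should never be resolved via HOSTS (constructed list).
FINANCIAL_KEYWORDS = ("bank", "paypal", "passport", "skype", "webmail")
# <address> <one or more names> [# comment]
HOST_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*(?:#.*)?$")

def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blanks, comments and bad lines."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address
        pairs.extend((ip, n.lower()) for n in names)
    return pairs

def find_suspicious(text, keywords=FINANCIAL_KEYWORDS):
    """Group financial-looking hostnames by the non-benign address they map to.
    Many such names collapsing onto one address is the pharming signature."""
    hits = {}
    for ip, name in parse_hosts(text):
        if ip not in BENIGN_TARGETS and any(k in name for k in keywords):
            hits.setdefault(ip, []).append(name)
    return hits

# Constructed sample: two normal entries, then injected lines of the kind
# the Trojan is described as creating (hostnames and addresses made up).
SAMPLE_HOSTS = """# sample hosts file (constructed)
127.0.0.1       localhost
192.168.1.20    intranet.example.internal
203.0.113.45    www.examplebank.test online.examplebank.test   # injected
203.0.113.45    login.otherbank.test
"""

if __name__ == "__main__":
    for ip, names in find_suspicious(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(names)} financial hostnames -> {', '.join(names)}")
```

On a real system the same functions can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts; a legitimate file rarely maps more than a handful of names to anything other than loopback.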
Trj/Dumarin.L, for its part, leaves a series of files on the compromised computer, each with a specific role:
- One of the files, detected as Trj/MiniLD.C, is injected into all system processes, allowing Dumarin.L to inspect the titles of certain windows and, depending on these, capture information and write it to a log file.
- The second file acts as an identifier for the compromised computer.
- The third file saves information the user copies to the clipboard.
- Finally, the fourth operates as a backdoor, allowing the Trojan to receive remote commands. In addition, to evade process-based firewalls, Dumarin.L creates an Internet Explorer child process, into which it injects itself and from which it listens.
All the information gathered is collected in a temporary folder and then sent to a remote server. At the time of writing, this information exceeds 20 MB and contains highly confidential data that could allow anyone to access online accounts for banks, Skype, MS Passport, webmail, etc.
According to Luis Corrons, director of PandaLabs: "If one thing stands out about this attack, it is the careful preparation involved. The Banker.VY Trojan monitors numerous bank websites and convincingly spoofs them, demonstrating some extensive research work on behalf of the creator. Dumarin.L on the other hand, can steal information from numerous applications. It would seem clear then that the trend among malware developers to make a living from their creations is continuing."
To prevent any of these Trojans from entering your computer, Panda Software recommends keeping antivirus software up to date. Panda Software clients can already access the updates to detect and disinfect these new malicious codes.
Panda Software clients that don't yet have TruPrevent™ Technologies can already install the available updates alongside their antivirus to ensure they have preventive protection against unknown viruses and intruders. For users with a different antivirus program installed, Panda TruPrevent™ Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the antivirus is being updated, decreasing the risk of infection. More information about TruPrevent™ Technologies at http://www.pandasoftware.com/truprevent
To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.pandasoftware.com/home/default.asp. Webmasters who would like to include ActiveScan on their websites can get the HTML code, free of charge, from http://www.pandasoftware.com/partners/webmasters.
Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts, just visit Panda Software's website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form.
For further information about these and other computer threats, visit Panda Software's Encyclopedia.
About PandaLabs
Since 1990, PandaLabs' mission has been to analyze new threats as soon as possible to ensure that our clients are safe. Several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), work 24x7 to offer global coverage. To do this they are supported by TruPrevent™ Technologies, a truly global early warning system made up of strategically distributed sensors that neutralize new threats and send them to PandaLabs for in-depth analysis. According to AV-Test.org, PandaLabs is the fastest in the industry to offer complete updates (more information at www.pandasoftware.com/pandalabs.asp).
Oxygen3 24h-365d
by Panda Software