Monthly Archives: August 2010

A Cave Monster from Hell Wants Your Financial Data

Posted on by

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

By Andrew Brandt

A novel and pretty sneaky Trojan designed to steal financial data appeared on our radar screen last week. The Trojan, once installed on a victim’s computer, rootkits itself to prevent detection, then watches the victim’s browser for any attempt to connect to the secured, HTTPS login page of several online banks. When the victim visits the login page the Trojan has been waiting for, the Trojan generates a form that “hovers” over the login page asking for additional verification information.

“In order to provide you with extra security, we occasionally need to ask for additional information when you access your accounts online,” reads the popup window. Everybody needs extra security, right?

Of course, the additional information that the bank appears to be asking for is all information the bank already should have if you have an account there: The number on your credit and debit cards; a Social Security number; your date of birth and mother’s maiden name; The PIN code for your debit card and the security code printed on the front of any credit card issued by the bank.

The problem is, the form completely blocks the full page, preventing you from logging in — until you fill in all the fields in the form it displays. Then it sends that information (encrypted with SSL, mind you) to a server at the IP address 121.101.216.234, part of the address space allocated to Beijing Telecom.

Your bank may outsource some of its customer service tasks, but stealing your financial identity isn’t part of the normal services your bank provides.

Continue reading

Subscription Renewal Spam Points to Drive-by

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Dear Customers: Please be aware that a crew of Russian malware distributors are circulating a spam message which looks like a subscription renewal confirmation from Best Buy, allegedly for one of our products.

The linked text in the message, however, leads to a Web site which performs a drive-by download. Please don’t click the links in the message; If you have any questions about your subscription, please contact support.

The spammers appear to have done some homework. Some, but not enough. Best Buy currently sells our products through their online software subscription service. Note to spammers: If you’re going to try to hijack our trademark, the least you could do is get the name right. Best Buy doesn’t sell anything called Webroot Spysweeper with Antivirus Product. Nor do we.

The email message claims it is a notice that your subscription has been renewed, and includes a serial number (which doesn’t work) and a transaction date of July 17.

The link in the message leads to the Web site of a small bed and breakfast in New Zealand, which has been compromised. We’ve informed the owners of that Web site of the spam campaign and asked them to take down the page referenced in the spam message.

I guess we struck a nerve, hurt some sensitive malware author’s pwetty widdle feewings, and ended up a target for attack, one that falls down. Too bad, so sad.

Continue reading

Blackhat SEO of Google Images Links to Rogue AV

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Yesterday, a few of the Threat Research folks and I had a little fun playing with a hack that had, for one day at least, pretty much decimated Google’s Image Search feature. One researcher, who stumbled into the attack purely by chance, found that a Google Images link to a map of the United States was, instead, redirecting hapless Web surfers to pages that deliver an installer of a rogue antivirus in the Security Tool family of fine, fraudulent products.

What really caught our interest was how the hack behaved, depending on the operating system and browser you used. With each different browser configuration, we were treated to one of several different, specially crafted malware delivery Web pages.

I’m not sure when the attack started, but we started analyzing it at around 10am, Mountain time. By late afternoon, the sites were offline and the attack no longer worked.

To test the extent of the hack, we played around with the manipulated search results using five different browsers: Internet Explorer 6 and 8, Safari 5, Google Chrome, and Firefox. All the browsers were set up with default settings in an otherwise identical installation of Windows XP SP3. We then searched for USA Map and clicked the second result that appeared under the header “Images for usa map.” (All but the first image result that appeared on that first page of results linked to the malicious Web site.)
Continue reading