Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    May 2012
    S M T W T F S
    « Apr   Jun »
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Archive for May 15th, 2012




    We recently found some suspicious looking URLs which suggest that a malicious file named ChromeSetup.exe is hosted in domains like Facebook and Google.

    The finding, which we were able to flag during our analysis of data processed by the Trend Micro™ Smart Protection Network™ definitely caught our attention.

    Looking at data from the Smart Protection Network™, we were able to find 3 different binary files that appear to be downloaded from the following URLs:

    • hxxp://br.msn.com/ChromeSetup.exe
    • hxxp://www.facebook.com.br/ChromeSetup.exe
    • hxxp://www.facebook.com/ChromeSetup.exe
    • hxxp://www.globo.com.br/ChromeSetup.exe
    • hxxp://www.google.com.br/ChromeSetup.exe
    • hxxp://www.terra.com.br/ChromeSetup.exe

    When we took a closer look at the downloads, we identified that all downloads are being redirected to two different IPs, instead of the legitimate IPs of the accessed domains. What’s more noteworthy is the fact were seeing access in clients from the Latin American region, mostly in countries Brazil and Peru.

    An analysis of the file ChromeSetup.exe done by my colleagues Roddell Santos and Roland dela Paz verified that it is a multi-component BANKER malware detected as TSPY_BANKER.EUIQ.

    Once running on a system, TSPY_BANKER.EUIQ sends information such as the infected system’s IP address and operating system name to a specific IP address. It also downloads a configuration file that contains information it uses to redirect access to fake banking pages whenever a user attempts to visit certain banking websites.

    When a user opens a targeted bank’s site, TSPY_BANKER.EUIQ intercepts the page request and displays the following message, tricking users into thinking that the website is loading security software where in fact it is already redirecting users to the spoofed banking website:

    It then opens Internet Explorer to go to the new link depending on the browser’s title. Screenshot of a fake site is below. Notice the “_” before the name in the window title, as well as the URL of the banking site:

    TROJ_KILSRV.EUIQ, a component of this TSPY_BANKER.EUIQ, on the other hand, uninstalls a software called GbPlugin–a software that protects Brazilian bank customers when performing online banking transactions. It does this through the aid of gb_catchme.exe–a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas.

    Further Investigation

    A more in-depth investigation allowed us to gain access on the page index where TSPY_BANKER.EUIQ downloaded configuration files from. The same index page hosted the three binary files that the malware used aside from the configuration file that we saw in the same location.

    Roland analyzed the IP to where TSPY_BANKER.EUIQ sends the infected system’s IP address and operating system name, and found a panel that appears to show logs related to the attack.

    During the time the C&C panel was analyzed, we have observed an abrupt increase on the registered logs. In fact, the phone home logs jumped from around 400 to nearly 6000 in a span of 3 hours. These logs are comprised of 3000 unique IP addresses which translates to the number of machines infected by the malware.

    The server, unfortunately, soon became inaccessible. However, the abrupt increase in the malware C&C logs could either mean that there was an outbreak of the malware or they might be migrating their C&C server at the time. It also appears that the attack is targeting Brazilian users and it is targeting Brazilian banks.

    Since the start of this analysis, we have also been seeing variations of the BANKER malware we analyzed during this investigation in the wild. The first few samples that we got installed the three components separately, but now we are getting new samples that are able to install the different components in one package. It looks like this malware is still under development and we may still see improvements in future variants. Roland also mentions that he came across a likely related C&C that surface last October 2011 which indicates that the perpetrators behind this threat aren’t new in the scene.

    Missing Piece

    While we may have a complete picture of this particular attack, the one missing piece now is the same thing that made us notice this malware from the millions of data that we have from our threat intelligence – how it is able to redirect user accesses from normal websites like Facebook or Google to its malicious IP to download malware. We will continue our investigation related to this incident and will update this blog with our findings.

    Online threats will continue to evolve and find ways into systems. As such, traditional web blocking technologies may fail to block access to malicious URLs, especially when these are masked with the use of legitimate domains like those of Facebook or Google.

    This is where a telemetry such as the Trend Micro™ Smart Protection Network™, which provides intelligence derived from a global network of threat data, becomes vital. This technology not only allows us to identify and correlate emerging attacks worldwide, but also lets us instantly deploy the proper threat mitigation solutions on customer environments.

     



    As we do more and more things online and with our digital devices, one thing is sure: we accumulate more and more digital junk. Movies we don’t watch, songs we don’t listen to, apps we don’t use.

    How much digital clutter do users have? Quite a lot, as it turns out. On average, people have far more data – in the form of music, movies, and files – than they can use or consume. On average, they use only about a fifth of what they actually have. They have enough music for almost two full weeks of non-stop music listening.

    The digital clutter extends to the mobile space and social media, too. If you’re on Facebook or Twitter chances are many of your friends and followers aren’t people you know, if they’re even people at all! Our full findings are in latest infographic Mapping Out Your Digital Life, which was featured on Mashable.

    Now that you know how much digital clutter you have, what should you do about it? For that, you can consult our previous e-guide, Putting an End to Digital Clutter.

     
    Posted in Bad Sites | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice