TrendLabs Malware Blog - Trend Micro
Two new spam campaigns spreading variants of the BANKER family of identity-stealing Trojans have recently emerged. The first campaign features spammed messages containing malicious links to supposed pictures; users who clicked them instead ended up with TSPY_BANKER.OCN infections. This campaign made use of standalone files (see Figure 1).

The second campaign was more elaborate, as the involved malware (detected as TSPY_BANKER.MTX) had two components—one steals banking-related information while the other steals email account information (see Figure 2).

[Figure 1 and Figure 2: screenshots of the two campaigns (images not reproduced)]

Both campaigns may, however, be related, as the information they steal from users ends up in drop zones hosted on the same Web server:

• {BLOCKED}unicaobr.com/phps/procopspro.php
• {BLOCKED}unicaobr.com/working/lisinho.php

Looking up webcomunicaobr.com revealed the following hosting details:

IP: 69.162.102.130 (hosted in the USA)
ASN: AS46475 LIMESTONENETWORKS Limestone Networks Inc. (primary ASN)
Name servers: ns1.brasilrevenda.com, ns2.brasilrevenda.com
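The linkage above rests on a standard analyst pivot: two samples that post stolen data to different paths on the same host, and hence the same IP, are likely run by the same operators. The script below, an added example rather than Trend Micro's own code, does that pivot over a small record set. The two drop-zone URLs, the IP, the ASN and the name servers are the values quoted in this post; the third campaign and the lookup table that stands in for a WHOIS or passive-DNS service are constructed for illustration. It goes slightly beyond the post by also emitting the indicator list (URLs, hosts, IPs) a defender would feed to web and DNS filtering.

```python
"""Pivot on shared drop-zone infrastructure to link spam campaigns.

Added example (not Trend Micro's code). The drop-zone URLs, IP, ASN and
name servers below are the ones quoted in the post; the third campaign
and the lookup table standing in for a WHOIS/passive-DNS service are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DropZone:
    campaign: str      # label for the spam run that delivered the sample
    detection: str     # Trend Micro detection name of the sample
    url: str           # PHP drop zone the sample posts stolen data to


@dataclass(frozen=True)
class HostInfo:
    ip: str
    asn: str
    nameservers: tuple


# Observations from the post. "{BLOCKED}" is the post's own redaction of the
# domain and is kept as written here.
OBSERVED = [
    DropZone("campaign-1", "TSPY_BANKER.OCN",
             "http://{BLOCKED}unicaobr.com/phps/procopspro.php"),
    DropZone("campaign-2", "TSPY_BANKER.MTX",
             "http://{BLOCKED}unicaobr.com/working/lisinho.php"),
    # Constructed, unrelated campaign: shows that clustering does not merge
    # everything into one group.
    DropZone("campaign-3", "TSPY_BANKER.EXAMPLE",
             "http://dropzone.example.invalid/collect.php"),
]

# Stand-in for a WHOIS / passive-DNS lookup. The first entry carries the
# hosting data quoted in the post; the second entry is constructed.
LOOKUP = {
    "{BLOCKED}unicaobr.com": HostInfo(
        "69.162.102.130", "AS46475",
        ("ns1.brasilrevenda.com", "ns2.brasilrevenda.com")),
    "dropzone.example.invalid": HostInfo(
        "203.0.113.7", "AS64496", ("ns1.example.invalid",)),
}


def host_of(url: str) -> str:
    """Return the host part of a URL (scheme, path and port stripped).

    Hosts are compared exactly as written so the post's {BLOCKED} marker
    survives; a production version would also lower-case them.
    """
    rest = url.split("://", 1)[1] if "://" in url else url
    return rest.split("/", 1)[0].split(":", 1)[0]


def cluster_by_ip(zones, lookup):
    """Group campaign labels by the IP their drop-zone host resolves to."""
    clusters = defaultdict(set)
    for z in zones:
        info = lookup.get(host_of(z.url))
        if info is None:
            continue           # no hosting data: cannot pivot on this record
        clusters[info.ip].add(z.campaign)
    return dict(clusters)


def linked_campaigns(zones, lookup):
    """Return {ip: sorted campaigns} for IPs shared by more than one campaign."""
    return {ip: sorted(c) for ip, c in cluster_by_ip(zones, lookup).items()
            if len(c) > 1}


def blocklist(zones, lookup):
    """Indicators to feed to web/DNS filtering: drop URLs, hosts and their IPs."""
    urls = sorted({z.url for z in zones})
    hosts = sorted({host_of(z.url) for z in zones})
    ips = sorted({lookup[h].ip for h in hosts if h in lookup})
    return {"urls": urls, "hosts": hosts, "ips": ips}


if __name__ == "__main__":
    for ip, camps in linked_campaigns(OBSERVED, LOOKUP).items():
        print(f"{ip}: {', '.join(camps)} share drop-zone hosting")
    print(blocklist(OBSERVED, LOOKUP))
```

Running it reports that campaign-1 and campaign-2 share 69.162.102.130 while the constructed third campaign stays separate. The same pattern extends naturally to pivoting on shared name servers or ASN, which is how an analyst would widen the search from one server to the operator's wider hosting.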

Digging a little deeper, three interesting pages cropped up: one revealed the number of systems each contracted spammer has infected so far (see Figure 3), another listed the PHP servers where stolen information is sent (see Figure 4), and a third listed files containing encrypted information downloaded by infected hosts (see Figure 5).

[Figure 3, Figure 4 and Figure 5: screenshots of the spammer statistics page, the drop-server list and the download list (images not reproduced)]

More spam campaigns from the said Web server may be seen in the days to come. Trend Micro product users need not worry, however, as they are protected by the Smart Protection Network™, which blocks the spammed messages and user access to the malicious sites and domains, and prevents the download of the malicious files detected as TSPY_BANKER.OCN and TSPY_BANKER.MTX.
© Copyright 2013 Trend Micro Inc. All rights reserved.