Virus Coordinator for Trend Micro Latin America Jose Lopez Tello recently discovered a very interesting malware attack that seems to be (at first blush) related to the previous Banamex phishing e-mails reported last January and earlier this month.
Similar to the past attacks, this malware aims to steal money by targeting customers of Banamex, the largest e-Bank in Mexico.
However, instead of using the DNS poisoning method seen in the past attacks, this malware uses a script to change the user’s DNS settings, and it also installs a botnet client that connects to an IRC server hosted at a U.S. hosting provider.
Based on Tello’s analysis, the infection chain is usually initiated by a fake greeting eCard that a user receives via email. This eCard contains a link, which when clicked downloads the malicious file Gusanito.exe.
Trend Micro detects this file as BKDR_VBBOT.AE. The difference between this new attack and the previous ones is that, this time around, the downloaded malicious executable does not poison the user’s HOSTS file or the local router’s DNS table. Instead, it changes the DNS server settings on the affected user’s computer using the following simple script:
dns name= source=static addr=[IP address] register=PRIMARY
Thus, when the user attempts to access www.banamex.com, the user is redirected to a phishing Web site (which is actually hosted on the same rogue DNS server).
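The script fragment quoted above has the syntax of the Windows netsh command that sets a static DNS server on an interface, so a defender can catch this class of change by auditing the DNS client configuration. The following Python script is an added example, not code from the original post or from Trend Micro: it parses the output of `netsh interface ip show dns`, lists every interface whose resolvers were set statically, and flags any static resolver outside an allowlist. The sample output and the allowlist addresses are constructed values, and the labels assume an English-language Windows build.

```python
import re

# Resolvers the organisation expects on its hosts (assumed values).
ALLOWED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}

# Constructed sample of `netsh interface ip show dns` output (English
# Windows labels; localized builds print different text).
SAMPLE_NETSH_OUTPUT = """\
Configuration for interface "Local Area Connection"
    DNS servers configured through DHCP:  192.168.1.1
    Register with which suffix:           Primary only

Configuration for interface "Wireless Network Connection"
    Statically Configured DNS Servers:    203.0.113.5
                                          203.0.113.6
    Register with which suffix:           Primary only
"""

IFACE_RE = re.compile(r'^Configuration for interface "(.+)"')
STATIC_RE = re.compile(r"Statically Configured DNS Servers:\s*(\S*)")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")  # IPv4 only, for brevity

def parse_static_dns(text):
    """Map each interface that uses static DNS to its list of server addresses."""
    result, iface, collecting = {}, None, False
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface, collecting = m.group(1), False
            continue
        m = STATIC_RE.search(line)
        if m and iface:
            result[iface] = [m.group(1)] if IP_RE.match(m.group(1)) else []
            collecting = True  # indented lines that follow may list more servers
            continue
        token = line.strip()
        if collecting and IP_RE.match(token):
            result[iface].append(token)
        else:
            collecting = False
    return result

def suspicious_resolvers(text, allowed=ALLOWED_RESOLVERS):
    """Static resolvers outside the allowlist, keyed by interface name."""
    flagged = {i: [s for s in srv if s not in allowed]
               for i, srv in parse_static_dns(text).items()}
    return {i: bad for i, bad in flagged.items() if bad}
```

On a live Windows host, feed the real command output into suspicious_resolvers() in place of the sample; any interface it returns has had its resolver set statically to an address the organisation does not operate.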
The botnet client code (BKDR_VBBOT.AE) also opens an IRC connection to yet another, different US-based host and channel, where it waits for commands from its botmaster; those commands are actually intended to make the bot send out more of the same bogus eCard greeting emails.
As of this writing, there are over 650 bots already connected to this botnet C&C (Command & Control) server, and they are most probably sending out tons of fake greeting eCards at this very moment. “In fact, you can see the full list of emails that will be targeted,” says Tello.
The malicious link has already been submitted to the Trend Micro Content Security team for processing and blocking. The appropriate law enforcement agencies and content providers have also been alerted.
(Thanks to Paul Ferguson for additional technical background.)
-Update: March 29, 2008-
BKDR_VBBOT.AE was renamed to WORM_KELVIR.EI.