TrendLabs Malware Blog - Trend Micro
“Dial ‘M’ for malware” sounds like a good phrase to sum this up…

TrendLabs researchers have received reports of what appears to be an attempt at massive DNS poisoning in Mexico. True to the growing complexity of Web threats, the weapons of choice include social engineering, a malware download, pharming and, here is the clincher, a DSL modem.

Yes, the attack begins with the exploitation of a known vulnerability in 2Wire modems. The modem's Web console accepts changes to its DNS servers and to its local host database from an ordinary HTTP request arriving from the LAN side, so any Web page or HTML email rendered on a connected PC can make the browser or mail client submit that request on the attacker's behalf (a cross-site request forgery against the management interface). One of the main Internet service providers in Mexico supplies 2Wire modems to its customers, and it is estimated that more than 2 million users are at risk.

Attack Flow

According to Trend Micro engineer Juan Pablo Castro, the exploit arrives in an email message dressed up as a news item, similar to this one:

Sample email

The subject line and the headline of the “article” roughly translate to “EU gave 40 years to the main Mexican narco operator of the Tijuana Cartel” (“EU” is the Spanish abbreviation for Estados Unidos, the United States).

The message embeds the following exploit code:

Exploit code

Notice that the code is embedded in an “img src” tag. This means that as soon as an unsuspecting user opens the email in its full HTML format, the mail client tries to load the “image”, and that load is really an HTTP request to the modem's Web console on the local network. The request modifies the modem's local host database so that every lookup of the Web site of one of the largest banks in Mexico is answered with the address of a fraudulent site. Nothing is installed on the PC at this stage; the damage lives in the modem's configuration.
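To make the mechanism described above concrete, here is an added example (mine, not code from the post or from Trend Micro) that scans an HTML mail body for the resource loads a mail client issues on its own and flags the ones aimed at the recipient's own network, which is exactly the shape of the “img src” trick used here. The sample mail, the example.invalid hosts and the gateway address 192.168.1.254 are constructed placeholders; the real request parameters sent to the 2Wire console are deliberately not reproduced.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make a mail client or browser issue a request on
# its own, without a click. <img src> is the one used in this attack.
RESOURCE_ATTRS = {
    "img": "src", "iframe": "src", "frame": "src", "script": "src",
    "embed": "src", "object": "data", "link": "href",
}


class _ResourceCollector(HTMLParser):
    """Collect every auto-fetched resource URL in an HTML body."""

    def __init__(self):
        super().__init__()
        self.urls = []  # (tag, url) pairs, in document order

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)  # HTMLParser lowercases tag and attr names
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append((tag, value.strip()))


def targets_lan(url):
    """True if fetching `url` would reach a host that is not on the public
    Internet: an RFC 1918, loopback or link-local IP literal, or a bare
    single-label name such as the ones home gateways answer to."""
    host = urlsplit(url).hostname
    if not host:
        return False  # relative URL, cid: reference, data: URI, etc.
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return "." not in host  # e.g. http://home/ or http://gateway/


def find_lan_requests(html_body):
    """Return the (tag, url) pairs in `html_body` that would be fetched from
    the recipient's own network: the signature of a CSRF against a modem or
    router management console."""
    collector = _ResourceCollector()
    collector.feed(html_body)
    collector.close()
    return [(tag, url) for tag, url in collector.urls if targets_lan(url)]


# Constructed sample in the shape of the lure described in the post: a news
# headline, a link to a "video" archive, a banner fetched from the Internet,
# and a 1x1 image tag aimed at the modem. 192.168.1.254 is assumed to be the
# modem's LAN address and the query string is a placeholder, not the real
# request used against the 2Wire console.
SAMPLE_MAIL = """\
<html><body>
<h1>EU gave 40 years to main narco operator of the Tijuana Cartel</h1>
<p>Watch the video: <a href="http://example.invalid/Video_Narco.rar">Video_Narco.rar</a></p>
<img src="http://example.invalid/banner.gif" width="300" height="60">
<img src="http://192.168.1.254/?placeholder=1" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_lan_requests(SAMPLE_MAIL):
        print("LAN-targeted %s load: %s" % (tag, url))
```

Run as a script it reports only the second image. The check has one gap worth knowing about: a gateway reachable under a dotted hostname that resolves to a LAN address is not caught by `targets_lan`, since it never resolves names; a mail gateway that wants to cover that case should resolve the host and test the resulting address instead.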

Thus, an affected user who wants to reach the bank and types its legitimate, non-malicious, fully qualified domain name (FQDN) still lands on the fraudulent site: the PC asks the modem to resolve the name, and the modem answers from its tampered host database. Bookmarks, a clean hosts file and an up-to-date browser on the PC do not help, because the redirection happens upstream of all of them. I think we all know how the rest of the story turns out…
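Because the PC delegates resolution to the modem, one way to test for this from an affected machine is to resolve the name through the operating system (and so through the modem) and again by sending a DNS query straight to a resolver outside the LAN, then compare the two answers; a mismatch of that kind is what a pharming warning is about. The following is an added example, not code from the post or from Trend Micro: www.example.com stands in for the bank's real domain, 9.9.9.9 is an arbitrary public resolver, and the check assumes the modem does not intercept DNS traffic leaving the LAN.

```python
import ipaddress
import random
import socket
import struct


def build_query(name, txid):
    """Build a minimal RFC 1035 query for the A record of `name`, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, txid):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlength = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlength == 4:
            addresses.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlength
    return addresses


def resolve_via(server, name, timeout=3.0):
    """Ask `server` directly over UDP/53, bypassing the gateway's forwarder."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def resolve_locally(name):
    """Resolve through the OS, i.e. through whatever resolver the gateway handed out."""
    return socket.gethostbyname_ex(name)[2]


def pharming_verdict(local_ips, reference_ips):
    """Classify the difference between the local and the reference answer."""
    local, reference = set(local_ips), set(reference_ips)
    if not local:
        return "suspicious: local resolver returned no address"
    if any(not ipaddress.ip_address(ip).is_global for ip in local):
        return "suspicious: local answer points into a private or reserved range"
    if local.isdisjoint(reference):
        return "suspicious: local and reference answers share no address"
    return "consistent"


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder for the bank's domain
    reference = sys.argv[2] if len(sys.argv) > 2 else "9.9.9.9"         # any resolver outside the LAN
    local = resolve_locally(domain)
    external = resolve_via(reference, domain)
    print(domain, "local:", local, "via", reference + ":", external)
    print(pharming_verdict(local, external))
```

A disagreement is not proof on its own: sites behind a CDN legitimately hand different addresses to different resolvers, so treat “share no address” as a reason to inspect the modem's DNS and host settings. A local answer inside a private range, or one that stays disjoint while several public resolvers agree with each other, is much harder to explain innocently.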

Unfortunately, that is not all. The malicious email message also promises a “video” and includes a link that points to a malicious URL from which the .RAR archive Video_Narco.rar can be downloaded. This archive contains the malicious file Video_Narco.exe, which Trend Micro detects as TROJ_QHOST.FX. QHOST is the family name Trend Micro uses for Trojans that modify the local hosts file, so a victim who also runs the file likely ends up with the redirection planted on the PC as well as in the modem.

You have to hand it to these criminals: they are making sure no stone is left unturned and no security hole unexploited… In any case, Trend Micro already blocks all related malicious URLs/IPs with its Web Threat Protection. Even users whose DNS resolution has already been poisoned will receive a notification of possible pharming activity (see image below).

Pharming detected

Of course, smart computing practices are still the best policy. As the Web (along with its threats) becomes, as I said, more and more complex, users should arm themselves with all the knowledge and precautions they can get. Two apply directly here: set the mail client not to load remote images or other remote content in HTML messages automatically, since the modem was attacked by nothing more than an image load, and treat a bank site that suddenly looks or behaves differently as a reason to check the modem's DNS and host settings rather than to log in.

Additional information provided by TrendLabs Content Security



© Copyright 2013 Trend Micro Inc. All rights reserved.