“Dial ‘M’ for malware” sounds like a good phrase to sum this up…
TrendLabs researchers have received reports of what appears to be an attempt of a massive DNS poisoning attack in Mexico. True to the growing complexity of Web threats, the weapons of choice include social engineering, malware download, pharming, and — here’s the clincher — a DSL modem.
Yes, the attack begins with the exploitation of a known vulnerability in 2Wire modems. The said vulnerability allows an attacker to modify the local DNS servers and hosts. One of the main Internet Service Providers in Mexico offers 2Wire modems to their customers, and it is estimated that more than 2 million users are at risk.
According to Trend Micro Engineer Juan Pablo Castro, the said exploit arrives with a newsy email message similar to this one:
The subject and the headline of the article roughly translate to “EU gave 40 years to Mexican Main narco operator of the Tijuana Cartel.”
The said message includes the following exploit code:
Notice that the code is embedded in an “img src” tag. This means that once an unsuspecting user opens the email in its full HTML format, the exploit code automatically attempts to access the modem’s Web console and modify the local host database to redirect all requests for banamex.com — the Web site of one of the largest banks in Mexico — to a fraudulent site.
Thus, for affected users who wish to access the banking site, even typing banamex.com — which is a legitimate, non-malicious, fully qualified domain name (FQDN) — leads to the fraudulent site. I think we all know how the rest of the story turns out…
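As an added illustration (not code from the original post or from Trend Micro), here is a defender-side check that a mail filter or gateway could apply to the pattern described above: flag any “img src” in an HTML message whose host is a private LAN, loopback or link-local address, since a legitimate email has no reason to load images from a home gateway. The sample email body, the LAN address and the console path below are constructed placeholders, not the real exploit.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an HTML email body. The second image points at a
# private LAN address standing in for the modem's Web console; the path is
# a placeholder, not a real exploit URL.
SAMPLE_EMAIL_HTML = """
<html><body>
<h1>EU gave 40 years to Mexican main narco operator</h1>
<img src="http://cdn.example.net/banner.jpg">
<img src="http://192.168.1.1/PLACEHOLDER_MODEM_CONSOLE_PATH?x=1" width="1" height="1">
<a href="http://malicious.example/Video_Narco.rar">Watch the video</a>
</body></html>
"""


class _ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def is_lan_host(host):
    """True if host is a literal IP in a private, loopback or link-local range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # plain hostnames are not resolved or checked here
    return addr.is_private or addr.is_loopback or addr.is_link_local


def find_lan_image_loads(html):
    """Return the img src URLs whose host is a LAN address, i.e. image loads
    that would make the recipient's browser send a request to a device on
    the recipient's own network (the CSRF-style trick used against the modem)."""
    parser = _ImgSrcCollector()
    parser.feed(html)
    return [src for src in parser.sources
            if (host := urlsplit(src).hostname) and is_lan_host(host)]


if __name__ == "__main__":
    for url in find_lan_image_loads(SAMPLE_EMAIL_HTML):
        print("suspicious LAN-targeting image load:", url)
```

The check only catches literal IP addresses; a message that reaches the gateway through a hostname would need DNS-resolution-aware filtering on top of this.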
Unfortunately, that’s not all. The malicious email message also promises a “video” and includes a link that points to a malicious URL where the .RAR archive Video_Narco.rar can be downloaded. This archive contains the malicious file Video_Narco.exe, which Trend Micro detects as TROJ_QHOST.FX.
You’ve got to hand it to these criminals: they’re making sure no stone is left unturned, no security hole unexploited… In any case, Trend Micro already blocks all related malicious URLs/IPs with its Web Threat Protection. Even users whose DNS servers may have been poisoned will receive a notification of possible pharming activity (see image below).
Of course, smart computing practices are still the best policy. As the Web (along with its threats) becomes — like I said — more and more complex, users should arm themselves with all the knowledge and precautions they can get.
Additional information provided by TrendLabs Content Security