Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Ranieri Romera (Senior Threat Researcher)

    Cybercriminals in Brazil appear to have come up with a new tactic to lure users into giving up their login information. A few days ago, we found a post on a Brazilian forum offering a browser that could access the website of the Banco do Brasil without using the needed security plugin.

    Figure 1. Homemade browser ad

    Users that clicked the download link download a zip file. Inside this compressed file, there two executable files: one was the browser itself, which is called Navegador BB, and another which has the file name Plugin_Navegador_2.1.3.exe. (We detect these as PE_PARITE.A and WORM_LUDER.USR, respectively.)

    The third file is a text file which contains instructions to run Plugin_Navegador_2.1.3.exe first, and then run the browser. The “plugin” actually steals the user’s bank information. Meanwhile, the browser fools the bank site into not needing the usual security plugin by pretending that it is a mobile browser, as can be seen by examining the User-Agent HTTP header (click on the thumbnail to see the full strings):

    Figure 2. Strings used to spoof the User-Agent header

    It’s also worth noting that this homemade browser doesn’t even have an address bar, or any other place to enter a URL. It only has a single button that sends the user directly to the bank’s site.

    Figure 3. The homemade browser accessing the mobile Banco de Brasil site

    This is not the first time that cybercriminals have tried to fool users in Brazil with fake apps to make accessing sites more convenient. Previously, we found an application that claimed to get the credit scores and criminal records of Brazilians.

    One more thing to note. The author of this “browser” also created a version of BANCOS that ““outsourced” its distribution to lower level cybercriminals.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.


    Traditionally, Brazil is known for being the home of BANCOS, which steals the banking information of users and is generally limited to the Latin American region. Other banking Trojans like ZeuS, SpyEye, and CARBERP, which are common in other regions, are not traditionally used by Brazilian cybercriminals and not aimed at Brazilian users either.

    However, that might be changing. In a local hacker forum, we saw a post where somebody was selling some rather well-known malware kits:

    • Zeus version 3
    • SpyEye version 1.3.48
    • Citadel version 1.3.45
    • Carberp (“last version with all resources”)
    • CrimePack Exploit kit version 3.1.3 (leaked version)
    • Sweet Orange exploit kit version 1.0
    • Neutrino exploit kit
    • Redkit exploit kit

    In addition, if an interested buyer purchases any of the kits listed above, he will also get the kit for SpyEye version 1.3.45 for free.


    Figure 1. Screenshot of the online ad

    It’s worth noting too that the prices posted are extraordinarily attractive. For Zeus and CrimePack, a potential buyer needs only to shell out 350 Brazilian reais (175 US dollars) each. SpyEye and Carberp cost around 150 reais (75 US dollars), while a Citadel kit costs 100 reais (50 US dollars).

    In a later update, the guy also advertised that he had some phishing scam kits too. The targets include well-known entities like PayPal, Bank of America, HSBC and SCI Liberty Reverse (a Costa Rica-based payment processor) and only costs 50 reais (25 US dollars) per kit.


    Figure 2. Updated advertising phishing kits

    Read the rest of this entry »

    Posted in Malware | Comments Off on New Crimeware In BANCOS Paradise

    With today’s robust technology, it is now possible for users to remotely control their home devices via the Internet. However, as this technology gains a foothold, cybercrime is not far behind.

    In our 2013 Security Predictions, our Chief Technology Officer (CTO) Raimund Genes predicted that with digital technology becoming more integrated in our lives, we may be seeing threats in unlikely places. In particular, as more home devices and appliances are designed to access the Internet, they can become new venues for unexpected threats.

    In my recent post, I mentioned that the bulk of research initiated on Internet-enabled devices has been on identifying vulnerabilities. Though done to provide better security for end users, the flip side is we’re seeing novel ways to steal information and money. This is an alarming prospect, as majority of these home gadgets have basic IP configuration with limited security options. What’s more, most end users are unaware of these devices’ vulnerability.

    Read the rest of this entry »

    Posted in Vulnerabilities | Comments Off on The Dark Side of Home Automation

    Nowadays, we no longer use just our computers to connect to the Internet. We have our smartphones and our tablets that pretty much put the Internet right into our pockets. We are so connected to it, to the point that even gadgets that used to be “offline” can now be connected to the web. Gadgets such as media centers, game consoles, TVs, home automation systems, surveillance cameras, digital cameras, and the like are now Internet-enabled, making it easier than ever to connect. Very convenient, yes, but now we face this very important question: how safe is it to connect these devices to the Internet?

    In our recently released 2013 predictions, Raimund mentioned that we will see more security threats appear in unexpected places. I find this forecast valid. Recent history has showed to us that the infrastructure used for new Internet-enabled devices can be accessed by third parties. We’ve seen researchers prove that they can gain unauthorized access to Internet-enabled devices such as printers, heart devices, and even coffee makers. A more recent example of this is a vulnerability found in Samsung’s Smart TV which can be abused to steal information and even “root” the TV.

    So far, the focus of research around this is on locating vulnerabilities. However, while part of the research is done to provide better security for the end users, the other part accounts for research in order to identify new ways to steal money and information.

    Read the rest of this entry »

    Posted in Bad Sites | Comments Off on New Gadget + the Internet = New Threat

    We recently received a sample of the bot client that was used by hacker group Lulzsec Brazil in conducting distributed denial-of-service (DDoS) attacks against Brazilian websites. Those affected included the websites of both the Brazilian government and the president. The said attack is not the first of its kind from the group, as the main LulzSec hacking group reportedly attacked other sites, including those of the U.K. Serious Organized Crime Agency, the U.S. Senate, and Sony.

    The Lulzsec hacking group is one of the two hacking groups that have been recently making the news, along with Anonymous. The two groups recently declared war against governments, banks, and corporations all over the world and accused the said organizations of corruption. They also called other hackers to join their cause, which they dubbed “Operation Anti-Security.”

    The bot client, which we now detect as BKDR_ZOMBIE.SM, connects to a certain Internet Relay Chat (IRC) server and joins a specific IRC channel to receive commands.

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice