
SANS ISC: Scammer tying in on disasters



We have seen it before: scum trying to make money off disasters in other people's lives, and the aircraft crash in Brazil is no different. It starts with a spam campaign promoting a website; that website in turn invites visitors to click on tiny thumbnail images, and those thumbnails lead to malware. Not cool.

The find is courtesy of Websense, which has an article about it.

Here is what the antivirus vendors make of the malware (VirusTotal results):

[ file data ]
size 274462
md5 fca50b317ac7648b65c80a2f08ede9ef
sha1 bd85d52e616ab14bef3bfe42e9d44c0820d895cf

[ scan result ]
AntiVir 7.2.0.22/20061003 found [DR/Spy.Bancos.YT]
Authentium 4.93.8/20061002 found [W32/Banker.XCA]
Avast 4.7.892.0/20061003 found nothing
AVG 386/20061003 found nothing
BitDefender 7.2/20061003 found [Generic.Banker.VB.11DF9CB6]
CAT-QuickHeal 8.00/20061003 found nothing
ClamAV devel-20060426/20061003 found nothing
DrWeb 4.33/20061003 found [BackDoor.Generic.1437]
eTrust-InoculateIT 23.73.11/20061002 found nothing
eTrust-Vet 30.3.3113/20061003 found nothing
Ewido 4.0/20061003 found nothing
F-Prot 3.16f/20061002 found [security risk named W32/Banker.XCA]
F-Prot4 4.2.1.29/20061002 found [W32/Banker.XCA]
Fortinet 2.82.0.0/20061003 found [Spy/Bancos]
Ikarus 0.2.65.0/20061003 found [Backdoor.Win32.Radmin.w]
Kaspersky 4.0.2.24/20061003 found [Trojan-Spy.Win32.Bancos.yt]
McAfee 4865/20061003 found nothing
Microsoft 1.1603/20061003 found nothing
NOD32v2 1.1787/20061003 found [probably a variant of Win32/Spy.Bancos.U]
Norman 5.80.02/20061003 found [Bancos.KVY]
Panda 9.0.0.4/20061003 found nothing
Sophos 4.10.0/20061003 found nothing
Symantec 8.0/20061003 found nothing
TheHacker 6.0.1.090/20061003 found [Trojan/Spy.KeyLogger.bp]
UNA 1.83/20061003 found nothing
VBA32 3.11.1/20061003 found [Trojan-Spy.Win32.Bancos.yt]
VirusBuster 4.3.7:9/20061003 found nothing

In other words: a bank-aware keylogging piece of malware that, at the time of the scan, was detected by only 13 of the 27 engines, and not by several of the big-name vendors (McAfee, Microsoft, Sophos, Symantec and Panda all found nothing).
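As an added example (this is not code from the original diary, from Websense or from VirusTotal), the script below parses a plain-text scan report of the shape quoted above, counts which engines detected the sample and which did not, and checks a file's MD5/SHA1 against the hashes the diary lists. The scan lines are embedded as constructed sample input copied from the report above so it runs offline; the report line format, the helper names and the file path in the usage block are assumptions.

```python
"""Parse a VirusTotal-style text report and match file hashes against known IOCs.

Added example, not part of the ISC diary. The report format assumed here is
one engine per line: "<engine> <version>/<sigdate> found [<name>]" or
"<engine> <version>/<sigdate> found nothing".
"""
import hashlib
import re
import sys

# Hashes of the sample as listed in the diary (lookup table constructed from
# the "[ file data ]" block above).
KNOWN_BAD = {
    "md5": "fca50b317ac7648b65c80a2f08ede9ef",
    "sha1": "bd85d52e616ab14bef3bfe42e9d44c0820d895cf",
}

# Constructed sample input: the "[ scan result ]" lines quoted in the diary.
SCAN_REPORT = """\
AntiVir 7.2.0.22/20061003 found [DR/Spy.Bancos.YT]
Authentium 4.93.8/20061002 found [W32/Banker.XCA]
Avast 4.7.892.0/20061003 found nothing
AVG 386/20061003 found nothing
BitDefender 7.2/20061003 found [Generic.Banker.VB.11DF9CB6]
CAT-QuickHeal 8.00/20061003 found nothing
ClamAV devel-20060426/20061003 found nothing
DrWeb 4.33/20061003 found [BackDoor.Generic.1437]
eTrust-InoculateIT 23.73.11/20061002 found nothing
eTrust-Vet 30.3.3113/20061003 found nothing
Ewido 4.0/20061003 found nothing
F-Prot 3.16f/20061002 found [security risk named W32/Banker.XCA]
F-Prot4 4.2.1.29/20061002 found [W32/Banker.XCA]
Fortinet 2.82.0.0/20061003 found [Spy/Bancos]
Ikarus 0.2.65.0/20061003 found [Backdoor.Win32.Radmin.w]
Kaspersky 4.0.2.24/20061003 found [Trojan-Spy.Win32.Bancos.yt]
McAfee 4865/20061003 found nothing
Microsoft 1.1603/20061003 found nothing
NOD32v2 1.1787/20061003 found [probably a variant of  Win32/Spy.Bancos.U ]
Norman 5.80.02/20061003 found [Bancos.KVY]
Panda 9.0.0.4/20061003 found nothing
Sophos 4.10.0/20061003 found nothing
Symantec 8.0/20061003 found nothing
TheHacker 6.0.1.090/20061003 found [Trojan/Spy.KeyLogger.bp]
UNA 1.83/20061003 found nothing
VBA32 3.11.1/20061003 found [Trojan-Spy.Win32.Bancos.yt]
VirusBuster 4.3.7:9/20061003 found nothing
"""

# Engine and version are whitespace-free tokens; the signature date is the
# 8-digit part after the slash; the verdict is "nothing" or a bracketed name.
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)/(?P<sigdate>\d{8})\s+found\s+"
    r"(?:(?P<nothing>nothing)|\[(?P<name>.*)\])\s*$"
)


def parse_report(text):
    """Return a list of (engine, detection_name_or_None) in report order.

    Raises ValueError on a line that does not match, rather than silently
    skipping it, so a format change cannot quietly lower the detection count.
    """
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable scan line: {line!r}")
        name = None if m.group("nothing") else m.group("name").strip()
        results.append((m.group("engine"), name))
    return results


def detection_summary(results):
    """Count detections and list the engines that missed the sample."""
    detected = [engine for engine, name in results if name]
    missed = [engine for engine, name in results if not name]
    return {
        "total": len(results),
        "detected": len(detected),
        "missed": missed,
        "ratio": len(detected) / len(results) if results else 0.0,
    }


def hashes_of(data):
    """MD5 and SHA1 of a byte string, as lowercase hex."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def hashes_of_file(path):
    """Hash a file in chunks so large samples do not need to fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def matches_known_bad(hashes, known=KNOWN_BAD):
    """Require both hashes to agree, so a typo in one IOC cannot produce a false match."""
    return hashes["md5"] == known["md5"] and hashes["sha1"] == known["sha1"]


if __name__ == "__main__":
    summary = detection_summary(parse_report(SCAN_REPORT))
    print(f"{summary['detected']}/{summary['total']} engines detected the sample")
    print("missed by:", ", ".join(summary["missed"]))
    # Hypothetical path to a file you want to compare against the IOCs.
    for path in sys.argv[1:]:
        print(path, "matches known sample:", matches_known_bad(hashes_of_file(path)))
```

Run it with no arguments to get the detection ratio for the embedded report, or with file paths to compare those files against the diary's hashes. Both hashes must match before a file is reported as the known sample; a detection ratio of 13 out of 27 is exactly the "not detected by some big names" situation the diary describes, and the `missed` list is the set of products you should not rely on for this sample.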

The important lesson is not to click on links in email or IM, or to let yourself be social engineered in any other way into doing things you do not want to do. That needs to be translated not just on the receiving end, by not following the links we are given, but also on the sending end, by not sending friendly links to our friends.

e.g.:

--
Swa Frantzen -- Section 66
