Vulnerabilities / Threats
5/17/2012
12:52 PM

Fake Google Chrome Installer Steals Banking Details

New polymorphic Android malware, meanwhile, disguises itself as a free virus scanner.

Beware fake Chrome installers for Windows.

A file named "ChromeSetup.exe" is being offered for download on various websites, and the link to the file appears to be legitimately hosted on Facebook and Google domains. In reality, the file does not install Google's Chrome browser at all; it installs an information-stealing Trojan known as Banker, according to antivirus vendor Trend Micro.

Once the malware--which appears to be targeting Latin American users, especially in Brazil and Peru--is executed, it relays the IP address and operating system version to one of two command-and-control (C&C) servers, then downloads a configuration file. After that, whenever a user of the infected PC visits one of a number of banking websites, the malware intercepts the HTTP request, redirects the user to a fake banking page, and also pops up a dialog box informing the user that new security software will be installed.

In fact, the malware has been designed to uninstall GbPlugin, which is "software that protects Brazilian bank customers when performing online banking transactions," said Trend Micro security researcher Brian Cayanan in a blog post. "It does this through the aid of gb_catchme.exe--a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas."


Trend Micro gained access to a log file associated with the C&C servers that were managing this strain of Banker and saw the number of PCs infected with the malware quickly multiply. "During the time the C&C panel was analyzed ... the phone-home logs jumped from around 400 to nearly 6,000 in a span of 3 hours. These logs are comprised of 3,000 unique IP addresses, which translates [into] the number of machines infected by the malware," Cayanan said. But the C&C servers--first spotted in use in October 2011--soon became inaccessible. That suggests that attackers were moving to new C&C servers, he said, noting that whoever is behind Banker will likely continue to enhance the malicious application’s capabilities.
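The kind of triage Cayanan describes (turning raw phone-home logs into a count of infected machines and a growth rate) is easy to reproduce. The script below is an added example, not Trend Micro's tooling, and its log format (ISO timestamp, victim IP, reported OS version) is an assumption; the article does not describe the real panel's format. The sample lines are constructed for the example. Unique IPs are used as the machine count, exactly as in the article, with the caveat that NAT can hide several hosts behind one address.

```python
"""Triage of C&C phone-home logs (added example, not Trend Micro's code).

Log format is assumed: "<ISO timestamp> <victim IP> <OS version>".
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: a handful of victims checking in repeatedly,
# plus one malformed line. Not real data.
SAMPLE_LOG = """\
2011-10-03T14:02:11 203.0.113.10 Windows XP
2011-10-03T14:02:15 203.0.113.11 Windows 7
2011-10-03T14:10:40 203.0.113.10 Windows XP
2011-10-03T15:01:02 198.51.100.7 Windows 7
2011-10-03T15:30:59 203.0.113.11 Windows 7
2011-10-03T16:45:00 198.51.100.8 Windows Vista
2011-10-03T16:59:59 198.51.100.7 Windows 7
2011-10-03T17:00:00 203.0.113.12 Windows XP
garbage line that should be skipped
"""


def parse_log(text):
    """Return a list of (timestamp, ip, os) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2]))
    return records


def unique_victims(records):
    """Map each IP to its first check-in time.

    Unique IPs approximate infected machines; NAT means one IP may hide
    several hosts, so treat the number as a lower bound.
    """
    first_seen = {}
    for ts, ip, _ in records:
        if ip not in first_seen or ts < first_seen[ip]:
            first_seen[ip] = ts
    return first_seen


def os_breakdown(records):
    """Count OS versions per unique victim (first record per IP wins)."""
    seen = {}
    for ts, ip, os_name in sorted(records):
        seen.setdefault(ip, os_name)
    return Counter(seen.values())


def growth(records, window=timedelta(hours=1)):
    """Per window starting at the first record: (window start, check-ins,
    newly seen victims). A steep rise in the third column is what the
    article's 400-to-6,000 jump looks like in a real panel."""
    if not records:
        return []
    records = sorted(records)
    first_seen = unique_victims(records)
    start, end = records[0][0], records[-1][0]
    buckets = []
    w = start
    while w <= end:
        hi = w + window
        checkins = sum(1 for ts, _, _ in records if w <= ts < hi)
        new = sum(1 for ts in first_seen.values() if w <= ts < hi)
        buckets.append((w, checkins, new))
        w = hi
    return buckets


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("check-ins:", len(recs), "unique victims:", len(unique_victims(recs)))
    print("by OS:", dict(os_breakdown(recs)))
    for start, checkins, new in growth(recs):
        print(f"{start:%H:%M}  check-ins={checkins:<3} new victims={new}")
```

Run it against a real panel export by replacing SAMPLE_LOG with the file contents; the window size is the only parameter worth tuning. Counting first-seen IPs per window, rather than raw check-ins, separates real spread from the same victims beaconing more often.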

For now, however, Cayanan said Trend Micro was continuing to study the malware, noting that "the one missing piece" of information is how the malware "is able to redirect [users] from normal websites like Facebook or Google to its malicious IP, to download malware."

In other malware news, GFI Labs is warning that a new piece of Android malware masquerades as free antivirus software. Advertised via Twitter spam promoting links to "sexi gerl see," among other phrases, the malicious application has been available via websites sporting a dot-TK (.tk) address, which is the top-level domain name for Tokelau, a New Zealand territory in the South Pacific.

Clicking on the proffered Twitter link takes users to a Russian-language Web page--hosted in Ukraine--that advertises numerous products, including fake updates for Opera and Skype, as well as an "Anit-Virus Scanner" [sic]. "Users who accessed and used this purported scanner are then given the option to download and install a file, which [varies] depending on whether the target is a PC or a phone," said GFI Labs researcher Jovi Umawing in a blog post. Interestingly, the PC version--delivered as a Java archive file--will fail to execute. But the APK (Android application package) version will install on an Android device. The application's Android icon, meanwhile, was copied from security firm Kaspersky.

Many security tools will have difficulty spotting the malicious APK file. According to Bulgarian antivirus researcher Vesselin Bontchev at FRISK Software, "the fake AV file is actually server-side polymorphic." Server-side polymorphic malware is regenerated by the distribution server for each download: every copy has the same attack capabilities but a different file hash and byte layout. Defenses that match a fixed signature or a known hash therefore see each download as a new, unknown file.

"If you download it several times in a row, you'll get different APK files," said Bontchev. He said it's also likely that the malware developer is updating the attack code every few days to make the malware more difficult to spot.
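Bontchev's observation is the reason a file hash is a weak indicator for this sample. One practical response is to fingerprint only the parts of the APK that must stay constant for the app to keep working (the code and manifest) and ignore the repacked junk the server varies. The script below is an added example, not code from GFI Labs, FRISK or Sophos. It builds the APK variants in memory from constructed stand-in contents (a fake classes.dex and manifest, plus a random junk asset and zip comment that change per "download"); nothing here is derived from the real sample.

```python
"""Hash-independent fingerprinting of a server-side polymorphic APK.

Added example. The APKs below are constructed in memory to mimic a
server that re-packs the same payload with different junk per download.
"""
import hashlib
import io
import zipfile

DEX = b"dex\n035\x00" + b"\x00" * 64          # constructed stand-in for classes.dex
MANIFEST = b"<manifest package='com.example.fakeav'/>"  # constructed, not the real app

# Entries that carry the payload. Junk assets, resources and zip metadata
# are what a re-packing server varies between downloads.
CODE_ENTRIES = ("classes.dex", "AndroidManifest.xml")


def build_variant(seed, dex=DEX):
    """Return APK bytes for one 'download'.

    Same code and manifest every time, but a junk file whose name and
    content depend on the seed, a different entry order and a different
    zip comment, so the whole-file hash changes per download.
    """
    junk = hashlib.sha256(seed).digest()
    junk_name = "assets/junk_%s.bin" % hashlib.sha1(seed).hexdigest()[:8]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if junk[0] % 2:                       # vary entry order too
            z.writestr(junk_name, junk)
        z.writestr("AndroidManifest.xml", MANIFEST)
        z.writestr("classes.dex", dex)
        if not junk[0] % 2:
            z.writestr(junk_name, junk)
        z.comment = seed
    return buf.getvalue()


def file_hash(data):
    """Whole-file SHA-256: the indicator that polymorphism defeats."""
    return hashlib.sha256(data).hexdigest()


def code_fingerprint(apk_bytes):
    """SHA-256 over the payload entries only, in sorted name order, with
    each entry length-prefixed so concatenation is unambiguous. Variants
    that differ only in junk, order or zip metadata collapse to one ID."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in sorted(n for n in z.namelist() if n in CODE_ENTRIES):
            data = z.read(name)
            h.update(name.encode() + b"\x00" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def same_family(apk_a, apk_b):
    """True when two downloads carry identical code and manifest."""
    return code_fingerprint(apk_a) == code_fingerprint(apk_b)


if __name__ == "__main__":
    a = build_variant(b"download-1")
    b = build_variant(b"download-2")
    print("file hashes equal:     ", file_hash(a) == file_hash(b))      # False
    print("code fingerprints equal:", same_family(a, b))                 # True
    patched = build_variant(b"download-3", dex=DEX + b"patched")
    print("after a code update:   ", same_family(a, patched))            # False
```

The last line of the demo shows the limit of this approach, which matches Bontchev's second point: when the developer actually recompiles the code "every few days", the payload fingerprint changes as well, and detection has to fall back on behaviour (the premium-rate SMS sending described below) or on the signing certificate, which is often reused across builds.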

What's the purpose of the Anit-Virus Scanner malware? As with most online attacks, blame the software on criminals trying to make a fast buck (or in this case, ruble). "If you went ahead and installed the app onto your mobile, it would attempt to send expensive SMS messages to premium rate services," read a blog post from Graham Cluley, senior technology consultant at Sophos, who has also been studying the malware.

As with most malware, the fake antivirus scanner also has the ability to download and install further code from the Internet onto your Android smartphone, thus potentially allowing attackers to exploit devices, or the data they store, in numerous other ways.

