Vulnerabilities / Threats
5/17/2012
12:52 PM
Connect Directly
RSS
E-Mail
50%
50%

Fake Google Chrome Installer Steals Banking Details

New polymorphic Android malware, meanwhile, disguises itself as a free virus scanner.

Beware fake Chrome installers for Windows.

A file named "ChromeSetup.exe" is being offered for download on various websites, and the link to the file appears to be legitimately hosted on Facebook and Google domains. In reality, the software won't install Google's Chrome browser, but an information-stealing Trojan application known as Banker, according to antivirus vendor Trend Micro.

Once the malware--which appears to be targeting Latin American users, especially in Brazil and Peru--is executed, it relays the IP address and operating system version to one of two command-and-control (C&C) servers, then downloads a configuration file. After that, whenever a user of the infected PC visits one of a number of banking websites, the malware intercepts the HTTP request, redirects the user to a fake banking page, and also pops up a dialog box informing the user that new security software will be installed.

In fact, the malware has been designed uninstall GbPlugin, which is "software that protects Brazilian bank customers when performing online banking transactions," said Trend Micro security researcher Brian Cayanan in a blog post. "It does this through the aid of gb_catchme.exe--a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas."

[ Hacktivists take down the Kremlin's website in protest of Putin reelection. Read more at Anonymous Targets Russian Sites For Putin Protest. ]

Trend Micro gained access to a log file associated with the C&C servers that were managing this strain of Banker and saw the number of PCs infected with the malware quickly multiply. "During the time the C&C panel was analyzed ... the phone-home logs jumped from around 400 to nearly 6,000 in a span of 3 hours. These logs are comprised of 3,000 unique IP addresses, which translates [into] the number of machines infected by the malware," Cayanan said. But the C&C servers--first spotted in use in October 2011--soon became inaccessible. That suggests that attackers were moving to new C&C servers, he said, noting that whoever is behind Banker will likely continue to enhance the malicious application’s capabilities.

For now, however, Cayanan said Trend Micro was continuing to study the malware, noting that "the one missing piece" of information is how the malware "is able to redirect [users] from normal websites like Facebook or Google to its malicious IP, to download malware."

In other malware news, GFI Labs is warning that a new piece of Android malware masquerades as free antivirus software. Advertised via Twitter spam promoting links to "sexi gerl see," among other phrases, the malicious application has been available via websites sporting a dot-TK (.tk) address, which is the top-level domain name for Tokelau, a New Zealand territory in the South Pacific.

Clicking on the proffered Twitter link takes users to a Russian-language Web page--hosted in the Ukraine--that advertises numerous products, including fake updates for Opera and Skype, as well as an "Anit-Virus Scanner." [sic] "Users who accessed and used this purported scanner are then given the option to download and install a file, which [varies] depending on whether the target is a PC or a phone," said GFI Labs researcher Jovi Umawing in a blog post. Interestingly, the PC version--delivered as a Java archive file--will fail to execute. But the APK (Android application package) version will install on an Android device. The application's Android icon, meanwhile, was copied from security firm Kaspersky.

Many security tools will have difficulty spotting the malicious APK file. According to Bulgarian antivirus researcher Vesselin Bontchev at FRISK Software, "the fake AV file is actually server-side polymorphic." Polymorphic malware is designed to change every time it gets downloaded, which generates malware with identical attack capabilities but different fingerprints. That makes spotting the malware more difficult for signature-based security defenses.

"If you download it several times in a row, you'll get different APK files," said Bontchev. He said it's also likely that the malware developer is updating the attack code every few days to make the malware more difficult to spot.

What's the purpose of the Anit-Virus Scanner malware? As with most online attacks, blame the software on criminals trying to make a fast buck (or in this case, ruble). "If you went ahead and installed the app onto your mobile, it would attempt to send expensive SMS messages to premium rate services," read a blog post from Graham Cluley, senior technology consultant at Sophos, who has also been studying the malware.

As with most malware, the fake antivirus scanner also has the ability to download and install further code from the Internet onto your Android smartphone, thus potentially allowing attackers to exploit devices, or the data they store, in numerous other ways.

Security information and event monitoring technology has been available for years, but the information can be hard to mine. In our SIEM Success report, we provide a step-by-step guide to make the most of your SIEM system. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.