New polymorphic Android malware, meanwhile, disguises itself as a free virus scanner.

Mathew J. Schwartz, Contributor

May 17, 2012


Beware fake Chrome installers for Windows.

A file named "ChromeSetup.exe" is being offered for download on various websites, and the link to the file appears to be legitimately hosted on Facebook and Google domains. In reality, the software won't install Google's Chrome browser, but an information-stealing Trojan application known as Banker, according to antivirus vendor Trend Micro.

Once the malware--which appears to be targeting Latin American users, especially in Brazil and Peru--is executed, it relays the IP address and operating system version to one of two command-and-control (C&C) servers, then downloads a configuration file. After that, whenever a user of the infected PC visits one of a number of banking websites, the malware intercepts the HTTP request, redirects the user to a fake banking page, and also pops up a dialog box informing the user that new security software will be installed.

In fact, the malware has been designed to uninstall GbPlugin, which is "software that protects Brazilian bank customers when performing online banking transactions," said Trend Micro security researcher Brian Cayanan in a blog post. "It does this through the aid of gb_catchme.exe--a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas."


Trend Micro gained access to a log file associated with the C&C servers that were managing this strain of Banker and saw the number of PCs infected with the malware quickly multiply. "During the time the C&C panel was analyzed ... the phone-home logs jumped from around 400 to nearly 6,000 in a span of 3 hours. These logs are comprised of 3,000 unique IP addresses, which translates [into] the number of machines infected by the malware," Cayanan said. But the C&C servers--first spotted in use in October 2011--soon became inaccessible. That suggests that attackers were moving to new C&C servers, he said, noting that whoever is behind Banker will likely continue to enhance the malicious application’s capabilities.

For now, however, Cayanan said Trend Micro was continuing to study the malware, noting that "the one missing piece" of information is how the malware "is able to redirect [users] from normal websites like Facebook or Google to its malicious IP, to download malware."

In other malware news, GFI Labs is warning that a new piece of Android malware masquerades as free antivirus software. Advertised via Twitter spam promoting links to "sexi gerl see," among other phrases, the malicious application has been available via websites sporting a dot-TK (.tk) address, which is the top-level domain name for Tokelau, a New Zealand territory in the South Pacific.

Clicking on the proffered Twitter link takes users to a Russian-language Web page--hosted in the Ukraine--that advertises numerous products, including fake updates for Opera and Skype, as well as an "Anit-Virus Scanner." [sic] "Users who accessed and used this purported scanner are then given the option to download and install a file, which [varies] depending on whether the target is a PC or a phone," said GFI Labs researcher Jovi Umawing in a blog post. Interestingly, the PC version--delivered as a Java archive file--will fail to execute. But the APK (Android application package) version will install on an Android device. The application's Android icon, meanwhile, was copied from security firm Kaspersky.

Many security tools will have difficulty spotting the malicious APK file. According to Bulgarian antivirus researcher Vesselin Bontchev at FRISK Software, "the fake AV file is actually server-side polymorphic." Polymorphic malware is designed to change every time it gets downloaded, which generates malware with identical attack capabilities but different fingerprints. That makes spotting the malware more difficult for signature-based security defenses.

"If you download it several times in a row, you'll get different APK files," said Bontchev. He said it's also likely that the malware developer is updating the attack code every few days to make the malware more difficult to spot.
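Why a whole-file signature misses a server-side polymorphic APK, shown as an added example that is not from the article or from any of the researchers quoted: two constructed archives carry the same code entry but hash differently as files, while a per-entry hash still links them. The sample bytes, entry names and the assumption that only a filler entry changes between downloads are all constructed for illustration; the article does not say which parts of the real APK vary.

```python
import hashlib
import io
import zipfile


def build_sample(code: bytes, filler: bytes) -> bytes:
    """Constructed, harmless stand-in for an APK (an APK is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", code)        # assumed unchanged between downloads
        zf.writestr("assets/pad.bin", filler)   # assumed to differ on every download
    return buf.getvalue()


def file_hash(apk: bytes) -> str:
    """Whole-file fingerprint, the kind a simple hash blocklist relies on."""
    return hashlib.sha256(apk).hexdigest()


def entry_hashes(apk: bytes) -> dict:
    """SHA-256 of each archive member's uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in zf.namelist()}


def compare(apk_a: bytes, apk_b: bytes) -> dict:
    """Report whether two downloads match as files and which members match."""
    a, b = entry_hashes(apk_a), entry_hashes(apk_b)
    shared = sorted(n for n in a if b.get(n) == a[n])
    return {"same_file": file_hash(apk_a) == file_hash(apk_b),
            "shared_entries": shared}


# Two constructed "downloads" of the same sample.
CODE = b"constructed placeholder bytes standing in for compiled code"
first = build_sample(CODE, b"download-0001")
second = build_sample(CODE, b"download-0002")

if __name__ == "__main__":
    result = compare(first, second)
    print("whole-file hashes equal:", result["same_file"])
    print("members with identical content:", result["shared_entries"])
```

If the server also rewrites the code entry on each download, no member hash survives either, and detection has to fall back on behavior such as the premium-rate SMS sending described below.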

What's the purpose of the Anit-Virus Scanner malware? As with most online attacks, blame the software on criminals trying to make a fast buck (or in this case, ruble). "If you went ahead and installed the app onto your mobile, it would attempt to send expensive SMS messages to premium rate services," read a blog post from Graham Cluley, senior technology consultant at Sophos, who has also been studying the malware.

As with most malware, the fake antivirus scanner also has the ability to download and install further code from the Internet onto your Android smartphone, thus potentially allowing attackers to exploit devices, or the data they store, in numerous other ways.


About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
