From Chris Mitchell at SophosLabs Blog:
Today a piece of malware (Troj/Bancos-BDF) crossed my desk that at first did not look like a Banker Trojan at all. It eventually turned out to be one of the most nefarious and brazen Banker Trojans I have ever analysed, and it managed to do it all with only one small snippet of code. What it did was add 8 hostnames to the local Windows HOSTS file. That’s it.
The HOSTS file is a place where Windows looks when it wants to resolve a host name to an IP address. Usually this is handled by your ISP’s DNS servers, but if Windows finds a matching entry in the HOSTS file it doesn’t bother looking any further. Now this has many uses, but in this case all of the host names belonged to a single South American banking institution and all of them redirected to a single IP address.
The Trojan was probably quite easy to write. Coding the fake website takes more time, which probably explains why they only targeted a single bank. Quite nasty. The criminals could pull a similar stunt on someone’s router too if they leave the default password. The average user would never suspect.
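As an added defender-side example (not code from the original post or from SophosLabs), the following Python script parses HOSTS-file text and reports every hostname that has been pinned to a routable address, grouped by target IP, which surfaces the "many bank hostnames, one IP" pattern described above. The sample HOSTS content, the example-bank hostnames and the 203.0.113.10 address are constructed placeholders; the only real value is the standard Windows HOSTS path.

```python
import ipaddress
import os
from collections import defaultdict

# Constructed sample HOSTS content; the bank hostnames and the 203.0.113.10
# target are documentation placeholders, not indicators from the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines appended by the Trojan (constructed placeholders)
203.0.113.10    www.example-bank.test
203.0.113.10    online.example-bank.test
203.0.113.10    secure.example-bank.test
203.0.113.10    login.example-bank.test   # trailing comment
"""

WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are ignored."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower()


def audit_hosts(text, allowlist=frozenset()):
    """Group HOSTS entries that redirect a hostname to a routable address.

    Returns {ip: sorted hostnames} for every entry whose target is neither
    loopback nor unspecified (normally all a clean Windows HOSTS file holds)
    and whose hostname is not on the caller's allowlist of known local entries.
    """
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if name in allowlist:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip malformed lines rather than guess at them
        if addr.is_loopback or addr.is_unspecified:
            continue
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


if __name__ == "__main__":
    path = WINDOWS_HOSTS if os.name == "nt" else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = audit_hosts(fh.read())
    for ip, names in findings.items():
        print(f"{ip} <- {len(names)} hostname(s): {', '.join(names)}")
```

Run unmodified it audits the live HOSTS file of the machine it runs on; a finding of several hostnames for one institution all pinned to a single routable address is the signature this post describes.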