Last Updated on Friday, 18 May 2012 17:38 Published on Friday, 18 May 2012 17:38
Beware fake Chrome installers for Windows.
A file named "ChromeSetup.exe" is being offered for download on various websites, and the link to the file appears to be legitimately hosted on Facebook and Google domains. In reality, the software won't install Google's Chrome browser, but an information-stealing Trojan application known as Banker, according to antivirus vendor Trend Micro.
Once the malware--which appears to be targeting Latin American users, especially in Brazil and Peru--is executed, it relays the IP address and operating system version to one of two command-and-control (C&C) servers, then downloads a configuration file. After that, whenever a user of the infected PC visits one of a number of banking websites, the malware intercepts the HTTP request, redirects the user to a fake banking page, and also pops up a dialog box informing the user that new security software will be installed.
In fact, the malware has been designed uninstall GbPlugin, which is "software that protects Brazilian bank customers when performing online banking transactions," said Trend Micro security researcher Brian Cayanan in a blog post. "It does this through the aid of gb_catchme.exe--a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas."
Trend Micro gained access to a log file associated with the C&C servers that were managing this strain of Banker and saw the number of PCs infected with the malware quickly multiply. "During the time the C&C panel was analyzed ... the phone-home logs jumped from around 400 to nearly 6,000 in a span of 3 hours. These logs are comprised of 3,000 unique IP addresses, which translates [into] the number of machines infected by the malware," Cayanan said. But the C&C servers--first spotted in use in October 2011--soon became inaccessible. That suggests that attackers were moving to new C&C servers, he said, noting that whoever is behind Banker will likely continue to enhance the malicious application’s capabilities.
For now, however, Cayanan said Trend Micro was continuing to study the malware, noting that "the one missing piece" of information is how the malware "is able to redirect [users] from normal websites like Facebook or Google to its malicious IP, to download malware."
In other malware news, GFI Labs is warning that a new piece of Android malware masquerades as free antivirus software. Advertised via Twitter spam promoting links to "sexi gerl see," among other phrases, the malicious application has been available via websites sporting a dot-TK (.tk) address, which is the top-level domain name for Tokelau, a New Zealand territory in the South Pacific.
Clicking on the proffered Twitter link takes users to a Russian-language Web page--hosted in the Ukraine--that advertises numerous products, including fake updates for Opera and Skype, as well as an "Anit-Virus Scanner." [sic] "Users who accessed and used this purported scanner are then given the option to download and install a file, which [varies] depending on whether the target is a PC or a phone," said GFI Labs researcher Jovi Umawing in a blog post. Interestingly, the PC version--delivered as a Java archive file--will fail to execute. But the APK (Android application package) version will install on an Android device. The application's Android icon, meanwhile, was copied from security firm Kaspersky.
Many security tools will have difficulty spotting the malicious APK file. According to Bulgarian antivirus researcher Vesselin Bontchev at FRISK Software, "the fake AV file is actually server-side polymorphic." Polymorphic malware is designed to change every time it gets downloaded, which generates malware with identical attack capabilities but different fingerprints. That makes spotting the malware more difficult for signature-based security defenses.
"If you download it several times in a row, you'll get different APK files," said Bontchev. He said it's also likely that the malware developer is updating the attack code every few days to make the malware more difficult to spot. [informationweek]