Crime Branch Advisory
The Nigerian Scam
Trojan Redirector Ups the Ante in Online Banking Attacks
Source for this article as http://www.naavi.org.
Researchers at Websense Security Labs have stumbled upon a password-stealing Trojan that uses sophisticated DNS redirection techniques to dodge server shutdowns and hijack online banking data.
The new phishing attack targets users of more than 100 financial institutions in the United States and Europe, including Bank of America, HSBC, Barclays Bank, Lloyds TSB.
According to an alert from Websense, the Trojan silently modifies the contents of host files on infected machines to serve up fake banking sites that move from server to server to avoid shutdowns.
"This one is strictly designed for crimeware purposes and it’s a lot more sophisticated than the average phishing attacks," says Dan Hubbard, senior director of security and technology research Websense, a San Diego, Calif.-based Web filtering software firm.
In an interview with eWEEK, Hubbard explained that the Trojan modifies the contents of the hosts file on the local machine with a list of sites all pointing to localhost (127.0.0.1).
If it finds a browser session active, the malware code performs a DNS lookup to a DNS server hosted in Russia to receive an address for a malicious Web site.
"Basically, they have about 100 different fraudulent bank sites on one server. When you try to go to your bank, the Trojan resolves it locally sends you to fraudulent one," Hubbard said.
On the Web server, the attacker has set up a host field entry that checks to see which bank the user is trying to access. "Now, they can deliver the phish for that specific bank so if you planned to go to Bank of America, they will send you to a site that looks just like Bank of America," he added.
The use of host file redirectors has been a tried-and-true tactic for identity theft phishing rings, the on-the-fly changing of the destination address through DNS points to a frightening level of sophistication. "Usually, there’s a hard-coded list within the Trojan with IP addresses and all the bank names. But, this one actually goes out and gets an IP address to put there. From the attackers’ standpoint, it makes it very easy to change the DNS records in case the phishing site gets shut down," Hubbard said.
Hubbard, who is involved with several vigilante efforts to shut down the botnet command-and-controls that power spam, phishing and spyware installation activity, said the new technique shows that the attackers are willing to up the ante to stay ahead of law enforcement.
"The shutdown process has gotten better with increased cooperation of ISPs so [the attackers] are evolving," he added. At press time on March 21, Hubbard said the Russian server hosting the fake bank sites was still active.
The Trojan is believed to be a variant of a known Trojan family identified at PWSteal.Bancos or Troj/Banker-AG. Hubbard said the major anti-virus vendors have added heuristic detections for the Trojan family.