Monday, March 31, 2008 2:20 PM cmosby


Blended, Targeted Attack in Mexico: Now a DNS Changer and A Botnet

March 27th, 2008 by Carolyn Guevarra

Virus Coordinator for Trend Micro Latin America, Jose Lopez Tello, recently discovered a very interesting malware attack that seems to be (at first blush) related to the previous Banamex phishing e-mails reported last January and earlier this month.

Similar to the past attacks, this malware aims to steal money by targeting customers of Banamex, the largest e-Bank in Mexico.

However, instead of the DNS poisoning method the past attacks used, this malware runs a script that changes the user's DNS settings, and it also installs a bot client that connects to an IRC server at a U.S. hosting provider.

Based on Tello’s analysis, the infection chain is usually initiated by a fake greeting e-card that a user receives via email. This e-card contains a link, which when clicked downloads the malicious file Gusanito.exe.

Trend Micro detects this file as BKDR_VBBOT.AE. What sets this attack apart from the previous ones is that the downloaded executable does not poison the user's HOSTS file or the local router's DNS table. Instead, it changes the DNS server setting on the affected user's computer itself, using the following simple script (the argument list of a Windows netsh "interface ip set dns" command; the interface name and the rogue server address are left out here):

dns name= source=static addr=[IP address] register=PRIMARY

Thus, when the user attempts to access www.banamex.com, he is redirected to a phishing Web site (which is actually located at the same fake DNS server).
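The defender's counterpart to this technique is to check whether any interface has been switched from DHCP-assigned to a statically configured resolver that the organisation does not operate. The following script is an added example and is not code from the original post or from Trend Micro: it parses the text of "netsh interface ip show dns" (the sample output below is constructed and approximates the real format, which varies slightly between Windows versions) and flags every interface whose static DNS server is outside an assumed approved list.

```python
import re
from typing import Dict, List, Set

# Constructed sample of "netsh interface ip show dns" output (not from the
# original post). The second adapter shows the trace this DNS changer leaves:
# a statically configured resolver that is not one of ours.
SAMPLE_NETSH_OUTPUT = """\
Configuration for interface "Local Area Connection"
    DNS servers configured through DHCP:  10.0.0.53
    Register with which suffix:           Primary only

Configuration for interface "Wireless Network Connection"
    Statically Configured DNS Servers:    203.0.113.7
    Register with which suffix:           Primary only

Configuration for interface "Loopback Pseudo-Interface 1"
    Statically Configured DNS Servers:    None
    Register with which suffix:           Primary only
"""

# Resolvers the organisation actually operates (assumed values).
APPROVED_RESOLVERS: Set[str] = {"10.0.0.53", "10.0.0.54"}

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_netsh_dns(text: str) -> Dict[str, dict]:
    """Parse netsh output into {interface: {"source": "static"|"dhcp"|None, "servers": [...]}}."""
    result: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        header = re.match(r'Configuration for interface "(.+)"', line.strip())
        if header:
            current = header.group(1)
            result[current] = {"source": None, "servers": []}
            continue
        if current is None:
            continue
        lowered = line.lower()
        if "statically configured dns servers" in lowered:
            result[current]["source"] = "static"
        elif "dns servers configured through dhcp" in lowered:
            result[current]["source"] = "dhcp"
        # Server addresses sit on the labelled line and on unlabelled
        # continuation lines; the "Register" line carries no address.
        if result[current]["source"] is not None:
            result[current]["servers"].extend(IPV4.findall(line))
    return result


def find_rogue_static_dns(text: str, approved: Set[str]) -> List[dict]:
    """Return interfaces whose DNS is set statically to a resolver we do not operate."""
    findings = []
    for iface, cfg in parse_netsh_dns(text).items():
        if cfg["source"] != "static":
            continue
        rogue = [server for server in cfg["servers"] if server not in approved]
        if rogue:
            findings.append({"interface": iface, "rogue_servers": rogue})
    return findings


if __name__ == "__main__":
    for finding in find_rogue_static_dns(SAMPLE_NETSH_OUTPUT, APPROVED_RESOLVERS):
        print(f"ALERT {finding['interface']!r}: static DNS -> "
              f"{', '.join(finding['rogue_servers'])}")
```

Run against live output, the script would read the text of "netsh interface ip show dns" instead of the constructed sample; a DHCP-assigned resolver is never flagged, and a static entry is only flagged when it points outside the approved set, so hosts with legitimately pinned internal resolvers stay quiet.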

The bot client code (BKDR_VBBOT.AE) also opens an IRC connection to yet another, different U.S.-based host and channel, where it waits for commands from its botmaster; the commands seen so far instruct it to send out more of the same bogus e-card greeting e-mails.

As of this writing, over 650 bots are already connected to this botnet's C&C (command and control) server and are most probably sending out large volumes of fake greeting e-cards at this very moment. “In fact, you can see all the list emails that will be targeted,” adds Tello.

The malicious link has already been submitted to the Trend Micro Content Security team for processing and blocking. The appropriate law enforcement agencies and content providers have also been alerted.

(Thanks to Paul Ferguson for additional technical background.)

-Update: March 29, 2008-

The detection BKDR_VBBOT.AE was renamed to WORM_KELVIR.EI.

Source: Blended, Targeted Attack in Mexico: Now a DNS Changer and A Botnet | TrendLabs | Malware Blog - by Trend Micro
