Fake Banking Security update installs Rootkit

Posted Tuesday, September 23, 2008 10:15 PM by hwaldron

Trend Micro has documented a new bank phishing attack whose message looks realistic. This new attack may appear as a Wachovia (latest version) or Bank of America "connection or security update". It warns the user that they will lose their online banking privileges if this agent is not installed.

If users follow these directions, a rootkit will be installed.  This is one of the worst forms of malware circulating, as it alters Windows settings so that it becomes completely hidden except by the best rootkit detection tools. 

Please always avoid taking any direct action from ANY email message that you may receive. Always confirm by phone or another more trustworthy channel that a message which seems to match your circumstances is truly legitimate. These attacks are so well done that they can deceive experienced users.

Fake Wachovia Security Update installs Rootkit
http://blog.trendmicro.com/wachovia-security-certificate-installs-rootkit/

QUOTE: At 4:18 PM PST yesterday, Advanced Threats Researcher Ivan Macalintal discovered a spy-phishing scheme targeting the Fortune 500 company and 4th largest banking chain in the US, Wachovia Bank (NYSE: WB). This attack ends in the execution of a rootkit, TROJ_ROOTKIT.FX, which is a file that hides files and processes, allowing malicious attacks to run entirely beneath the radar.

Malicious rootkits are especially sneaky because they can hide processes and files from even tech-savvy users. This means entire attacks can transpire without the victim even guessing that there is something wrong with the PC. Malicious rootkits are often associated with information theft, and the fact that this spam appears to target Wachovia subscribers means that malware writers are counting on the chances that the victim's PC contains critical financial information they can then siphon for their own use.

AVOID EMAIL MESSAGES WITH THESE SUBJECT LINES:
Wachovia Connection Update Alert.
Wachovia Connection Customer Support - Security Updates.
Wachovia Connection upgrade warning.
Wachovia Connection Emergency Alert System.

Sample email message currently circulating
http://www.trendmicro.com/vinfo/images/blog/wachovia_2.gif

Example of Fake Wachovia site can be found here
http://blog.trendmicro.com/phishers-hit-multiple-banks-with-one-stone/
