Architecture, Application Security

VeriSign iDefense: New attack blends rootkits with HTML-injections to phish users on the fly

March 3, 2007

An organized crime network is distributing malware that takes advantage of rootkits and a state-of-the-art HTML injection to phish consumers as they browse the web, according to a new report from VeriSign's iDefense labs.

The malicious code sample analyzed by iDefense was a Small downloader trojan variant that installs two rootkit-protected files, and collects and transfers email addresses to a remote website. The malware then performs the HTML injection on web forms from targeted institutions that users encounter in order to commit a man-in-the-middle phish.

“Man-in-the-middle attacks done off the host are increasingly common with the most sophisticated attacks to date,” Ken Dunham, director of the Rapid Response Team for iDefense, told SCMagazine.com today. “Malicious code just sits on the computer and it manipulates the user environment for maximum profit.”

The report recommended changing and hardening credentials and account data on systems infected with this malware. It also advised that users and administrators remove components on popular anti-rootkit program, remove all Windows registry changes and enable the Windows firewall. Additionally, the attack creates a phony administrator account, “admineistrator,” so it is recommended that this account be deleted.

According to the report compiled by Dunham’s team, the malware code operates from an IP address registered to the Russian Business Network (RBN). As a result, iDefense advised monitoring network traffic to the remote RBN server at the IP address 81.95.147.107 to look for suspicious activity related to the attack.

This isn’t the first time RBN has struck innocent users. The address and the group were responsible for the Corpse Spyware Nuclear Grabber/Haxdoor attacks conducted in January 2007.

“Russian organized crime gangs are laughing all the way to the bank at this point,” Dunham says of attacks such as these. “It is very difficult to identify and mitigate, but as you can see from our report, we are aware of this and we’ve understood it and identified reasonable countermeasures and hopefully over a period of time we’ll be able to gain ground on the Russian criminals behind such attacks.”

Click here to email West Coast Bureau Chief Ericka Chickowski.

prestitial ad