It’s fairly well accepted that most of the banking Trojans originate in Brazil, while most of the big SPAM botnets originate in Russia. One such banking Trojan is ‘Bancos’, a kind of malware that tries to steal financial data from a victim’s PC.
Normally it happens like this:
Once executed on the victim's system, ‘Bancos’ contacts its ‘Command and Control Server’ and tries to download a .txt file. This .txt file has exactly the same format as the default Windows hosts file (%SystemRoot%\System32\drivers\etc\hosts), as shown below:
This .txt file has entries for the hostnames of various financial and government domains, such as American Express. Once the default Windows hosts file is replaced by this downloaded copy, every user attempt to log on to one of these legitimate domains is redirected to a malicious server hosting phishing copies of these web sites. All credentials and sensitive data exchanged on these fake web sites are stored by the malicious server and can be used by the bad guys to perform various types of banking fraud.
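Because the hijack lives entirely in a text file on disk, it can be detected without any knowledge of the C&C server: any entry that maps a bank's hostname to a routable address is a red flag, since legitimate hosts-file entries for those domains do not exist. The following script is an added example written for this post, not FireEye's code and not part of the original article. It parses a hosts file, ignores ad-blocking style entries that sinkhole names to 127.0.0.1 or 0.0.0.0, and reports entries that point a watched domain (or, with no watchlist, any hostname at all) at a routable address. The sample hosts file, the IP addresses and the `example-bank.test` domain are constructed for the demonstration.

```python
import ipaddress
import os


# Constructed sample, modelled on the kind of replacement hosts file
# described in the post. The addresses and example-bank.test are made up;
# the americanexpress.com line mirrors the domain the post names.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.example-bank.test
203.0.113.45    example-bank.test
203.0.113.45    www.americanexpress.com
0.0.0.0         ads.example.test   # ad-blocking entry, not a hijack
"""


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text.

    Comments, blank lines and lines whose first field is not an IP are
    skipped; one line may map several hostnames to the same address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((ip, host.lower()))
    return entries


def is_sinkhole(ip):
    """Loopback and unspecified addresses block a name rather than redirect it."""
    return ip.is_loopback or ip.is_unspecified


def find_hijacked(text, watchlist=None):
    """List (hostname, ip) entries that send a name to a routable address.

    With a watchlist, only the listed domains and their subdomains are
    reported; without one, every non-sinkhole entry is reported, which is
    the stricter check for a machine that should have no such entries."""
    hits = []
    for ip, host in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        if watchlist is None or any(
            host == d or host.endswith("." + d) for d in watchlist
        ):
            hits.append((host, str(ip)))
    return hits


def windows_hosts_path():
    """Path of the live hosts file on the Windows machine running this script."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    # Check the constructed sample against a short watchlist of bank domains.
    for host, ip in find_hijacked(SAMPLE_HOSTS, ["americanexpress.com", "example-bank.test"]):
        print(f"HIJACKED: {host} -> {ip}")
    # On a Windows host, the same check can be run against the real file:
    #   find_hijacked(open(windows_hosts_path()).read())
```

Running the sample prints three `HIJACKED` lines, one per bank hostname redirected to 203.0.113.45, while the `localhost` and `0.0.0.0` lines are ignored. In an environment where the hosts file should be untouched, calling `find_hijacked` with no watchlist and alerting on any result at all is the simpler and more robust rule, since it catches domains the attackers add later without a watchlist update.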
Here are some of the screenshots of the phishing web sites (on the right) in comparison to the legitimate web sites.
The worst part of this story is that the malicious ‘hosts’ file is fetched from a remote server. What this means is that the bad guys have complete freedom to develop new phishing web sites at any time by targeting new domains, letting ‘Bancos’ update the victim’s hosts file, and hijacking the user’s future legitimate browser sessions.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM