Scammers tying in on disasters
We have seen them before: scum trying to make money off disasters in other people's lives. The aircraft crash in Brazil is no different. It starts with a spam campaign promoting a website; the website then entices visitors to click on tiny thumbnail images that lead to malware. Not cool.
Find courtesy of Websense, who have an article about it.
Here is what the antivirus vendors think of the malware (VirusTotal, scanned 3 October 2006):
[ file data ]
size | 274462 |
md5 | fca50b317ac7648b65c80a2f08ede9ef |
sha1 | bd85d52e616ab14bef3bfe42e9d44c0820d895cf |
[ scan result ]
AntiVir | 7.2.0.22/20061003 | found [DR/Spy.Bancos.YT] |
Authentium | 4.93.8/20061002 | found [W32/Banker.XCA] |
Avast | 4.7.892.0/20061003 | found nothing |
AVG | 386/20061003 | found nothing |
BitDefender | 7.2/20061003 | found [Generic.Banker.VB.11DF9CB6] |
CAT-QuickHeal | 8.00/20061003 | found nothing |
ClamAV | devel-20060426/20061003 | found nothing |
DrWeb | 4.33/20061003 | found [BackDoor.Generic.1437] |
eTrust-InoculateIT | 23.73.11/20061002 | found nothing |
eTrust-Vet | 30.3.3113/20061003 | found nothing |
Ewido | 4.0/20061003 | found nothing |
F-Prot | 3.16f/20061002 | found [security risk named W32/Banker.XCA] |
F-Prot4 | 4.2.1.29/20061002 | found [W32/Banker.XCA] |
Fortinet | 2.82.0.0/20061003 | found [Spy/Bancos] |
Ikarus | 0.2.65.0/20061003 | found [Backdoor.Win32.Radmin.w] |
Kaspersky | 4.0.2.24/20061003 | found [Trojan-Spy.Win32.Bancos.yt] |
McAfee | 4865/20061003 | found nothing |
Microsoft | 1.1603/20061003 | found nothing |
NOD32v2 | 1.1787/20061003 | found [probably a variant of Win32/Spy.Bancos.U ] |
Norman | 5.80.02/20061003 | found [Bancos.KVY] |
Panda | 9.0.0.4/20061003 | found nothing |
Sophos | 4.10.0/20061003 | found nothing |
Symantec | 8.0/20061003 | found nothing |
TheHacker | 6.0.1.090/20061003 | found [Trojan/Spy.KeyLogger.bp] |
UNA | 1.83/20061003 | found nothing |
VBA32 | 3.11.1/20061003 | found [Trojan-Spy.Win32.Bancos.yt] |
VirusBuster | 4.3.7:9/20061003 | found nothing |
IOW: a banking-aware keylogging piece of malware (most engines that flag it put it in the Bancos/Banker family) that, at the time of the scan, was detected by only 13 of 27 engines and missed by several big-name vendors, among them McAfee, Symantec, Sophos, Microsoft, Avast and AVG. Note that the three engines that did not name a banker family (DrWeb, Ikarus, TheHacker) each gave a different generic label, so the vendor names alone would not have told a user what this thing does.
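As an added example (not part of the original diary, and not a Websense or VirusTotal tool), the scan-result text above can be parsed to get the numbers behind that sentence: how many engines flagged the file, which did not, and whether their labels agree on a family. The regex and function names are my own; the only data is the table quoted on this page. The hash check at the end confirms that a file you have in hand is this exact sample, which is useful when sharing it with a vendor, but it is not a detection mechanism.

```python
import hashlib
import re
from collections import Counter

# Indicators copied from the VirusTotal report quoted in the diary.
SAMPLE_SIZE = 274462
SAMPLE_MD5 = "fca50b317ac7648b65c80a2f08ede9ef"
SAMPLE_SHA1 = "bd85d52e616ab14bef3bfe42e9d44c0820d895cf"

# The scan-result block as VirusTotal printed it (copied from the diary).
SCAN_RESULT = """\
AntiVir | 7.2.0.22/20061003 | found [DR/Spy.Bancos.YT] |
Authentium | 4.93.8/20061002 | found [W32/Banker.XCA] |
Avast | 4.7.892.0/20061003 | found nothing |
AVG | 386/20061003 | found nothing |
BitDefender | 7.2/20061003 | found [Generic.Banker.VB.11DF9CB6] |
CAT-QuickHeal | 8.00/20061003 | found nothing |
ClamAV | devel-20060426/20061003 | found nothing |
DrWeb | 4.33/20061003 | found [BackDoor.Generic.1437] |
eTrust-InoculateIT | 23.73.11/20061002 | found nothing |
eTrust-Vet | 30.3.3113/20061003 | found nothing |
Ewido | 4.0/20061003 | found nothing |
F-Prot | 3.16f/20061002 | found [security risk named W32/Banker.XCA] |
F-Prot4 | 4.2.1.29/20061002 | found [W32/Banker.XCA] |
Fortinet | 2.82.0.0/20061003 | found [Spy/Bancos] |
Ikarus | 0.2.65.0/20061003 | found [Backdoor.Win32.Radmin.w] |
Kaspersky | 4.0.2.24/20061003 | found [Trojan-Spy.Win32.Bancos.yt] |
McAfee | 4865/20061003 | found nothing |
Microsoft | 1.1603/20061003 | found nothing |
NOD32v2 | 1.1787/20061003 | found [probably a variant of Win32/Spy.Bancos.U ] |
Norman | 5.80.02/20061003 | found [Bancos.KVY] |
Panda | 9.0.0.4/20061003 | found nothing |
Sophos | 4.10.0/20061003 | found nothing |
Symantec | 8.0/20061003 | found nothing |
TheHacker | 6.0.1.090/20061003 | found [Trojan/Spy.KeyLogger.bp] |
UNA | 1.83/20061003 | found nothing |
VBA32 | 3.11.1/20061003 | found [Trojan-Spy.Win32.Bancos.yt] |
VirusBuster | 4.3.7:9/20061003 | found nothing |
"""

# One "vendor | engine/sigdate | found <verdict> |" row; the header
# lines such as "[ scan result ]" do not match and are skipped.
LINE_RE = re.compile(
    r"^\s*(?P<vendor>[^|]+?)\s*\|\s*(?P<version>[^|]+?)\s*\|\s*found\s+(?P<verdict>.*?)\s*\|?\s*$"
)

# Family tokens we look for in vendor labels (my choice, based on the labels above).
FAMILY_TOKENS = ("bancos", "banker", "keylogger", "radmin")


def parse_scan_result(text):
    """Return [(vendor, version, label)] with label None when the engine found nothing."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = m.group("verdict")
        label = None if verdict == "nothing" else verdict.strip("[]").strip()
        rows.append((m.group("vendor").strip(), m.group("version").strip(), label))
    return rows


def detection_summary(rows):
    """Detection ratio, the engines that missed, the dominant family and the outliers."""
    detected = [(vendor, label) for vendor, _, label in rows if label]
    missed = [vendor for vendor, _, label in rows if label is None]
    families = Counter(
        token for _, label in detected for token in FAMILY_TOKENS if token in label.lower()
    )
    return {
        "engines": len(rows),
        "detected": len(detected),
        "missed": missed,
        "consensus_family": families.most_common(1)[0][0] if families else None,
        # Engines whose label names neither Bancos nor Banker.
        "outliers": [v for v, label in detected
                     if not any(t in label.lower() for t in ("bancos", "banker"))],
    }


def matches_sample(data):
    """True only if size, MD5 and SHA-1 of *data* all match the published indicators."""
    return (len(data) == SAMPLE_SIZE
            and hashlib.md5(data).hexdigest() == SAMPLE_MD5
            and hashlib.sha1(data).hexdigest() == SAMPLE_SHA1)


if __name__ == "__main__":
    summary = detection_summary(parse_scan_result(SCAN_RESULT))
    print(f"{summary['detected']}/{summary['engines']} engines detected it; "
          f"consensus family: {summary['consensus_family']}")
    print("missed by:", ", ".join(summary["missed"]))
    print("non-banker labels from:", ", ".join(summary["outliers"]))
```

Running it reproduces the 13-of-27 figure and lists the vendors that returned "found nothing" for this sample on that date; the same parser works on any other VirusTotal plain-text report of this era, since only the embedded table is specific to this diary.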
The important lesson is not to click on links in email, IM, or any other channel through which you could be socially engineered into doing things you don't want to do. That needs to be applied not only on the receiving end, by not following links we're given, but also on the sending end, by not offering friendly-looking links to our friends.
e.g.:
- NOT: pointing to http://news.bbc.co.uk/1/hi/world/americas/5401846.stm
- BUT: tell them to go to the BBC site and search for 'brazil aircrash'.
Swa Frantzen -- Section 66