News - Security Threats & Alerts: This thread focuses on malware, malicious websites, Trojan horses and other threats and alerts in circulation
WSLabs, Malicious Website / Malicious Code: Trojan Crimeware using Google Maps
From: Websense Security Labs <DoNotReply@websensesecuritylabs.com>
To: ScamFraudAlert@gmail.com
Date: Feb 19, 2007 9:50 AM

Websense Securitylabs(TM) has received reports of a Trojan which is related to an email that has been distributed, claiming that the Australian Prime Minister had suffered a heart attack.

The Trojan is formed by several different components. It basically monitors all your accesses to web pages and keeps track of them, keylogging everything you do. It contains a special module which it uses for phishing. At the time of this alert there were more than 2500 infected victims.

The affected banks are:

- Westpac (Australia)
- Kasikorn Bank (Thailand)
- Banco de Valencia (Spain)
- Commonwealth Bank (Australia)
- BBVA (Spain)
- Caja Madrid (Spain)
- Bank of America (USA)
- Unicaja (Spain)
- Wells Fargo (USA)
- Sparkasse (Germany)
- Deutsche Bank (Germany)
- Gad (Germany)
- Commerz Bank (Germany)
- Post Bank (Germany)

On the other hand, it installs a web server on the affected machine which allows the attacker to access that machine every time it is online. To achieve that, he/she has a control panel where he/she can have a full list of all the infected machines including IP address, country, ports he/she can use to access the machine using different protocols, and even a link to Google Maps which will exactly point out where that IP is located.

We thank the AusCERT for providing the sample.

Screenshots of Google Maps and Attacker Statistics panel within full alert.

For additional details and information on how to detect and prevent this type of attack: http://www.websensesecuritylabs.com/...hp?AlertID=741