Always be on the lookout for phony warnings and messages from banks and other financial institutions. Even if it is someone claiming to be a banking employee and they know some of your information, do not give out personal information or install unusual applications when you are being contacted over email. You can always contact your bank by calling them back or visiting the web site you were informed of when you opened your account to take care of your business.
An example email blast sent out right now with the subject line “Bank of America Security Department: How to Update Software” warns the receiving user that “Automatic Installation failed for Bank of America certificate component” and provides a bank-sounding link, persuading the user to visit the site. A user could easily be confused by the url, as seen in a browser bar here:
Notice that the link is not “bofa.com” or “bankofamerica.com”, but instead, “767certificate.com” (many other confused urls are being used in this ongoing scheme). When the link is visited with a browser, the center of the deceptively accurate page presents a demo video and automatically prompts the users to install an “Adobeflashplayer.exe“. As can be seen at this ThreatExpert report, this malware is not a Flash installer. This screenshot shows the certificate warning “You have not been permitted to access the Bank of America Direct login page because your browser did not provide a valid digital certificate” and the accompanying popup for the “Adobeflashplayer.exe” malware download. DO NOT download and run this file:
ThreatFire prevents many behaviors exhibited by this malware as Spyware.Ursnif when protecting a clean system. When ThreatFire is installed on system previously infected with the spyware and its rootkit, ThreatFire will identify the hidden new_drv.sys rootkit driver as Rootkit.Agent and hidden 9129837.exe (randomly named) executable copied to c:\windows, and associated registry keys when a rootkit Intelliscan is run. ThreatFire also quarantines it all properly when selected.
