Archive for the ‘Bancos’ Category

Urlzone/Bebloh Bait and Switch

Friday, October 9th, 2009

Cybercriminals are adding techniques to their banking password stealers to further cover their tracks. Not that they were having an especially difficult time with this already, as Guillaume Lovet’s Virus Bulletin paper on fighting cybercrime points out, but the technical and forensic challenges have now been stepped up another level. We have been tracking the growth of the Urlzone/Bebloh family since February of this year, and other groups’ fraud operations have been growing more sophisticated at a similar pace.

The first, larger waves we saw in February targeted German users; the ThreatFire community was protected from them. As more European banks and countries were hit, we continued to monitor for a broader global presence, since the malware package is becoming ever more popular among multinational banking cyberthieves. Distribution servers have begun appearing on American providers’ networks, so the next logical step is for American banks to be targeted as well. We will be monitoring the situation closely.

The stealer is being spread by attacking the usual client-side vulnerabilities in browsers and third-party plugins.

Bancos Dropper

Tuesday, March 17th, 2009

ThreatFire users in Brazil are being attacked with yet another Bancos dropper/downloader.

The source of the file, “jk982732-2309.zip”, which extracts to nothing more than an ASPack-packed “jk982732-2309.exe”, is not entirely clear at this point. If any of our users have seen this file blocked on their desktop, please contact us on the forums or here in the comments with information on its source and any IM messages or email related to this file.

A dead giveaway that something is unusual is the “Google Inc” company-name file property, paired with the Microsoft MSN butterfly icon.

Another giveaway that something is amiss is that the file also attempts to download components from the free web hosting site “nofeehost.com” that masquerade as components of the Brazilian security product Buster Browser Defense.
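As an added example (not part of the original post and not ThreatFire’s own tooling), the following Python script performs the kind of static triage the two giveaways above describe: it reads the version-resource claims out of a suspect executable, checks whether the PE carries an Authenticode certificate table, and flags packer section names. The sample it runs against is constructed inline, a header-only PE32 stub with a fake version resource rather than the real jk982732-2309.exe; the vendor list and the ASPack/UPX section names are assumptions, and the UTF-16 string scan is a heuristic that stands in for a full resource-tree parser.

```python
"""Static triage of a suspect Windows executable, standard library only.

Added example: flags a version resource that claims a big vendor on a file
carrying no Authenticode certificate table, plus ASPack/UPX section names.
"""
import struct

# Assumed packer section names (ASPack and UPX defaults).
PACKER_SECTIONS = {b".aspack": "ASPack", b".adata": "ASPack",
                   b"UPX0": "UPX", b"UPX1": "UPX"}
VERSION_KEYS = ("CompanyName", "ProductName", "OriginalFilename", "FileDescription")
# Assumed list of vendors whose name on an unsigned binary deserves a look.
BIG_VENDORS = ("google", "microsoft", "adobe")


def _utf16(s):
    return s.encode("utf-16-le")


def version_strings(data):
    """Heuristic: find StringFileInfo keys as UTF-16LE and read the value after them."""
    found = {}
    for key in VERSION_KEYS:
        needle = _utf16(key) + b"\x00\x00"          # key plus its terminator
        idx = data.find(needle)
        if idx < 0:
            continue
        pos = idx + len(needle)
        while data[pos:pos + 2] == b"\x00\x00":     # DWORD padding before Value
            pos += 2
        end = pos
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        found[key] = data[pos:end].decode("utf-16-le", "replace")
    return found


def pe_headers(data):
    """Return (section names, True if a certificate table is present)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 4 is SECURITY.
    dirs = opt + (96 if magic == 0x10B else 112)
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    signed = False
    if ndirs > 4:
        _, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
        signed = cert_size > 0
    sec = opt + opt_size
    names = [data[sec + 40 * i:sec + 40 * i + 8].rstrip(b"\x00") for i in range(nsections)]
    return names, signed


def triage(data):
    """Combine the indicators into a findings list a human can act on."""
    names, signed = pe_headers(data)
    info = version_strings(data)
    company = info.get("CompanyName", "")
    findings = []
    if not signed and any(v in company.lower() for v in BIG_VENDORS):
        findings.append("CompanyName %r but no Authenticode certificate table" % company)
    for n in names:
        if n in PACKER_SECTIONS:
            findings.append("packer section %s (%s)" % (n.decode(), PACKER_SECTIONS[n]))
    return {"company": company, "original_filename": info.get("OriginalFilename", ""),
            "signed": signed, "sections": [n.decode("ascii", "replace") for n in names],
            "findings": findings}


def build_sample(company, sections, signed):
    """Constructed stand-in for the dropper: header-only PE32 plus a fake version resource."""
    ver = b"".join(_utf16(k) + b"\x00\x00" + _utf16(v) + b"\x00\x00"
                   for k, v in (("CompanyName", company),
                                ("OriginalFilename", "jk982732-2309.exe")))
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x1000, 0x800)   # fake cert table
    secs = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in sections)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + secs + ver


SAMPLE = build_sample("Google Inc", [b".aspack", b".adata", b".rsrc"], signed=False)

if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print("%-18s %s" % (k, v))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`. A present certificate table only means the binary claims a signature; validating it against a trusted chain is a separate step that this script does not attempt.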

Any further information from users would be welcome.