Tragedy of Chilean Miners Exploited to Spread Malware
Panda Security's antimalware laboratory PandaLabs has discovered a new piece of malicious code named Banbra.GUC, which lures users with a YouTube video about the rescue of the miners trapped in a Chilean mine.
Banbra.GUC is the latest variant of the notorious Banbra family of banker Trojans, which was first detected in 2003 and is designed to steal user information when victims visit certain malicious websites.
When the video file runs, Internet Explorer opens and displays a YouTube video from a news channel about the rescue of the miners trapped in a Chilean mine a few days ago. However, this is only a trap.
While users are watching the video, the Trojan is loaded onto their computers and creates a copy of itself. It also creates a Windows Registry entry so that it runs automatically as soon as the computer starts. On startup, it connects to an FTP server and downloads various executable files, which are then saved on the computer.
These downloaded files include fake websites that duplicate the content and format of the authentic websites belonging to the affected services, e.g. many banks in Brazil, Hotmail and the social networking site 'Orkut'.
The affected banks in Brazil are Banco do Brasil, Banco Real, Banco Santander Brasil, Bradesco, Caixa Brasil, Itaú and Unibanco.
If an affected user visits any of these pages, Banbra.GUC starts downloading a few executable files that imitate the bank's page. As soon as the user enters their login information, the executable stops and the user is redirected to the bank's original page. The Trojan then sends all the stolen details to its creator by email.
Luis Corrons, Technical Director of PandaLabs, reveals that this Trojan is particularly dangerous because apart from stealing the bank details, it downloads various malware controlled by the cyber-criminals, as reported by Help Net Security on 2nd September, 2010.
He also adds that users should be more careful, as this kind of Trojan is generally spread through emails or social networking sites containing links that appear to lead to a YouTube video. In reality, the Trojan is downloaded to the computer, and it plays the video to avoid raising any doubt.
» SPAMfighter News - 17-09-2010