Fresh Cridex Trojan hits Web-surfers for 137 Financial Institutions
Irvine, California-based M86 Security Labs, a provider of gateway security solutions, has announced that its researchers have found a Trojan called Cridex being spread via an exploit kit and targeting 137 financial institutions worldwide.
The company's researchers explain that the attacks begin with several large-scale spam campaigns. Before sending the spam, the criminals compromised several thousand WordPress websites. The spam messages carry HTML attachments or web links that lure recipients to those compromised sites, which in turn redirect visitors to sites hosting the Phoenix exploit kit.
Explaining the incident, security expert Daniel Chechik of M86 Security stated that after successfully exploiting the target PC, Phoenix downloads Cridex onto the affected system. Banktech.com published this on March 1, 2012.
Once installed on a victim's system, the Trojan performs several actions: it copies itself to the C: drive; injects itself into "explorer.exe"; communicates with its remote command-and-control (C&C) system through fast-flux networks, which makes identifying or taking down the C&C server harder; and, every few hours, replaces a domain that has become unreachable with a new one.
To reach the C&C infrastructure, Cridex continually searches for an active proxy. At first the domains it uses appear to be randomly named, but on closer examination M86 observed that a new domain name is generated before each of the Trojan's attempts to contact the command-and-control server. By generating and registering domains in this systematic way, the criminals are able to resume the attack even when their C&C infrastructure goes offline temporarily.
Specifically, as soon as Cridex finds an active proxy and establishes contact with the command-and-control system, it downloads a tailored configuration file from the Trojan's botnet. Several botnets are currently operational, with more than 25,000 infected PCs in total, M86 discloses.
M86 also notes that anti-virus vendors identify Cridex under other names, such as Dapato and Carperb, adding that only 10 of the 43 anti-virus scanners on VirusTotal are able to detect it, a fairly low detection rate.
» SPAMfighter News - 10-03-2012