Email regarding Facebook account update is a phish - Part 2
Ax3soft captured emails that turned out to be Facebook phishing
emails.
The From address is apparently spoofed and has nothing to do
with Facebook in any way. The emails use various subjects:
Facebook Account Update
Facebook Update Tool
new login system
The next step is to find a working host that serves the supposed
phishing site. We visited htxxp://www.facebook.com.ujtqwaqo.eu/globaldirectory/LoginFacebook.php?ref=xxx&email=xxx@xxx.com
and got the login screen.

When we filled in a fake login and password we were redirected to
the following screen. To our surprise we did not find a web form
for submitting personal information; instead we found a link to a
malware file, updated tool.exe.

This malware is detected as Gen:Heur.Zbot.gq0@cS0Ulyb (BitDefender),
PWS:Win32/Zbot.gen!R (Microsoft) or Mal/EncPk-LE (Sophos). As
you know, ZBot is a banking trojan; its functions include
disabling the firewall, stealing sensitive financial data (credit
card numbers, online banking login details), taking screen
snapshots, downloading additional components, and providing the
attacker with remote access to the compromised system.
It creates the file %System%\sdra64.exe on the infected system.
The hidden files %System%\lowsec\local.ds, %System%\lowsec\user.ds
and %System%\lowsec\user.ds.lll are created together with the hidden
directory %System%\lowsec.
It creates new memory pages in the address space of the system
process(es):
%System%\services.exe, %System%\lsass.exe, %System%\svchost.exe,
%System%\alg.exe and %ProgramFiles%\internet explorer\iexplore.exe.
The infection also modifies the Windows registry and establishes
a connection to a remote host:
hxxp://193.104.27.42/lcc/ip2.gif and hxxp://193.104.27.42/ip.php.
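The indicators above (the phishing host, the remote host and its two paths, the email subjects and the dropped files) can be turned into a simple matcher for proxy logs, mail subjects and host file listings. The script below is an added example written for this write-up; it is not Ax3soft or Sax2 code. The indicator values come from the text, but the log line layout, the sample log lines and the sample file listing are constructed for the demonstration, and flagging any host under ujtqwaqo.eu (not only www.facebook.com.ujtqwaqo.eu) is a generalisation made here.

```python
"""Indicator matching for the Facebook-themed Zbot campaign described above.

Added example, not Ax3soft/Sax2 code. Indicator values are taken from the
write-up; the log format and all sample data are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Network indicators from the write-up (defanging removed so they match live logs).
C2_HOST = "193.104.27.42"
C2_PATHS = {"/lcc/ip2.gif", "/ip.php"}
PHISH_HOST = "www.facebook.com.ujtqwaqo.eu"
PHISH_DOMAIN = "ujtqwaqo.eu"  # generalisation: any host under the registered domain

# Email subjects used by the campaign (compared case-insensitively).
PHISH_SUBJECTS = {"facebook account update", "facebook update tool", "new login system"}

# Dropped-file artifacts; %System% is left symbolic, so only the path suffix is matched.
FILE_ARTIFACTS = (
    r"\sdra64.exe",
    r"\lowsec\local.ds",
    r"\lowsec\user.ds",
    r"\lowsec\user.ds.lll",
)

# Assumed proxy log layout (constructed): "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(url):
    """Return 'c2' (known path), 'c2-host' (any other path on the remote host),
    'phish' (phishing domain) or None for a single URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == C2_HOST:
        return "c2" if parts.path in C2_PATHS else "c2-host"
    if host == PHISH_HOST or host == PHISH_DOMAIN or host.endswith("." + PHISH_DOMAIN):
        return "phish"
    return None


def scan_proxy_log(lines):
    """Return (client, kind, url) for every log line that hits an indicator.
    Lines that do not match the assumed layout are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        kind = classify_url(m.group("url"))
        if kind:
            hits.append((m.group("client"), kind, m.group("url")))
    return hits


def summarize(hits):
    """Group hits by client so one infected machine is reported once per indicator kind."""
    by_client = {}
    for client, kind, _url in hits:
        by_client.setdefault(client, set()).add(kind)
    return {client: sorted(kinds) for client, kinds in by_client.items()}


def is_phish_subject(subject):
    """True when a mail subject exactly matches one of the campaign subjects."""
    return subject.strip().lower() in PHISH_SUBJECTS


def find_file_artifacts(paths):
    """Return the entries of a file listing whose path ends with a Zbot artifact."""
    suffixes = tuple(s.lower() for s in FILE_ARTIFACTS)
    return [p for p in paths if p.lower().endswith(suffixes)]


# Constructed sample data (not real traffic or a real host).
SAMPLE_PROXY_LOG = [
    "2009-11-05T10:01:02 10.0.0.12 GET http://www.facebook.com/home.php 200",
    "2009-11-05T10:01:40 10.0.0.12 GET http://www.facebook.com.ujtqwaqo.eu/globaldirectory/LoginFacebook.php?ref=xxx&email=xxx@xxx.com 200",
    "2009-11-05T10:03:15 10.0.0.12 GET http://193.104.27.42/lcc/ip2.gif 200",
    "2009-11-05T10:03:16 10.0.0.12 GET http://193.104.27.42/ip.php 200",
    "2009-11-05T10:04:00 10.0.0.33 GET http://193.104.27.42/index.html 404",
    "this line does not follow the assumed layout",
]
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\sdra64.exe",
    r"C:\WINDOWS\system32\lowsec\local.ds",
    r"C:\WINDOWS\system32\lowsec\user.ds.lll",
    r"C:\WINDOWS\system32\drivers\etc\hosts",
]

if __name__ == "__main__":
    for client, kinds in summarize(scan_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(client, kinds)
    print(find_file_artifacts(SAMPLE_LISTING))
```

Matching on the whole host rather than the "facebook.com" prefix is the point of the phishing check: the lure relies on the victim reading only the first labels of the name. The 404 against /index.html is still reported as c2-host, since any traffic to that address from an internal client is worth a look even when the known paths are not requested.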
We have added new policies to Ax3soft Sax2 to detect this Trojan;
please update the Sax2 policy knowledge base in time. For more
information, please visit
http://www.ids-sax2.com/ComputerSecurityNewsletter.htm