Wednesday, June 17, 2015

Malicious software in the “phone hacking scandal” files – cert.pl

The recent leak of documents related to the phone-hacking scandal has become a pretext for easier social engineering attacks on Polish internet users. In one such case, a file called FILE ALL 1-20.exe, which pretends to be files associated with the investigation, is in fact malicious software with quite a wide range of capabilities. Logging keystrokes, spreading through removable drives, and stealing data stored in browsers and in system registry entries are just some of the unpleasantness we may encounter by running the said file.



Technical Description

Unfortunately, we do not know how this malware began to spread. It is possible that, as in previously reported cases, a web page simply offers the files that users are searching for when trying to find all the files from the investigation. The software is detected by as many as 45 out of 57 antivirus solutions on VirusTotal. This is expected, because the analyzed file is a very primitive worm whose main task is to steal data. Most antivirus vendors call it “Rebhip.”

After infection, the malware performs a series of steps that are potentially dangerous for the victim.

  • Steals passwords from the popular web browsers Internet Explorer and Firefox.
  • Copies itself to all removable drives and creates a suitable AUTORUN.INF file, so that a Windows computer with autorun enabled can be infected when the removable disk is inserted.
  • Injects itself into two processes: explorer.exe and iexplore.exe. The second process is used for network communication with the C&C server. In this way it bypasses firewalls that examine which applications communicate with the Internet, because most users allow the Internet Explorer process this communication.
  • Adds itself to four different registry keys in order to guarantee that it starts when the system boots.
  • Steals no-ip.com login data, so that the attacker gains access to a larger number of domains and can change the C&C server frequently.
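To illustrate the removable-drive spreading described above from the defender's side, here is an added example (not code from the post or from cert.pl) that parses an AUTORUN.INF file and flags entries that auto-launch an executable; the two sample files, including the RECYCLER path, are constructed for the example and are not taken from the real sample.

```python
import re
from typing import Dict, List

# Constructed sample modelled on worm-style AUTORUN.INF files; the path is
# invented for this example, only the file name comes from the post.
SAMPLE_WORM_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21\\FILE ALL 1-20.exe
shellexecute=RECYCLER\\S-1-5-21\\FILE ALL 1-20.exe
shell\\open\\command=RECYCLER\\S-1-5-21\\FILE ALL 1-20.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

# Constructed benign sample: only sets a drive icon and label.
SAMPLE_BENIGN_AUTORUN = """[AutoRun]
icon=drive.ico
label=Backup
"""

# Extensions that Windows will run directly when referenced from autorun.
EXEC_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|dll)\b", re.IGNORECASE)
# Keys whose value is executed by AutoRun/AutoPlay.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key->value pairs from the [autorun] section, keys lower-cased."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text: str) -> List[str]:
    """List reasons an AUTORUN.INF looks like worm-style auto-execution."""
    findings = []
    for key, value in parse_autorun(text).items():
        # shell\<verb>\command entries run when the user picks that verb.
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches and EXEC_RE.search(value):
            findings.append(f"{key} launches executable: {value}")
    return findings
```

Run `autorun_findings` over the autorun.inf of each mounted removable drive; a benign icon/label file yields no findings, while the worm-style file yields one finding per launching key.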

In addition, the malware contains code to hinder its analysis with a debugger. Besides standard techniques, such as checking whether the program is being debugged via the IsBeingDebugged flag, the program also checks whether certain functions begin with an instruction that stops the program, i.e. a breakpoint. Placing such breakpoints is a common procedure used by people analyzing software to run the program until it reaches an interesting function.

The malware also implements a number of methods to avoid analysis environments. They are based on examining the Windows installation key and the existence of certain DLLs or services. After the data is stolen, it is sent to an address in the no-ip.info domain, which resolved to an IP address in the UPC network. no-ip.info is a “dynamic DNS” provider, which means that the IP address to which the domain name resolves can change rapidly.

Summary

Unfortunately, we have repeatedly witnessed significant events being used for social engineering attacks. This was the case with the earthquake in Nepal, when at least 15 fake websites were set up asking for donations on behalf of the International Red Cross. It was also the case with the latest attack exploiting the MERS disease, in which a Trojan was distributed as an alleged list of infected patients.

As you can see, these are not the most technologically advanced attacks, and we do not have statistics on their effectiveness, but preying on people's curiosity, especially when they are searching for information on the network, may be a very effective tactic.

We recommend that everyone be careful when opening mail from unknown sources or downloading files from untrusted websites.

We also recommend reading the OUCH! newsletters, which will help, for example, if the computer is already infected.

Tags: malware, OUCH, trojan, leakage

