Nytro Posted February 18, 2012

Keylogger poses as Facebook and Microsoft, steals login credentials

By Dave Michmerhuizen & Luis Chapetti – Security Researchers

Most computer users have a haunting fear that somehow malware will find a way to sneak onto their PCs when they are not looking. The truth is that while this does sometimes happen, the most common types of malware rely on trickery to invade and infect your computer.

An excellent example of this fell into our spam traps recently: a spam that pretended to be from Facebook (an easy thing to fake, actually), hiding its payload behind an official-looking graphic from Microsoft. In this case the image is an HTML link supposedly offering up Microsoft Silverlight. If you take your time and examine the destination of that link you’ll see that the real payload is a .PIF file from an IP address in Malaysia.

PIF files are Windows executable files, and in this case the executable that is actually sent is Trojan.Win32.Jorik. It can’t sneak onto your computer and install itself, though; it needs your help to do that. Clicking on the Silverlight graphic does warn you that you’re about to run a program. This is why the Microsoft graphic is a clever addition to the ruse – you think you should be running a Microsoft program, and it’s doing exactly what you expect. The problem, of course, comes once you’ve pressed ‘Run’ and find out there is no Facebook or Silverlight, there is only malware.

Trojan.Win32.Jorik is actually a keylogger. It begins monitoring your Web browsing, writing every keystroke and Web page title into a disk file. The keylogger can capture almost anything you do on the Web.
This is of particular concern when visiting secure sites whose credentials you definitely want kept private, as demonstrated below:

[Image: Wells Fargo HTTPS login page]
[Image: Facebook login page]
[Image: Gmail HTTPS login page]

We entered FakeUsername and FakePassword on all three sites. The results were easily found in the disk file that the keylogger maintains.

[Image: Keylogger file contents]

Ultimately this disk file is sent back to a command and control server, hidden by no-ip.com and most likely also in Malaysia.

[Image: Network traffic to Command & Control]

The bottom line, as we always say at Barracuda Labs, is to maintain a healthy skepticism about anything that appears in email. The easiest way into your computer is to persuade you to push that ‘run’ button. Spammers and malware distributors are constantly looking for ways to convince you to do just that. Be vigilant, don’t be a victim.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.

Source: Keylogger poses as Facebook and Microsoft, steals login credentials | The Barracuda Labs Internet Security Blog
actunderdc Posted February 18, 2012

Indeed, judging from the picture the email looks very authentic; the design is good. But I don't think it will catch more users than a classic spam of this kind, because a user who "knows a thing or two" realizes that viewing a page is independent of the OS. To put it plainly: if you are running Linux there is no way you can install Silverlight from Microsoft, etc.
Vlachs Posted February 18, 2012

> Indeed, judging from the picture the email looks very authentic; the design is good. But I don't think it will catch more users than a classic spam of this kind, because a user who "knows a thing or two" realizes that viewing a page is independent of the OS. To put it plainly: if you are running Linux there is no way you can install Silverlight from Microsoft, etc.

Browsing is not necessarily OS-independent; various page add-ons may be available only for Windows! Anyway, the method looks good.
Usr6 Posted February 18, 2012

111.90.139.16/~uswholes/reader.pif is a RAT server (BlackShades, I think) with the keylogging function enabled (Application Data/Shared/x, where x = the logs). The rest of the DNS names it connects to in case one goes down:

blacklover.no-ip.info
1blacklover.no-ip.info
2blacklover.no-ip.info
3blacklover.no-ip.info
4blacklover.no-ip.info
5blacklover.no-ip.info
6blacklover.no-ip.info
7blacklover.no-ip.info
8blacklover.no-ip.info
9blacklover.no-ip.info
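The fallback C2 names Usr6 lists are the most useful defender artefact in this thread: the keylogger ships its log file to whichever of those dynamic-DNS hosts resolves, so a resolver log shows the beacon attempts even when the .PIF download itself was missed. The following is an added example, not code from the thread or from Barracuda Labs, that scans DNS query log lines for the listed names and, at lower severity, for any other no-ip hostname. The log format (timestamp, client IP, query name, query type) and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# C2 names exactly as listed in the thread: blacklover.no-ip.info plus the
# digit-prefixed variants 1blacklover.no-ip.info .. 9blacklover.no-ip.info.
C2_HOST_RE = re.compile(r"^[1-9]?blacklover\.no-ip\.info$")

# Dynamic-DNS suffixes used by the C2. Flagged at low severity only: plenty of
# legitimate home NAS boxes and cameras use the same service.
DDNS_SUFFIXES = (".no-ip.info", ".no-ip.com", ".no-ip.org", ".no-ip.biz")

# Constructed sample resolver log (assumed format: ts client qname qtype).
SAMPLE_LOG = """\
2012-02-18T10:01:02Z 10.0.0.12 www.facebook.com A
2012-02-18T10:01:05Z 10.0.0.12 blacklover.no-ip.info A
2012-02-18T10:01:35Z 10.0.0.12 1blacklover.no-ip.info A
2012-02-18T10:02:05Z 10.0.0.12 9BLACKLOVER.no-ip.info. A
2012-02-18T10:02:10Z 10.0.0.40 mynas.no-ip.com A
2012-02-18T10:02:11Z 10.0.0.40 mail.google.com A
garbage line
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    qname: str
    severity: str  # "high" = listed C2 name, "low" = other no-ip hostname


def classify_qname(qname: str) -> Optional[str]:
    """Return "high" for a listed C2 name, "low" for any other no-ip host,
    None otherwise. Trailing dot and letter case are normalised first so a
    fully qualified or upper-cased query still matches."""
    name = qname.rstrip(".").lower()
    if C2_HOST_RE.match(name):
        return "high"
    if name.endswith(DDNS_SUFFIXES):
        return "low"
    return None


def scan_dns_log(text: str) -> List[Hit]:
    """Parse each log line and keep those whose query name is of interest.
    Lines that do not have at least three fields are skipped, not fatal."""
    hits: List[Hit] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[0], parts[1], parts[2]
        severity = classify_qname(qname)
        if severity is not None:
            hits.append(Hit(ts, client, qname, severity))
    return hits


def clients_with_c2_beacons(hits: List[Hit]) -> List[str]:
    """Hosts that queried a listed C2 name. These are the machines whose
    Application Data/Shared directory (the log location named in the thread)
    should be examined and whose credentials typed since infection are exposed."""
    return sorted({h.client for h in hits if h.severity == "high"})


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.severity:4} {h.ts} {h.client} {h.qname}")
    print("isolate and examine:", clients_with_c2_beacons(found))
```

The regex is anchored and matches only the ten names the thread lists, so a hostname such as 10blacklover.no-ip.info falls through to the generic no-ip check rather than being reported as a confirmed C2 contact; keep the two severities separate when feeding this into alerting, since the low tier will be noisy on most networks.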