Share

Related Links

  • Kaspersky Lab UK
  • Reed Exhibitions Ltd is not responsible for the content of external websites.

Related Stories

Top 5 Stories

News

More 64-bit malware spotted by Kaspersky Lab

24 May 2011

The last 12 months have seen the volume of 64-bit Win7-equipped machines being sold rising steadily and it seems that cybercriminals have woken up to the trend, developing 64-bit malware.

According to Kaspersky Lab researcher Fabio Assolini, his research team has already detected the first rootkit banker created to infect 64-bit systems.

The malware, he says, was detected in a drive-by-download attack made by Brazilian cybercriminals.

"We found a malicious Java applet inserted in a popular Brazilian website. The attack was made using a malicious applet in such a way as to infect users running old versions of the JRE (Java Runtime Environment) and was prepared to infect users running versions of both 32 and 64 bits systems", he said in his latest security blog.

The entire malicious scheme, he added, is simple but interesting.

"The file add.reg will disable the UAC (User Access Control) and modify the Windows Registry by adding fake CAs (Certification Authorities) in the infected machine", he explained.

The file cert_override.txt, he asserts, is a fake digital certificate signed by the fake CA registered in the system.

The main purpose of the attack, notes Assolini, is to redirect the user to a phishing domain. The fake website will then show an icon of an https connection, simulated to be the real page of the bank.

"This scheme to register a malicious CA in an infected system has been used by Brazilian bad guys since last year", he said.

After they are registered, he goes on say that the malicious drivers will execute some commands to change the hosts file by adding a redirection to a phishing domain as well as removing some files belonging to a security plugin used by Brazilian banks.

"The malicious files are detected as Rootkit.Win64.Banker.a, Rootkit.Win32.Banker.dy and the malicious applet as Trojan-Dropper.Java.Agent.e", noted Assolini.

This article is featured in:
Malware and Hardware Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×