The story started at the end of January when M86 reported that hundreds of Wordpress websites had been compromised. Then, in mid-February, it described several large spam campaigns, probably from the Cutwail botnet, attempting to lure users to infected web pages. Now it ties everything together with a report on the final effect: infection with the Cridex banking trojan. “First the sites were compromised and a malicious redirector was injected into their pages,” Ziv Mador, head of malware research at M86 Security Labs told Infosecurity, “and then the spam campaigns started, pointing people to the compromised sites.”
The ultimate target for duped users is a site containing the Phoenix exploit kit, which, if successful, downloads a trojan known variously as Cridex, Carberp or Dapato. M86 checked the trojan against VirusTotal and found that only ten out of the 43 anti-virus scanners detected the malware. This is important since the damaging effect of an infection could happen very fast, and, says Mador, “Ideally, the AV should block the malware as soon as it is downloaded and launched using behavioural and generic signatures.”
Cridex tries to hide itself once installed. It copies itself and then removes the original file. It communicates with its control server via a fast flux network, where individual domains are quickly shut down and replaced with another, making it difficult to trace back to the primary C&C server. “Once the Trojan finds a live proxy, it connects to the C&C server and downloads a customized configuration from the Cridex botnet,” says M86. “The cybercriminals are currently running multiple botnets with over 25,000 infected machines.”
Cridex has similarities with the better known Zeus and SpyEye banking trojans. One difference is that it has a “WORLD BANKER CENTER” plug-in which includes a database of 137 banks. “In conclusion,” says M86, “the Cridex Trojan takes control of the victim’s machines and allows it to collect information and potentially make fraudulent transactions by manipulating the bank Web pages.”