Compromised websites leading to banking malware

02 March 2012

M86 Security is warning that recent spam campaigns are luring victims to compromised websites that redirect to malicious Phoenix-hosting sites, which in turn seek to infect the visitor with the Cridex trojan.

The story started at the end of January when M86 reported that hundreds of WordPress websites had been compromised. Then, in mid-February, it described several large spam campaigns, probably from the Cutwail botnet, attempting to lure users to infected web pages. Now it ties everything together with a report on the final effect: infection with the Cridex banking trojan. “First the sites were compromised and a malicious redirector was injected into their pages,” Ziv Mador, head of malware research at M86 Security Labs told Infosecurity, “and then the spam campaigns started, pointing people to the compromised sites.”

The ultimate target for duped users is a site containing the Phoenix exploit kit, which, if successful, downloads a trojan known variously as Cridex, Carberp or Dapato. M86 checked the trojan against VirusTotal and found that only ten out of the 43 anti-virus scanners detected the malware. This is important since the damaging effect of an infection could happen very fast, and, says Mador, “Ideally, the AV should block the malware as soon as it is downloaded and launched using behavioural and generic signatures.”

Cridex tries to hide itself once installed. It copies itself and then removes the original file. It communicates with its control server via a fast flux network, where individual domains are quickly shut down and replaced with another, making it difficult to trace back to the primary C&C server. “Once the Trojan finds a live proxy, it connects to the C&C server and downloads a customized configuration from the Cridex botnet,” says M86. “The cybercriminals are currently running multiple botnets with over 25,000 infected machines.”
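A defender-side illustration of the fast-flux behaviour described above, added here and not part of the original article or M86's research: it parses a constructed resolver log (the domain names, IPs and TTLs are made up, and the thresholds are assumptions) and flags names that rotate through many addresses in several networks with short TTLs, the DNS footprint a fast-flux proxy layer leaves.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed resolver log lines (not from the article): time, queried name, answer IP, TTL
SAMPLE_LOG = """\
10:00:01 query=upd-proxy.example answer=203.0.113.10 ttl=60
10:01:05 query=upd-proxy.example answer=198.51.100.77 ttl=60
10:02:10 query=upd-proxy.example answer=192.0.2.45 ttl=30
10:03:14 query=upd-proxy.example answer=203.0.113.200 ttl=60
10:04:20 query=upd-proxy.example answer=198.51.100.9 ttl=30
10:00:03 query=www.example answer=192.0.2.1 ttl=3600
10:30:03 query=www.example answer=192.0.2.1 ttl=3600
11:00:03 query=www.example answer=192.0.2.1 ttl=3600
"""

LINE_RE = re.compile(r"query=(\S+) answer=(\S+) ttl=(\d+)")

def parse_log(text):
    """Return {domain: [(ip, ttl), ...]} from the constructed log format."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records[m.group(1)].append((m.group(2), int(m.group(3))))
    return records

def flux_score(answers):
    """Distinct IPs seen, distinct /24 networks and mean TTL for one domain."""
    ips = {ip for ip, _ in answers}
    nets = {ip.rsplit(".", 1)[0] for ip in ips}
    return len(ips), len(nets), mean(ttl for _, ttl in answers)

def suspected_fast_flux(records, min_ips=4, min_nets=2, max_ttl=300):
    """Flag domains that cycle through many IPs across several networks with short TTLs.
    The thresholds are assumptions chosen for the constructed sample, not published values."""
    flagged = {}
    for domain, answers in records.items():
        n_ips, n_nets, avg_ttl = flux_score(answers)
        if n_ips >= min_ips and n_nets >= min_nets and avg_ttl <= max_ttl:
            flagged[domain] = (n_ips, n_nets, avg_ttl)
    return flagged

if __name__ == "__main__":
    for d, (n_ips, n_nets, avg_ttl) in suspected_fast_flux(parse_log(SAMPLE_LOG)).items():
        print(f"{d}: {n_ips} IPs across {n_nets} /24s, mean TTL {avg_ttl:.0f}s")
```

In production the same counts would come from passive-DNS or resolver telemetry over a longer window, with the thresholds tuned against known CDN and round-robin names to keep false positives down.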

Cridex has similarities with the better known Zeus and SpyEye banking trojans. One difference is that it has a “WORLD BANKER CENTER” plug-in which includes a database of 137 banks. “In conclusion,” says M86, “the Cridex Trojan takes control of the victim’s machines and allows it to collect information and potentially make fraudulent transactions by manipulating the bank Web pages.”
