Thursday, July 26, 2007

Bancos.aam - new facts

Just read the news on the very popular news portal rbc.ru... and got a red alarm: "URL: http://81.95.145.210/333/m00333/index.php - detected Trojan program 'Trojan-Downloader.JS.Agent.kd'".

Upon closer investigation I found that the link came from the banner system http://www.txt.utro.ru/cgi-bin/banner/rian?86028&options=FN'. Sometimes the server returns iframe src="http://81.95.145.210/333/m00333/index.php" at the end of the code.
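The injection pattern described above (a banner response that only sometimes ends with an off-site iframe) can be checked for mechanically. The following Python snippet is an added example, not code from the original post: it pulls iframe src attributes out of a fetched banner response and flags any that point at a bare IP address or at a host outside a list of domains the banner network is expected to serve from. The sample markup is constructed for the example; only the iframe URL is the one observed in the post, and the trusted-domain list is an assumption.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample of a banner response. The surrounding markup is made up;
# the iframe URL is the one reported in the post.
SAMPLE_BANNER_RESPONSE = """
<a href="http://www.utro.ru/"><img src="http://www.txt.utro.ru/img/banner.gif"></a>
<script src="http://www.txt.utro.ru/cgi-bin/banner/rian?86028"></script>
<iframe src="http://81.95.145.210/333/m00333/index.php" width=0 height=0 frameborder=0></iframe>
"""

# Matches the src attribute of an <iframe> tag, quoted or unquoted.
IFRAME_SRC_RE = re.compile(
    r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE
)


def iframe_sources(html):
    """Return every iframe src found in the markup, in document order."""
    return IFRAME_SRC_RE.findall(html)


def is_ip_host(host):
    """True when the host part of a URL is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_iframes(html, trusted_domains):
    """Flag iframes whose host is a bare IP or lies outside trusted_domains.

    trusted_domains is an assumed allow-list (e.g. ["utro.ru"]); a host matches
    if it equals a listed domain or is a subdomain of one. Relative src values
    are same-origin and are left alone.
    """
    flagged = []
    for src in iframe_sources(html):
        host = urlparse(src).hostname or ""
        if not host:
            continue  # relative URL, same origin as the banner itself
        trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
        if is_ip_host(host) or not trusted:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_BANNER_RESPONSE, ["utro.ru"]):
        print("suspicious iframe:", src)
```

Run against a few hundred fetches of the same banner URL and the intermittent injection shows up as the occasional non-empty result; a bare-IP host in an iframe served by a named advertising network is a strong enough signal on its own to escalate.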

So the script contains a function 'kaspersky' and a lot of vulnerabilities (looks like MPack) that download http://81.95.145.210/333/m00333//file.php. This is a trojan downloader, but KAV v7.0 detects it as Trojan.Generic because of its process invader activity. According to the VirusTotal report, only Dr.Web and AntiVir detect it at this moment.

Finally, the trojan downloads another one from http://81.95.145.210/333/ldr.exe. Our product detects it as Trojan-Spy.Win32.Bancos. I'm still analyzing it, but it contains strings like
'https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome'

I don't know for sure whether this is a hack of the banner system or just a prepaid "advertising campaign".
--
It looks like the trojan was spread via the utro.ru banner network, which also serves a number of other sites, at least rbc.ru. According to user reports on securitylab.ru, the trojan was also caught via the site gzt.ru.
