FaceTime Security Labs found that one of the networks is being used as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank accounts and personal information including log-ins and passwords. The operators could potentially launch these scans from any computer on the botnet to mask their actual location.
FaceTime warned it has identified more than 40 unique malware files being propagated from the botnets - many designed to take advantage of social engineering techniques, stored passwords, auto-complete data and vulnerable payment systems. According to the firm, users of unsecured instant messaging (IM) clients or Internet Explorer browsers are most at risk from this malware.
The first line of attack is launched if an unwitting end user clicks on a malicious link passed to them from the botnet via IM. This causes a remote administration server, a commercially available application produced by Famtech, to be automatically installed as "beh.exe." Once this application is installed, the end user's computer is compromised and can be accessed remotely, at which point additional malware applications are installed on the desktop.
One application of note is "Carder," a perl script designed to uncover exploits in several shopping cart applications including Comersus Cart, CactuShop, CCBill and others that are used by many popular ecommerce sites.
If a vulnerability is identified by this file, the back end database containing credit card and account information (e.g. credit card numbers, home addresses, usernames and passwords) may be stolen off the ecommerce site.
"Personal information may also be stolen from the infected PC itself through Protected Storage PassView from NirSoft, another application that may be remotely loaded onto infected PCs," FaceTime warned.