New attack blends rootkits with HTML-injections to phish users on the fly

By on
New attack blends rootkits with HTML-injections to phish users on the fly

An organised crime network is distributing new malware that takes advantage of rootkits and a state-of-the-art HTML injection to phish consumers on the fly as they browse the Web, a new report from VeriSign's iDefense warned on Wednesday.

The malicious code sample analysed by iDefense was a Small downloader Trojan horse variant that installs two rootkit-protected files, collects and transfers e-mail addresses to a remote website.

It then performs the HTML injection on web forms from targeted institutions that user encounters in order to commit a man-in-the-middle phish for account information.

“Man-in-the-middle attacks done off the host are increasingly common with the most sophisticated attacks to date,” Ken Dunham, director of the Rapid Response Team for iDefense, told SCMagazine.com today.

“Malicious code just sits on the computer and it manipulates the user environment for maximum profit.”

The report recommends changing and hardening all credentials and account data on systems infected with this malware. It also recommends that users and administrators remove the rootkit components with popular anti-rootkit program, remove all Windows registry changes and enable the Windows firewall.

Additionally, the attack creates a phony administrator account, “admineistrator,” so it is recommended that this account is also deleted.

According to the report compiled by Dunham’s team, the malware code operates from an IP address registered to the Russian Business Network (RBN).

As a result, iDefense Labs also recommends monitoring network traffic to the remote RBN server at the IP address 81.95.147.107 to look for suspicious activity related to the attack.

This isn’t the first time RBN has struck innocent users. The address and the group were responsible for the Corpse Spyware Nuclear Grabber/Haxdoor attacks conducted in January 2007.

“Russian organised crime gangs are laughing all the way to the bank at this point,” Dunham says of attacks such as these. “It is very difficult to identify and mitigate.
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
attack blends fly htmlinjections idefense new on phish rootkits security the to users with
In Partnership With

Most Read Articles

Telstra's free NBN speed boost backfires

Telstra's free NBN speed boost backfires
NBN Co threatens to halt future FTTN upgrades

NBN Co threatens to halt future FTTN upgrades
DoH! Microsoft to build DNS over HTTPS into Windows 10

DoH! Microsoft to build DNS over HTTPS into Windows 10
Bankwest CIO says Agile incubators “doomed to failure”

Bankwest CIO says Agile incubators “doomed to failure”
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Are you getting profitable outcomes from your IT?
Are you getting profitable outcomes from your IT?
Your Microsoft Security journey starts here
Your Microsoft Security journey starts here
Is your AWS framework well-architected?
Is your AWS framework well-architected?
Why you should reassess your cybersecurity posture
Why you should reassess your cybersecurity posture
How will you manage the cloud data deluge?
How will you manage the cloud data deluge?

Events

Log In

Username / Email:
Password:
  |  Forgot your password?