The malicious code sample analysed by iDefense was a Small downloader Trojan horse variant that installs two rootkit-protected files, collects and transfers e-mail addresses to a remote website.
It then performs the HTML injection on web forms from targeted institutions that user encounters in order to commit a man-in-the-middle phish for account information.
“Man-in-the-middle attacks done off the host are increasingly common with the most sophisticated attacks to date,” Ken Dunham, director of the Rapid Response Team for iDefense, told SCMagazine.com today.
“Malicious code just sits on the computer and it manipulates the user environment for maximum profit.”
The report recommends changing and hardening all credentials and account data on systems infected with this malware. It also recommends that users and administrators remove the rootkit components with popular anti-rootkit program, remove all Windows registry changes and enable the Windows firewall.
Additionally, the attack creates a phony administrator account, “admineistrator,” so it is recommended that this account is also deleted.
According to the report compiled by Dunham’s team, the malware code operates from an IP address registered to the Russian Business Network (RBN).
As a result, iDefense Labs also recommends monitoring network traffic to the remote RBN server at the IP address 81.95.147.107 to look for suspicious activity related to the attack.
This isn’t the first time RBN has struck innocent users. The address and the group were responsible for the Corpse Spyware Nuclear Grabber/Haxdoor attacks conducted in January 2007.
“Russian organised crime gangs are laughing all the way to the bank at this point,” Dunham says of attacks such as these. “It is very difficult to identify and mitigate.
New attack blends rootkits with HTML-injections to phish users on the fly
By
Ericka Chickowski
on
Mar 5, 2007 12:10AM

An organised crime network is distributing new malware that takes advantage of rootkits and a state-of-the-art HTML injection to phish consumers on the fly as they browse the Web, a new report from VeriSign's iDefense warned on Wednesday.
Got a news tip for our journalists? Share it with us anonymously here.
Sponsored Whitepapers
Free eBook: Digital Transformation 101 – for banks
Why financial services need to tackle their Middle Office
Learn: The latest way to transfer files between customers
Extracting the value of data using Unified Observability
Planning before the breach: You can’t protect what you can’t see