June 21, 2010 By Andrew Brandt

Keylogger Poses as Document from Spain’s Central Bank

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

An attempt to push down the Trojan-Backdoor-Zbot password thief to Spaniards may signal a new wave of attacks by a crew of attackers who spent the better part of 2009 trying to convince gullible Internet users in different countries to download and execute Zbot installers poorly disguised as transaction records or other important financial documents.

A bogus Banco de España (BdE) Web site came and went quickly last week, but not before we took a deep dive and came up with a mouthful of malware. Believe me, it tasted terrible.

The page, designed to mimic closely the appearance of the Spanish central bank’s Web site, was very much a clone of the previous fake-bank pages used to foist Zbot onto victims.

Previous campaigns of this type targeted, primarily, North American victims by spoofing the Web sites belonging to Visa, Bank of America, the FDIC, the American Bankers Association, NACHA, the IRS (and its equivalent British tax authority), as well as Amazon.com, iTunes, Facebook, MySpace, AOL, the Centers for Disease Control and Prevention, and many others.

The fake Banco de España Web page, hosted on a server based in Russia, followed the same pattern set in so many previous Zbot campaigns: The URL included some of the real financial entity’s domain name, but was actually hosted on a server elsewhere; The potential victim was encouraged to download and open some sort of financial statement (the file itself was labeled “declaracion.exe” (statement) and the visitor was instructed to descargar declaración (“download statement”). Of course, this declaración was the Zbot installer. After the computer became infected, the keylogger downloaded instructions from a different Russian Web domain, then lay in wait for a victim to log into his or her online bank accounts or other Web sites.

While we haven’t seen this trick in several months, the low-key approach by Zbot’s distributors doesn’t make the Trojan any less dangerous. It’s capable of stealing saved passwords from Internet-connected applications, browsers, cookies, Remote Desktop, and the Protected Storage area within Windows. It’s a password stealing machine, literally and figuratively.

As we’ve seen in previous Zbot fake-page scams, the Web site doesn’t actually rely on the potential victim downloading and executing the Zbot installer him- or herself. Just by visiting the fake page, you can become infected: If the visitng PC is running an older version of Internet Explorer, the page tries to use browser exploits to push malware down to the victim. In this case, we also came down with a case of Trojan-Pushu, a spambot.

The same advice to users applies in each of these cases: Don’t follow links in email that purport to lead to a page on your country’s central bank (unless, of course, you happen to be your country’s finance minister, or work for the central bank’s Web team, in which case you shouldn’t click any links leading to Web sites in the .ru top-level domain); Don’t download or execute any Declaración with a file extension of .exe; and use the Firefox browser with the NoScript plugin as a way to safeguard your computer against unexpected attacks.
wordpress blog stats

Share Button

2 Responses to Keylogger Poses as Document from Spain’s Central Bank

  1. FYI: This was detected last week by both Spain’s Central Bank and Spanish IT security and was reported both to the general public (see http://www.bde.es/servicio/avisos/emaile.htm) and to anti-phishing working groups.

    The URLs are blocked by phishing filters (in Internet Explorer and Mozilla Firefox at least), and the DNS domains have been blocked by some Spanish ISPs.

    The same domains (psdrv.ru, filedrv.ru, msdll.ru and pdll.ru) are being used to target phishing attacks against customers of the BBVA bank as well as US citicens through a fake website that resembles the IRS (see http://www.siteadvisor.com/sites/psdrv.ru/postid/?p=4837493 and http://www.phishtank.com/phish_detail.php?phish_id=1003091, for example).

    The domains and servers however, are difficult to block as they are using a Fast Flux network (probably relying in a botnet) and registras in Russia which are notorious for hosting criminals.

Leave a Reply

Your email address will not be published. Required fields are marked *