Tag Archives: Trojan horses

The Danger Of The Mistyped URL

F-Secure Computer Virus Information Pages: Googkle:

F-Secure staff has found a malicious website that utilizes a spelling error when typing the name of the popular search engine – ‘Google.com’. If a user opens a malicious website, his/her computer gets hijacked – a lot of different malware gets automatically downloaded and installed: trojan droppers, trojan downloaders, backdoors, a proxy trojan and a spying trojan. Also a few adware-related files are installed.

The name of the malicious website is ‘Googkle.com’. PLEASE DO NOT GO TO THIS WEBSITE! Otherwise your computer will get infected! We have reported the case to the authorities.

I guess this kind of thing is more common than we realise. It seems to be a bunch of guys with Russian names who have registered misspellings of the Google name (how many more are out there?) as a way to install phishing and other tricks on your computer. The website is still active at the time of writing.

(Via Hotlinks)

Estonia Nets A Big Phish

The Register, quoting AP, says that an Estonian man suspected of plundering millions from hundreds of online bank accounts across Europe was arrested last week. AP reports that the unnamed 24-year-old allegedly used a sophisticated Trojan in order to monitor the keystrokes on victims’ PCs and extract confidential banking passwords that allowed him to plunder online accounts.

The unnamed Trojan was bulk mailed to prospective victims in emails that promised lucrative job offers from government institutions, banks and investment firms. In reality it linked to a web page hosting malicious code.

Jaan Priisalu, an IT risk manager at Hansabank, told AP the Trojan used in the scam was the most sophisticated he had ever seen. For a long time, AP says, it evaded anti-virus protection software, and it erased all traces of itself from hard drives after it had exhausted its usefulness.

Which, of course, begs the question: How many other trojans are out there evading our defences? And does evading anti-virus software mean the trojan was never identified and added to anti-virus libraries, or does it mean it was added but not caught by the software? Either way, it’s worrying.

Pocket PC’s Backdoor

Symantec say they’ve found the first Windows CE (PocketPC) backdoor Trojan, which they’re calling Backdoor.Bardor.A: “Once installed, the backdoor allows full control of the handheld system when it is restarted. When the infected handheld is connected to the Internet, the backdoor sends the attacker the IP address of the handheld device. It then opens port 44299 and waits for further instructions from the attacker.”

There are some limits: The backdoor only affects Pocket PC devices with ARM CPUs.

This follows the discovery of the first PocketPC virus, Duts, last month.

News: Beware QHosts

All you need to do to be infected by this virus is visit the homepage of Web hosting provider FortuneCity.com. CNET reports that a malicious program, dubbed QHosts, infects PCs using a recent flaw in Microsoft’s Internet Explorer to take control of how computers look up Internet addresses. The program takes advantage of a critical flaw in Internet Explorer, which Microsoft has made an integral part of its Windows operating system. The Trojan horse was delivered through a banner ad that the attacker somehow placed on the site, and that ad installed it on the user’s PC.

The QHosts program then changes the addresses of the computers the infected PC contacts to resolve unknown Web sites and domain names. Known as domain name system (DNS) servers, such computers are generally operated by a trusted organization, such as an Internet service provider. However, QHosts will send the requests to other servers, which Schmugar, quoted in the CNET report, believes are likely to be owned by the originator of the Trojan horse.

This raises a few troubling questions, such as: How did the banner ad get there? And what is the purpose of the trojan? Is it just malicious or is it commercially related? We should be told.
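How a defender might spot the symptom the CNET report describes, a host whose resolvers have been swapped, as an added example (not code from CNET, McAfee or this blog): it parses a constructed `ipconfig /all`-style excerpt and flags every resolver outside an assumed trusted set; the trusted addresses and the sample output are assumptions, not real data.

```python
import ipaddress
import re

# Resolvers the ISP or organisation really operates (constructed values).
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed excerpt shaped like Windows `ipconfig /all` output; the first
# adapter's resolver list points at addresses the defender does not recognise.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.0.2.20
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       198.51.100.8

Ethernet adapter VPN:
   DNS Servers . . . . . . . . . . . : 192.0.2.53
"""

def is_ip(text):
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_dns_servers(ipconfig_text):
    """Return (adapter, resolver) pairs, including the indented continuation
    lines on which ipconfig lists a second or third resolver."""
    pairs, adapter, collecting = [], None, False
    for line in ipconfig_text.splitlines():
        header = re.match(r"(\S.*):$", line)
        match = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if header:
            adapter, collecting = header.group(1), False
        elif match:
            pairs.append((adapter, match.group(1)))
            collecting = True
        elif collecting and is_ip(line.strip()):
            pairs.append((adapter, line.strip()))
        else:
            collecting = False
    return pairs

def find_hijacks(ipconfig_text, trusted=TRUSTED_RESOLVERS):
    """Flag every configured resolver outside the trusted set: the symptom of a
    QHosts-style trojan that silently redirects the host's name lookups."""
    return [(adapter, srv) for adapter, srv in parse_dns_servers(ipconfig_text)
            if srv not in trusted]
```

The same check runs over real output by feeding it the text of `ipconfig /all`; the trusted set should come from the ISP or corporate DHCP configuration rather than being hard-coded.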

Update: The Citibank Robbery

A bit more on that backdoor Trojan that made me think Citibank didn’t like me anymore: Symantec’s website says it’s a brand new version, and seems to only appear in a Citibank form. No wonder I couldn’t find it on Google. Symantec call it Backdoor.Berbew. Other names:
• Downloader-DI [McAfee]
• TrojanProxy.Win32.Webber.10 [KAV]
• Troj/Webber-A [Sophos]

I thought everyone had agreed to use the same names for all these things. My advice: watch out. Trojans are getting smarter, unlike the Monty Python Trojan Rabbit.