Thursday, May 17, 2012

Fake Google Chrome Installer Is Trojan In Disguise

Researchers at Trend Micro have discovered a fake Google Chrome installer named ChromeSetup.exe that is actually a bank-account-stealing trojan in disguise. The Trojan at present appears to target users in Brazil and Peru; however, indications are that the malware is a work in progress and could potentially affect US users as well.

According to their findings, an analysis of the file ChromeSetup.exe by Trend Micro's security researchers has verified that it is a multi-component BANKER malware, detected as TSPY_BANKER.EUIQ. Once running on a system, TSPY_BANKER.EUIQ sends information such as the infected system's IP address and operating system name to a specific IP address. It also downloads a configuration file containing information it uses to redirect access to fake banking pages whenever a user attempts to visit certain banking websites.

So far Trend Micro has detected 3 different binary files being downloaded from several of the following popular URLs:
  • hxxp://br.msn.com/ChromeSetup.exe
  • hxxp://www.facebook.com.br/ChromeSetup.exe
  • hxxp://www.facebook.com/ChromeSetup.exe
  • hxxp://www.globo.com.br/ChromeSetup.exe
  • hxxp://www.google.com.br/ChromeSetup.exe
  • hxxp://www.terra.com.br/ChromeSetup.exe
A closer look at the downloads indicated that all of them are being redirected to two different IPs, instead of the legitimate IPs of the accessed domains. How this is happening is not yet known; however, users should take notice that if they've downloaded the installer from any of the above URLs, they might be infected.
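A defender-side check for the symptom described above (a file named ChromeSetup.exe fetched from a host that does not normally serve the Chrome installer, or from a destination IP that is not the host's known address), written as an added example that is not Trend Micro's or this blog's code. The proxy log format, the official-host set and the expected address ranges are constructed assumptions for the example; an organisation would substitute its own resolver history.

```python
import ipaddress
import re

# Constructed sample proxy log: timestamp client_ip host path dest_ip
SAMPLE_LOG = """\
2012-05-17T10:01:02 10.0.0.5 www.google.com.br /search?q=chrome 203.0.113.10
2012-05-17T10:01:09 10.0.0.5 www.google.com.br /ChromeSetup.exe 198.51.100.7
2012-05-17T10:02:30 10.0.0.8 dl.google.com /chrome/install/ChromeSetup.exe 203.0.113.20
2012-05-17T10:03:15 10.0.0.9 www.facebook.com /ChromeSetup.exe 198.51.100.7
2012-05-17T10:04:00 10.0.0.9 br.msn.com /news 203.0.113.50
"""

# Hosts that legitimately serve the Chrome installer (assumption for this example).
OFFICIAL_CHROME_HOSTS = {"dl.google.com"}

# Address ranges each host is expected to resolve to, as recorded from the
# organisation's own resolver history. Constructed documentation-range values.
EXPECTED_RANGES = {
    "www.google.com.br": ipaddress.ip_network("203.0.113.0/28"),
    "dl.google.com": ipaddress.ip_network("203.0.113.16/28"),
    "www.facebook.com": ipaddress.ip_network("203.0.113.32/28"),
    "br.msn.com": ipaddress.ip_network("203.0.113.48/28"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse(line):
    """Split one log line into a record; returns None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, host, path, dest = m.groups()
    return {"ts": ts, "client": client, "host": host.lower(),
            "path": path, "dest": ipaddress.ip_address(dest)}


def reasons(rec):
    """Return the list of detection reasons that apply to a record."""
    out = []
    filename = rec["path"].rsplit("/", 1)[-1].lower()
    if filename == "chromesetup.exe" and rec["host"] not in OFFICIAL_CHROME_HOSTS:
        out.append("chrome installer fetched from non-official host")
    expected = EXPECTED_RANGES.get(rec["host"])
    if expected is not None and rec["dest"] not in expected:
        out.append("destination IP outside expected range for host")
    return out


def find_suspicious(log_text):
    """Return (client, host, path, reasons) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is not None and reasons(rec):
            hits.append((rec["client"], rec["host"], rec["path"], reasons(rec)))
    return hits
```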

"While we may have a complete picture of this particular attack, the one missing piece now is the same thing that made us notice this malware from the millions of data that we have from our threat intelligence – how it is able to redirect user accesses from normal websites like Facebook or Google to its malicious IP to download malware," Cayanan wrote. "We will continue our investigation related to this incident and will update this blog with our findings.

"Online threats will continue to evolve and find ways into systems. As such, traditional web blocking technologies may fail to block access to malicious URLs, especially when these are masked with the use of legitimate domains like those of Facebook or Google."

Geek-News.Net