iDefense: New attack blends rootkits with HTML-injections to phish users

An organised crime network is distributing new malware that takes advantage of rootkits and a state-of-the-art HTML injection to phish consumers on the fly as they browse the Web, a new report from VeriSign's iDefense warned on Wednesday.

The malicious code sample analysed by iDefense was a Small downloader Trojan horse variant that installs two rootkit-protected files, collects and transfers e-mail addresses to a remote website and performs the HTML injection on web forms from targeted institutions that user encounters in order to commit a man-in-the-middle phish for account information.

“Man-in-the-middle attacks done off the host are increasingly common with the most sophisticated attacks to date,” Ken Dunham, director of the Rapid Response Team for iDefense, told SCMagazine.com today. “Malicious code just sits on the computer and it manipulates the user environment for maximum profit.”

The report recommends changing and hardening all credentials and account data on systems infected with this malware. It also recommends that users and administrators remove the rootkit components with popular anti-rootkit program, remove all Windows registry changes and enable the Windows firewall. Additionally, the attack creates a phony administrator account, “admineistrator,” so it is recommended that this account is also deleted.

According to the report compiled by Dunham’s team, the malware code operates from an IP address registered to the Russian Business Network (RBN). As a result, iDefense Labs also recommends monitoring network traffic to the remote RBN server at the IP address 81.95.147.107 to look for suspicious activity related to the attack.

This isn’t the first time RBN has struck innocent users. The address and the group were responsible for the Corpse Spyware Nuclear Grabber/Haxdoor attacks conducted in January 2007.

“Russian organised crime gangs are laughing all the way to the bank at this point,” Dunham said. “It is very difficult to identify and mitigate, but as you can see from our report we are aware of this and we’ve understood it and identified reasonable countermeasures and hopefully over a period of time we’ll be able to gain ground on the Russian criminals behind such attacks.”

Sign up to our newsletters