Web Threat of the Day
Targeted Attack in Mexico
DNS Poisoning via Modem
Abstract
“A Web threat to the hilt.” That phrase sums up the latest Web threat: a large-scale DNS poisoning
attack in Mexico. True to the growing complexity of Web threats, this attack combines an unusual
mix of malicious behaviors: social engineering, malware downloading, pharming, and a DSL modem as
the medium of exploitation, a somewhat rare (but not unheard of) target.
This Web threat specifically targets users of 2Wire modems, which are supplied to customers by
one of the main Internet Service Providers in Mexico. In effect, it places at least two million
customers at risk of a security breach. It also targets online banking customers of Banamex, one
of the largest financial institutions in Mexico.
Trend Micro customers are protected from the harm this threat brings. All related URLs and IPs
are blocked by Web Threat Protection technology.
Threat Analysis
It all happens on the Web. The attack starts with an exploit spammed via email. The email
message is dressed up as a news item, similar to the one below:
[Figure: screenshot of the spam email message, not reproduced in this transcript]
The headline in the message roughly translates to “40-year prison sentence for a Mexican narco
operator of the Tijuana cartel.” This social engineering lure is chosen to attract the interest of
Mexican users, who are the main targets of this threat.
The exploit code is embedded in the HTML-formatted email as an “img src” tag. When the message
is opened and rendered as HTML, the mail client fetches the image URL automatically, and that URL
points at the modem’s Web console on the local network. The forged request (a cross-site request
forgery against the modem’s management interface) modifies the modem’s local host database so that
every request for Banamex.com is resolved to a fraudulent site. No attachment has to be opened and
nothing has to be clicked; rendering the message is enough, provided the modem’s Web console
accepts the request.
For affected users, even typing banamex.com, the legitimate, non-malicious fully-qualified
domain name (FQDN), into the browser leads to the fraudulent site, because the name is now
resolved by the poisoned modem. Once on the fraudulent site, the user is at risk of having personal
information harvested by the attacker who controls it.
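The mechanism just described leaves a simple artifact in the mail itself: an automatically fetched resource whose host is an address on the victim's own LAN. The following added example (written for this page, not Trend Micro code or any 2Wire software) parses an HTML message body and flags every auto-fetched resource aimed at a private, loopback or link-local host. The sample message, the modem address 192.168.1.254 and the management path /mgmt/hosts are all constructed for illustration and are not the real 2Wire interface.

```python
"""Flag HTML mail bodies whose auto-fetched resources point at private-network hosts.

An <img src="..."> in an HTML message is fetched without any click, and a src
that points at the modem's LAN-side Web console turns that automatic fetch into
a cross-site request forgery. A legitimate newsletter never needs to load an
image from 192.168.x.x, so any embedded resource whose host is a private,
loopback or link-local address is a strong indicator.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that a mail client or browser fetches automatically.
AUTO_FETCH_ATTRS = {
    "img": ("src", "lowsrc"),
    "iframe": ("src",),
    "frame": ("src",),
    "script": ("src",),
    "link": ("href",),
    "embed": ("src",),
    "object": ("data",),
    "input": ("src",),        # <input type="image">
    "body": ("background",),
    "table": ("background",),
}


class _ResourceCollector(HTMLParser):
    """Collect (tag, url) for every automatically fetched resource in the body."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTO_FETCH_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value:
                self.resources.append((tag.lower(), value.strip()))


def host_is_internal(url):
    """True if the URL's host is 'localhost' or a private/loopback/link-local IP literal."""
    try:
        host = urlsplit(url).hostname
    except ValueError:          # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    if not host:
        return False            # relative URL, or a data:/cid: reference with no host
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False            # a DNS name; deciding would need a network lookup
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_router_csrf_beacons(html_body):
    """Return (tag, url) for every auto-fetched resource that targets an internal host."""
    collector = _ResourceCollector()
    collector.feed(html_body)
    collector.close()
    return [(tag, url) for tag, url in collector.resources if host_is_internal(url)]


# Constructed sample: a lure in the style described above, with one hidden 1x1
# image aimed at the modem. The address and the /mgmt/hosts path are hypothetical.
SAMPLE_MAIL = """\
<html><body>
<h1>Dan 40 a&ntilde;os de prisi&oacute;n a narco del c&aacute;rtel de Tijuana</h1>
<img src="http://news.example/img/header.jpg" width="468" height="60">
<img src="http://192.168.1.254/mgmt/hosts?add=banamex.com&amp;ip=203.0.113.7" width="1" height="1">
<p>Vea el video: <a href="http://news.example/Video_Narco.rar">Video_Narco.rar</a></p>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_router_csrf_beacons(SAMPLE_MAIL):
        print(f"suspicious <{tag}> fetch of internal host: {url}")
```

The check deliberately ignores hostnames (only IP literals and "localhost" are judged), because resolving a name inside a mail filter would itself trigger lookups an attacker can observe; a production filter would add the modem hostnames it knows about to the same test. The download link in the anchor is not flagged, since an `<a href>` is only followed when clicked.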
Below is a diagram depicting the infection chain:
[Figure: diagram of the infection chain, not reproduced in this transcript]
The malicious email message also promises a “video,” a common social engineering trick to get
users to download malicious programs. In this case, it includes a link that points to a malicious
URL from which the .RAR archive Video_Narco.rar can be downloaded. This archive contains the
malicious file Video_Narco.exe, which Trend Micro detects as TROJ_QHOST.FX.
Like the exploit code, TROJ_QHOST.FX also prevents users from reaching the legitimate Banamex
Web site. It does this by modifying the affected system’s HOSTS file, the local file that maps
hostnames to IP addresses and is consulted before any DNS lookup, so that when an affected user
tries to access any of the following hostnames, the request goes to a malicious phishing site
instead:
• banamex.com
• www.banamex.com
• banamex.com.mx
• www.banamex.com.mx
• www.bancanetempresarial.banamex.com.mx
• bancanetempresarial.banamex.com.mx
• boveda.banamex.com.mx
• www.boveda.banamex.com.mx
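A bank’s domains never belong in a workstation’s HOSTS file, so the trojan’s modification is easy to detect without knowing the phishing server’s address in advance. The following added example (written for this page, not Trend Micro code) parses a HOSTS file in the forms found on Windows and Unix, flags every entry that overrides a watched zone or any name beneath it, and returns a copy of the file with the offending lines commented out. The file content and the address 203.0.113.10 are constructed for the example.

```python
"""Detect and neutralize HOSTS-file pharming entries of the kind TROJ_QHOST.FX writes.

Any entry for a watched zone (the zone itself or a subdomain of it) is an
indicator, whatever address it points to: a mapping to the attacker's server
redirects the victim, and a mapping to 127.0.0.1 would silently block the bank.
"""
import re
from collections import namedtuple

HostsEntry = namedtuple("HostsEntry", "lineno ip hostname")


def parse_hosts(text):
    """Return one HostsEntry per (ip, hostname) pair, skipping blanks and comments.

    Handles tabs, several hostnames on one line and trailing '#' comments.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop comments, leading/trailing space
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append(HostsEntry(lineno, ip, name.lower().rstrip(".")))
    return entries


def in_watched_zone(hostname, zones):
    """True if hostname equals a watched zone or lies beneath one (label boundary respected)."""
    h = hostname.lower().rstrip(".")
    return any(h == z or h.endswith("." + z) for z in (zz.lower() for zz in zones))


def find_pharming_entries(text, zones):
    """Return every HOSTS entry that overrides a watched zone."""
    return [e for e in parse_hosts(text) if in_watched_zone(e.hostname, zones)]


def neutralize(text, zones):
    """Return the HOSTS file with each offending line commented out, everything else untouched.

    The whole line is disabled rather than just the watched name: a line that
    carries a bank override was written by the attacker, not the administrator.
    """
    bad_lines = {e.lineno for e in find_pharming_entries(text, zones)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        out.append("# REMOVED-PHARMING " + raw if lineno in bad_lines else raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample: the stock Windows header plus lines mimicking what the
# trojan appends. 203.0.113.10 stands in for the phishing server.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2006 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "\n"
    "# lines below are constructed to mimic what the trojan appends\n"
    "203.0.113.10    banamex.com www.banamex.com\n"
    "203.0.113.10\tbanamex.com.mx\twww.banamex.com.mx   # pharming\n"
    "203.0.113.10    bancanetempresarial.banamex.com.mx\n"
)
WATCHED_ZONES = ("banamex.com", "banamex.com.mx")

if __name__ == "__main__":
    for e in find_pharming_entries(SAMPLE_HOSTS, WATCHED_ZONES):
        print(f"line {e.lineno}: {e.hostname} -> {e.ip}")
    print(neutralize(SAMPLE_HOSTS, WATCHED_ZONES))
```

The zone test uses a label boundary ("." + zone), so a look-alike such as notbanamex.com is not matched; a real deployment would keep the watched zones in a signed configuration and run the check as part of endpoint monitoring rather than on demand.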
You’ve got to hand it to these criminals: they make sure no stone is left unturned and no
security hole unexploited; if either the modem or the HOSTS file is cleaned, the other still
sends the victim to the phishing site. In any case, Trend Micro already blocks all related
malicious URLs and IPs with its Web Threat Protection. Even users whose Domain Name System (DNS)
servers may have been poisoned will receive a notification of possible pharming activity (see
image below).
[Figure: Web Threat Protection pharming notification, not reproduced in this transcript]
This Web threat targets 2Wire modem users and Banamex customers, specifically in Mexico. It is
estimated that more than two million 2Wire modem users are at risk of having their systems
compromised, and more than half a million customers that Banamex serves online may be at risk of
information exposure and theft.
User risks
The impact for non-Trend Micro users:
- Local DNS and HOSTS entries are modified
The Domain Name System (DNS) translates domain names into IP addresses, and the HOSTS file
overrides that translation locally. Tampering with either silently sends the machine to
attacker-controlled Web sites, even when the user types the correct address.
- Users’ systems are attacked through the threat
Once name resolution is under the attacker’s control, any site the attacker chooses can be
substituted for a legitimate one. The affected systems are therefore open and prone to further
attacks and threats, and personal information entered on the fraudulent site is exposed.
Trend Micro solution
Trend Micro customers are protected from the harm this threat brings. All related URLs and IPs
are blocked by the Web Threat Protection technology. URL and content filtering in Trend Micro
products blocks these kinds of threats from spreading further into networks by breaking the
infection chain. Moreover, customers are protected from infection by the downloaded malware
TROJ_QHOST.FX, which Trend Micro products already detect.
In addition, the anti-spam security in Trend Micro products blocks spam in real time and can
filter and block email messages that contain possibly malicious URLs, further protecting
customers from infection.
More information can be found in the Trend Micro Malware Blog. See the link below:
http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
For comments, questions, or suggestions, send email to:
All of PH AV Technical Marketing