|Main Archive Page > Month Archives > infosec-news archives|
By Mathew J. Schwartz
May 17, 2012
Beware fake Chrome installers for Windows.
A file named "ChromeSetup.exe" is being offered for download on various
websites, and the link to the file appears to be legitimately hosted on
Facebook and Google domains. In reality, the software won't install
Google's Chrome browser, but an information-stealing Trojan application
known as Banker, according to antivirus vendor Trend Micro.
Once the malware--which appears to be targeting Latin American users,
especially in Brazil and Peru--is executed, it relays the IP address and
operating system version to one of two command-and-control (C&C)
servers, then downloads a configuration file. After that, whenever a
user of the infected PC visits one of a number of banking websites, the
malware intercepts the HTTP request, redirects the user to a fake
banking page, and also pops up a dialog box informing the user that new
security software will be installed.
In fact, the malware has been designed uninstall GbPlugin, which is
"software that protects Brazilian bank customers when performing online
banking transactions," said Trend Micro security researcher Brian
Cayanan in a blog post. "It does this through the aid of
gb_catchme.exe--a legitimate tool from GMER called Catchme, which was
originally intended to uninstall malicious software. The bad guys, in
this case, are using the tool for their malicious agendas."
LayerOne Security Conference
May 26-27, Clarion Hotel, Anaheim, CA