Brazilian banking Trojan disguised as Microsoft anti-virus software

December 8, 2011

A Trojan (identified as Trojan-Downloader.Win32.VB.aoff) is targeting Windows-based systems by removing built-in AV software and clearing a path for cybercriminals to silently steal online banking credentials. The Trojan affects ‘ntldr’, the default boot loader in Windows.

The Trojan is propagating as an attachment to an email. This attack vector relies on the victim clicking on the malicious link, which then downloads two malicious files from AWS. The malicious files are “xp-msantivirus” and “xp-masclean”, which worm their way to the boot loader (ntldr). They replace the boot loader file with a malicious version of GRUB; ntldr then boots into Linux or Unix to remove a common Brazilian banking plug-in while at the same time removing the built-in Microsoft security software. This action occurs as the computer starts up and then automatically erases itself, so the victim has no idea their Windows PC is infected.
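Because the swap happens at boot and cleans up after itself, a defender's best handle is the boot loader file itself. The following is an added example (not from the original post or from any vendor analysis) of a baseline check for XP-era boot files: it compares SHA-256 hashes against a recorded baseline and, as a heuristic, flags a file that carries the error-message strings GRUB legacy stage1 ships with. The sample bytes and the file list are constructed assumptions for the demonstration.

```python
import hashlib
from pathlib import Path

# XP-era boot-critical files to baseline (assumption: names as found on the system volume).
BOOT_FILES = ["ntldr", "ntdetect.com", "boot.ini"]

# Heuristic marker set: strings present in GRUB legacy's stage1 message table.
# A genuine ntldr has no reason to contain three or more of them.
GRUB_MARKERS = [b"GRUB", b"Geom", b"Hard Disk", b"Read", b" Error"]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_grub(data: bytes) -> bool:
    """Return True when the blob carries enough GRUB stage1 strings to be suspicious."""
    return sum(1 for marker in GRUB_MARKERS if marker in data) >= 3


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Record hashes of known-good boot files (run on a clean machine, store offline)."""
    return {name: sha256_of(data) for name, data in files.items()}


def check_boot_files(files: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Compare current boot files with the baseline; return human-readable findings."""
    findings = []
    for name, data in files.items():
        actual = sha256_of(data)
        expected = baseline.get(name)
        if expected is None:
            findings.append(f"{name}: no baseline hash recorded")
        elif actual != expected:
            findings.append(f"{name}: hash mismatch (expected {expected[:12]}..., got {actual[:12]}...)")
        if looks_like_grub(data):
            findings.append(f"{name}: contains GRUB loader strings, possible boot loader replacement")
    return findings


def read_boot_files(volume_root: Path) -> dict[str, bytes]:
    """Read the boot files from a mounted volume (e.g. an offline image) for checking."""
    return {n: (volume_root / n).read_bytes() for n in BOOT_FILES if (volume_root / n).exists()}


# Constructed samples: a stand-in for a clean loader and one that looks like GRUB stage1.
CLEAN_SAMPLE = b"\xeb\x3c\x90" + b"NTLDR stand-in (constructed sample, not the real loader)"
TAMPERED_SAMPLE = b"\xeb\x48\x90" + b"GRUB \x00Geom\x00Hard Disk\x00Read\x00 Error\x00"

if __name__ == "__main__":
    baseline = build_baseline({"ntldr": CLEAN_SAMPLE})
    for line in check_boot_files({"ntldr": TAMPERED_SAMPLE}, baseline):
        print(line)
```

Pointing `read_boot_files` at a volume mounted from a clean rescue environment, rather than from the running (possibly already modified) Windows install, is what makes the comparison trustworthy.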
