Websense Security Labs has discovered a new information-stealing, malicious code attack, which appears to provide more evidence that Russian-based malicious code writers and Brazilians are either working together, or are sharing tools or information. (Previous post: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=724).


If users click on the link within the email, they are redirected to a page hosted in Russia. That page attempts to exploit the user’s browser with the “VML” vulnerability. If the user’s PC has not been properly patched, the site downloads and runs an executable called “stylecss.exe”. This file is packed with “Yoda’s Protector” and has an MD5 of b6b2ccb8d1b862fa92c71a17c1795af2. The file adds an entry to the Run key in the registry pointing to C:\Arquivos de programas\ExAlien.exe [“Arquivos de programas” is the Portuguese-language “Program Files” folder]. Once running, the file is designed to steal information from end users when they visit banking websites.
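The two host-side indicators the alert gives (the Run key entry and the sample’s MD5) can be checked with a small triage script. The following is an added example, not Websense code; the .reg export text is constructed, and the hive (HKEY_CURRENT_USER) and value name (“ExAlien”) are assumptions, since the alert only states the path the Run key points to.

```python
import hashlib
import re

# Indicators quoted in the alert above.
KNOWN_MD5 = "b6b2ccb8d1b862fa92c71a17c1795af2"
KNOWN_RUN_VALUE = r"C:\Arquivos de programas\ExAlien.exe"

# Constructed sample of a .reg export of both Run keys. The first entry is a
# benign decoy; the second is the persistence entry described in the alert
# (hive and value name are assumed, the path is from the alert).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExAlien"="C:\\Arquivos de programas\\ExAlien.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(.*?)"="(.*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in a .reg export.
    .reg files double every backslash inside data, so undo that escaping."""
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key is not None:
            name, data = value_match.groups()
            yield current_key, name, data.replace("\\\\", "\\")


def find_run_key_indicators(text, indicator=KNOWN_RUN_VALUE):
    """Return Run-key entries whose data references the known malicious path.
    The comparison is case-insensitive because Windows paths are."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower().endswith(r"\currentversion\run") and indicator.lower() in data.lower():
            hits.append((key, name, data))
    return hits


def md5_hex(data):
    """MD5 of file contents, for comparison with the hash given in the alert."""
    return hashlib.md5(data).hexdigest()


def matches_known_sample(data):
    return md5_hex(data) == KNOWN_MD5
```

On a live host, feed the script the output of `reg export` for both Run keys and the bytes of any suspicious executable; a Run-key hit or a hash match both warrant isolating the machine.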

Email screenshot (Vivo is a very large mobile carrier in Brazil):

The email is written in broken Portuguese and roughly translates to:


Dear customer,

We’d like to inform you that our database shows several pending payments in your account, which haven’t been paid in their respective due dates.

On 2/23/2006 value R$ 987.00 Details>>>

On 3/26/2006 value R$ 1,980.00 Details>>>

We ask your attention to this notification, since legal measures will be taken, such as the inclusion [of your name] in the Credit Protection Service (SPC) and Serasa [a Brazilian institution that protects credit].

For your security and convenience it is necessary to download the Pendencies Report file.

[Pendencies Report File] [Verify Pendencies]

If you have already settled your payments, please ignore this.
