In late January, researchers at M86 Security Labs discovered a mass infection of hundreds of sites running WordPress 3.2.1. It was later reported that, by using a known vulnerability in this outdated WordPress version for which an exploit had been published, attackers were placing in the victim site's Uploads folder an HTML file that redirects to a landing page of the Phoenix Exploit Kit. The criminals use the compromised sites simply as a source of respectable-looking URLs: a link to a legitimate site inspires the victim's trust (and passes spam filters more easily), so they send out spam containing links to the page described above.

More information about this attack has now emerged. It turns out that after a successful exploit, the Trojan Cridex (also known as Carberp and Dapato) is installed on the victim's computer. This is a fairly well-known banking Trojan that is able to spoof the web forms of 137 (!) banks in various countries. Tellingly, not all antivirus programs detect it: according to the M86 Security Labs study, only 10 of the 47 antivirus programs tested can detect it. Kaspersky, for example, identifies it as Trojan-Dropper.Win32.Dapato.afae.

We have described how Cridex works before. We will only add that the client programs are controlled through a fast-flux network, so traffic to the command-and-control (C&C) servers can look like this:

Domain names are generated by a special algorithm:

ECX = ECX * 0x19660D        ; linear congruential generator step
ECX = ECX + 0x3C6EF35F
ECX = ECX << 0x10
ECX = ECX - 0x7FFF
EDX = 0
EAX = EAX XOR 0x88
EBP = 0x1A                  ; 0x1A = 26, the size of the alphabet
EAX = EAX / 0x1A
EDX = EAX % 0x1A            ; remainder selects a letter
ESI++                       ; advance to the next output position
EDX = EDX + 0x61            ; 0x61 = 'a', so the result is a lowercase letter
Address [EBX + ESI] = DX    ; store the letter in the domain name buffer
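The following Python reading of the listing above is an added example, not code from the article or from M86's analysis. It shows how an LCG-driven domain generation algorithm turns a numeric state into lowercase labels, and why a defender who knows the constants and seed can pre-compute the labels and match DNS queries against them. Several details are not stated on the page and are assumptions here: that the 32-bit LCG state in ECX is carried from one character to the next, that the value fed into the XOR and modulo steps is the shifted and adjusted ECX, and the seed and label length used in the sample run.

```python
# Added example (not from the article or from M86's analysis): a Python reading
# of the pseudo-assembly DGA listing. Assumptions not stated on the page: the
# 32-bit LCG state in ECX is carried between characters, the value fed into the
# XOR / modulo step is the shifted and adjusted ECX, and the seed and label
# length below are chosen for illustration only.

MASK32 = 0xFFFFFFFF  # registers are 32-bit, so every step wraps modulo 2**32


def lcg_step(state: int) -> int:
    """ECX = ECX * 0x19660D ; ECX = ECX + 0x3C6EF35F (with 32-bit wrap)."""
    return (state * 0x19660D + 0x3C6EF35F) & MASK32


def char_from_state(state: int) -> str:
    """Listing lines after the LCG: shift, subtract, XOR, mod 26, add 'a'."""
    value = (state << 0x10) & MASK32        # ECX = ECX << 0x10
    value = (value - 0x7FFF) & MASK32       # ECX = ECX - 0x7FFF
    value ^= 0x88                           # EAX = EAX XOR 0x88 (assumed EAX = ECX)
    remainder = value % 0x1A                # EDX = EAX % 0x1A  (0x1A = 26)
    return chr(remainder + 0x61)            # EDX + 0x61 -> 'a'..'z', stored at [EBX+ESI]


def generate_label(seed: int, length: int) -> str:
    """Produce one domain label of `length` lowercase letters from a 32-bit seed."""
    state = seed & MASK32
    letters = []
    for _ in range(length):
        state = lcg_step(state)
        letters.append(char_from_state(state))  # ESI++ : next output position
    return "".join(letters)


def precompute_labels(seeds, length: int) -> set:
    """Defender-side use: build the set of labels for a range of candidate seeds
    so that observed DNS queries can be checked against it."""
    return {generate_label(s, length) for s in seeds}


if __name__ == "__main__":
    # Constructed sample run: seed 0 and a 12-letter label. The real seed and
    # label length are not given in the article.
    label = generate_label(0, 12)
    print(label)
    print(label in precompute_labels(range(0, 64), 12))
```

The point of `precompute_labels` is the defensive one: because the output depends only on the constants and the seed, anyone who has recovered them from a sample can enumerate the labels ahead of time and alert on, sinkhole, or block them, instead of having to wait for the infected host to resolve them.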

Once the proxy is alive, the Trojan downloads a custom configuration for the Cridex botnet. Its functionality is roughly the same as that of Zeus and SpyEye: it collects private information, logins and passwords, and sends them to a remote server.

However, Cridex specializes in financial transactions: in the world of botnets it is a kind of banking center, with a database of 137 banks and financial institutions around the world. This functionality is provided by the "WORLD BANK CENTER" plugin, shown in the screenshots below (full size).