New attack blends rootkits with HTML-injections to phish users on the fly

The malicious code sample analysed by iDefense was a Small downloader Trojan horse variant that installs two rootkit-protected files, collects and transfers e-mail addresses to a remote website.

It then performs the HTML injection on web forms from targeted institutions that user encounters in order to commit a man-in-the-middle phish for account information.

“Man-in-the-middle attacks done off the host are increasingly common with the most sophisticated attacks to date,” Ken Dunham, director of the Rapid Response Team for iDefense, told SCMagazine.com today.

“Malicious code just sits on the computer and it manipulates the user environment for maximum profit.”

The report recommends changing and hardening all credentials and account data on systems infected with this malware. It also recommends that users and administrators remove the rootkit components with popular anti-rootkit program, remove all Windows registry changes and enable the Windows firewall.

Additionally, the attack creates a phony administrator account, “admineistrator,” so it is recommended that this account is also deleted.

According to the report compiled by Dunham’s team, the malware code operates from an IP address registered to the Russian Business Network (RBN).

As a result, iDefense Labs also recommends monitoring network traffic to the remote RBN server at the IP address 81.95.147.107 to look for suspicious activity related to the attack.

This isn’t the first time RBN has struck innocent users. The address and the group were responsible for the Corpse Spyware Nuclear Grabber/Haxdoor attacks conducted in January 2007.

“Russian organised crime gangs are laughing all the way to the bank at this point,” Dunham says of attacks such as these. “It is very difficult to identify and mitigate.