[ISN] Fake Google Chrome Installer Steals Banking Details

From: InfoSec News <alerts_at_private>
Date: Fri, 18 May 2012 05:13:44 -0500 (CDT)

By Mathew J. Schwartz
May 17, 2012

Beware fake Chrome installers for Windows.

A file named "ChromeSetup.exe" is being offered for download on various 
websites, and the link to the file appears to be legitimately hosted on 
Facebook and Google domains. In reality, the software does not install 
Google's Chrome browser; it installs an information-stealing Trojan 
known as Banker, according to antivirus vendor Trend Micro.

Once the malware--which appears to be targeting Latin American users, 
especially in Brazil and Peru--is executed, it relays the IP address and 
operating system version to one of two command-and-control (C&C) 
servers, then downloads a configuration file. After that, whenever a 
user of the infected PC visits one of a number of banking websites, the 
malware intercepts the HTTP request, redirects the user to a fake 
banking page, and also pops up a dialog box informing the user that new 
security software will be installed.

In fact, the malware has been designed to uninstall GbPlugin, which is 
"software that protects Brazilian bank customers when performing online 
banking transactions," said Trend Micro security researcher Brian 
Cayanan in a blog post. "It does this through the aid of 
gb_catchme.exe--a legitimate tool from GMER called Catchme, which was 
originally intended to uninstall malicious software. The bad guys, in 
this case, are using the tool for their malicious agendas."

Received on Fri May 18 2012 - 03:13:44 PDT