RSA report: Social networks become cybercriminals' newest tool

From the RSA Anti-Fraud Command Center report, July 2010

Although hosting malicious software on public resources is nothing new, the RSA FraudAction Research Lab recently found this hosting method being used by a banking Trojan, namely a variant of the "Brazilian Banker" Trojan family.

In fact, any website that lets users upload content of any kind and then publishes it more or less as submitted, without even stripping line-feed characters or HTML tags, can be used to store the Trojan's encrypted configuration. This includes nearly every platform that allows unrestricted comments, lets anyone create a public profile, or hosts social-network and Web 2.0 discussion groups.

Sending commands and control data to the banking Trojan

"Brazilian Banker" is a financial Trojan that targets customers of Brazilian and other Latin American banks. The encrypted commands of the variant in question (see Fig. 1) were hosted on a social-network profile; shortly after we located the Trojan's configuration point, the illegal content was handled and deleted by the social network's support team. It must be stressed that this social website cannot prevent being exploited in this way. Any website that lets users publish their own content is open to this kind of abuse; it is precisely the users' freedom to post that is being exploited.

It works as follows:

*The attacker behind the malware created a bogus profile for a user named "Ana Maria", entered the malware's encrypted configuration into it as plain text, and uploaded it to that profile.

*Once it has installed itself on a user's machine, the malware searches the profile for the string "EIOWJE" (underlined in the screenshot excerpt). This string marks the starting point of the malware's configuration commands.

*All encrypted commands following the EIOWJE string are decrypted by the malware and executed on the infected computer.
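The dead-drop mechanism described above can be checked for from the platform side. The following is an added example, not code from the RSA report: a small moderation-queue scanner that looks for the "EIOWJE" marker in user-submitted profile text and flags it only when the marker is followed by a long, high-entropy run (ciphertext or encoded data rather than ordinary words). The sample profiles, the length and entropy thresholds, and the function names are all assumptions made for this example.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Marker the report says the Trojan searches for in the profile text; the
# encrypted configuration commands follow it.
MARKER = "EIOWJE"


@dataclass
class DeadDropFinding:
    marker_offset: int      # where the marker sits in the submitted text
    payload: str            # the opaque blob that follows the marker
    payload_entropy: float  # Shannon entropy of the blob, bits per character
    suspicious: bool        # True when the blob looks like ciphertext, not prose


def shannon_entropy(s: str) -> float:
    """Bits per character; encrypted or encoded blobs score higher than prose."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_profile_text(text: str, min_payload_len: int = 32,
                      entropy_threshold: float = 4.5) -> Optional[DeadDropFinding]:
    """Return a finding if the marker is present, flagged as suspicious when the
    text right after the marker is a long, high-entropy run (likely ciphertext).
    A benign mention of the marker followed by ordinary words is reported but
    not flagged, which keeps false positives low for a moderation queue.
    The thresholds are assumptions chosen for this example."""
    idx = text.find(MARKER)
    if idx < 0:
        return None
    after = text[idx + len(MARKER):]
    m = re.match(r"\s*(\S+)", after)
    payload = m.group(1) if m else ""
    entropy = shannon_entropy(payload)
    suspicious = len(payload) >= min_payload_len and entropy >= entropy_threshold
    return DeadDropFinding(idx, payload, entropy, suspicious)


def triage_profiles(profiles: Dict[str, str]) -> List[str]:
    """Profile ids whose text carries a suspicious marker-plus-blob."""
    flagged = []
    for pid, text in profiles.items():
        finding = scan_profile_text(text)
        if finding is not None and finding.suspicious:
            flagged.append(pid)
    return flagged


# Constructed sample profiles (not from the report). The blob after the marker
# is 32 distinct characters repeated twice, so its entropy is exactly log2(32) = 5.0.
SAMPLE_BLOB = "Zx9Qa2Lm7Vk3Rt5Wp8Yn1Bc4Df6Gh0Js" * 2
SAMPLE_PROFILES = {
    "ana_maria_fake": "Ana Maria, Sao Paulo. Gosto de musica.\nEIOWJE " + SAMPLE_BLOB + "\n",
    "ordinary_user": "Hi, I like football and travel. Contact me here.",
    "mentions_marker": "Anyone know what EIOWJE means? Saw it in a post.",
}

if __name__ == "__main__":
    for pid in triage_profiles(SAMPLE_PROFILES):
        f = scan_profile_text(SAMPLE_PROFILES[pid])
        print(f"{pid}: marker at {f.marker_offset}, "
              f"{len(f.payload)}-char blob, entropy {f.payload_entropy:.2f}")
```

The entropy check matters more than the marker itself: the marker is public knowledge once a report like this one is published, so a moderation rule that keys on the bare string would drown in false positives from people discussing it. Requiring a long blob with ciphertext-like entropy after the marker catches the configuration drop while letting the discussion through.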

With this method the attacker no longer needs to rent a dedicated bulletproof server to communicate with the malware; it is enough to register somewhere that accepts user content and post the encrypted commands there. Another reported Trojan used a public resource, Twitter's RSS feeds, as its command-and-control point. The bot herder's modus operandi in that example is as follows:

*The fraudster creates a bogus Twitter account.

*Logging in with the designated e-mail account, the Trojan regularly checks the status updates delivered through the Twitter RSS feed for new commands. Each new command appears as a status update and contains the instruction the Trojan must carry out next.

One criminal went a step further and built an entire botnet, including its setup procedure, on top of Twitter. Another case used Google Groups: after installing itself on the victim's computer, the Trojan logs in to a Google (Gmail) account and opens a specific fake newsgroup that the criminal had created beforehand, requesting the page intended for the Trojan. The Trojan then executes the command specified in the newsgroup's newest page and uploads its reply as a post to the same group.

Internet security firms have reported before that Web 2.0 platforms with large numbers of user profiles, such as social websites and webmail providers, are being used by Trojan operators to store malware configuration files, for the following reasons:

*The criminal does not need to buy and maintain a domain name for the command-and-control point (also called the update point).

*The criminal does not need to buy or maintain a dedicated bulletproof server for the operation.

*Once an exposed profile or account is deleted by the service, a new profile or account can be created quickly and for free.

From the criminal's point of view, the use of public resources may also be harder to detect. It has become almost impossible to detect Trojan communication resources stored on public websites merely by scanning for suspicious URLs; these resources require security firms to deploy more complex detection methods.
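One of the "more complex detection methods" the report alludes to works on the network side rather than on URLs: a Trojan that checks a profile page, Twitter feed or newsgroup for new commands fetches the same public URL on a timer, whereas people browse in bursts. The following is an added example, not code from the RSA report, that reads a constructed proxy log and flags client/URL pairs fetched at near-constant intervals (low coefficient of variation of the gaps between requests). The log format, hostnames under `.invalid`, IP addresses and thresholds are all assumptions made for this example.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class PollingFinding:
    client: str
    host: str
    path: str
    requests: int
    mean_interval_s: float
    interval_cv: float   # std-dev / mean of inter-request gaps; ~0 means clockwork


def parse_proxy_line(line: str) -> Tuple[datetime, str, str]:
    """Constructed log format: '<ISO timestamp> <client ip> <method> <url> <status>'."""
    ts, client, _method, url, _status = line.split()
    return datetime.fromisoformat(ts), client, url


def find_periodic_polling(lines: List[str], min_requests: int = 5,
                          max_cv: float = 0.1) -> List[PollingFinding]:
    """Flag (client, host, path) triples fetched at near-constant intervals.
    Human browsing is bursty; malware polling a dead drop for commands fetches
    the same URL on a timer, so the gaps between requests barely vary.
    min_requests and max_cv are assumptions chosen for this example."""
    series: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        ts, client, url = parse_proxy_line(line)
        u = urlsplit(url)
        series[(client, u.netloc, u.path)].append(ts)
    findings = []
    for (client, host, path), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append(PollingFinding(client, host, path, len(stamps), mean, cv))
    return findings


# Constructed proxy log (not from the report): 10.0.0.5 fetches one profile page
# every 300 s exactly; 10.0.0.7 reads a feed at human, irregular intervals;
# 10.0.0.9 visits the same profile once.
SAMPLE_LOG = [
    "2010-07-12T09:00:00 10.0.0.5 GET http://social.example.invalid/profile/anamaria 200",
    "2010-07-12T09:05:00 10.0.0.5 GET http://social.example.invalid/profile/anamaria 200",
    "2010-07-12T09:10:00 10.0.0.5 GET http://social.example.invalid/profile/anamaria 200",
    "2010-07-12T09:15:00 10.0.0.5 GET http://social.example.invalid/profile/anamaria 200",
    "2010-07-12T09:20:00 10.0.0.5 GET http://social.example.invalid/profile/anamaria 200",
    "2010-07-12T09:25:00 10.0.0.5 GET http://social.example.invalid/profile/anamaria 200",
    "2010-07-12T09:00:00 10.0.0.7 GET http://feeds.example.invalid/rss/news 200",
    "2010-07-12T09:00:40 10.0.0.7 GET http://feeds.example.invalid/rss/news 200",
    "2010-07-12T09:15:00 10.0.0.7 GET http://feeds.example.invalid/rss/news 200",
    "2010-07-12T09:16:40 10.0.0.7 GET http://feeds.example.invalid/rss/news 200",
    "2010-07-12T09:43:20 10.0.0.7 GET http://feeds.example.invalid/rss/news 200",
    "2010-07-12T09:01:00 10.0.0.9 GET http://social.example.invalid/profile/anamaria 200",
]

if __name__ == "__main__":
    for f in find_periodic_polling(SAMPLE_LOG):
        print(f"{f.client} polls {f.host}{f.path}: {f.requests} requests, "
              f"every {f.mean_interval_s:.0f}s (cv {f.interval_cv:.2f})")
```

Real malware often adds jitter to its timer, which is why the rule uses a tolerance (`max_cv`) rather than demanding identical gaps; raising it trades a few more false positives from auto-refreshing web pages for catching less disciplined beacons. A finding from this check is only a lead: the flagged URL still has to be inspected for a dead-drop payload, and the reputable host name itself proves nothing, which is exactly the detection gap the report describes.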

It is worth mentioning that, despite the many advantages, banking Trojans that store their communication resources on public resources are still quite rare; at present this is an unusual method, not yet a regular one. Usually, once the threat is detected and the relevant support team is notified, taking down these command-and-control points is still simple and swift.
