
9/28/2011

[Warning] A malicious file related to HSBC online banking has been reported from Brazil.

1. Introduction

Amid the surge of security threats and incidents in South Korea, a malicious file aimed at online banking users has been reported from Brazil.
Because banking fraud keeps growing, online banking users need to be careful when making online transactions.



2. Spreading path and symptoms of infection

The recently found malicious file is designed to target HSBC online banking users. When this malicious program runs, it sends the account number, password and other personal information the user enters to a certain IP address using SMTP (Simple Mail Transfer Protocol).

This malicious file is named "Modulo_HSBC.exe", and its file properties are also disguised as banking information ("HSBC Bank Brasil S.A. - Banco Múltiplo").


When the malicious file is executed, it pops up a message box: "Please wait a moment while we configure the application for registration to start updates."


* Network transaction information when the malicious file is executed



When the "Modulo_hsbc" waiting message is closed, a "wait while the server connect HSBC" message appears.



In the next phase, the user can enter "CPF" information.



In the next phase, the user can enter a 4-digit password.



On this page, HSBC requires the user to enter a 7-digit password.



The following screen asks for information used for online banking.



End of the process.



The INCA Internet Emergency Response Team found that the entered information is leaked to a certain web site using SMTP.

* Packet transaction data information

 - The submitted information is recorded as follows.



 - The destination IP address is located in the United States.
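
Because the stolen data leaves the PC over SMTP, a defender can look for workstation processes other than mail clients opening SMTP connections. The following is an added example, not part of the original report: the log format, host names, IP addresses and allowlists are constructed assumptions, and only the file name Modulo_HSBC.exe is taken from the report.

```python
import csv
import io
import ipaddress
import ntpath

# Constructed sample connection log (time, host, process image, dst IP, dst port).
# Only the file name Modulo_HSBC.exe comes from the report; the rest is invented.
SAMPLE_LOG = r"""
2011-09-28T10:01:12,ws-014,C:\Program Files\Mozilla Thunderbird\thunderbird.exe,192.0.2.25,587
2011-09-28T10:03:40,ws-014,C:\Users\ana\Downloads\Modulo_HSBC.exe,203.0.113.77,25
2011-09-28T10:04:02,ws-022,C:\Windows\System32\svchost.exe,192.0.2.25,443
2011-09-28T10:05:19,ws-031,C:\Users\rui\AppData\Local\Temp\upd.exe,198.51.100.9,465
2011-09-28T10:06:00,ws-031,C:\Users\rui\AppData\Local\Temp\upd.exe,192.0.2.25,25
""".strip()

SMTP_PORTS = {25, 465, 587}
# Assumptions: the organisation's own mail relay and its permitted mail clients.
APPROVED_RELAYS = [ipaddress.ip_network("192.0.2.25/32")]
APPROVED_CLIENTS = {"thunderbird.exe", "outlook.exe"}


def find_suspicious_smtp(log_text):
    """Return SMTP connections made by unapproved processes or to unapproved hosts."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, host, image, dst, port = row
        if int(port) not in SMTP_PORTS:
            continue  # only SMTP traffic is of interest here
        reasons = []
        # ntpath parses Windows paths correctly on any analysis platform.
        if ntpath.basename(image).lower() not in APPROVED_CLIENTS:
            reasons.append("process is not an approved mail client")
        if not any(ipaddress.ip_address(dst) in net for net in APPROVED_RELAYS):
            reasons.append("destination is not an approved relay")
        if reasons:
            findings.append({"time": ts, "host": host, "image": image,
                             "dst": f"{dst}:{port}", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_smtp(SAMPLE_LOG):
        print(f["time"], f["host"], f["image"], "->", f["dst"], "|", "; ".join(f["reasons"]))
```

Matching on the file name alone is easy to evade, so in practice pair it with the full image path or a code-signing check.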



3. How to prevent

To keep a PC safe from the security threats posed by such malicious files, we recommend that general users follow the "Security management tips" below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version and keep real-time detection turned "ON".
3. Do not open or download attached files from suspicious e-mail.
4. Be cautious with links received through instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment with "nProtect Anti-Virus/Spyware" for malicious files such as the one described above, and runs a response system against various security threats.

Diagnosis name

- Trojan-Spy/W32.Banker.1977856.D
