Malware Downloader ‘Dramatically’ Surges in Infection Rates

Jay Decenella, IT audit expert
July 05, 2011

A generic malware downloader first seen in December 2008 sharply increased its rate of PC infections during June 2011, according to security firm Trusteer.

The Hiloti generic downloader is a trojan first seen in December 2008, Trusteer noted. It typically downloads other malware such as Zeus and SpyEye onto the infected machine.

In mid-June this year, Trusteer spotted a SpyEye configuration targeting users of two leading European airline travel Web sites – Air Berlin, the second largest airline in Germany (after Lufthansa) and AirPlus, the global provider of business travel services for companies.

SpyEye allegedly exploited the user’s machine, not the websites, to carry out fraud.

The cyber attack subjects, Trusteer continued, “are far from randomly selected, but are, we believe, carefully chosen for their criminal revenue potential. One site accepts debit card payments, while the other caters to business users.”

Air Berlin, for example, not only accepts debit and credit cards, but allows travelers from Austria, Denmark and Germany, among others, to pay by bank direct debit seven days before traveling.

It follows that cyber criminals targeting an Air Berlin traveler from these countries are more likely to gain access to the user's personal details, including date of birth, as well as their bank account details.

Meanwhile, AirPlus offers a variety of travel services for companies of all sizes via its website, all paid for with business payment cards that are linked to business bank accounts.

“Since corporate accounts tend to carry much higher balances (or credit limits) than consumer accounts, they have much greater cyber criminal revenue potential from a data harvesting perspective,” Trusteer earlier said.

“In the case of the Air Berlin attack, SpyEye is attempting to harvest confidential user information including username and password, and other data that is entered in the targeted web page. Since Air Berlin accepts bank debit card payments, the fraud potential is even more elevated.”

Now, Trusteer found that “Hiloti creates a malicious DLL in the Windows directory, and hacks the Windows registry to maintain its presence on an infected machine across a normal boot cycle.

“We suspect that a Hiloti-infecting campaign – which is quite likely to be a drive-by download infection – is now taking place, having started on June 20th.”
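The persistence pattern Trusteer describes (a DLL dropped in the Windows directory and a registry entry that reloads it across reboots) is something a defender can hunt for in registry autorun exports. The following is an added example, not Trusteer's tooling or anything from the original article; the key names are standard Windows autorun locations, the entries and file names are constructed, and the `C:\Windows` install path is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Assumption: default Windows install location.
WINDIR = PureWindowsPath(r"C:\Windows")

# Constructed sample in the style of a `reg export` dump. The key paths are real
# autorun locations; the value names and files are made up and are NOT Hiloti indicators.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"updater"="rundll32.exe C:\\Windows\\xyzabc.dll,Start"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\qwerty.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
DLL_RE = re.compile(r'[A-Za-z]:\\[^",;]*?\.dll', re.IGNORECASE)

def parse_reg_export(text):
    """Yield (key, value_name, data) triples from a reg export; data is unescaped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # reg export doubles backslashes inside string data
            yield key, m.group("name"), m.group("data").replace("\\\\", "\\")

def dll_in_windows_root(path_str):
    """True if the DLL sits directly in the Windows directory, not a subfolder such as System32."""
    return str(PureWindowsPath(path_str).parent).lower() == str(WINDIR).lower()

def find_suspicious_autoruns(text):
    """Return (key, value_name, dll_path) for autorun values loading a DLL straight
    from the Windows directory root, where legitimate components rarely live."""
    hits = []
    for key, name, data in parse_reg_export(text):
        for dll in DLL_RE.findall(data):
            if dll_in_windows_root(dll):
                hits.append((key, name, dll))
    return hits
```

The output is a review queue, not a verdict: confirm each flagged DLL's signature and hash before acting on it.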

Based on a typical infection graph from the UK published by Trusteer, the Hiloti malware is surging to two to three times its previous level of infections.

“What is interesting is that the infection does not appear to be affecting the US and other international territories, suggesting that it is a carefully targeted attack on one or more UK banking portals,” it said.

Trusteer vowed that its research teams will continue to monitor the levels of infection of Hiloti.

“We would stress that users of Trusteer Rapport security software are protected from the Hiloti downloader and its financial payload, even if other security defenses have not detected it,” it added.
