Web Threat of the Day

Targeted Attack in Mexico: DNS Poisoning via Modem

Abstract

“A Web to the hilt.” This statement sums up the latest Web threat, a massive DNS poisoning attack in Mexico. True to the growing complexity of Web threats, this attack consists of an unusual mix of malicious behaviors: social engineering, malware downloading, pharming, and a DSL modem as the point of exploitation, a somewhat rare (but not unheard of) medium. This Web threat specifically targets users of 2Wire DSL modems, which one of the main Internet service providers in Mexico supplies to its customers; it places at least two million of those customers at risk of a security breach. It also targets customers of Banamex, one of the largest financial institutions in Mexico. Trend Micro customers are protected from the harm this threat brings: all related URLs and IPs are blocked by Web Threat Protection technology.

Threat Analysis

It all happens on the Web. The attack starts as an exploit spammed via email. The email message carries a news item similar to the one shown below:

[Image: the spammed email message]

The headline in the message roughly translates to a 40-year prison sentence for a Mexican narco operator in the Tijuana cartel. This social engineering lure builds interest among Mexican users, who are the main targets of this threat. The exploit code is embedded in the HTML-formatted email as an “img src” reference: once the message is opened and rendered as HTML, the mail client automatically requests the image URL, which actually points at the modem’s Web console on the local network. Because the request originates from the victim’s own browser inside the LAN, it reaches an administrative interface that is not exposed to the Internet, and the crafted URL modifies the modem’s local host database. In effect the attacker forges a request on the user’s behalf (a cross-site request forgery against the modem) without any script having to run. The modification redirects all requests for banamex.com to a fraudulent site: for affected users, even typing banamex.com, a legitimate, non-malicious fully qualified domain name (FQDN), leads to the fraudulent site, because the modem, which answers the LAN’s name lookups, now resolves the name from its altered host database. Once there, the user risks entering banking credentials and other personal information into a site controlled by the attacker. The diagram below depicts the infection chain:

[Diagram: infection chain]
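The following Python script is an added example, not code from the original post or from Trend Micro, showing one way a mail filter could flag messages that use the “img src” technique described above. It collects every resource an HTML-capable mail client fetches automatically (img, script, iframe, link, embed) and reports those whose host is a private, loopback or link-local address or a typical gateway hostname. The gateway hostname list, the address 192.168.1.254, and the console path and parameters in the constructed sample message are assumptions for illustration, not the real 2Wire console endpoint.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostnames often used to reach a home gateway's web console. This is an assumed
# watch-list for the example, not the actual names of any vendor's console.
GATEWAY_HOSTNAMES = {"home", "gateway", "router", "modem", "localhost"}

# Elements whose referenced resource a rendering mail client fetches on its own,
# with no click from the user. An <img src> is the vector described in the post.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "link": "href", "embed": "src"}


class _ResourceCollector(HTMLParser):
    """Collect the URL of every automatically fetched resource in an HTML body."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTO_FETCH.get(tag.lower())
        if wanted is None:
            return
        for name, value in attrs:          # attribute values arrive already unescaped
            if name.lower() == wanted and value:
                self.urls.append(value.strip())


def is_lan_target(url):
    """True if the URL's host is a gateway-style name or a non-public address."""
    host = urlsplit(url).hostname
    if not host:
        return False
    if host.lower() in GATEWAY_HOSTNAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                        # an ordinary public hostname
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_lan_requests(html):
    """Return the auto-fetched URLs in an HTML message that point into the LAN."""
    collector = _ResourceCollector()
    collector.feed(html)
    return [u for u in collector.urls if is_lan_target(u)]


# Constructed sample message modelled on the lure described above. The console
# path and query parameters are placeholders, not a real 2Wire endpoint.
SAMPLE_EMAIL_HTML = """<html><body>
<h1>Narco de Tijuana sentenciado a 40 anos de prision</h1>
<img src="http://news.example.net/fotos/narco.jpg">
<img src="http://192.168.1.254/console?op=sethost&amp;name=banamex.com&amp;addr=203.0.113.7"
     width="1" height="1">
<p><a href="http://files.example.net/Video_Narco.rar">Ver el video</a></p>
</body></html>
"""

if __name__ == "__main__":
    for url in find_lan_requests(SAMPLE_EMAIL_HTML):
        print("auto-fetched LAN request:", url)
```

Legitimate intranet mail can trip this rule, so it belongs in a scoring pipeline rather than as a hard block; the point it captures is that mail arriving from the Internet has no honest reason to embed a one-pixel image hosted on the recipient's own gateway.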

The malicious email message also promises a “video,” a common social engineering hook for tricking users into downloading malicious programs. In this case, it includes a link to a malicious URL from which the .RAR archive Video_Narco.rar can be downloaded. This archive contains the malicious file Video_Narco.exe, which Trend Micro detects as TROJ_QHOST.FX. Like the exploit code, TROJ_QHOST.FX also prevents users from reaching the legitimate Banamex Web site. It does so by modifying the affected system’s HOSTS file, which maps hostnames to IP addresses and is consulted before any DNS query is sent, so that when an affected user tries to access any of the following hostnames, the connection goes to a malicious site instead:

• banamex.com
• www.banamex.com
• banamex.com.mx
• www.banamex.com.mx
• www.bancanetempresarial.banamex.com.mx
• bancanetempresarial.banamex.com.mx
• boveda.banamex.com.mx
• www.boveda.banamex.com.mx

The two techniques complement each other: the modem-side change affects every device behind the modem, while the HOSTS-file change follows the infected PC even when it connects from another network.
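As an added example (not the page’s or Trend Micro’s own code), the Python below parses a HOSTS file and reports any entry that pins one of the Banamex hostnames listed above, or a subdomain of them, to an address; every other mapping to a non-loopback address is listed for review so a responder can confirm it is a deliberate LAN entry. The sample HOSTS content is constructed, and 203.0.113.7 is a documentation-range address standing in for the attacker’s server.

```python
import ipaddress

# Hostnames the trojan rewrites, taken from the list in the analysis above.
BANAMEX_HOSTNAMES = {
    "banamex.com", "www.banamex.com",
    "banamex.com.mx", "www.banamex.com.mx",
    "bancanetempresarial.banamex.com.mx", "www.bancanetempresarial.banamex.com.mx",
    "boveda.banamex.com.mx", "www.boveda.banamex.com.mx",
}

# The only mappings a clean HOSTS file is expected to carry.
BENIGN_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # malformed address, never resolved
        for name in fields[1:]:                 # one line may alias several names
            yield ip, name.lower().rstrip(".")


def find_pharming_entries(text, watched=BANAMEX_HOSTNAMES):
    """Return (ip, hostname, severity) for every suspicious HOSTS entry.

    'critical': a watched banking hostname (or a subdomain of one) is pinned to any
    address at all; a bank never belongs in a HOSTS file.
    'review'  : any other mapping to a non-loopback, non-unspecified address, which a
    responder should confirm is a deliberate LAN entry.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if (ip, name) in BENIGN_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        if name in watched or any(name.endswith("." + w) for w in watched):
            hits.append((ip, name, "critical"))
        elif not (addr.is_loopback or addr.is_unspecified):
            hits.append((ip, name, "review"))
    return hits


# Constructed sample HOSTS file from an infected machine. 203.0.113.7 is a
# documentation-range address standing in for the attacker's server.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
192.168.0.10    fileserver.lan      # a legitimate entry added by the user
203.0.113.7     banamex.com www.banamex.com
203.0.113.7     banamex.com.mx www.banamex.com.mx
203.0.113.7     bancanetempresarial.banamex.com.mx www.bancanetempresarial.banamex.com.mx
203.0.113.7     boveda.banamex.com.mx www.boveda.banamex.com.mx
"""

if __name__ == "__main__":
    for ip, name, severity in find_pharming_entries(SAMPLE_HOSTS):
        print(f"[{severity}] {name} -> {ip}")
```

Entries that point a hostname at 0.0.0.0 or 127.0.0.1 are skipped as ordinary ad-blocking rules, except when the hostname is a watched banking domain, where even a loopback mapping denies the user access to the bank and is reported as critical.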

You have to hand it to these criminals: they make sure no stone is left unturned and no security hole unexploited. In any case, Trend Micro already blocks all related malicious URLs and IPs with its Web Threat Protection. Even users whose Domain Name System (DNS) servers may have been poisoned will receive a notification of possible pharming activity (see image below).

[Image: Web Threat Protection pharming notification]

This Web threat targets 2Wire and Banamex customers, specifically in Mexico. More than two million 2Wire customers are estimated to be at risk of having their systems compromised, and more than half a million customers that Banamex serves online may also be at risk of information exposure and theft.

User risks

The impact for non-Trend Micro users:

- Local DNS and HOSTS entries are modified. The Domain Name System (DNS) translates domain names into IP addresses, and the HOSTS file does the same locally. Altering either lets the attacker decide which server a legitimate name resolves to, so the machine is silently sent to Web sites of the attacker’s choosing, including fraudulent banking pages, while the browser still shows the genuine domain name.

- Users’ systems are attacked through the threat. Once name resolution has been tampered with by malware, the attacker can route the user to further malicious Web sites at will, so the affected system remains open and prone to more attacks and threats until the modem configuration and the HOSTS file have been cleaned.

Trend Micro solution

Trend Micro customers are protected from the harm this threat brings. All related URLs and IPs are blocked by the Web Threat Protection technology. URL and content filtering in Trend Micro products effectively blocks these kinds of threats from spreading further into networks by breaking the infection chain. Moreover, customers are protected from infection by the downloaded malware TROJ_QHOST.FX, as it is already detected by Trend Micro products. In addition, the anti-spam security in Trend Micro products blocks spam in real time and can filter and block email messages carrying possibly malicious URLs, further protecting customers from infection.

More information can be found in the Trend Micro Malware Blog. See the link below: http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/

For comments, questions, or suggestions, send email to: All of PH AV Technical Marketing