A Trojan that targets banks now poses an even bigger threat by using compromised websites to infect visitors’ computer systems.
Computer security firm BitDefender said the sites open a seemingly innocent HTML page detected as Trojan.JS.QOS, which asks visitors to “Please wait while page is loading.”
BitDefender said the page actually contains a tricky piece of JavaScript that redirects users to another malicious JavaScript file, detected as Trojan.JS.Redirector.YF.
Zbot, a.k.a. Zeus, ZeusBot or WSNPoem, is a banker Trojan with backdoor and server capabilities. It collects bank-related information, login data, the history of visited websites and other sensitive details. Some versions may even snatch screenshots of the compromised machine’s desktop.
“It appears this malicious JS file has been planted on a multitude of servers that host otherwise clean websites, probably as a result of FTP credentials theft. This script has the sole purpose of redirecting the user to the exploit page, the final stop in this redirection trip,” it said in a blog post.
The second HTML page, detected as Trojan.HTML.Downloader.Agent.NBF, embeds a Java applet (Exploit.Java.CVE-2010-0840.P) to download and install a Zbot variant (Trojan.Zbot.HTQ) on the compromised systems.
BitDefender has made available a removal tool for free download and use. It can be downloaded from the Removal Tools section of its Malwarecity.com website.
In the meantime, it advised computer users not to click on just any old site.
“Most importantly, if a website redirects you towards another web location, close it at once. Last but not least, keep your Java Runtime updated at all times,” it said. — TJD, GMA News
source: gmanetwork.com