Friday, July 27, 2007

Pharming in the wild

My SPAM folder is an unbeatable source of malware; I think it is better than the Honeynet Project (just kidding). Last week I found an e-mail with an interesting subject, "Combate al robo de combustible", loosely translated "Fighting the fuel rip-off". Let me explain: in Mexico some gas station pumps dispense less fuel than you pay for, so you pay for 1 L but get, let's say, 900 ml (or less). There is a study on this topic, and a list of the gas stations that rip you off.

Back to the e-mail: it was supposedly sent by the "Tec de Monterrey" (a private university in Mexico), but it appears to be fake.
It includes a link to a file that pretends to be the list of gas stations (Gasolinera.rar); inside this RAR archive is a "gasolineras.exe" file with MD5 hash f5e9203e2d799cc98016db11a1832880.


It was evident this file was malware, but I always upload suspicious files to VirusTotal before starting a deeper analysis (to save effort in case the sample is already known); this time it reported no detections. So I sent a copy of the file to the malware team at UNAM-CERT for analysis, and at the same time I started reverse-engineering the code to highlight the main activities of this malware.

The file has interesting strings:

Gasolineraxc
SeguridadBanamex
Gasolineras
ProductName
SeguridadBanamex
FileVersion
1.00
ProductVersion
1.00


This malware adds entries to the "C:\WINDOWS\system32\drivers\etc\hosts" file, specifically:

209.40.195.154 banamex.com
209.40.195.154 www.banamex.com
209.40.195.154 banamex.com.mx
209.40.195.154 www.banamex.com.mx
72.249.77.180 www.bancanetempresarial.banamex.com.mx
209.40.195.154 bancanetempresarial.banamex.com.mx
209.40.195.154 boveda.banamex.com
209.40.195.154 www.boveda.banamex.com


This kind of attack is known as "PHARMING", and it fools the browser and every other application on the machine into resolving bank domains to fake portals, because Windows consults the hosts file before it asks any DNS server. This means that when I type www.banamex.com in the browser, the system checks the hosts file first; the malware previously added the entry, so www.banamex.com now resolves to 209.40.195.154, and of course the attacker controls that IP. Note that the entries above cover the bare domain and the www. variant, and both the .com and .com.mx names, so typing the address carefully does not help.

The antivirus failed to detect this malware as potentially unwanted because it does none of the things a behavioural scanner looks for: it doesn't open TCP ports, doesn't add entries to the Windows registry, and doesn't hook the keyboard or other hardware interrupts (among other typical hacking activities). It just writes a few lines to a text file; needless to say, it's a very NASTY attack.

The details may be quite technical for some people, so let's make an analogy: an attacker rewrites your copy of the Yellow Pages, so when you try to reach Domino's Pizza by phone you actually get the number of Pizza Hut.

So, how can I protect myself? ALWAYS check the SSL certificate when browsing online banks, even if you typed the URL directly into the browser (a hosts-file entry redirects a correctly typed address too, and the attacker's server will not have a valid certificate for the bank's domain), and NEVER execute files received as attachments, even if the antivirus says they're ok. It is also worth inspecting the hosts file yourself: on a normal machine it should contain little more than the localhost line.
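The hosts-file check from the pharming explanation and the protection advice above, as an added example that is not part of the original post or of the malware analysis: it parses a hosts file, ignores the harmless entries (loopback, private, link-local and the 0.0.0.0 sinkhole lines ad-blockers use), flags every name that is pinned to a routable Internet address, and groups the flagged names by IP, since many unrelated bank hostnames pointing at one address is exactly the pattern seen in this sample. The sample hosts text is constructed here from the entries quoted in the post, and the Windows path is assumed to be the default one the post names.

```python
import ipaddress
from collections import defaultdict

# Default location of the hosts file on Windows (assumed; same path the post names).
WINDOWS_HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: Windows default lines, an ad-blocker style sinkhole entry,
# and the pharming entries quoted in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example   # ad-block sinkhole, harmless
209.40.195.154 banamex.com
209.40.195.154 www.banamex.com
72.249.77.180 www.bancanetempresarial.banamex.com.mx
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (everything after '#') and blank lines are skipped, a line may map
    several names to one address, and lines whose first field is not an IP
    address are ignored rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def suspicious_entries(entries):
    """Keep only entries that pin a hostname to a routable address.

    Windows consults the hosts file before DNS, so such an entry silently
    overrides the real resolution of that name for every application.
    Loopback, private, link-local and unspecified (0.0.0.0) targets are the
    normal contents of a hosts file and are not flagged.
    """
    flagged = []
    for ip, host in entries:
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_unspecified):
            continue
        flagged.append((ip, host))
    return flagged


def hosts_per_ip(flagged):
    """Group flagged hostnames by target address.

    Several unrelated names (and both the .com and .com.mx variants of a bank)
    resolving to one IP is the signature of the pharming entries in the post.
    """
    groups = defaultdict(list)
    for ip, host in flagged:
        groups[ip].append(host)
    return dict(groups)


def audit_hosts_file(path=WINDOWS_HOSTS):
    """Read a hosts file from disk and return the grouped suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return hosts_per_ip(suspicious_entries(parse_hosts(fh.read())))


if __name__ == "__main__":
    # Run against the constructed sample; point audit_hosts_file() at a real
    # path to audit a live machine.
    for ip, names in hosts_per_ip(suspicious_entries(parse_hosts(SAMPLE_HOSTS))).items():
        print(f"{ip} overrides: {', '.join(names)}")
```

Only hosts-file pharming is caught this way; a compromised DNS server or router would leave the hosts file clean, which is why the certificate check in the browser remains the control that works regardless of where the resolution was tampered with.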

2 comments:

Anonymous said...

Sir, can I ask for the details of this boveda.banamex thing? We have a guest here complaining that he can't access the site, https://boveda.banamex.com.mx/. What is this website, by the way?

Eduardo said...

That URL belongs to the Mexican bank BANAMEX (Citigroup in Mexico), and it's the front page for online banking services.