Brazilian Banking Trojan Poses as Microsoft Anti-Malware Tool

A new and nasty banking Trojan is wreaking havoc on Windows systems by removing built-in security software and clearing a path for crooks to silently steal victims' banking credentials.
Source: SecurityNewsDaily

The Trojan affects "ntldr," the default boot loader on Windows machines, explained Kaspersky Lab expert Fabio Assolini. Identified as Trojan-Downloader.Win32.VB.aoff, the Trojan originated in Brazil, and spreads as a link attached to emails.

Once users click on the malicious link, the Trojan downloads two malicious files from Amazon's Web Services cloud. These files, called "xp-msantivirus" and "xp-msclean," worm their way onto the PC's bootloader, a component that gets executed prior to the startup of the computer's operating system. From there, the files embark on a catastrophic, and covert, campaign.

The malicious files' intentions are hidden in their names: advertised as "msantivirus" and "msclean," they are made to look like legitimate Microsoft anti-virus and computer cleanup tools, but in effect they do exactly the opposite.

When these files attack the Microsoft ntldr bootloader, they replace it with a new, malicious one: a version of GRUB, an open-source bootloader, tailored to execute the attackers' commands. Without drawing attention to itself, the new bootloader boots the computer into Linux or Unix software that removes a common Brazilian bank-security plugin and also strips out the system's built-in Microsoft security software, opening it up to a slew of potential viruses and attacks.

This devious switch happens before the computer has even started up, and worse, it automatically erases itself and restores the original bootloader, so victims have no idea their security has been compromised. All they notice during this whole bait-and-switch is that startup takes a little longer than usual, and the attack accounts for that with a phony message claiming to be from Microsoft that says it is "removing malicious files."

The safest way to avoid falling victim to a dangerous attack like this is to run up-to-date and comprehensive anti-virus and anti-malware software on your computer, and to be skeptical about downloading any files attached to emails.