The newest variant of the Cridex trojan, a data-stealing piece of malware that targets bank accounts, has been found to self-propagate by downloading a worm onto the infected machine.
The new variant is known as Geodo and it is capable of turning every "bot in the botnet into a vehicle for infecting new targets", according to security researchers at Seculert. Once Geodo has infected a computer, it communicates with a command and control server, which in turn sends the bot an email with a link to download the worm in a zip file.
The worm is then provided with around 50,000 stolen SMTP account credentials, including the mail server details for each, which it uses to send its messages from genuine accounts, "impersonating legitimate email".
The worm is given a batch of 20 targeted email addresses along with the details of the decoy mail to send: a from address, a subject line and body text. The attached zip file contains an executable which, when opened, infects the target system with Geodo and the cycle begins all
While it has not been confirmed where the 50,000 stolen SMTP accounts came from, the Cridex trojan itself is thought to be the source. According to the researchers, Geodo has the ability to steal data and could pose a serious risk to businesses with regard to their intellectual property and customer data.
The researchers went on to say that Geodo is representative of the growing threat of advanced malware to the enterprise. In recent years we have seen increasingly sophisticated malware, with no sign of any let-up in what is a multi-million pound cybercrime industry across the globe.
Even more worrying is the fact that a recent report found that many companies do not have even the most basic security protection, such as antivirus and vulnerability scanning, in place.
The use of security software is also on the decline, although it is possible that this is because some businesses are moving to managed security services offered through a third party such as an MSP (managed service provider). Whatever the case, businesses should be aware of the huge risk they take if they ignore security issues; many never recover from a serious attack in which data is stolen.
Geodo mostly targets German and Swiss accounts, and its emails tend to be written in German. Fake invoices are the usual lure, and users should not open any zip attachment without scanning it first, especially since the worm sends its mail through real, stolen email accounts, so the sender details look genuine.
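As an added illustration of the "scan before you open" advice above (example code written for this page, not from Seculert or the original article), the following Python function inspects a zip attachment entirely in memory and reports the members that should stop a user from opening it: executable extensions, double extensions such as `Rechnung.pdf.exe`, PE (`MZ`) headers hiding behind a harmless extension, encrypted members that cannot be inspected, and nested archives. The sample archive is constructed inline and is not a real Geodo payload; every file name in it is made up.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows will run directly when a user double-clicks them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".dll", ".msi"}
PE_MAGIC = b"MZ"                     # first two bytes of every Windows PE file
MAX_NESTING = 3                      # how deep to follow zip-in-zip
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not inflate anything larger than this

Finding = Tuple[str, str]            # (member path, reason it was flagged)


def scan_zip_bytes(data: bytes, depth: int = 0, prefix: str = "") -> List[Finding]:
    """Inspect a zip held in memory and list members a user should not open.

    Nothing is written to disk and nothing is executed: only the first two
    bytes of each member are inflated (the whole member only for nested zips).
    """
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix.rstrip("/") or "<root>", "not a valid zip archive")]

    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""

            if ext in EXECUTABLE_EXTS:
                reason = "executable extension"
                if len(parts) > 2:                # e.g. Rechnung.pdf.exe
                    reason += " hidden behind a double extension"
                findings.append((path, reason))

            if info.flag_bits & 0x1:              # general-purpose bit 0 = encrypted
                findings.append((path, "encrypted member, contents cannot be inspected"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "member too large to inspect safely"))
                continue

            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC and ext not in EXECUTABLE_EXTS:
                findings.append((path, "PE header (MZ) despite non-executable extension"))

            if ext == ".zip":
                if depth >= MAX_NESTING:
                    findings.append((path, "nested archive too deep to inspect"))
                else:
                    with zf.open(info) as fh:
                        findings.extend(scan_zip_bytes(fh.read(), depth + 1, path + "/"))
    return findings


def is_safe_to_open(data: bytes) -> bool:
    """True only when the archive parsed cleanly and no member was flagged."""
    return not scan_zip_bytes(data)


def build_sample_attachment() -> bytes:
    """Constructed test archive (not a real Geodo payload) shaped like a fake invoice."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("update.dat", PE_MAGIC + b"\x90" * 62)              # renamed PE file
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Rechnung_2014.pdf.exe", PE_MAGIC + b"\x90" * 62)   # double extension
        z.writestr("Rechnung.txt", b"Sehr geehrte Damen und Herren, ...")  # harmless text
        z.writestr("anhang.zip", inner.getvalue())                     # nested archive
    return outer.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed archive containing only a text file, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Rechnung.txt", b"Sehr geehrte Damen und Herren, ...")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_bytes(build_sample_attachment()):
        print(f"{member}: {reason}")
    print("benign archive safe to open:", is_safe_to_open(build_benign_attachment()))
```

The check deliberately looks at content (the `MZ` header) as well as names, because a payload renamed to `.dat` or `.pdf` still executes once a second-stage loader renames it back; and it refuses to vouch for encrypted members rather than silently passing them, since password-protected archives are a standard way of getting a zip past a scanner. Run on a real mail gateway this would sit in front of, not replace, a proper antivirus scan.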