Trojan Variant Downloads Worm to Spread

News Article - Thursday, 03 July 2014 09:37

By: Kerry Butters Category: Security

The newest variant of the Cridex trojan, a data stealing piece of malware that targets bank accounts, has been found to self-propagate by downloading a worm to the infected machine.

The new variant is known as Geodo and it's capable of turning every "bot in the botnet into a vehicle for infecting new targets," according to security researchers at Seculert. Once Geodo has infected a computer, it communicates with a command and control server which in turn sends an email with a link to download the worm in a zip file.

The worm is then further provided with around 50,000 stolen SMTP account details, including server details, which it uses to target accounts by "impersonating legitimate email".

The malware is given a batch of 20 targeted email addresses along with details such as a from address, subject line, and body text to include in the dummy mail. When opened, the zip file contains an executable which infects the target system with Geodo, and the cycle begins all over again.

Whilst it's not been 100% confirmed where the 500,000 stolen SMTP accounts came from, it's thought that the Cridex trojan is the culprit. According to the researchers, Geodo has the ability to steal data and could pose a serious risk to businesses with regard to their intellectual property and customer data.

The researchers went on to say that Geodo is representative of the growing threat of advanced malware to the enterprise. In recent years we've seen increasingly sophisticated instances of malware, with no sign of any let-up in what is a multi-million pound cybercrime industry across the globe.

Even more worrying is the fact that a recent report found that many companies don't have even the most basic security protection, such as antivirus and vulnerability scanning, in place.

The use of security software is also on the decline, although it's possible that this is because some businesses are moving to managed security services offered through a third party such as an MSP. Whatever the case, businesses should be aware of the huge risk they take if they ignore security issues; many never recover from a serious attack in which data is stolen.

Geodo targets mostly German and Swiss accounts, and the emails tend to be sent out in German. Fake invoices are a feature of the malware, and users should take care not to open any zip file without scanning it first, especially since the trojan uses real email address details to send the malware.
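The advice above, to scan a zip before opening it, can be automated at the mail gateway or on the endpoint. The following Python script is an added example written for this article; it is not code from Seculert or from the article's author, and the sample archives it inspects are constructed inline (the file name `Rechnung_2014.pdf.exe` is an invented stand-in for the fake German invoice the article mentions). It flags archive members that carry an executable extension, a double extension, or a PE/DOS `MZ` header, and it descends into nested zips to a fixed depth so an executable cannot simply be wrapped in a second archive.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will execute directly when double-clicked (list chosen for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
MZ_MAGIC = b"MZ"          # first two bytes of every PE/DOS executable
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a zip archive


def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 2, prefix: str = "") -> List[Dict]:
    """Return a list of suspicious members found in the zip bytes `data`.

    Each finding is {"name": <path inside the archive>, "reasons": [...]}.
    Nested archives are opened recursively up to `max_depth` levels.
    """
    findings: List[Dict] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A malformed archive is itself worth quarantining rather than passing through.
        return [{"name": prefix or "<root>", "reasons": ["not a valid zip archive"]}]

    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            lower = info.filename.lower()
            reasons: List[str] = []

            # Judge by the *final* extension: "invoice.pdf.exe" is an .exe.
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
                if lower.count(".") >= 2:
                    reasons.append("double extension")

            # Content check: extension renaming does not change the file header.
            with zf.open(info) as fh:
                head = fh.read(4)
            if head[:2] == MZ_MAGIC:
                reasons.append("MZ (PE/DOS) header")

            # Nested archive: look inside, but bound the recursion depth.
            if head == ZIP_MAGIC or ext == ".zip":
                if depth < max_depth:
                    with zf.open(info) as fh:
                        inner = fh.read()
                    findings.extend(inspect_zip(inner, depth + 1, max_depth, name + "/"))
                else:
                    reasons.append("nested archive beyond depth limit")

            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def should_quarantine(data: bytes) -> bool:
    """True if any member of the archive looks executable or the archive is malformed."""
    return bool(inspect_zip(data))


# --- Constructed sample archives (not real malware) -------------------------------------

def build_sample_zip() -> bytes:
    """Zip with a fake 'invoice' executable (double extension + MZ header) and a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Rechnung_2014.pdf.exe", MZ_MAGIC + b"\x00" * 64)
        zf.writestr("readme.txt", b"plain text, nothing to see here")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Zip containing only documents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"quarterly figures")
        zf.writestr("notes.csv", b"a,b,c\n1,2,3\n")
    return buf.getvalue()


def build_nested_zip() -> bytes:
    """Benign-looking outer zip whose inner zip hides an executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.exe", MZ_MAGIC + b"\x00" * 16)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for label, sample in [("invoice", build_sample_zip()), ("benign", build_benign_zip()),
                          ("nested", build_nested_zip())]:
        print(label, "quarantine" if should_quarantine(sample) else "allow", inspect_zip(sample))
```

The header check matters more than the extension check: an attacker controls the file name but not the first bytes of a Windows executable, so renaming `invoice.exe` to `invoice.pdf` still trips the `MZ` test. In production this logic belongs in front of a real scanner, not in place of one, and encrypted zips (which this script cannot open) should be treated as suspicious by default.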