
Benign Feature, Malicious Use

Fabio Assolini
Kaspersky Lab Expert
Posted April 08, 17:28  GMT
Tags: Internet Banking

An interesting and little-known feature used by sysadmins in some large corporate networks around the world is the proxy auto-config (PAC) file. This benign feature is supported by all modern browsers and is described in detail here. A PAC file contains a function that tells the browser to send a given connection through a specific proxy server.

Unfortunately, this simple and clever proxy technique is being widely used by Brazilian malware writers to redirect infected users to malicious hosts serving phishing pages of financial institutions. A .pac script URL is configured in the browser, in the field “Use automatic configuration script”:


Here is an example of a malicious .pac file found in the wild:


After being infected by a banker Trojan, if the user tries to access any of the websites listed in the script, the connection is redirected to a phishing domain hosted on the malicious proxy server.

A lot of Brazilian malware is using this trick nowadays. Not only Internet Explorer users are affected, but also Firefox and Chrome users. The malware modifies the file prefs.js, inserting the malicious proxy into it:


And finally, to make sure the malicious proxy is not removed by the user, a malicious DLL is loaded at startup by rundll32.exe to rewrite the proxy setting whenever it is removed.

This particular family of malware is detected and removed by our products under names such as Trojan.Bat.Proxy.

7 comments


Baz Jafar

2010 Apr 11, 03:33
0
 

Detection of malicious .pac file requests

Could it be possible for example to implement some sort of string matching for the Web AV module of Kaspersky products to proactively detect a "malicious" .pac file (as opposed to blacklisting the URL)?

I am assuming that the request to fetch the configuration file will be processed by WebAV and this could provide another "protection" layer to the user in case the behaviour of the dropper is not detected. At least if the user is constantly having requests to that website blocked for some "HEUR" detection they will realise that there is something untoward on their machine and seek help removing it.

Reply    

Dmitry Bestuzhev

2010 Apr 12, 19:37
5
 

Re: Detection of malicious .pac file requests

KIS 2010 detects such things as PDM.BSS

Reply    

Ammar Musayyer

2010 Apr 13, 14:44
1
 

Does Kaspersky detect .ZIP file logs?

I am using Windows Vista Ultimate and, does Kaspersky Internet Security detect ZIP.CRA.BAT file viruses? I heard about this type of virus, it steals card numbers. Heard about it from a friend of a friend who is a 'virus expert'. He said it's a new type of virus. Please reply. I'm a newbie here! =) ( I know I am posting this comment on the wrong page, I just need to know what this virus is.)

Reply    

Baz Jafar

2010 Apr 13, 18:03
1
 

Re: Re: Detection of malicious .pac file requests

Dmitry, thank you for your reply.

It is good to know that the PDM.BSS detection is being put to good use. I have not found any documentation describing this technology, but it has usually only been triggered in my testing during "Fake-av" type infections, so it is reassuring to know that it covers other malware family behaviours too.

Reply    

Baz Jafar

2010 Apr 13, 18:05
0
 

Re: Does Kaspersky detect .ZIP file logs?

Hi Ammar,

It is hard to say what this virus does just from the name of the file, but by the extension it suggests that this is a batch file, a script that executes commands on the machine it is being run on.

Kaspersky does not discriminate against malware and will detect all malware which is known to it, so if you have a file sample of what you think is malware and it is not detected, submit it to the viruslab using this form: http://support.kaspersky.com/virlab/helpdesk.html

Reply    

Graham Perrin

2010 Aug 11, 12:43
0
 

Does this family affect users of Mac OS X?

> This particular family of malware is detected and removed by our products with
> names such as Trojan.Bat.Proxy.

Are users of Firefox and Chrome on Mac OS X affected?

What about Safari?

Reply    

Fabio Assolini

2010 Sep 03, 07:09
0
 

Re: Does this family affect users of Mac OS X?

No, this trojan was initially made for Windows.

Reply    