January 11th, 2006

HOSTS file hijacking and bank password stealing trojans

Posted by Suzi Turner @ 11:14 pm

Categories: General

HOSTS file hijacking combined with bank password stealing trojans is one of the more egregious spyware tricks currently being seen. Here's the scenario. A user is infected with a trojan and other malware that, among other things, edits the HOSTS file (on Windows, %SystemRoot%\System32\drivers\etc\hosts), which the system consults before it ever asks DNS. The malware adds entries that map the hostnames of commonly used online banking sites to the spyware pusher/thief's server, so when the user types the bank's real address, the browser quietly connects to a fake site made to look nearly identical to the real bank site while the genuine domain name still shows in the address bar. Any user ID and password typed into that page go straight to the thief.

HOSTS file hijacking can be prevented, or at least caught as soon as the file is changed, with a number of apps, among them several anti-spyware programs and utilities, including one of my favorites, WinPatrol.

SunbeltBLOG has an excellent write up describing this trick and a video for demonstration. HOSTS file hijacking is not new on the spyware scene and has been used by CoolWebSearch and similar groups to redirect users' browsers to alternative search sites or adware/spyware sites. In many cases the IP address or domain being used to collect users' IDs and passwords is located outside of the US, but in Sunbelt's write up, the IP address is right here in River City and belongs to an ISP headquartered in Dallas, Texas, Layered Technologies.

The IP address in question is 216.32.94.147; the whois records for it (the Savvis parent block and the Layered Technologies sub-allocation inside it) are:

Savvis SAVVIS (NET-216-32-0-0-1)
                                  216.32.0.0 - 216.35.255.255

Layered Technologies, Inc. NET-216-32-64-0 (NET-216-32-64-0-1)
                                  216.32.64.0 - 216.32.95.255

Interestingly enough, a Google search for Layered Technologies, Inc. produces a number of links related to blacklists and spam.

The one domain residing on that IP can be seen at http://www.whois.sc/nikavonejalko.com and was registered with incomplete information to an entity in Russia. Let's hope that Layered Technologies acts responsibly and shuts down this site ASAP.
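As an added example (written for this page, not code from WinPatrol, Sunbelt, or any tool the post mentions), here is a small Python audit that does what the scenario above calls for: it parses a HOSTS file, flags any watched banking hostname that has been pointed somewhere other than a sinkhole address, flags any other hostname mapped to a routable address, and checks whether a flagged address falls inside the netblock quoted from the whois output. The sample HOSTS content and the list of watched hostnames are constructed for the demonstration; the 216.32.94.147 address and the 216.32.64.0 - 216.32.95.255 allocation are the ones reported in the post.

```python
"""Audit a Windows HOSTS file for bank-site hijacks.

Added example for this page; it is not WinPatrol's, Sunbelt's, or any other
tool's code. The sample HOSTS content and the watched hostnames are
constructed for the demonstration. The phishing address 216.32.94.147 and
the 216.32.64.0 - 216.32.95.255 allocation are the ones reported in the post.
"""
import ipaddress

# Default location of the HOSTS file on Windows.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Netblock from the whois output quoted in the post (Layered Technologies, Inc.).
LAYERED_TECH_RANGE = ("216.32.64.0", "216.32.95.255")

# Hostnames whose HOSTS entries should never point at a routable address.
# Constructed for the example; a real deployment would load its own list.
WATCHED_HOSTS = {
    "www.bankofamerica.com",
    "bankofamerica.com",
    "online.wellsfargo.com",
}

# Constructed sample of a hijacked HOSTS file: the trojan has appended lines
# that send the bank's hostnames to the phishing server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net        # ordinary ad-blocking entry
216.32.94.147   www.bankofamerica.com
216.32.94.147   bankofamerica.com         # added by trojan
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, one per hostname on each line.

    Comments (# to end of line) and blank lines are skipped; one address may
    carry several hostnames on a line, as the HOSTS format allows.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_sinkhole(addr):
    """True for addresses that only ever block a name (loopback or 0.0.0.0)."""
    return addr.is_loopback or addr.is_unspecified


def in_range(ip, first, last):
    """True if ip lies inside the inclusive allocation first..last."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)


def find_hijacks(text, watched=WATCHED_HOSTS):
    """Return (hostname, ip, reason) triples for entries that look hijacked.

    A watched hostname mapped anywhere but a sinkhole is a hijack. Any other
    hostname mapped to a globally routable address is reported too, because
    legitimate HOSTS entries almost always point at loopback or 0.0.0.0.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        if name in watched and not is_sinkhole(addr):
            findings.append((name, ip, "watched hostname redirected"))
        elif addr.is_global and name != "localhost":
            findings.append((name, ip, "routable address in HOSTS"))
    return findings


def audit_file(path=WINDOWS_HOSTS_PATH):
    """Read a HOSTS file from disk and return its findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for name, ip, reason in find_hijacks(SAMPLE_HOSTS):
        owner = "Layered Technologies block" if in_range(ip, *LAYERED_TECH_RANGE) else "other"
        print(f"{name:30} -> {ip:16} {reason} ({owner})")
```

On a clean machine `audit_file()` should return an empty list; anything it reports deserves a look, and a write to the HOSTS file is exactly the event a monitor like WinPatrol prompts on. The "routable address" rule is a heuristic: some administrators do keep genuine intranet entries in HOSTS, so treat those findings as something to review rather than an automatic verdict.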

I’m preparing for a huge rant about ISPs in the US of A hosting sites running exploits, foisting spyware of the worst kind on users and in some cases hosting child porn. Everyone in the anti-spyware community knows who these ISPs are.  One of them has been reported to authorities but is still up and still running CWS exploits as I type. I’m prepared to name companies and individuals, so Watch Out!

Update: This afternoon I checked the website at http://216.32.94.147 and it now redirects here:

http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm

The fake Bank of America site has been taken down.  I also received an email from a representative of Layered Technologies who seemed to think I accused them of hosting spyware, which I did not.  I can’t recall an instance of finding a spyware site hosted there and Layered Technologies was not one of the ISPs I had in mind to rant about. This link mentions one of the ISPs I do have in mind.
