RSS feed of TRACElabs Blog from M86 Security

Fake Bank of America Campaign


June 2, 2009

Since the weekend, our spamtraps have been receiving another spam campaign from the Pushdo botnet that uses a Bank of America theme. This is not the first time Pushdo has targeted Bank of America. Back in March this year, we noted Pushdo attempting to lure users into downloading a password-stealing Trojan.

The new campaign looks like the following, usually referring to a “digital certificate” or “software update”:


This campaign appears to serve two purposes: phishing and malware distribution. You get to give away your credentials and install some villain's malware!

The link in the message body opens a web page that lists the information needed to get the "update". It even recommends that you call your company administrator if you don't have the required information:


If you persist and press the "Continue" button, you will be taken to this form page, which actually instructs you to ignore any potential "scripting violation" errors:


The use of VBScript in its HTML source code indicates that this campaign targets Windows Internet Explorer users:


After you have entered your credentials, you will be prompted to download an executable file, which is in fact a Trojan horse that downloads other malware. During our initial investigation, we saw this Trojan horse downloading Virut, a nasty piece of malware that is itself capable of downloading further malware.
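The traits described above (an IE-only VBScript block, a form harvesting credentials, a link to an executable "update", and lure phrases such as "digital certificate" or "scripting violation") can be pulled out of a captured page automatically for analyst triage. The scanner below is an added example, not TRACElabs code; the sample HTML is constructed to resemble the campaign's form page and is not the real page, and the two-indicator threshold is an assumption.

```python
import re
from html.parser import HTMLParser

# Constructed sample mimicking the campaign's form page; not the real page.
SAMPLE_PAGE = """<html><body>
<p>Install your new digital certificate. Ignore any scripting violation warning.</p>
<script language="VBScript">MsgBox "update"</script>
<form action="/update.php" method="post">
  <input name="username"><input name="passcode" type="password">
  <input name="atm_pin"><input type="submit" value="Continue">
</form>
<a href="/files/bofa_certificate.exe">Download update</a>
</body></html>"""

LURES = ("digital certificate", "software update", "scripting violation")
CRED_KEYWORDS = ("pass", "pin", "ssn", "account", "user")

class PhishPageScanner(HTMLParser):
    """Collects the indicators described in the post from a page's HTML."""
    def __init__(self):
        super().__init__()
        self.vbscript = False
        self.credential_fields = []
        self.exe_links = []
        self.lure_phrases = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "script" and "vbscript" in (a.get("language", "") + a.get("type", "")).lower():
            self.vbscript = True  # VBScript only runs in Internet Explorer
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if any(k in name for k in CRED_KEYWORDS):
                self.credential_fields.append(name)
        elif tag == "a" and re.search(r"\.(exe|scr)(\?|#|$)", a.get("href", ""), re.I):
            self.exe_links.append(a.get("href"))

    def handle_data(self, data):
        low = data.lower()
        self.lure_phrases.update(p for p in LURES if p in low)

def scan_html(html):
    """Return the indicators found and a verdict (assumed threshold: 2 classes)."""
    s = PhishPageScanner()
    s.feed(html)
    s.close()
    found = {"vbscript": s.vbscript, "credential_fields": s.credential_fields,
             "exe_links": s.exe_links, "lure_phrases": sorted(s.lure_phrases)}
    found["suspicious"] = sum(bool(v) for v in found.values()) >= 2
    return found

if __name__ == "__main__":
    print(scan_html(SAMPLE_PAGE))
```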

This is perhaps not surprising, given that we have seen a Virut-Pushdo relationship before.

This attack relies on user action. There are several places in this chain of events that should arouse suspicion. Always be wary of any message purporting to be from your bank, especially if it asks for credentials or asks you to install anything. Otherwise, you may end up compromising both your computer and your banking credentials.


Last Reviewed: June 2, 2009 by Rodel Mendrez