NEWS FROM THE LAB - Monday, May 5, 2008

BBB Case #947344536 Posted by Mikko @ 16:05 GMT

We're seeing some new BBB trojan attacks going around.

This attack method is well-known and has been occurring for months: A high-level executive inside an organization receives an e-mail that mentions a complaint supposedly made to the Better Business Bureau (USA). The e-mail appears to be credible and links to a site in order to download the complaint. The download claims to require IE and ActiveX in order to succeed. Once ActiveX is enabled, the site drops a backdoor on the system.

The message looks like this:


This would be fairly convincing to most recipients, especially since the real company and individual names are used.

The message links to a page under us-bbb.com (the real BBB site is at us.bbb.org).
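A defender-side check for the lookalike-domain trick described above, added here as an example and not from the original post: it parses a constructed sample lure, pulls the sender domain and the links in the body, and flags anything trading on the BBB name outside bbb.org. The legitimate-domain set and the crude two-label registered-domain helper are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure, modelled on the message described in the post.
SAMPLE_MSG = """From: "Better Business Bureau" <complaints@us-bbb.com>
To: ceo@example.invalid
Subject: BBB Complaint Case #947344536

A complaint has been filed against your company.
Download the complaint here: http://us-bbb.com/complaints/947344536
Regards, Better Business Bureau
"""

# Assumption: the only legitimate registered domain for BBB is bbb.org.
LEGIT_BBB_DOMAINS = {"bbb.org"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.org, not for ccTLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_bbb_lookalike(host: str) -> bool:
    """True when the host trades on the BBB name but is not under bbb.org."""
    if registered_domain(host) in LEGIT_BBB_DOMAINS:
        return False
    # Drop separators so us-bbb.com, usbbb.com and bbb-complaints.net all match.
    return "bbb" in re.sub(r"[-_.]", "", host.lower())


def check_message(raw_message: str) -> dict:
    """Flag a BBB-lookalike sender domain and any BBB-lookalike links in the body."""
    msg = message_from_string(raw_message)
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = [
        url for url in URL_RE.findall(body)
        if is_bbb_lookalike(urlparse(url).hostname or "")
    ]
    return {"sender_lookalike": is_bbb_lookalike(sender_host), "links": links}


if __name__ == "__main__":
    print(check_message(SAMPLE_MSG))
```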


The site was running over the weekend, was down today on Monday and then just reappeared — with a modified version of the malware.

If the recipient enables ActiveX, the site sends the system a CAB file which gets automatically installed as Acrobat.exe — and displays this:


In reality, it's just installed a backdoor (which we detect as an Agent variant).

Nasty stuff. Watch out.