Websites designed to look like Classmates.com and Facebook are currently being used to distribute a password stealing Trojan, which we detect as Trj/Spyforms.BZ. Some of you may remember the Spyforms Malware family from a previous incident involving Barack Obama spam campaigns. In this most recent incident, the malicious web links are still primarily distributed via spam e-mails. Once clicked, the victim is presented with a realistic looking Classmates or Facebook website. The website contains a fake YouTube video, which prompts a dialog stating “Please Download correct Flash Movie Player! Installation: Double-click the downloaded installer. Follow the on-screen instructions!” and attempts to download a file named Adobemedia10.exe or Adobemedia11.exe.
Once installed, the Trojan intercepts network traffic in order to obtain ftp, icq, pop3, and imap passwords and then sends the data back to a server in a Hong Kong based ISP (HOSTFRESH). You may recall the last major Malware incident involving the Hong Kong based ISP, which was one of the providers involved in the malware distribution operation taking place inside of the Atrivo/Intercage network.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
