Sunbelt Blog

Wednesday, January 11, 2006

Anatomy of a malicious host file hijack

Just for kicks and giggles, Patrick Jordan took apart a hosts file hijack that resulted in an obscenely accurate spoof of the Bank of America site, along with the sites of a large number of other financial institutions.

Here’s how the Bank of America site looks before the hijack:

(Screenshot: Bofaoriginal)

(Screenshot: Bofaping)

Here’s what it looks like after.  It’s very convincing:

(Screenshot: Bofawebpagechanged)

(Screenshot: Bofachanged)

(Notice the new IP address. The browser’s address bar still shows the genuine hostname, so the usual “check the URL” advice gives the victim no warning.)

Here are the hosts file modifications that were made, as listed by HijackThis (its O1 entries). Windows consults the hosts file before it queries DNS, so every one of these names now resolves to the attacker’s server for every program on the machine:

O1 - Hosts: 216.32.94.147 www.bankone.com
O1 - Hosts: 216.32.94.147 bankone.com
O1 - Hosts: 216.32.94.147 halifax.com
O1 - Hosts: 216.32.94.147 www.halifax.com
O1 - Hosts: 216.32.94.147 halifax.co.uk
O1 - Hosts: 216.32.94.147 www.halifax.co.uk
O1 - Hosts: 216.32.94.147 www.bankofamerica.com
O1 - Hosts: 216.32.94.147 bankofamerica.com
O1 - Hosts: 216.32.94.147 www.paypal.com
O1 - Hosts: 216.32.94.147 paypal.com
O1 - Hosts: 216.32.94.147 www.lloydstsb.com
O1 - Hosts: 216.32.94.147 lloydstsb.com
O1 - Hosts: 216.32.94.147 www.lloydstsb.co.uk
O1 - Hosts: 216.32.94.147 lloydstsb.co.uk
O1 - Hosts: 216.32.94.147 www.bbvanet.com
O1 - Hosts: 216.32.94.147 bbvanet.com
O1 - Hosts: 216.32.94.147 www.bancopostaonline.poste.it
O1 - Hosts: 216.32.94.147 bancopostaonline.poste.it
O1 - Hosts: 216.32.94.147 www.poste.it
O1 - Hosts: 216.32.94.147 poste.it
O1 - Hosts: 216.32.94.147 www.credem.it
O1 - Hosts: 216.32.94.147 credem.it
O1 - Hosts: 216.32.94.147 www.creval.it
O1 - Hosts: 216.32.94.147 creval.it
O1 - Hosts: 216.32.94.147 www.gruppocarige.it
O1 - Hosts: 216.32.94.147 gruppocarige.it
O1 - Hosts: 216.32.94.147 www.rasbank.it
O1 - Hosts: 216.32.94.147 rasbank.it
O1 - Hosts: 216.32.94.147 www.bancagenerali.it
O1 - Hosts: 216.32.94.147 bancagenerali.it
O1 - Hosts: 216.32.94.147 www.garanti.com.tr
O1 - Hosts: 216.32.94.147 garanti.com.tr
O1 - Hosts: 216.32.94.147 www.kocbank.com.tr
O1 - Hosts: 216.32.94.147 kocbank.com.tr
O1 - Hosts: 216.32.94.147 www.disbank.com.tr
O1 - Hosts: 216.32.94.147 disbank.com.tr
O1 - Hosts: 216.32.94.147 www.cassarimini.it
O1 - Hosts: 216.32.94.147 cassarimini.it
O1 - Hosts: 216.32.94.147 www.unicredit.it
O1 - Hosts: 216.32.94.147 unicredit.it
O1 - Hosts: 216.32.94.147 www.chase.com
O1 - Hosts: 216.32.94.147 chase.com
O1 - Hosts: 216.32.94.147 www.southtrust.com
O1 - Hosts: 216.32.94.147 southtrust.com
O1 - Hosts: 216.32.94.147 www.wachovia.com
O1 - Hosts: 216.32.94.147 wachovia.com
O1 - Hosts: 216.32.94.147 www.wellsfargo.com
O1 - Hosts: 216.32.94.147 wellsfargo.com
O1 - Hosts: 216.32.94.147 www.barclays.co.uk
O1 - Hosts: 216.32.94.147 barclays.co.uk
O1 - Hosts: 216.32.94.147 www.barclays.com
O1 - Hosts: 216.32.94.147 barclays.com
O1 - Hosts: 216.32.94.147 www.barclays.pt
O1 - Hosts: 216.32.94.147 barclays.pt
O1 - Hosts: 216.32.94.147 www.barclays.pt
O1 - Hosts: 216.32.94.147 barclays.pt
O1 - Hosts: 216.32.94.147 online.cassarimini.it
O1 - Hosts: 216.32.94.147 www.bancacarim.it
O1 - Hosts: 216.32.94.147 bancacarim.it
O1 - Hosts: 216.32.94.147 www.citi.com
O1 - Hosts: 216.32.94.147 citi.com
O1 - Hosts: 216.32.94.147 www.citibank.com
O1 - Hosts: 216.32.94.147 citibank.com
O1 - Hosts: 216.32.94.147 www.etrade.com
O1 - Hosts: 216.32.94.147 etrade.com
O1 - Hosts: 216.32.94.147 www.neteller.com
O1 - Hosts: 216.32.94.147 neteller.com
O1 - Hosts: 216.32.94.147 tcfbank.com
O1 - Hosts: 216.32.94.147 www.tcfbank.com
O1 - Hosts: 216.32.94.147 hsbc.com
O1 - Hosts: 216.32.94.147 www.hsbc.com
O1 - Hosts: 216.32.94.147 hsbc.co.uk
O1 - Hosts: 216.32.94.147 www.hsbc.co.uk

216.32.94.147 is hosted in the United States.
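The pattern in that log (dozens of unrelated bank domains all mapped to one non-local IP) is easy to check for mechanically. The script below is an added example written for this page; it is not part of the original post and not Sunbelt or HijackThis code. It parses either a raw hosts file or HijackThis O1 lines, and flags any entry that sends a name to a non-local address, any single address that collects several registrable domains, and anything touching a caller-supplied watchlist. Both sample inputs are constructed for the example (a few of the domains above plus benign default entries), and the registrable_domain helper is a deliberate simplification that a real scanner would replace with the Public Suffix List.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample hosts file (not taken from the infected machine in the post):
# Windows defaults, one benign LAN entry, and a hijack modelled on the O1 log above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.lan      # benign LAN device
216.32.94.147   www.bankofamerica.com
216.32.94.147   bankofamerica.com
216.32.94.147   www.paypal.com paypal.com
216.32.94.147   www.hsbc.co.uk
"""

# Constructed sample in HijackThis O1 format, three lines from the post's log.
SAMPLE_O1_LOG = """\
O1 - Hosts: 216.32.94.147 www.bankone.com
O1 - Hosts: 216.32.94.147 bankone.com
O1 - Hosts: 216.32.94.147 www.halifax.co.uk
"""

O1_PREFIX = re.compile(r"^\s*O1\s*-\s*Hosts:\s*", re.IGNORECASE)

# Second-level labels under which two-letter ccTLDs delegate (co.uk, com.tr, ...).
# Assumption: good enough for the bank domains in the post; a real scanner should
# use the Public Suffix List instead of this short set.
CC_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def parse_hosts(text):
    """Return [(ip, hostname), ...] from hosts-file text or a HijackThis O1 dump.
    Strips '#' comments, skips blank or malformed lines, and expands the
    'ip host1 host2 ...' form into one pair per hostname."""
    entries = []
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw).split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; the resolver ignores such lines too
        for host in parts[1:]:
            entries.append((str(ip), host.lower().rstrip(".")))
    return entries


def registrable_domain(host):
    """Crude eTLD+1 so www.hsbc.co.uk and hsbc.co.uk count as one target."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in CC_SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_local(ip):
    """Loopback, RFC 1918, link-local and 0.0.0.0 are the normal hosts-file targets."""
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_private or a.is_link_local or a.is_unspecified


def find_hijacks(text, watchlist=(), min_domains_per_ip=3):
    """Flag entries that send names to a non-local IP, especially one IP that
    collects several unrelated domains (the signature of the hijack in the post),
    plus any entry touching a domain on the caller's watchlist."""
    entries = parse_hosts(text)
    domains_by_ip = defaultdict(set)
    for ip, host in entries:
        if not is_local(ip):
            domains_by_ip[ip].add(registrable_domain(host))

    findings = []
    for ip, host in entries:
        reasons = []
        if not is_local(ip):
            reasons.append("non-local-ip")
            if len(domains_by_ip[ip]) >= min_domains_per_ip:
                reasons.append("ip-shared-by-%d-domains" % len(domains_by_ip[ip]))
        if registrable_domain(host) in watchlist:
            reasons.append("watchlisted-domain")
        if reasons:
            findings.append((ip, host, reasons))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_HOSTS, SAMPLE_O1_LOG):
        for ip, host, reasons in find_hijacks(sample, watchlist=("halifax.co.uk",)):
            print("%-16s %-32s %s" % (ip, host, ", ".join(reasons)))
```

To run it against a live machine, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts). The ping screenshot above shows the quick manual version of the same check: `ping www.bankofamerica.com` honours the hosts file, while `nslookup www.bankofamerica.com` asks the DNS server directly and bypasses it, so a mismatch between the two means a local override is in place.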

I ran the trojan through Virustotal.com and a number of AV engines detected it; the detection names identify it as a small downloader. You can see the results below (“No virus found” means that the antivirus engine did not detect the sample I submitted):

Antivirus       Version          Result
NOD32v2         1.1362           Win32/TrojanDownloader.Small.ARJ
Norman          5.70.10          W32/Downloader
Kaspersky       4.0.2.24         Trojan-Downloader.Win32.Small.arj
BitDefender     7.2              Trojan.Downloader.Smalldldr.A
DrWeb           4.33             Trojan.DownLoader.5860
VBA32           3.10.5           Trojan.DownLoader.5860
AntiVir         6.33.0.77        TR/Dldr.Smalldldr.A
Avira           6.33.0.77        TR/Dldr.Smalldldr.A
Panda           9.0.0.4          Suspicious file
Fortinet        2.54.0.0         PossibleThreat
Ewido           3.5              Downloader.Small.arj
AVG             718              Downloader.Generic.OZZ
F-Prot          3.16c            Could be infected with an unknown virus
Avast           4.6.695.0        No virus found
CAT-QuickHeal   8                No virus found
ClamAV          devel-20051123   No virus found
eTrust-Iris     7.1.194.0        No virus found
eTrust-Vet      12.4.1.0         No virus found
Ikarus          0.2.59.0         No virus found
Sophos          4.01.0           No virus found
Symantec        8                No virus found
TheHacker       5.9.2.071        No virus found
UNA             1.83             No virus found
McAfee          4672             No virus found

(Graphic here.)

Interested in more?  Watch this video here.


Alex Eckelberry