A Trojan that attacks Russian Internet users is using a new trick to spread itself. Known as “Bicololo”, it was first discovered in October 2012 and is specially designed to steal login credentials from users.
To do this, the malware modifies the system hosts file (i.e. etc/hosts) to redirect victims to convincing phishing sites, a form of local DNS poisoning, and collect social networking and email credentials.
According to a recent post from Avast antivirus, Bicololo has continued to evolve and spread even further. Because it is difficult for a user to tell that he has been redirected to a phishing site, the attack goes smoothly.
In October, they found that all these phishing sites were resolving via servers located at 184.108.40.206, 220.127.116.11 and 18.104.22.168, 22.214.171.124, which were originally hosted on afraid.org servers.
But now this malware is spreading via the standard 404 error pages of hacked sites. The most frequent phishing sites seen in the wild are clones of popular sites such as vk.com, odnoklassniki.ru and mail.ru.
Once a victim with an infected system types one of these addresses, he will find fake log-in forms in the browser. Because none of the targeted services uses secure connections via HTTPS by default, there is no simple way for the user to know about the danger, and he willingly gives his password to the hackers.
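A defender can check for this kind of tampering by auditing the hosts file for entries that pin the targeted domains to an address. The following is an added example, not code from Avast or from the original article; the function names are hypothetical and the sample hosts content is constructed, using documentation-range addresses.

```python
"""Audit hosts-file text for entries that override watched domains."""
import ipaddress

# Domains the article names as phishing targets; extend as needed.
WATCHED = ("vk.com", "odnoklassniki.ru", "mail.ru")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not a valid mapping line
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(name):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in WATCHED)


def suspicious_entries(text):
    """Return mappings that pin a watched domain to any address.

    A clean system resolves these names through DNS, so any hosts entry
    for them is worth investigating, whatever the address is.
    """
    return [(n, str(ip), name) for n, ip, name in parse_hosts(text)
            if is_watched(name)]


# Constructed sample; addresses are from the documentation range (RFC 5737).
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      vk.com www.vk.com
192.0.2.10  \t m.odnoklassniki.ru   # padded with whitespace
192.0.2.11      notmail.ru
# 192.0.2.12    mail.ru
"""

if __name__ == "__main__":
    for line_no, ip, name in suspicious_entries(SAMPLE):
        print(f"line {line_no}: {name} -> {ip}")
```

On a Windows system, pass the contents of `%SystemRoot%\System32\drivers\etc\hosts` to `suspicious_entries` instead of the sample.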
“The most common “stable” version comes in a self-extracting Cabinet container. Once executed, it drops four files into some strangely named Program Files subfolder, and runs them. The first dropped file is obfuscated and randomized BAT which does the actual etc/hosts injection. The other two files are Visual Basic scripts. One of them loads a text file with URL of an infection counter and sends there a message of successful infection.” Martin at Avast said.
So to spread it, it is enough for the attackers to post a link to the hacked site on a forum or website. When a user clicks a link to a page that does not exist, he would normally get the 404 error page, and with it the malware is delivered.
Use a good antivirus, like Avast or AVG.