Written by: Danielle Anne Veluz

Background of the Attack


A new phishing attack that originated from Mexico takes advantage of the controversial news about an allegedly missing four-year-old girl, Paulette Gebara Farah, who was later found dead in her own bedroom. This attack was brought about by a Mexican botnet trying to steal banking/financial-related information from users.


Frequently Asked Questions


How does this threat get into users' systems?

This threat may arrive when users click URLs hosted on fake websites carrying news articles about the four-year-old Farah. The page http://www.knijo.{BLOCKED}0.net/fotografias-al-desnudo-de-la-mama-de-paulette.htm contains a related news article about Farah. When a user accesses this page, a fake dialog box pops up and requests that the user download and install Adobe Flash Player.

The malware can also arrive via USB devices and via MSN Messenger. The botnet sends out messages that either carry the file itself as an attachment or contain links to copies of the malware.

What happens in this attack?


In this attack, users are instructed to download and install Adobe Flash Player when prompted by the fake dialog box on the malicious site. Clicking Run leads to the download of video-de-la-mama-de-paulette.exe, the client program of a bot detected by Trend Micro as TSPY_MEXBANK.A.


Once the executable file video-de-la-mama-de-paulette.exe is executed on the affected system, the bot connects to the bot server to retrieve necessary information. This server displays the total number of zombies and a list of the compromised computers. ID numbers, client names, and executed actions are included in the list of zombies as well.
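The infection chain described above (lure page, fake Flash Player prompt, download of video-de-la-mama-de-paulette.exe) leaves a recognizable trace in web proxy logs. The following is an added detection example, not code from the original write-up or from Trend Micro: it parses constructed proxy log lines, flags requests for the lure page path and the payload file name taken from the write-up, and raises a higher-confidence alert when the same client fetched the lure page and then the executable within a short window. The host name in the sample lines ("blocked-domain.example") is a placeholder, because the real host is redacted in the write-up; the log format and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from the write-up: the lure page path and the dropped
# executable. Only the path and file name are matched because the host part
# of the lure URL is redacted in the write-up.
LURE_PAGE_PATH = "/fotografias-al-desnudo-de-la-mama-de-paulette.htm"
PAYLOAD_NAME = "video-de-la-mama-de-paulette.exe"

# Constructed sample log in an assumed "timestamp client method url status"
# format. The domains are placeholders, not the real hosts.
SAMPLE_LOG = """\
2010-05-20T10:02:11 10.1.1.25 GET http://blocked-domain.example/fotografias-al-desnudo-de-la-mama-de-paulette.htm 200
2010-05-20T10:02:19 10.1.1.25 GET http://blocked-domain.example/video-de-la-mama-de-paulette.exe 200
2010-05-20T10:05:40 10.1.1.31 GET http://news.example/economy.htm 200
2010-05-20T10:07:03 10.1.1.44 GET http://cdn.example/video-de-la-mama-de-paulette.exe 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "url": url,
        "status": int(status),
    }


def match_indicators(url):
    """Return the list of indicator names the URL matches."""
    hits = []
    if url.endswith(LURE_PAGE_PATH):
        hits.append("lure_page")
    if url.rsplit("/", 1)[-1].lower() == PAYLOAD_NAME:
        hits.append("payload_download")
    return hits


def scan_log(text, window=timedelta(minutes=5)):
    """Scan log text and return (client, alert_name, url) tuples.

    Single-indicator hits are reported as they occur. When a client that
    recently loaded the lure page then successfully downloads the payload,
    an additional 'likely_infection_chain' alert is raised for that client.
    """
    last_lure_seen = {}  # client -> timestamp of its most recent lure-page hit
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = match_indicators(rec["url"])
        for hit in hits:
            alerts.append((rec["client"], hit, rec["url"]))
        if "lure_page" in hits:
            last_lure_seen[rec["client"]] = rec["ts"]
        if "payload_download" in hits and rec["status"] == 200:
            lure_ts = last_lure_seen.get(rec["client"])
            if lure_ts is not None and rec["ts"] - lure_ts <= window:
                alerts.append((rec["client"], "likely_infection_chain", rec["url"]))
    return alerts


def clients_with_chain(text):
    """Convenience: the set of clients that completed the lure-then-payload chain."""
    return {c for c, name, _ in scan_log(text) if name == "likely_infection_chain"}


if __name__ == "__main__":
    for client, name, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{name}\t{url}")
```

Running the block on the constructed log reports two single-indicator hits and one chain alert for 10.1.1.25, plus a payload download for 10.1.1.44 that never touched the lure page (for example, a copy reached via MSN Messenger or a USB device, which the write-up lists as alternative arrival vectors) and therefore gets only the lower-confidence alert.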


Unlike the older, more established botnet families, this botnet has a fairly comprehensive feature set. Each feature is placed in its own "module," which the botnet herder can configure one by one. It even has the option to disable or enable a bot, to start netcat (a powerful networking utility that can be used as a backdoor) on a bot, and to remove the bot from the botnet.

The pharming module in the command-and-control (C&C) server enables the botnet to target Mexican users for phishing. The botnet targets PayPal's local site and Bancomer, Mexico's largest financial institution.


Why is the attack noteworthy?


Though the botnet was taken down on June 7, 2010, this attack is noteworthy because of its phishing capabilities, which trick PayPal and Bancomer users into giving out sensitive personal information. PayPal currently has more than 150 million accounts in 190 countries and regions, while Bancomer serves over 11 million customers and accounts for 30% of the total revenue of Banco Bilbao Vizcaya Argentaria (BBVA) worldwide, making it the biggest bank of the group outside Spain.


Because of the botnet's comprehensive feature set, the pharming module allows identity theft from PayPal and Bancomer users. Spoofed email messages from the supposedly legitimate companies urge the recipient to click links to update their personal profiles or to carry out some transaction. The link then takes the victims to the fake websites where the financial information they entered is directly routed to the scammer.
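Pharming of the kind described above and in the C&C description earlier works by making a legitimate host name resolve to the attacker's fake site, so a cheap defensive check on a suspect machine is to audit the local hosts file for entries that pin financial domains. The following is an added example, not code from the original write-up or from Trend Micro, and the write-up does not say which mechanism the Tequila pharming module used, so the hosts-file technique is an assumption; the watched domain names and the sample hosts content (with the placeholder address 192.0.2.10) are constructed for the example.

```python
import ipaddress

# Assumed watch list of domains that should never appear in a hosts file.
# The write-up names only "PayPal's local site" and "Bancomer" as targets;
# these names are illustrative.
WATCHED_DOMAINS = ("paypal.com", "bancomer.com")

# Constructed sample hosts file: the usual loopback lines plus two overrides
# of the kind a pharming module would plant. 192.0.2.10 is a documentation
# address used as a placeholder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.paypal.com paypal.com   # planted override
192.0.2.10      www.bancomer.com
"""


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a mapping line; ignore
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower().rstrip(".")))
    return entries


def matches_watchlist(name):
    """True if the host name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Flag every hosts-file mapping that pins a watched domain.

    Any such mapping is suspicious regardless of the address: legitimate
    software does not pin banks or payment sites in the hosts file.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if matches_watchlist(name):
            findings.append({"line": lineno, "host": name, "ip": str(addr)})
    return findings


def pharming_sinks(text):
    """Group flagged host names by the address they were redirected to.

    Several watched domains pointing at one address is the typical footprint
    of a single fake site serving multiple brands.
    """
    sinks = {}
    for f in audit_hosts(text):
        sinks.setdefault(f["ip"], []).append(f["host"])
    return sinks


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
    print(pharming_sinks(SAMPLE_HOSTS))
```

On a real system the text would come from C:\Windows\System32\drivers\etc\hosts (or /etc/hosts); the audit is deliberately address-agnostic because a pin to any address, including a loopback one, changes where the user's banking session lands. Any finding is a reason to also check DNS settings and browser proxy configuration, since the same redirection can be achieved there.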

Aside from this, the Tequila botnet can also download files from various malicious URLs via either HTTP or FTP. It is also important to note that both ZBOT information stealers and FAKEAV malware have been spotted being dropped by this new family.

The botnet also enables a site to be repeatedly loaded along with that site’s advertisements. In effect, cybercriminals use this to raise the traffic to their own sites, increasing the payments made by advertising networks such as Google’s AdSense.

So what can I do to protect my computer?


It is important that users exercise caution when opening email messages and when clicking URLs. Since the malware perpetrators are constantly finding new ways to attack users, users are advised to practice safe computing habits.

Be wary of phishing pages that purport to be legitimate websites, as these are primarily designed to fool unwitting users into handing over their personal information. Clicking links on emails that come from unknown senders is one of the easiest ways to fall prey to similar attacks.

Trend Micro™ Smart Protection Network™ already protects product users from this threat by preventing the download and execution of the related malicious file TSPY_MEXBANK.A onto affected systems via the file reputation service. It also protects users by blocking access to malicious sites via the Web reputation service. It also prevents phone-home attempts wherein an infected computer tries to upload stolen data or to download additional malware from C&C servers.

Non-Trend Micro product users can also stay protected via HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.

From the Field: Expert Insights


"The common misconception about botnets is that they have global coverage. The Tequila botnet reminds us about botnets' capability for local coverage wherein bots are segmented by country, company, or specific group of people. In this case, the main target was Mexico. The secondary target was Chile for information theft (the botnet's pharming module), malware distribution, and to increase page hits for websites.
As of June 7, 2010, the owners themselves have taken down the botnet as the C&C server has gone offline. We have not seen any new activity since then, although we are continuing to monitor the now-orphaned bots for any new activity."

Ranieri Romera on the Tequila botnet

Related TrendLabs Malware Blog entries:

"Tequila Botnet" Targets Mexican Users