"Video: Kalimba was abused by an agent" spreads a pharming attack

A malicious file spread through purported news stories from El Universal was reported to UNAM-CERT. The article describes the supposed rape of the singer Kalimba in the jail cell where he is currently being held.

E-mail

The site www.soccerluck.com/xxxxxxxxx/001.SWF downloads a malicious .exe file. This site is hosted in the state of New York, USA.

Download

The malware was written in Visual Basic and contains an embedded pharming attack.

 

Executable

 

When analyzed in the lab, the malware opens the default web browser with the site, which during the analysis was neither available nor showed any information. Frikinternet is hosted in Catalonia, Spain.
 
During the malware's execution in the lab, the sniffer showed that it only sent DNS queries for www.frikinternet. The IP address returned in the reply was then used to request the page with the GET request /Kalimba/Prison Mexico, and the site replied with the error 404 Not Found.
 
Sniffer

Finally, the hosts file on the PC is modified, leaving the user a victim of the attack.

Pharming

So far, the code is not recognized by any antivirus solution. The site is hosted in Berlin, Germany, and the requested sites are still active.

Santander

 

Bancomer