Warning: This post contains Malware, pay attention!!!!
The site hxxp://bankofamerica.ulmb.com/do.php?cmd=SignIn (spreaded with Spam Mail) contains a Malware, not explicitly linked.
I’ve used Malzilla to inspect URL content, a suspicious message appears:
Browser Update Required!
This web site uses functions which is not compatible with your current browser version To update your browser please install the requiredupdate to view this page.
Very strange, that no checks about the compatibility are performed before this message, so let’s inspect further..
<script type=”text/javascript”>
var myf_1 = 60;
…
var myf_10 = “1”;
var myf_11 = “82SSN573-38NN-482N-99NQ-91S697O91631”;
var myf_12 = “uggc://jjj.svyr2lbh.arg/nccyrg.pno”;
These two strings seems to be Obfuscated Links , let’s see the rest of the Evil Code, have a function dc(str), that decodes with an easy algorithm (ROT-13 Encryption) an encrypted string, next we have a function install_ff_result() and function install_ff_ext() that installates FireFox Extension.
Now the extension file is taken from a supect source, file2you, a bit poor for Banks of America, you don’t think? 🙂
So let’s see what are the obfuscated links:
hxxp://www.file2you.net/{censored against lamah}.cab
and
hxxp://www.file2you.net/{censored or lamah}.xpi
Both these links contains the same Malware.
In the next post, i’ll report what this Malware FF Extension does..
See you to the next post 🙂