Backdoor trojan for credit card and other online thefts spreading at a fast rate

A recent SQL injection attack has compromised about 170,000 websites. This figure comes from searching for the trojan on Google: four days ago the search returned 125,000 results, and as of today it returns 170,000. Amazingly enough, Yahoo and Bing searches yielded 287,000 and 146,000 results respectively.

Mary Landesman has given the following explanation on the SafeScan blog:

When users visit a compromised Web page, the injected iframe executes a script that creates a new iframe to That iframe (a.htm) does 2 things:

  • Loads a second iframe from;
  • Loads a script: (used for tracking).

The iframe then:

  • Creates a third iframe pointing to;
  • Loads a script: (similar to above, but different tracking number);
  • If <noscript> it has an href tag that points to with an img src of

All fairly common techniques. But once it gets to share.html, things get interesting. As its name implies, share.html is acting as a master file to include other components of the attack. Over a dozen other script files are called through a convoluted chain of iframes and src references largely dependent on the browser type, version of Flash, and related criteria.

If the above exploitation is successful, the Backdoor.Win32.Buzus.croo malware is copied to the target PC, which allows the program to be controlled remotely and used for credit card or banking theft.

According to VirusTotal, 22 out of 40 antivirus products were able to detect the Trojan successfully.

Check if your antivirus can save you from the attack!
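Site owners can also check their own pages for the kind of injected iframe and script references described in the quoted analysis. The following is an added example, not code from the original post or from the quoted blog: it statically scans HTML for `iframe` and `script` tags whose `src` host is not on an allowlist. The hostnames, the allowlist and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two legitimate scripts plus an injected
# zero-size iframe and an off-site tracking script.
SAMPLE_PAGE = """<html><body>
<h1>Product list</h1>
<script src="/static/site.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<td>Widget<iframe src="http://injected.example.net/a.htm" width="0" height="0"></iframe></td>
<script src="http://tracker.example.net/count.js"></script>
</body></html>"""


class InjectedFrameFinder(HTMLParser):
    """Collect iframe/script tags whose src points to a non-allowlisted host."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host in self.allowed:
            return  # inline script, relative URL, or allowlisted host
        style = a.get("style", "").replace(" ", "").lower()
        # Injected frames are usually made invisible to the visitor.
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "host": host, "hidden": hidden,
                              "line": self.getpos()[0]})


def scan(html, allowed_hosts):
    """Return findings for one page; allowed_hosts is the site's own allowlist."""
    finder = InjectedFrameFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE, {"www.example.org", "cdn.example.org"}):
        print(f)
```

A static scan only sees references present in the stored markup, so frames created at runtime by an already-loaded script will not appear; the same check can be run against database fields that hold HTML content.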
