Anatomy of a malicious host file hijack

Just for kicks and giggles, Patrick Jordan took apart a host file hijack that resulted in an obscenely accurate spoof of a Bank of America site — and a large number of other financial institutions.

Here’s how the Bank of America site looks like before the hijack:

Here’s what it looks like after.  It’s very convincing:

(Notice the new IP number.)

Here are the host file modifications that were made:

O1 – Hosts: 216.32.94.147 www.bankone.com
O1 – Hosts: 216.32.94.147 bankone.com
O1 – Hosts: 216.32.94.147 halifax.com
O1 – Hosts: 216.32.94.147 www.halifax.com
O1 – Hosts: 216.32.94.147 halifax.co.uk
O1 – Hosts: 216.32.94.147 www.halifax.co.uk
O1 – Hosts: 216.32.94.147 www.bankofamerica.com
O1 – Hosts: 216.32.94.147 bankofamerica.com
O1 – Hosts: 216.32.94.147 www.paypal.com
O1 – Hosts: 216.32.94.147 paypal.com
O1 – Hosts: 216.32.94.147 www.lloydstsb.com
O1 – Hosts: 216.32.94.147 lloydstsb.com
O1 – Hosts: 216.32.94.147 www.lloydstsb.co.uk
O1 – Hosts: 216.32.94.147 lloydstsb.co.uk
O1 – Hosts: 216.32.94.147 www.bbvanet.com
O1 – Hosts: 216.32.94.147 bbvanet.com
O1 – Hosts: 216.32.94.147 www.bancopostaonline.poste.it
O1 – Hosts: 216.32.94.147 bancopostaonline.poste.it
O1 – Hosts: 216.32.94.147 www.poste.it
O1 – Hosts: 216.32.94.147 poste.it
O1 – Hosts: 216.32.94.147 www.credem.it
O1 – Hosts: 216.32.94.147 credem.it
O1 – Hosts: 216.32.94.147 www.creval.it
O1 – Hosts: 216.32.94.147 creval.it
O1 – Hosts: 216.32.94.147 www.gruppocarige.it
O1 – Hosts: 216.32.94.147 gruppocarige.it
O1 – Hosts: 216.32.94.147 www.rasbank.it
O1 – Hosts: 216.32.94.147 rasbank.it
O1 – Hosts: 216.32.94.147 www.bancagenerali.it
O1 – Hosts: 216.32.94.147 bancagenerali.it
O1 – Hosts: 216.32.94.147 www.garanti.com.tr
O1 – Hosts: 216.32.94.147 garanti.com.tr
O1 – Hosts: 216.32.94.147 www.kocbank.com.tr
O1 – Hosts: 216.32.94.147 kocbank.com.tr
O1 – Hosts: 216.32.94.147 www.disbank.com.tr
O1 – Hosts: 216.32.94.147 disbank.com.tr
O1 – Hosts: 216.32.94.147 www.cassarimini.it
O1 – Hosts: 216.32.94.147 cassarimini.it
O1 – Hosts: 216.32.94.147 www.unicredit.it
O1 – Hosts: 216.32.94.147 unicredit.it
O1 – Hosts: 216.32.94.147 www.chase.com
O1 – Hosts: 216.32.94.147 chase.com
O1 – Hosts: 216.32.94.147 www.southtrust.com
O1 – Hosts: 216.32.94.147 southtrust.com
O1 – Hosts: 216.32.94.147 www.wachovia.com
O1 – Hosts: 216.32.94.147 wachovia.com
O1 – Hosts: 216.32.94.147 www.wellsfargo.com
O1 – Hosts: 216.32.94.147 wellsfargo.com
O1 – Hosts: 216.32.94.147 www.barclays.co.uk
O1 – Hosts: 216.32.94.147 barclays.co.uk
O1 – Hosts: 216.32.94.147 www.barclays.com
O1 – Hosts: 216.32.94.147 barclays.com
O1 – Hosts: 216.32.94.147 www.barclays.pt
O1 – Hosts: 216.32.94.147 barclays.pt
O1 – Hosts: 216.32.94.147 www.barclays.pt
O1 – Hosts: 216.32.94.147 barclays.pt
O1 – Hosts: 216.32.94.147 online.cassarimini.it
O1 – Hosts: 216.32.94.147 www.bancacarim.it
O1 – Hosts: 216.32.94.147 bancacarim.it
O1 – Hosts: 216.32.94.147 www.citi.com
O1 – Hosts: 216.32.94.147 citi.com
O1 – Hosts: 216.32.94.147 www.citibank.com
O1 – Hosts: 216.32.94.147 citibank.com
O1 – Hosts: 216.32.94.147 www.etrade.com
O1 – Hosts: 216.32.94.147 etrade.com
O1 – Hosts: 216.32.94.147 www.neteller.com
O1 – Hosts: 216.32.94.147 neteller.com
O1 – Hosts: 216.32.94.147 tcfbank.com
O1 – Hosts: 216.32.94.147 www.tcfbank.com
O1 – Hosts: 216.32.94.147 hsbc.com
O1 – Hosts: 216.32.94.147 www.hsbc.com
O1 – Hosts: 216.32.94.147 hsbc.co.uk
O1 – Hosts: 216.32.94.147 www.hsbc.co.uk

216.32.94.147 is hosted in the United States.

I ran the trojan through Virustotal.com and a number of AV companies detect it.  You can see the results below (“No virus found” means that the antivirus engine did not detect the trojan I submitted):

(Graphic here.)

Interested in more?  Watch this video here.

Alex Eckelberry