
Just for kicks and giggles, Patrick Jordan took apart a hosts file hijack that resulted in an obscenely accurate spoof of a Bank of America site — and a large number of other financial institutions.

Here’s what the Bank of America site looks like before the hijack:

(Screenshot: Bofaoriginal.)

(Screenshot: Bofaping.)

Here’s what it looks like after. It’s very convincing:

(Screenshot: Bofawebpagechanged.)

(Screenshot: Bofachanged.)

(Notice the new IP number.)

Here are the hosts file modifications that were made:

O1 – Hosts: 216.32.94.147 www.bankone.com
O1 – Hosts: 216.32.94.147 bankone.com
O1 – Hosts: 216.32.94.147 halifax.com
O1 – Hosts: 216.32.94.147 www.halifax.com
O1 – Hosts: 216.32.94.147 halifax.co.uk
O1 – Hosts: 216.32.94.147 www.halifax.co.uk
O1 – Hosts: 216.32.94.147 www.bankofamerica.com
O1 – Hosts: 216.32.94.147 bankofamerica.com
O1 – Hosts: 216.32.94.147 www.paypal.com
O1 – Hosts: 216.32.94.147 paypal.com
O1 – Hosts: 216.32.94.147 www.lloydstsb.com
O1 – Hosts: 216.32.94.147 lloydstsb.com
O1 – Hosts: 216.32.94.147 www.lloydstsb.co.uk
O1 – Hosts: 216.32.94.147 lloydstsb.co.uk
O1 – Hosts: 216.32.94.147 www.bbvanet.com
O1 – Hosts: 216.32.94.147 bbvanet.com
O1 – Hosts: 216.32.94.147 www.bancopostaonline.poste.it
O1 – Hosts: 216.32.94.147 bancopostaonline.poste.it
O1 – Hosts: 216.32.94.147 www.poste.it
O1 – Hosts: 216.32.94.147 poste.it
O1 – Hosts: 216.32.94.147 www.credem.it
O1 – Hosts: 216.32.94.147 credem.it
O1 – Hosts: 216.32.94.147 www.creval.it
O1 – Hosts: 216.32.94.147 creval.it
O1 – Hosts: 216.32.94.147 www.gruppocarige.it
O1 – Hosts: 216.32.94.147 gruppocarige.it
O1 – Hosts: 216.32.94.147 www.rasbank.it
O1 – Hosts: 216.32.94.147 rasbank.it
O1 – Hosts: 216.32.94.147 www.bancagenerali.it
O1 – Hosts: 216.32.94.147 bancagenerali.it
O1 – Hosts: 216.32.94.147 www.garanti.com.tr
O1 – Hosts: 216.32.94.147 garanti.com.tr
O1 – Hosts: 216.32.94.147 www.kocbank.com.tr
O1 – Hosts: 216.32.94.147 kocbank.com.tr
O1 – Hosts: 216.32.94.147 www.disbank.com.tr
O1 – Hosts: 216.32.94.147 disbank.com.tr
O1 – Hosts: 216.32.94.147 www.cassarimini.it
O1 – Hosts: 216.32.94.147 cassarimini.it
O1 – Hosts: 216.32.94.147 www.unicredit.it
O1 – Hosts: 216.32.94.147 unicredit.it
O1 – Hosts: 216.32.94.147 www.chase.com
O1 – Hosts: 216.32.94.147 chase.com
O1 – Hosts: 216.32.94.147 www.southtrust.com
O1 – Hosts: 216.32.94.147 southtrust.com
O1 – Hosts: 216.32.94.147 www.wachovia.com
O1 – Hosts: 216.32.94.147 wachovia.com
O1 – Hosts: 216.32.94.147 www.wellsfargo.com
O1 – Hosts: 216.32.94.147 wellsfargo.com
O1 – Hosts: 216.32.94.147 www.barclays.co.uk
O1 – Hosts: 216.32.94.147 barclays.co.uk
O1 – Hosts: 216.32.94.147 www.barclays.com
O1 – Hosts: 216.32.94.147 barclays.com
O1 – Hosts: 216.32.94.147 www.barclays.pt
O1 – Hosts: 216.32.94.147 barclays.pt
O1 – Hosts: 216.32.94.147 www.barclays.pt
O1 – Hosts: 216.32.94.147 barclays.pt
O1 – Hosts: 216.32.94.147 online.cassarimini.it
O1 – Hosts: 216.32.94.147 www.bancacarim.it
O1 – Hosts: 216.32.94.147 bancacarim.it
O1 – Hosts: 216.32.94.147 www.citi.com
O1 – Hosts: 216.32.94.147 citi.com
O1 – Hosts: 216.32.94.147 www.citibank.com
O1 – Hosts: 216.32.94.147 citibank.com
O1 – Hosts: 216.32.94.147 www.etrade.com
O1 – Hosts: 216.32.94.147 etrade.com
O1 – Hosts: 216.32.94.147 www.neteller.com
O1 – Hosts: 216.32.94.147 neteller.com
O1 – Hosts: 216.32.94.147 tcfbank.com
O1 – Hosts: 216.32.94.147 www.tcfbank.com
O1 – Hosts: 216.32.94.147 hsbc.com
O1 – Hosts: 216.32.94.147 www.hsbc.com
O1 – Hosts: 216.32.94.147 hsbc.co.uk
O1 – Hosts: 216.32.94.147 www.hsbc.co.uk

216.32.94.147 is hosted in the United States.
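The log above shows the two things a defender can look for in a hosts file without any network access: hostnames of financial institutions being answered by the hosts file at all, and a long list of unrelated hostnames all fanning in to one public IP. The following Python script is an added example, not code from the original post or from Sunbelt; it parses ordinary hosts-file lines as well as HijackThis-style “O1 – Hosts:” entries and reports both patterns. The sample hosts content and the watchlist of domains are constructed for this example (the watchlist reuses a few domains from the log above).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: legitimate entries mixed with entries shaped like the
# hijack shown on this page (many banking hostnames pointed at one public IP).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver fileserver.lan
216.32.94.147   www.bankofamerica.com
216.32.94.147   bankofamerica.com
216.32.94.147   www.paypal.com paypal.com   # two names on one line
216.32.94.147   www.hsbc.co.uk
216.32.94.147   hsbc.co.uk
0.0.0.0         ads.example-tracker.test
"""

# Constructed watchlist; a real deployment would load the organisation's own list.
WATCHLIST = {"bankofamerica.com", "paypal.com", "hsbc.co.uk"}

# Strips the HijackThis prefix ("O1 - Hosts:" or "O1 – Hosts:") when present.
HIJACKTHIS_PREFIX = re.compile(r"^O1\s*[-\u2013]\s*Hosts:\s*", re.IGNORECASE)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text or HijackThis O1 lines."""
    for raw in text.splitlines():
        line = HIJACKTHIS_PREFIX.sub("", raw.split("#", 1)[0]).strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a production tool would log it
        for name in fields[1:]:
            yield str(ip), name.lower()


def is_local_sink(ip):
    """Loopback, 0.0.0.0 (blocklist style), private and link-local targets are normal."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified or addr.is_private or addr.is_link_local


def domain_matches(hostname, watchlist):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_hijacks(text, watchlist, fanout_threshold=3):
    """Return findings as (kind, ip, sorted hostnames).

    'watchlist-entry': a watched (e.g. banking) hostname is resolved by the hosts
        file at all, regardless of the target, since that never happens legitimately.
    'high-fanout': at least fanout_threshold distinct hostnames point at one
        non-local IP, the signature of a redirect-everything phishing host.
    """
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        by_ip[ip].add(name)

    findings = []
    for ip, names in by_ip.items():
        watched = sorted(n for n in names if domain_matches(n, watchlist))
        if watched:
            findings.append(("watchlist-entry", ip, watched))
        if not is_local_sink(ip) and len(names) >= fanout_threshold:
            findings.append(("high-fanout", ip, sorted(names)))
    return findings


if __name__ == "__main__":
    for kind, ip, names in find_hijacks(SAMPLE_HOSTS, WATCHLIST):
        print(f"{kind}: {ip} -> {', '.join(names)}")
```

On the sample input the script reports one watchlist finding and one high-fanout finding, both for 216.32.94.147. On a real machine, point it at the live hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere); the fan-out threshold is deliberately low because a legitimate hosts file rarely maps more than a couple of names to any public address.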

I ran the trojan through Virustotal.com and a number of AV companies detect it. You can see the results below (“No virus found” means that the antivirus engine did not detect the trojan I submitted):

Antivirus        Version           Result
NOD32v2          1.1362            Win32/TrojanDownloader.Small.ARJ
Norman           5.70.10           W32/Downloader
Kaspersky        4.0.2.24          Trojan-Downloader.Win32.Small.arj
BitDefender      7.2               Trojan.Downloader.Smalldldr.A
DrWeb            4.33              Trojan.DownLoader.5860
VBA32            3.10.5            Trojan.DownLoader.5860
AntiVir          6.33.0.77         TR/Dldr.Smalldldr.A
Avira            6.33.0.77         TR/Dldr.Smalldldr.A
Panda            9.0.0.4           Suspicious file
Fortinet         2.54.0.0          PossibleThreat
Ewido            3.5               Downloader.Small.arj
AVG              718               Downloader.Generic.OZZ
F-Prot           3.16c             Could be infected with an unknown virus
Avast            4.6.695.0         No virus found
CAT-QuickHeal    8                 No virus found
ClamAV           devel-20051123    No virus found
eTrust-Iris      7.1.194.0         No virus found
eTrust-Vet       12.4.1.0          No virus found
Ikarus           0.2.59.0          No virus found
Sophos           4.01.0            No virus found
Symantec         8                 No virus found
TheHacker        5.9.2.071         No virus found
UNA              1.83              No virus found
McAfee           4672              No virus found

(Graphic here.)

Interested in more? Watch this video here.


Alex Eckelberry