Dangerous Fake e-Bay Toolbar - Opens up PC for Remote Control
AVERT labs is documenting a new fake toolbar that is circulating, and while it provides legitimate functionality for e-Bay users, it also has a hidden agent that will install a remote control account with full administrative rights. The bad guys can then secretly log on to the infected PC with full access to any files that might be found there :eek::eek::eek:
It is a good practice to avoid all toolbars, as they can slow down browser performance. Also, some of the toolbars offered are malware attacks in disguise, as in this case.
QUOTE: We received a sample recently from a customer. Its file name, ToolbarSetup.exe, implies it may be a toolbar installer. Upon execution, it displays the eBay toolbar EULA and the installation interface. And this program does indeed install the eBay toolbar.
This file silently opens TCP port 3389, which is by default the port for Terminal Services. It creates a new account "eBayMember" with Administrator privileges and enables this account to remotely access the infected machine. The created account is also hidden from the login screen, to prevent the victim from noticing.
Then the remote access ability of the compromised machine was verified by using the user name and password defined in the malicious .vbs file, as illustrated below. A successful login suggests the infected machine could be completely controlled by a remote attacker.
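
A defender's check for the three indicators in the write-up above (TCP 3389 open, a new Administrator account, the account hidden from the login screen), added here as an example and not taken from the original post or from AVERT. It assumes PowerShell 5.1 or later on a current Windows release, and it assumes the account was hidden through the standard `SpecialAccounts\UserList` registry value, which the write-up does not confirm.

```powershell
# Added example (not from the original post). Run elevated on the machine being checked.
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$hiddenKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

# 1. Remote Desktop state and a listener on TCP 3389 (the port named in the write-up).
$deny       = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)
$listening  = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

# 2. Accounts hidden from the login screen: a DWORD 0 value named after the account.
#    Assumption: the write-up does not say which mechanism the installer used;
#    this key is the standard Windows way to hide an account.
$hidden = @()
if (Test-Path -LiteralPath $hiddenKey) {
    $key    = Get-Item -LiteralPath $hiddenKey
    $hidden = @($key.GetValueNames() | Where-Object { $key.GetValue($_) -eq 0 })
}

# 3. Members of the built-in Administrators and Remote Desktop Users groups,
#    looked up by well-known SID so localized group names do not matter.
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })
$rdpSids   = @(Get-LocalGroupMember -SID 'S-1-5-32-555' | ForEach-Object { $_.SID.Value })

# 4. Correlate per local account. An enabled administrator that is hidden from
#    the login screen matches the behaviour described; the account name from
#    the write-up is flagged regardless of its other attributes.
$report = Get-LocalUser | ForEach-Object {
    $isAdmin  = $adminSids -contains $_.SID.Value
    $isHidden = $hidden -contains $_.Name
    [pscustomobject]@{
        Name       = $_.Name
        Enabled    = $_.Enabled
        Admin      = $isAdmin
        RdpGroup   = $rdpSids -contains $_.SID.Value
        Hidden     = $isHidden
        Suspicious = ($_.Enabled -and $isHidden -and $isAdmin) -or ($_.Name -eq 'eBayMember')
    }
}

"RDP enabled: $rdpEnabled   Listening on 3389: $listening"
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A row with `Suspicious` set to True on a machine where Remote Desktop is also enabled and listening warrants disabling the account and reviewing how it was created.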