This month we added Win32/Caphaw and Win32/Bepush to the Malicious Software Removal Tool (MSRT).
Caphaw is a malware family that criminals use to gain access to your PC; the ultimate goal is to steal your financial or banking-related information. The graph below shows the number of machine encounters we have seen since September 2013.
Caphaw can be installed on a PC via malicious links posted on Facebook, YouTube, and Skype. It can also spread through infected removable drives and drive-by exploits.
Once installed, it can use a plugin mechanism to download several other programs from its command and control server. Here are some of the plugins and routines that we have seen being downloaded:
We have seen this family targeting the customers of a range of popular banks and financial institutions. It injects into the user’s browser with data from the WebInject plugin as mentioned above. This mimics the requested bank’s website and login page. The user’s login data is then sent to servers controlled by Caphaw.
Caphaw also has capabilities beyond stealing banking information. It allows backdoor access even when the infected machine is behind a firewall or on a private network, as is common in commercial network setups. It can also steal other data, such as FTP passwords and files from the user's machine.
With its modular plugin architecture, the malware author can develop almost any payload and use Caphaw to deliver it to the infected machine.
There is more information about this family in the Win32/Caphaw description.
The best protection from this and other threats is to run an up-to-date real-time security product such as Microsoft Security Essentials.
Edgardo Diaz and Jody Koo