We at K7 TCL came across an interesting host for a malware file: the official fan site of the famous Indian playback singer Sonu Nigam.
This file has been up on the server for almost a month now. Users should exercise caution before downloading an executable file from a fan site, which has no conceivable reason to distribute executable files to its visitors.
Upon execution, the malware can read saved passwords from the user’s internet browser, Mozilla Firefox to be specific. It tries to read data from the ‘signons[number].txt’ file found in the Firefox directory.
This text file holds the user’s logon information for websites for which the user has set ‘Remember Password’ in Firefox. Now imagine the scale of damage this could cause if the infected machine was a public computer at an internet café.
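The behaviour described above lends itself to a simple detection rule: flag any process other than Firefox itself that opens a ‘signons[number].txt’ file inside a Firefox profile. The sketch below is an added example, not code from K7 or from the original post; the CSV event schema, the sample events, and the trusted install directories are assumptions constructed for illustration.

```python
import csv
import io
import ntpath
import re

# File name pattern from the post: 'signons[number].txt' (the number is optional).
SIGNONS_RE = re.compile(r"^signons\d*\.txt$", re.IGNORECASE)
PROFILE_MARKER = "\\mozilla\\firefox\\profiles\\"  # Windows profile layout
ACCESS_OPS = {"CreateFile", "ReadFile"}  # opens and reads, not directory listings
# Assumption: only Firefox, run from its install directory, should open the store.
TRUSTED_DIRS = ("c:\\program files\\mozilla firefox\\",
                "c:\\program files (x86)\\mozilla firefox\\")

# Constructed sample events in a hypothetical CSV schema (not from the original post).
SAMPLE_EVENTS = r"""time,image,operation,path
10:01:02,C:\Program Files\Mozilla Firefox\firefox.exe,ReadFile,C:\Users\cafe\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\signons3.txt
10:04:40,C:\Users\cafe\Downloads\wallpaper_setup.exe,ReadFile,C:\Users\cafe\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\signons3.txt
10:04:41,C:\Users\cafe\Downloads\wallpaper_setup.exe,ReadFile,C:\Users\cafe\Documents\notes.txt
10:05:10,C:\Windows\explorer.exe,QueryDirectory,C:\Users\cafe\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\signons3.txt
10:06:00,C:\Users\cafe\AppData\Local\Temp\FIREFOX.EXE,CreateFile,C:\Users\cafe\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\signons.txt
"""


def is_trusted_reader(image):
    """True only for firefox.exe located in a trusted install directory."""
    image = image.lower()
    return ntpath.basename(image) == "firefox.exe" and image.startswith(TRUSTED_DIRS)


def find_suspicious_reads(csv_text):
    """Return (time, image, path) for untrusted processes opening a signons file."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["path"]
        if row["operation"] not in ACCESS_OPS:
            continue
        if PROFILE_MARKER not in path.lower():
            continue
        if not SIGNONS_RE.match(ntpath.basename(path)):
            continue
        if not is_trusted_reader(row["image"]):
            alerts.append((row["time"], row["image"], path))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_reads(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

The last sample event shows why matching on the process name alone is not enough: a binary named FIREFOX.EXE running from a temp directory is still flagged.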
Following simple practices whenever you use a public computer would save you from such threats:
- Never save your logon information on public computers
- Always clear the history and cache before leaving the computer, or you could use the private browsing session option available in most modern browsers
- If possible, use portable applications; these are applications that run from a pen drive
- Avoid entering any kind of sensitive information on a public computer
For our customers though, it’s just a one-step process: keep your antivirus definitions up to date. K7TotalSecurity detects this file as Trojan ( 001987931 ).
The server hosting the fan site has clearly been compromised. The administrators of the compromised domain have been informed of the impending damage they might be causing to unsuspecting fans.