Highlander bot: There can be only one?

Your wife is always right, reported PandaLabs Luis Corrons after "bot shopping with his wife." The tale is humorous, but the botnet is not. It's more than an elaborate phishing fake order confirmation; it's nasty and malicious, crafted to steal everything. The bot creators may be fans of the film Highlander as this bot will remove any other bots, malware, or Trojans . . . so in the end there can be only one.

"There can be only one." . . . There's nothing stranger than the truth and while the story behind a vicious new bot is a bit humorous, the malware most assuredly is not. The bot creators may have maliciously crafted the bot with a hat tip to the movie Highlander as this is "one bot to dominate them all."

Most everyone shops online, but not all couples shop online together, so the security headline "Bot shopping with my wife" snagged my attention. Luis Corrons, technical director at PandaLabs, related a tale in which he walked away with lessons learned, including, "Your wife is always right, and in case she tells you something you don't have to ask about it anymore."

A new bot, Ainslot.L, is designed to steal everything. PandaSecurity reported, "This malware is designed to log user activities, download additional malware and take control of the system. Additionally, it acts as a banker Trojan, stealing log-in information related to banks. It also scans the computer looking for and removing other bots so that it becomes the only bot on the system."

Corrons' wife told him that she received a purchase confirmation email for clothing that she had not bought at the UK clothing company CULT. At first he blew it off as he thought, "How can she even remember what she bought? She buys thousands of clothes online, probably she doesn't remember it, this wouldn't be the first time."

Ah but she persisted, so after the 1,000th time she insisted she hadn't bought anything from that store, Corrons looked at what seemed to be a legit message. When he asked her one more time if she was sure she hadn't made a purchase, Corrons said, "She looked at me in a way that only your better half can do, and at that moment I understood that my life was in risk if I dare to ask again."

Often in phishing emails, English is not the social engineer's native language . . . but such is not the case for the cybercrooks behind the fake CULT order confirmation. This phishing email is elaborate and believable. If you click the URL to view the order, as many people might do, especially since they didn't make any such purchase, you are directed to download what appears, judging by its Acrobat icon, to be a PDF copy of the purchase. However, the file is actually a Windows executable (EXE) that creates a registry entry under the name "Windows Defender" so that it looks legitimate. It will be executed each time the computer boots, and the changed registry values allow it to bypass the firewall.
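As an added illustration (not code from the PandaLabs post or from this article), here are two defender-side checks for the chain described above: one compares a download's claimed type with its leading bytes, the other flags autorun entries that borrow the "Windows Defender" name but run from a user-writable directory. The sample bytes, the Run-key entries and every path are constructed assumptions.

```python
from pathlib import Path

# Constructed sample bytes (not from the campaign): a Windows PE file starts with the
# "MZ" DOS header, a real PDF with "%PDF-". An icon or filename proves nothing.
SAMPLE_DISGUISED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
SAMPLE_REAL_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"

def classify_download(name: str, data: bytes) -> dict:
    """Compare what the filename claims with what the leading bytes actually are."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    claimed = suffixes[-1].lstrip(".") if suffixes else ""
    if data[:2] == b"MZ":
        actual = "exe"
    elif data[:5] == b"%PDF-":
        actual = "pdf"
    else:
        actual = "unknown"
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        # an executable wearing a document extension, or a double extension such as .pdf.exe
        "suspicious": (actual == "exe" and claimed != "exe") or len(suffixes) > 1,
    }

# Constructed autorun entries as (value name, command) pairs, in the shape you would
# read from the Run keys under ...\CurrentVersion\Run (hypothetical paths).
AUTORUN_ENTRIES = [
    ("Windows Defender", r'"C:\Program Files\Windows Defender\MSASCui.exe" -hide'),
    ("Windows Defender", r"C:\Users\ana\AppData\Roaming\order_confirm.exe"),
    ("OneDrive", r'"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Directories a normal user cannot write to; anything else is a plausible drop location
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
IMPERSONATED_NAMES = ("windows defender",)

def image_path(command: str) -> str:
    """Return the executable path from a Run-key command, honouring quoting."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def suspicious_autoruns(entries):
    """Flag entries that borrow a security product's name but run from user-writable paths."""
    hits = []
    for name, command in entries:
        path = image_path(command).lower()
        if name.lower() in IMPERSONATED_NAMES and not path.startswith(TRUSTED_DIRS):
            hits.append((name, path))
    return hits
```

On a real host you would feed `suspicious_autoruns` the Run-key values read with `winreg` or an autoruns export instead of the constructed list.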

Corrons wrote, "Once you have done it... bad news, this is a nasty Trojan with bot capabilities. It is designed to steal all kind of personal information: from Bank of America customers to players using the game platform Steam. And it will log everything you do in your computer, so the next time you go to Facebook, Gmail, etc. your passwords will be sent to the cybercriminals."

It doesn't stop there, as Ainslot.L searches for "other Trojans" and bot competitors like "Zeus, DarkComet, etc" and then "removes other bots from infected systems. It eliminates all competition, leaving the computer at its mercy." The anti-malware laboratory of PandaLabs said it's like "in the film Highlander: 'In the end there can be only one'."

Stay alert, as this fake order confirmation phishing email and the "Highlander" Ainslot.L bot will surely move beyond messages allegedly coming from the CULT store.

As for the personal "bot shopping with my wife" lessons Corrons learned?

1. Your wife is always right, and in case she tells you something you don't have to ask about it anymore.

2. Remember everything you buy online to avoid being fooled.

I can almost hear his wife's "Humph," even if she only thought "I told you so" instead of saying it. Visit the PandaLabs blog or Panda Security to read more about this vicious "Highlander" bot.

Follow me on Twitter @PrivacyFanatic

Copyright © 2012 IDG Communications, Inc.