Malicious Proxy Auto-Config redirection

Internet banking credentials are a desired target for cybercriminals. They can be targeted with man-in-the-middle attacks or through password-stealing trojans such as Fareit, Zbot or Banker. A less well-known method of gaining unauthorized access to a user’s banking credentials, commonly found in South America and to a lesser extent in Russia, is the malicious Proxy Auto-Config (PAC) file. Normally, PAC files offer functionality similar to the hosts file, allowing IP/website redirection, but only for the browser. Unfortunately, they can also be used for nefarious purposes.

When a user is infected with a malicious PAC and visits an internet banking website, the browser is usually redirected to a fake website that mimics the intended banking website. This may result in credentials being stolen – or worse, online account hijacking.

The most common infection scenario is shown in figure 1 below:



Figure 1: A common PAC infection scenario

A user is infected through a drive-by attack or by other malware, and a malicious PAC file is installed onto their computer. When the victim visits a targeted website, their browser is redirected to a fake website that records their login details. The infection is silent: the user is not notified of the change in configuration (see figure 5).

Our telemetry shows the following country domains are the most targeted by malicious PAC files:


Figure 2: Countries most targeted by malicious PACs

Analysis of the malicious PAC files shows that cybercriminals mostly target banking websites in Brazil and Russia, but the attacks are not limited to online banking entities. We have also seen malicious redirection against other payment methods, such as credit cards, as well as e-mail providers, social networking websites, antivirus products and educational institutions. Our TrojanProxy:JS/Banker.gen!A description has a detailed list of the targeted entities.

One important user mitigation comes directly through the browser. What a user would experience when browsing the real website is shown below:


Figure 3: Web page without PAC redirection


Figure 4: Web page with malicious PAC redirection

You can see above that the original website presents a validated certificate and appears with a green address bar. The original website is also using HTTPS (secure communication); the redirected page does not.

Any PAC file installation (legitimate or otherwise) can be manually checked in Internet Explorer by opening the Tools menu, selecting Internet Options, clicking the Connections tab, and selecting LAN Settings. If you see something similar to the following picture and you didn’t install a PAC file, then you might be infected. Keep in mind that the PAC file can also be installed from the internet (using an http:// address), not only as a local file.

Pac installed

Figure 5: LAN setting showing a PAC file installed

Deleting the file entry in “Use automatic configuration script” (or disabling it) and the local file referenced can help mitigate an attack.

In order to deal with these malicious PAC files we have added several detections, such as TrojanProxy:JS/Banker.AC and TrojanProxy:JS/Banker.gen!A, and we will continue adding detections for any malicious PAC files we find in the wild. To better protect yourself against these threats, we recommend installing an up-to-date real-time security product, such as Microsoft Security Essentials.

MMPC Munich

Comments (6)

  1. hypothesis says:

    There is "Disable changing Automatic Configuration settings" both in Computer and User Configuration "Administrative Templates\Windows Components\Internet Explorer" Group Policy setting

  2. Steve Shockley says:

    So, how do we configure this via Group Policy, a way that works for IE6 through IE11? I've been trying to disable this for my users for years, and the results are spotty at best.

  3. Mark Dowling says:

    I'm with Steve. It would be helpful if this advisory was supplemented by a technote explaining mitigation techniques for preventing the drive by and/or the config change and/or enforcing disablement of the PAC file. Some antimalware webscanning services require use of PAC files.

  4. Chester Winter says:

    Kaspersky wrote a very good write up about that as well

  5. Vincent Rogiest says:

    Crazy internet and redirected connections in the benelux.

  6. happy says: