MetaFisher - a Trojan discovered over a month ago - is still wreaking havoc against unsuspecting users. The Trojan, also knows as Spy-Agent, installs itself when a user visits a malicious Web page by taking advantage of the Windows Metafile vulnerability addressed by Microsoft in their bulletin, MS06-001. Once active the Trojan downloads files that assimilate the affected computer into a botnet.
Ken Dunham of iDefense provided screenshots (seen below) of the attacker's management interface for the botnet. The screenshots reveal that so far over 552,000 systems have become part of the botnet and that the majority are computers located in Brazil and the United States. The interface also allows attackers to query the botnet to find specific bank account information.
Dunham said that what makes MetaFisher more dangerous than other phishing bots is its ability to use HTML injection techniques to gather sensitive financial information after a person authenticates to a targeted bank acount.
"MetaFisher has been spreading, under the radar, for months, compromising hundreds of thousands if not millions of accounts for financial fraud," said Dunham. "\[It's\] the most sophisticated bot to date, targeting financials in Spain, the United Kingdom, and Germany."
Screen 1: Bot propagation tracking (click the image for a larger view):
Screen 2: Options screen, used for querying bots for information (click the image for a larger view):