Major Brazilian cellular telecom provider Vivo under attack
September 9th, 2009 by Ronaldo, Filed under: Commentary, malware, Web
Popular Brazilian websites under attack. Again.
This time the target was Vivo (http://www.vivo.com.br), and the attack was reported by Miguel Di Ciurcio Filho, a security researcher from the Institute of Computing, Campinas State University – Unicamp (site, personal).
In short:
- \WINDOWS\system32\drivers\etc\hosts changed to redirect traffic for popular Brazilian banks to attacker-controlled IP addresses:
- Java applet (.JAR) disguised as JPEG file (MD5: 3d4756a74d76d7b3004604c6b30e23f5)
- Access to server files (/etc/hosts, /etc/passwd) via specially crafted URLs, which was part of the problem.
- Virustotal analysis: logo_top.jpg, laa.class
Simple but effective attack. According to a script on another vulnerable website used in this attack, thousands of users were infected.
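The hosts-file tampering described above is easy to detect on an endpoint: any entry that maps a bank domain to something other than loopback is a pharming indicator. The following checker is an added example, not code from the original post; the sample hosts content, the IP addresses (documentation ranges) and the watched-domain list are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample of a tampered Windows hosts file. The IPs are
# documentation-range placeholders, not the addresses from the incident.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    santander.com.br
203.0.113.10    www.santander.com.br
203.0.113.11    www.bradesco.com.br
192.168.1.20    intranet.example.corp   # legitimate internal override
"""

# Domains to watch (constructed list; extend it for your own environment).
WATCHED = {"santander.com.br", "itau.com.br", "bradesco.com.br", "nossacaixa.com.br"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:                       # not an IP: ignore the line
            continue
        for name in parts[1:]:                   # one IP may carry several names
            yield ip, name.lower().rstrip(".")


def find_pharming(text, watched=WATCHED):
    """Return (ip, hostname) pairs where a watched domain or a subdomain of it
    is pinned to a non-loopback address, i.e. the browser would be redirected."""
    hits = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback:                       # 127.0.0.1 / ::1 sinkholing is not pharming
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((str(ip), name))
    return hits


if __name__ == "__main__":
    # Usage: python hosts_check.py [path]; defaults to the embedded sample.
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, name in find_pharming(data):
        print(f"SUSPICIOUS: {name} -> {ip}")
```

On a real machine point it at C:\Windows\System32\drivers\etc\hosts (or /etc/hosts); a clean file yields no output.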