The Sunbelt Blog describes a virus that modifies the hosts file on victim machines to facilitate phishing attacks. By editing the hosts file, the virus ensures that users attempting to visit sites such as PayPal, Wachovia, BankOne, LloydsTSB and others are directed instead to a phishing server at IP address 18.104.22.168.
This kind of attack represents a departure from the typical one-off phish-by-email attacks that we normally see. Not only is it a passive attack (the phisher has to wait for the victim to attempt to visit one of the targeted sites), but it also requires a much smarter web site to host the attack. When a user connects to the phishing site, code on the server (PHP in this case) must inspect the HTTP “Host” header to determine which site the user intended to visit (remember, all the targeted financial sites now resolve to the same server). Depending on that header, the site performs an internal redirect to the appropriate look-alike sub-site.
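A defender-side check for the hosts-file tampering described above, added here as an example (it is not code from the Sunbelt post or from the malware): it parses a constructed hosts file and flags every public hostname pinned to a routable address, grouped by target IP, so a single server fronting many brands stands out. The sample file contents are made up; only the IP and brand names come from the post.

```python
import ipaddress

# Constructed sample of a tampered hosts file, modelled on the behaviour the post describes.
# The IP and brand names come from the post; the exact entries are made up here.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
18.104.22.168   www.paypal.com paypal.com   # appended by the malware
18.104.22.168   www.wachovia.com
18.104.22.168   www.bankone.com
18.104.22.168   www.lloydstsb.co.uk
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries

def is_local_mapping(ip):
    """Loopback, unspecified and link-local targets are normal hosts-file content."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address is itself worth flagging
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local

def find_hijacked_entries(text):
    """Map each routable target IP to the hostnames pinned to it.

    An end-user hosts file should hold only local mappings, so any public name that
    resolves to a routable address is flagged; grouping by IP makes one server
    fronting many brands (the pattern in the post) obvious at a glance.
    """
    by_ip = {}
    for ip, name in parse_hosts(text):
        if not is_local_mapping(ip):
            by_ip.setdefault(ip, []).append(name)
    return by_ip

if __name__ == "__main__":
    for ip, names in find_hijacked_entries(SAMPLE_HOSTS).items():
        print(f"{ip} hijacks {len(names)} hostname(s): {', '.join(names)}")
```

On a real machine, read the system hosts file (e.g. /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts) into `find_hijacked_entries` and alert on any non-empty result; legitimate local overrides can be handled with an allow-list.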