
Banking Trojans II

April 21st, 2008

In Banking Trojans Part I, I covered some banking trojan families. Here I will list the rest of the most dangerous of these types of malicious code.


Goldun, Haxdoor, Nuclear Grabber
It usually drops a DLL and a SYS file with rootkit functionality.
It creates a registry entry in order to load the DLL:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

Cimuz, Bzud, Metafisher, Abwiz, Agent DQ
It usually drops a DLL as a Browser Helper Object (BHO) with these names:

We have also seen other names for these files.

Bankolimb, Nethell, Limbo
It usually drops a DLL as a Browser Helper Object (BHO) and an encrypted XML file that acts as the Trojan's configuration file.
Some variants create the following registry entry:
Others create the following one:

Briz, VisualBreez
Programmed in Visual Basic, it creates the following files:


Registry entry:
It also usually modifies the hosts file.

Nuklus, Apophis
It usually downloads the following files:


BankDiv, Banker.BWB
Creates the following files:


Snatch, Gozi
It usually installs a driver with rootkit functionality:
    %WindowsRoot%\driver new_drv.sys

Creates the following registry entries:
    "ttool" = %WindowsRoot%\svcs.exe

It modifies the following system files:

And creates the files:

Usually targets banks from the Netherlands.

Drops files with random names in %SystemRoot%, for example:

Creates a registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Drivers32 "midi1"

If you suspect infection by these or any other type of malware, I encourage you to double-check by scanning your PC online with ActiveScan 2.0.


Banking Trojans I

April 18th, 2008

Some of the most dangerous types of threats out there today are banking trojans. These malicious trojans are very specialized and focused on stealing banking credentials. They use advanced techniques to fool users, such as injecting HTML code to ask for additional confidential information (SSNs, PINs, coordinate cards), intercepting Transaction Account Numbers (TANs) and replacing them with bogus ones, and many more dirty tricks. There's no real solution to the problem in place, and certainly no banking customer is safe from this threat today.

These are normally developed by real cyber-criminal mafias such as the Russian Business Network (RBN) and go to great lengths to avoid being detected by traditional antivirus techniques. Not only do they go through QA testing prior to being released, but they are also packed with advanced techniques and purpose-made packers that make signature detection less effective. Specialized heuristics are the most interesting area of research to counter these attacks.

To familiarize yourselves with this new type of threat, it is important to understand how they work and how they install themselves on your system. In this post I'll show you the basic characteristics of some banking trojan families. Watch out for more details in future posts.

Banbra, Dadobra, Nabload, Banload
Programmed in Delphi, usually packed using Yoda Protector or Telock.
They are usually big (more than 1 MB in size), but the Trojan downloaders that install them are smaller.
It usually sends out the stolen information via e-mail or FTP to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Programmed in Visual Basic.
Similar to the Banbra family but written in Visual Basic, they are usually big (more than 1 MB).
It usually sends out the stolen information via e-mail or FTP to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Dumador, Dumarin, Dumaru
Programmed in Delphi, usually packed using FSG.
It creates the following files:
It also creates the following registry entries:
Some variants also modify the hosts file.
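Both Briz and Dumador are described above as modifying the hosts file, the pharming trick that sends a bank's hostname to an attacker-controlled address. As an added example (not code from PandaLabs or the original post), this Python check parses a constructed hosts file and flags any name that does not resolve to this machine; the hostnames and addresses are placeholders, and the assumption is that a clean Windows hosts file only maps localhost to loopback.

```python
import ipaddress

# Constructed hosts-file content (not captured from a real infection): a stock loopback
# line plus two redirections of the kind the posts describe; hostnames are placeholders.
SAMPLE_HOSTS = """\
# stock header comment
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example-bank.test
203.0.113.10    online.example-bank.test   # the bank's login host
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()             # one address, one or more names
        for name in names:
            yield ip, name

def suspicious_hosts(text):
    """Return (ip, name, reason) for entries that send a name somewhere other than this machine.

    Assumption: a clean hosts file maps names only to loopback, so any routable address
    (or an address that does not even parse) is worth investigating.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, 'unparseable address'))
            continue
        if not addr.is_loopback:
            findings.append((ip, name, 'non-loopback mapping'))
    return findings
```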

Sinowal, Wspoem, Anserin, AudioVideo
It creates the following files:
    %SystemRoot%\ntos.exe (usually loaded by svchost.exe to avoid being listed as an active process).
It creates the folder %SystemRoot%\wsnpoem, where it saves the files audio.dll and video.dll.
They are not really DLL files. In one of these files the Trojan saves an encrypted list of targeted banks. In the other file it saves the stolen data.
It also modifies the following registry entry in order to run at every boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Old value = "%SystemRoot%\userinit.exe"
    Modified = "%SystemRoot%\userinit.exe", "%SystemRoot%\ntos.exe"
It downloads the file cfg.bin that usually contains the encrypted text strings for the banks.

Torpig, Xorpig, Mebroot
It creates the following files:
    %CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe
    %CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.dll
The "?" is normally replaced by a digit (e.g. ibm00001.exe).
And the following registry entry:
    "Shell" = "%CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe"
It usually creates a service in order to load the file ibm0000?.dll through svchost.exe.
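The Winlogon Userinit and Shell values (Sinowal, Torpig), the Winlogon Notify key (Goldun/Haxdoor) and the Drivers32 "midi1" value (Gozi) listed in these two posts can be checked mechanically from a registry export. As an added example (not code from PandaLabs or the original posts), this Python script parses a constructed .reg-style export and flags those four persistence tricks; the heuristics that stock Notify and Drivers32 entries use bare DLL names and that Shell is explorer.exe are assumptions, and the file names are placeholders.

```python
import re

# Constructed .reg-style export (not from a real machine) with the kinds of Winlogon,
# Notify and Drivers32 entries the posts attribute to Sinowal, Torpig, Goldun and Gozi.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\ibm00001.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xyzpkg]
"DLLName"="C:\\WINDOWS\\system32\\xyznotify.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Drivers32]
"midi"="wdmaud.drv"
"midi1"="C:\\WINDOWS\\system32\\qzxjv.dll"
'''

WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
DRIVERS32 = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Drivers32'

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith('['):
            current = keys.setdefault(line.strip('[]'), {})
        elif (m := re.match(r'"([^"]+)"="(.*)"$', line)) and current is not None:
            current[m.group(1)] = m.group(2).replace('\\\\', '\\')  # undo .reg escaping
    return keys

def find_persistence(reg):
    """Return (location, data) pairs for the persistence tricks described in the posts."""
    findings = []
    wl = reg.get(WINLOGON, {})
    # Sinowal appends ntos.exe after userinit.exe; any entry other than userinit.exe is suspect.
    for entry in (e.strip() for e in wl.get('Userinit', '').split(',')):
        if entry and entry.lower().rsplit('\\', 1)[-1] != 'userinit.exe':
            findings.append(('Userinit', entry))
    # Torpig replaces the shell; a stock system runs explorer.exe here (assumption).
    if wl.get('Shell', 'explorer.exe').strip().lower() != 'explorer.exe':
        findings.append(('Shell', wl['Shell']))
    # Goldun/Haxdoor add a Winlogon Notify package; stock packages use bare DLL names
    # loaded from system32, so a DLLName carrying a path is flagged (heuristic).
    for key, vals in reg.items():
        if key.startswith(WINLOGON + '\\Notify\\') and '\\' in vals.get('DLLName', ''):
            findings.append(('Notify\\' + key.rsplit('\\', 1)[-1], vals['DLLName']))
    # Gozi hides as a "midi1" Drivers32 entry; legitimate entries are bare driver names.
    for name, data in reg.get(DRIVERS32, {}).items():
        if name.lower().startswith('midi') and '\\' in data:
            findings.append(('Drivers32\\' + name, data))
    return findings
```

Run against a real export with `find_persistence(parse_reg(open('export.reg').read()))`; the same Userinit check is what a defender should apply to the "Modified" value shown above.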

Recent variants of Torpig, Xorpig and Mebroot:

The latest trend is that it modifies the computer's Master Boot Record (MBR) to run rootkit code that hides the Trojan. Some time later it forces a reboot and creates the following files:


Thanks to Vicen from PandaLabs for the info.
