Archive

Archive for April, 2008

Banking Trojans II

April 21st, 2008 Comments off

In Banking Trojans Part I I covered some banking trojan families. Here I will list the rest of the most dangerous of these types of malicious codes.

 

Goldun, Haxdoor, Nuclear Grabber
It usually drops a DLL and a SYS file with rootkit functionality.
It creates a registry entry in order to load the DLL:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

Cimuz, Bzud, Metafisher, Abwiz, Agent DQ
It usually drops a DLL as a Browser Helper Object (BHO) with these names:
    %SystemRoot%\appwiz.dll
    %SystemRoot%\ipv6mmo??.dll

We have seen also other names for these files.

Bankolimb, Nethell, Limbo
It usually drops a DLL as a Browser Helper Object (BHO) and an encrypted XML which acts as a configuration file for the Trojan.
Some variants create the following registry entry:
    HKEY_LOCAL_MACHINE\Software\Helper
Others create the following one:
    HKEY_LOCAL_MACHINE\Software\MRSoft

Briz, VisualBreez
Programmed in Visual Basic, it creates the following files:
    %SystemRoot%\ieschedule.exe
    %SystemRoot%\dsrss.exe
    %SystemRoot%\ieserver.exe
    %SystemRoot%\websvr.exe
    %SystemRoot%\ieredir.exe
    %SystemRoot%\smss.exe
    %SystemRoot%\ib?.dll

Folders:
    %SystemRoot%\drv32dta
    %WindowsRoot%\websvr

Registry entry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\InitRegKey
And usually modifies the hosts file.

Nuklus, Apophis
It usually downloads the following files:
    %SystemRoot%\IEGrabber.dll
    %SystemRoot%\CertGrabber.dll
    %SystemRoot%\FFGrabber.dll
    %SystemRoot%\IECookieKiller.dll
    %SystemRoot%\IEFaker.dll
    %SystemRoot%\IEMod.dll
    %SystemRoot%\IEScrGrabber.dll
    %SystemRoot%\IETanGrabber.dll
    %SystemRoot%\NetLocker.dll
    %SystemRoot%\ProxyMod.dll
    %SystemRoot%\PSGrabber.dll

 

BankDiv, Banker.BWB
Creates the following files:
    %SystemRoot%\xvid.dll
    %SystemRoot%\xvid.ini
    %SystemRoot%\divx.ini
    %System%\drivers\ip.sys

 

Snatch, Gozi
It usually installs a driver with rootkit functionalities:
    %WindowsRoot%\driver new_drv.sys

Spyforms
Creates the following registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    “ttool” = %WindowsRoot%\svcs.exe
    HKEY_CURRENT_USER\Software\Microsoft\InetData

BankPatch
It modifies the following system files:
    wininet.dll
    kernel32.dll

And creates the files:
    %SystemRoot%\ldshfr.old
    %SystemRoot%\mentid.dmp
    %SystemRoot%\nwkr.ini
    %SystemRoot%\nwwnt.ini

Usually targets banks from the Netherlands.

Silentbanker
Drops file in %SystemRoot% with random names, for example:
    %SystemRoot%\appmgmt14.dll
    %SystemRoot%\dbgen47.dll
    %SystemRoot%\drmsto34.dll
    %SystemRoot%\faultre66.dll
    %SystemRoot%\kbddiv55.dll
    %SystemRoot%\kbddiv79.dll
    %SystemRoot%\msisi83.dll
    %SystemRoot%\msvcp793.dll
    %SystemRoot%\msvcr25.dll
    %SystemRoot%\nweven2.dll
    %SystemRoot%\pngfil51.dll
    %SystemRoot%\pschdpr89.dll
    %SystemRoot%\versio40.dll
    %SystemRoot%\wifema85.dll
    %SystemRoot%\winstr21.dll
    %SystemRoot%\wzcsv64.dll

Creates a registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Drivers32 “midi1”

If you suspect infection by these or any other type of malware I encourage you to double check by scanning your PC online with ActiveScan 2.0.

Categories: Malware, Rootkits Tags:

Banking Trojans I

April 18th, 2008 Comments off

Some of the most dangerous types of threats out there today are banking trojans. These malicious trojans are very specialized and focused at stealing banking credentials. They use advanced techniques to fool users, such as injecting HTML code to ask for additional confidential information such as SSN, PINs, coordinate cards, intercept Transaction Account Numbers (TAN) and replace them with bogus ones, and many more dirty tricks. There's no real solution to the problem in place and certainly no banking customer is safe from this threat today.

These are normally developed by real cyber-criminal mafias such as the Russian Business Network (RBN) and go through great lenghts in order to avoid being detected by traditional antivirus techniques. Not only do they go through QA testing prior to being released but they are also packed with advanced techniques and purpose-made packers that make signature detection less efficient. Specialized heuristics is the most interesting area of research to counter these attacks.

In order to familiarize yourselves with this new type of threats it is important to understand how they work on how they install themselves in your system. In this post I'll show you basic characteristics of some banking trojan families. Watch out for some more details in future posts.

Banbra, Dadobra, Nabload, Banload
Programmed in Delphi, usually packed using Yoda Protector or Telock.
They are usually big (more than 1MB in size), but the Trojan Downloaders which installs it are smaller.
It usually sends out the stolen information via e-mail or ftp to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Bancos
Programmed in Visual Basic.
Similar to the Banbra family but in VBasic, they are usually big (more than 1MB).
It usually sends out the stolen information via e-mail or ftp to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Dumador, Dumarin, Dumaru
Programmed in Delphi, usually packed using FSG.
It creates the following files:
    %SystemRoot%\winldra.exe
    %WindowsRoot%\netdx.dat
    %WindowsRoot%\dvpd.dll
    %Temp%\fe43e701.htm
It also creates the following registry entries:
    HKEY_CURRENT_USER\Software\SARS
Some variants also modify the hosts file.

Sinowal, Wspoem, Anserin, AudioVideo
It creates the following files:
    %SystemRoot%\ntos.exe. (usually loaded by svchost.exe to avoid being listed as an active processes).
It creates the folder %SystemRoot%\wsnpoem, where it saves the files audio.dll and video.dll.
They are not really DLL files. In one of these files the Trojan saves an encrypted list of targeted banks. In the other file it saves the stolen data.
It also modifies the the following registry entry in order to run every boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Old value = "%SystemRoot%\userinit.exe"
    Modified = "%SystemRoot%\userinit.exe", "%SystemRoot%\ntos.exe"
It downloads the file cfg.bin that usually contains the encrypted text strings for the banks.

Torpig, Xorpig, Mebroot
It creates the following files:
    %CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe
    %CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.dll
    %WindowsRoot%\Temp\$_2341234.TMP
    %WindowsRoot%\Temp\$_2341233.TMP
The "?" is normally replaced by a digit (ex. ibm00001.exe).
And the following registry entry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        “Shell” = "%CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe"
It usually creates a service in order to load the file ibm0000?.dll through svchost.exe.


Recent variants of Torpig, Xorpig and Mebroot:

The latest trend is that it modifies the computer's Master Boot Record (MBR) to run rootkit code and which is used to hide the Trojan. Sometime later it forces a computer reboot and creates the following files:
    %WindowsRoot%\temp\fa56d7ec.$$$
    %WindowsRoot%\temp\bca4e2da.$$$

 

Thanks to Vicen from PandaLabs for the info.

Categories: Malware, Rootkits Tags: