
Banking Trojans III

June 2nd, 2008 Pedro Bustamante

In the previous posts, Banking Trojans I and Banking Trojans II, we gave an overview of the main banker trojan families and their basic characteristics (files and registry entries). Let's dig a little deeper now and look at the infection and hiding techniques each family uses.

Banbra (Dadobra, Nabload)
* Static process
* Process injected into other process
* Encrypted / packed file

Bancos
* Static process
* Process injected into other process
* Encrypted / packed file

Bankdiv (Banker.BWB)
* Static process
* Process injected into other process
* Encrypted / packed file
* Modification of Operating System files
* Substitution of Operating System files

Bankolimb (NetHell, Limbo)
* Static process
* Process injected into other process
* Encrypted / packed file

Banpatch
* Static process
* Process injected into other process
* Encrypted / packed file
* Modification of Operating System files

Briz
* Static process
* Process injected into other process
* Encrypted / packed file

Cimuz (Bzud, Metafisher, Abwiz, Agent DQ)
* Static process
* Process injected into other process
* Encrypted / packed file

Dumador (Dumarin, Dumaru)
* Static process
* Process injected into other process
* Encrypted / packed file

Goldun (Haxdoor, Nuclear grabber)
* Static process
* Process injected into other process
* Process hidden by rootkit
* Encrypted / packed file
* File hidden by rootkit

Nuklus (Apophis)
* Static process
* Process injected into other process
* Encrypted / packed file

PowerGrabber
* Static process
* Process injected into other process
* Encrypted / packed file

SilentBanker
* Static process
* Process injected into other process
* Encrypted / packed file

Sinowal (Wsnpoem, Anserin)
* Polymorphic process
* Process injected into other process
* Process hidden by rootkit
* Polymorphic file
* Encrypted / packed file
* File hidden by rootkit

Snatch (Gozi)
* Static process
* Process injected into other process
* Encrypted / packed file

Spyforms
* Static process
* Process injected into other process
* Encrypted / packed file

Torpig (Xorpix, Mebroot)
* Static process
* Polymorphic process
* Process injected into other process
* Process hidden by rootkit
* Encrypted / packed file
* File hidden by rootkit
* MBR rootkit

  1. Pedro Bustamante
    June 6th, 2008 at 07:57 | #1

    BIG PROBLEM!

    As I was getting the active scan set up on my PC, an alert flashed on my screen from my on-access scanner:

      "A VIRUS WAS FOUND!

    http://acs.pandasoftware.com/activescan/cabs/as2guiie.cab\pskavs.dll   Win32:CTX  Virus/Worm  

    080606-0, 06-06-2008"

    It tells me to abort the connection. Now I can't get this PC scanned as planned. What now?

  2. Pedro Bustamante
    June 9th, 2008 at 10:09 | #2

    This is a known false-positive from your installed antivirus scanner. Your scanner is detecting one of our signatures which is located in one of the engine libraries instead of our signature database. Try running it again and choose “ignore” or “exclude” from your scanner options. We’ll migrate this signature to the database in the next release.

  3. Pedro Bustamante
    June 15th, 2008 at 22:23 | #3

    I can’t find the recent rootkit test on AV-Test.org.

    Please post a link.

    Thanks.

  4. Pedro Bustamante
    June 16th, 2008 at 10:36 | #4

    Jon, the link is:
    http://www.av-test.org/index.php?lang=0&menue=1&sub=Papers
    Look for “Anti-Stealth Fighters: Testing for Rootkit Detection and Removal”, Virus Bulletin 04/2008.
