In-depth look at a Silentbanker variant (Silentbanker.B)

Overview

We were looking last week at a compromised computer that was infected with the Silentbanker.B variant and we could recover all relevant files including the installer.
Initially the Silentbanker Installer was executed as a drive-by-download and as the Antivirus Engine had no signatures for it, it could install itself.
After that, the Silentbanker Trojan will use a number of techniques to steal confidential information:

  • It downloads encrypted configuration files from the internet to stay up-to-date with the policies
  • It injects malicious HTML inside the current browser process to circumvent any browser based security solutions, including (EV-) SSL certificates, …
  • It is a real-time Trojan that will transmit the stolen information instantly to circumvent any sandbox security solutions and 2-factor authentication devices. That also means that someone without your knowledge and without your approval is successfully authenticated. Even with a One-Time-Password.
  • It uses userland-rootkit techniques to hide the malicious components from the harddrive to evade detection.

However in the end, the Silentbanker Trojan is a very sophisticated BHO (Browser Helper Object) that works only with the Internet Explorer.

TrustDefender customers were protected against this by design with the Safe&Secure Mode and the Secure Lockdown.

Technical Details
Once infected, the malicious BHO named mscorews.dll is loaded as a BHO from the Internet Explorer. However the interesting part is that once it is loaded, it will not be visible in the file system.

Even more: Once the component is loaded, it will hide the file from the Windows API thus making the file “invisible”. Also the malicious DLL cannot be located through traversal of the module list of the Internet Explorer. In some sense, it does neither exist in memory, nor on the disk. Pretty clever :-)

If the user now browses to a banking website that is known to the Silentbanker Trojan, it will inject the malicious HTML code.

     

 

 

 

Now that the Trojan asks for addition private and confidential information from the user as opposed to the information the real bank login would ask. This information is collected and sent ‘in real-time’ to the C&C server located in Russia.

 

What happens if TrustDefender is deployed: With TrustDefender installed, when the customer logs in, we can also verify that the Secure Lockdown will successfully protect the user from having their confidential details stolen as the Silentbanker Trojan cannot send anything to anywhere (except the “real” SSL Certificate Fingerprints of Bank of America).

 

 

 

 

Note: Another interesting fact is that this Silentbanker Trojan specifically targets the TAN (One-Time-Passwords) implemented mostly by german banks. This shows that there is only so much you can do on the server side and a full security solution has to include the client.

The targeted banks for the TAN systems are: Postbank.de, Citibank.de, Deutsche-Bank.de, Norisbank.de, Seb-Bank.de, Fiducia.de (all Volks-/Raiffeisenbanken), Comdirect.de, 1822direkt.com, Haspa.de, Hypovereinsbank.de, Weberbank.de, Gad.de, Sparda.de, Mlp.de, Kaupthinedge.de, Psd-bank.de,

Unfortunately the virustotal results of the malicious Silentbanker Module is quite disastrous (only 7 out of 36 Antivirus Engines detected the Trojan) last week. (see http://www.virustotal.com/analisis/9e1c5e1c068fd0de61133594ca404519)

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>