Banking Malware (BankPatch.C) shows that the bad guys are extremely innovative

We often get into situations where people thing that the “bad guys” are script kiddies that do this for fun. Every malware analyst will tell you that the innovation on the wrong side of the fence is astonishing…

Anyway, lets have a look at one of the latest examples of such innovation: Bankpatch.C.

Bankpatch is a fairly “old” trojan which first appeared beginning of 2007. However Bankpatch.C which was first released in September 2008 through to February 2009 has some major enhancements.

Generally Bankpatch.C is a banking trojan that is designed to compromise online banking transactions. It waits silently on the consumer or corporate computer up until it finds an internet request it is interested in (a targeted website it has policies for) and then comes to life. It then has the ability to steal your login details, but also to dynamically inject HTML into the existing login form to capture whatever information they require. Alarmingly HTML can be injected into a secured SSL website without the computer security or the website owner becoming aware that it has been compromised.

This is also one of the “real-time” trojans that have the potential to act in real-time to compromize One-Time-Passwords (OTP) as intercept the OTP before it is used to authenticate the account holder as they access the banking website.

Another avenue is to deploying targeted payloads depending on the webservices used. The most widely payload is a BHO (Browser Helper Object) called Infostealer.Nadebanker.

Symantec has written about Bankpatch here and it received a bit of press. Michael Hale Ligh has a very good technical writeup with standalone detection tools here.

From a technical point, the most interesting part of Bankpatch.C is the fact that it uses an interesting approach to “rootkit” the machine, i.e. to stay undetected. After the initial infection, Bankpatch.C will “patch” (change) three core windows files and will inject its own malicious code into these system files. Therefore Bankpatch.C is not even present on the system as an individual file/process/software.

So how does Bankpatch accomplish this?

First of all, Bankpatch will disable the Windows File Protection (WFP) that is designed by Microsoft to make sure that no-one changes core windows files. Good to know that WFP can easily be disabled!!!

After this is done, Bankpatch will modify the following three core windows files through Position Independent Code (PIC)

  • kernel32.dll
  • wininet.dll
  • powrprof.dll

Through patching these files, Bankpatch.C has now full control over

  • any file that is created, opened, written or closed (through patching kernel32.dll)
  • any internet connection that is opened, any webtraffic that comes in or leaves the computer, may it be encrypted or not (through patching wininet.dll)
  • with these functions, the trojan has pretty much full control over the machine!

Antivirus Detections seems to be very low and one problem that we constantly face is that once the system is infected, virtually no Antivirus Engine can detect that the system is compromized. There is no malicious software running on the system, no process, no nothing… However nobody seems to notice that core windows functions are not how they should be!!!

TrustDefender will detect BankPatch.C in two ways (defense-in-depth):

  1. through our whitelisting approach, TrustDefender detects that the core system libraries are NOT the legitimate ones
  2. through our forensics analysis, TrustDefender detects that from a forensics point-of-view, these three files are suspicious.

In Summary, BankPatch.C is a testimonial of some excellence from the bad guys and it further indicates what we all know: They are getting smarter and smarter.

The lesson to be learnt is that we (the good guys) need to be smarter and smarter as well and we need more innovative approaches like our kernel forensics engine.

0 thoughts on “Banking Malware (BankPatch.C) shows that the bad guys are extremely innovative”

  1. This proves yet again that we cannot win the technical arms race without the benefit of an offensive legal strategy. IT security firms need to partner with innovative law firms who know how to convert technical data into effective legal actions against the bad guys, their assets and their enablers. Every good defense needs a good offense…for too long we’ve relied solely on defense to win the game. It can’t carry the load alone. The best technology firms understand that.

  2. I am getting really fed up of spyware and stuff like viruses. There doesn’t seem to be a regulatory body that can find these people and prosecute them for the waste of man-years. The site I link to is a good starter for free internet security to defend yourself with. Basically – Firefox, a free virus checker, Spybot and Spywareblaster coupled with a good firewall policy will stop most rubbish before you notice it on your machine. Stopping attacks on a website is where I would need help.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>