New Mebroot/Sinowal/MBR/Torpig variant in the wild – virtually undetected and more dangerous than ever

Mebroot/Sinowal/MBR/Torpig has been active since the end of 2007 and is one of the most sophisticated and also one of the most successful trojans of our time (see Wikipedia – http://en.wikipedia.org/wiki/Mebroot).

Since then, Mebroot has undergone quite a few major advancements, and we looked at Mebroot in great detail before (http://www.trustdefender.com/blog/2009/01/07/mbrmebrootsinowaltorpig-is-back-%e2%80%93-better-than-ever/), analyzing the techniques it uses, the flaws of the current protection systems, and how TrustDefender provides protection.

However, since March 26, 2009 we have been seeing a completely new variant with major “improvements” or “enhancements” and a clear focus on staying undetected. It defeats all detection tools and methods in place today (e.g. GMER has provided a technical analysis with a detection/removal tool here; however, it is useless against this new variant). Current antivirus solutions are almost all ineffective: Christian Donner wrote in his blog about how he got infected even though he runs an on-access scanner and ran full scans with 3 different well-known AV vendors. His special Linux boot CD with Kaspersky, Avira Antivir and Bitdefender didn’t detect anything! (http://cdonner.com/mebroot-root-kit-infection.htm)

We analyzed one of the many drive-by downloads of this new Mebroot variant, which carries policies for 298 financial institutions, 44 of which are here in Australia, including 1st, 2nd and even 3rd tier financial institutions as well as pretty much all backend banking service providers.

Technical Details

Infection

As we know, Mebroot is mainly deployed through a drive-by download when you visit “everyday” websites. We also know that the perpetrators behind Mebroot have lots of compromised FTP accounts available to compromise innocent websites. However, being very professional and focused on staying under the radar, they only use as many as they require to achieve their success rate.

The sample we looked at was delivered via an exploit for the recent Adobe vulnerability (which went unfixed for almost 4 weeks!).

As you can see in the screenshot, there is a mysterious 20.tmp process running. This process infects the Master Boot Record and triggers an automatic reboot of the machine, after approximately 10 minutes in our case.

Infected System

Mebroot installs Torpig as its payload, and Torpig is by far the nastiest thing we have ever seen. Generally, it:

  • will steal login and other personal or confidential details from banking websites
  • can inject any HTML content into any website (including HTTPS sites, with or without EV-SSL) without detection
  • can capture CAPTCHAs and compromise virtual keyboards
  • can use the information in real time to defeat one-time passwords
  • has configuration files for many banking sites so that it knows exactly what to look out for
  • is incredibly hard to detect
  • works system-wide, so any browser is affected (yes, you heard right: Firefox and Chrome users are also affected)

So how does it work?

Well, we are still reverse-engineering and analyzing the trojan in detail. However, after infecting the Master Boot Record, it employs a complicated mechanism to inject itself into the ATAPI hard drive driver and from there into core Windows components (svchost.exe and services.exe), which then hook/redirect, in every process, the functions used for internet transmissions. What’s important is that your web browser (Internet Explorer, Firefox, Opera, Chrome, …) is infected and doesn’t even know it!

[Screenshot: usermode_hooks1]

For example, HttpOpenRequest and HttpSendRequest are called whenever internet data is transmitted (regardless of whether it is encrypted or not!).

So what does Mebroot/MBR/Torpig do?

As said before, it is after your login credentials and personal information, and the ability to manipulate this data either in real time or to use it at a later date. It will either simply steal your data directly as it is typed, or inject HTML code into the banking website to gather additional information.

1) Steal authentication data (including defeating virtual keyboards)

The stolen data is stored locally in a file (c:\windows\temp\rg4sfay in our case), which is then transferred to the malicious hosts.

Here is an example with Firefox and a well-known banking site:

[Screenshot: keylogging_1]

Another example with a banking site that uses a virtual keyboard (note that Torpig easily gets the password from the virtual keyboard):

[Screenshot: keylogging_2_vk]

2) Inject HTML Code into the banking website to steal additional data

Below are two examples of banking services where additional information is requested. As these forms appear after the customer has logged in and come from an apparently trusted site, the success rates for the perpetrators of this trojan are much higher than ever before.

[Screenshot: htmlinjection2]

and from another well-known banking provider:

[Screenshot: htmlinjection11]

How does this Trojan work?

As mentioned above, we are still reverse-engineering this Trojan to gather all the details. However, once the Master Boot Record is infected, this Trojan injects itself into various kernel drivers (atapi.sys in this case). This injection is only done in memory and no malicious components are ever written to the hard drive. This is why detection by antivirus engines is so low.

As Torpig wants to steal data from your web browser process, it hooks key functions of the web browser process by patching the Import Address Table (IAT).
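The IAT check described here (and relied on by the Forensics Engine below) can be modelled offline: each import slot should resolve into the DLL that exports the function. The following Python is an added example, not TrustDefender’s code; the module ranges and IAT contents are constructed for illustration, and it also separates a slot that points into another loaded module (possibly a legitimate export forwarder) from one that points outside every loaded module, which is what the in-memory-only injection above produces.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str     # DLL file name as mapped in the process
    base: int     # load address
    size: int     # size of the mapped image

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

@dataclass(frozen=True)
class IatEntry:
    dll: str      # DLL named in the import descriptor, e.g. "wininet.dll"
    func: str     # imported symbol, e.g. "HttpSendRequestA"
    slot: int     # address currently stored in the IAT slot

def classify_iat(modules, entries):
    """Return {'dll!func': verdict} for every IAT slot.
    clean  - slot lies inside the DLL that should export the function
    review - slot lies in another loaded module (export forwarders such as
             kernel32 -> ntdll look like this; confirm before alarming)
    hooked - slot lies outside every loaded module, i.e. in memory not backed
             by any file on disk, the in-memory injection described above
    """
    by_name = {m.name.lower(): m for m in modules}
    verdicts = {}
    for e in entries:
        key = f"{e.dll}!{e.func}"
        owner = by_name.get(e.dll.lower())
        if owner is not None and owner.contains(e.slot):
            verdicts[key] = "clean"
        elif any(m.contains(e.slot) for m in modules):
            verdicts[key] = "review"
        else:
            verdicts[key] = "hooked"
    return verdicts

# Constructed module map and IAT snapshot (addresses are illustrative, not real).
MODULES = [
    Module("wininet.dll", 0x771B0000, 0xA0000),
    Module("kernel32.dll", 0x7C800000, 0xF6000),
    Module("ntdll.dll", 0x7C900000, 0xB2000),
]
IAT = [
    IatEntry("wininet.dll", "HttpOpenRequestA", 0x771C1234),  # inside wininet
    IatEntry("wininet.dll", "HttpSendRequestA", 0x00A3F000),  # unbacked memory
    IatEntry("kernel32.dll", "GetProcAddress", 0x7C80AE40),   # inside kernel32
    IatEntry("kernel32.dll", "HeapAlloc", 0x7C9105D4),        # forwarded to ntdll
]
```

On a live system the module list and IAT contents would come from the process (e.g. the PEB loader list and the mapped PE’s import directory); the verdict logic is the same.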

How can this Trojan be detected?

Well, as you would have guessed, Antivirus detection is almost zero for this new variant. This applies to the dropper/installer as well as to the payload. In fact I haven’t seen a single Antivirus Engine so far that can detect that Torpig is active.

You can detect this trojan as follows (no guarantee, as this may change frequently):

  • did your computer restart without warning or bluescreen?
  • open the command prompt (cmd.exe) and go to the c:\WINDOWS\TEMP directory. Now execute “notepad rg4sfay” and, if infected, you’ll see the stolen content. Please note that this file is hidden and won’t be shown in Windows Explorer.
  • download Process Explorer from Sysinternals, click on “services.exe” and check the open file handles (in the list box below) for
    • any file references to WINDOWS\TEMP\…
    • a file reference to !win$
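The handle checks in this list can be applied automatically to a handle listing. The following Python is an added example (not TrustDefender’s code) that parses a constructed listing laid out roughly like Sysinternals Handle output (the exact layout is an assumption) and flags file handles of services.exe that sit under WINDOWS\TEMP or whose name contains !win$; the process set is a parameter because other services legitimately keep files in that directory.

```python
import re

# Constructed sample in the spirit of Sysinternals Handle output (layout assumed,
# not copied from the tool). PIDs and paths are made up, except the rg4sfay and
# !win$ indicators named in the checklist above.
SAMPLE = r"""
services.exe pid: 660 NT AUTHORITY\SYSTEM
   1C: File  (RW-)   C:\WINDOWS\system32
  2A4: File  (RW-)   C:\WINDOWS\TEMP\rg4sfay
  2B0: File  (RW-)   C:\WINDOWS\TEMP\!win$
  2C8: Key           HKLM\SYSTEM\ControlSet001\Services
svchost.exe pid: 1032 NT AUTHORITY\SYSTEM
  3F0: File  (RW-)   C:\WINDOWS\TEMP\perflib_perfdata_408.dat
"""

HEADER = re.compile(r"^(\S+)\s+pid:\s+(\d+)")
HANDLE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+(\w+)\s+(?:\([^)]*\)\s+)?(.+?)\s*$")
TEMP_DIR = re.compile(r"\\windows\\temp\\", re.IGNORECASE)
MARKER = "!win$"   # literal substring, not a regex anchor

def parse_handles(text):
    """Yield (process, pid, handle_type, name) for every handle line."""
    process, pid = None, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            process, pid = h.group(1).lower(), int(h.group(2))
            continue
        m = HANDLE.match(line)
        if m and process:
            yield process, pid, m.group(2), m.group(3)

def suspicious_handles(text, processes=("services.exe",)):
    """Apply the two checklist rules to File handles of the named processes."""
    findings = []
    for process, pid, htype, name in parse_handles(text):
        if process not in processes or htype != "File":
            continue
        if MARKER in name:
            findings.append((process, pid, name, "name contains !win$"))
        elif TEMP_DIR.search(name):
            findings.append((process, pid, name, r"file under WINDOWS\TEMP"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_handles(SAMPLE):
        print(finding)
```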

However, the best way to detect whether you are infected is to download TrustDefender and check the computer manually. As TrustDefender’s Forensics Engine checks the IAT of your browser processes, TrustDefender can easily detect Mebroot/Torpig and also protect you from it.

The trojan can be removed by using the Windows Recovery Console as described e.g. here: http://www.precisesecurity.com/threats/bootmebroot/

How does TrustDefender protect you from Mebroot?

Naturally, TrustDefender provides automatic protection against Mebroot for all customers of financial institutions that are part of our GAP Protection and of all financial institutions that are part of the Financial Trust Network.

TrustDefender’s Forensics Engine picks up the “hooked” Windows functions in the web browser’s process and enables a Safe&Secure internet transaction by disabling the trojan for the current transaction.

[Screenshot: forensics_engine2]

As long as you see the TrustDefender GAP Window and the Safe&Secure Mode is activated, you are safe.

[Screenshot: gapwindow]

Additional Information / Is your Financial Institution affected?

For more detailed information and to find out whether your financial institution is affected, please feel free to contact us via email at info@trustdefender.com or directly via phone.

16 thoughts on “New Mebroot/Sinowal/MBR/Torpig variant in the wild – virtually undetected and more dangerous than ever”

  1. In Avira’s defense, I have to say that I did get an alert from Antivir about a file 20[1].tmp in the Temporary Internet Files folder. At that point, though, it seems that it had already executed, because I selected “deny access” from the options in the Avira popup, but that did not prevent the infection.
    Nice article!

  2. I was going insane looking for more information about this one. I have all of the symptoms described here, right down to the C:\WINDOWS\Temp\rg4sfay file and its handle in services.exe, the reference to !win$, as well as an unexplained shutdown. On top of that, it seems like my laptop’s fan stopped running! I saw another forum thread where this was mentioned; could a rootkit cause a fan to stop working?

    Anyway, thanks for the info.

  3. Can a rootkit or any software stop your fan? If your fan is controllable by software or BIOS, I’d expect that a well written attack could stop or change it in some way (within the hardware capabilities though, more likely force it into slowest/quiet mode which could potentially overheat your system if you needed it to run faster/cooler at that time).

    Can it wipe your drive’s data beyond recovery? Look up DriveLock and other ATA security. If software were designed to access the “secure erase” mode and try default passwords/access, then I’d expect that to be possible too unless some physical limitation prevented it.

  4. This is a nasty one, only Process Explorer from Microsoft shows handles pointing to rg4sfay, ydf8dk. NO TRACES in Task Manager, Msconfig, Services.msc and registry !!!!!!
    BUT (good news)
    Solution is very easy!!
    1) disable system restore (just in case)
    2) clean up c:/windows/prefetch (just in case again)
    3) go to http://www2.gmer.net/mbr/ , download the .exe at bottom of page and run it 3 times as described FROM SAFE MODE of course.
    4) restart and enable system restore.

    now you can delete the 2 files and process explorer shows nothing suspicious.
    As a bonus, after deleting prefetch my pc starts using 50% time as before!
    Found the mbr solution in an Italian forum
    http://www.hwupgrade.it/forum/showthread.php?t=1715546
    looks like in Italy there are many similar cases.
    Cheers
    Mario

    1. Hi mario, you are right. GMER has updated their detection and removal tool on April 15. Many other security vendors did the same and, after they analyzed the trojan, they now provide updated protection tools… However just a word of caution: these updated tools will only work up until Mebroot changes again and then they are useless again… So far, TrustDefender has always picked up an infection based on our Forensics Engine :-)

  5. Hi admin, sorry if I mentioned your “competitors” here, but their fix is so easy and effective that I thought could be useful to many like me that have been infected because they do not use (yet) your products. When you see all your passwords and mail stored in a hidden file, well, you are scared and desperate, and any solution, even temporary, is welcome.
    Having said that, I have to thank you because 1) your article is very informative and 2) you were the first to point out that the trojan comes through acrobat reader files: just update acrobat reader and you are ok (for now).
    I also mentioned your article as a valuable source to many colleagues and on other security forums, and I hope this will help you forgive me.
    Keep up the good work!

    1. Hi mario, no worries. This blog is for technical information and any info that helps people is very much appreciated. So please do post this kind of info. Your info is very much appreciated. Thanks

  6. And I’ve got infected with a newer version of this virus and so far no tool has been able to detect it! I know it’s there, however, as I got informed by my network administrator that something is sending requests from my machine. I’ve tried everything and all detection tools fail. Any ideas?

  7. XP? Did you fixmbr the MBR?

    I, too, got a report from my ISP’s abuse desk. I found all of the symptoms listed above on one of my XP machines (had an unexplained reboot, rg4sfay existed and was opened by services.exe).

    I did the fixmbr routine and the cited signs are gone. But I just got another abuse email from my ISP. I can’t reach a human there to find out why/when this latest warning was triggered.

    Approaching max paranoia and running out of ideas how to proceed.

  8. Can someone explain if Mebroot will (or will not) run correctly under Windows 98? If Mebroot absolutely requires the presence of atapi.sys, svchost.exe or services.exe in order to function, then I can’t see how it can function on a win-98 system.
