Silentbanker reloaded

indepthreport-availableIt’s been a while since we last looked at and analysed a Silentbanker Trojan in October 2008 and we have written about it on our blog at http://www.trustdefender.com/blog for some time.

The last couple of weeks/months have been quiet for Silentbanker, but now Silentbanker is back in action, very alive and kicking. We now have another detailed look at these new variants, how they now operate and how they have continued to evolve from last year.

The interesting fact is that it hasn’t evolved that much and they haven’t included too many new features. This is partly because the Silentbanker Trojan has already an impressive list of features, including HTTP(S) form sniffing, network tracing, session hijacking and html web injection capabilities.

The Silentbanker Trojan will only affect Internet Explorer and not any other Browsers as it is implemented as a Browser-Helper-Object (BHO).

However compared to the new top dogs who have stepped up the pace and gained extensive publicity such as Zeus, Mebroot/Torpig or Clampi, it seems nowadays the Silentbanker Trojan is a fairly average sophisticated Trojan, as Silentbanker only employs basic rootkit techniques, uses no encryption for upload of the stolen data and has a fairly basic C&C infrastructure. This – however – doesn’t mean that Silentbanker is not up to the task. It just shows how much innovation the bad guys have shown for the other Trojans.

But as the Silentbanker Trojan is completely silent and won’t slow down the computer at all, most users will not find any suspicious behaviour and we assume that it was very effective especially in its first couple of weeks of operation.

In conclusion, it becomes pretty obvious that the Silentbanker Trojan has fallen behind the likes of Mebroot/Torpig, Clampi or Zeus in terms of sophistication. While this may be perceived as good news, the bad news is that this means that the employed techniques still work and on top of that that the creators will for sure enhance the Silentbanker Trojan in the future. Watch this space…

Installation

We analysed the Silentbanker dropper with MD5 of e1e2b3389dd2e020ae2783b8c6c80a08 which had a Virustotal detection of 12/41, 29.27% (http://www.virustotal.com/analisis/112946f35cf76ed853b44aeaf837cc5c9ad15722e46637e3af1f82b4b122f41b-1252598004)

The inner workings haven’t changed too much from the Silentbanker Trojans we analysed around the same time last year in October 2008.
The dropper will install a Brower-Helper-Object (BHO) and register its payload dll into the Internet Explorer. The payload was in our case mscorewr.dll (in c:windowssystem32 folder) with a Virustotal detection of 9/41, 21.95% (http://www.virustotal.com/analisis/7b062ddb9dbc50cea53b98df892d4ceac003ece8551976085bd7ff57d5a5c664-1252582306).

The Silentbanker Trojan comes with a hard-coded C&C server which in our case was businessrest.cn (190.183.60.82).

Usermode hooks

Once the Silentbanker Trojan is active in memory (basically when the Internet Explorer starts), it will setup export hooks, so that it gets access to all transmitted internet traffic and to much more information.
Now, all sophisticated Trojans will hook core windows functions to compromise the system. Our Silentbanker Trojan hooked (or redirected) among others the following core windows functions: (full details available in the in-depth report)

  • HttpOpenRequestA/W
  • HttpSendRequestA/W
  • InternetConnectW
  • InternetReadFile
  • InternetReadFileExA/W
  • InternetWriteFile
  • CommitUrlCacheEntryA/W

As you can see, it basically hooks all Internet related functions to get access to the Internet Traffic (even though it might be encrypted with SSL or EV-SSL!)

These usermode hooks enable the Trojan to do its dirty work.

HTML Web injection

The Silentbanker Trojan has also the capability to inject any arbitrary HTML code into a website and it makes use of this mainly to get additional information from the user. The disturbing fact is however that this is also possible with HTTPS together with EV-SSL certificates. This way, the website looks legitimate from all angles. The URL is correct, the SSL certificate is fine and the green bar is shown. The reason is that the website actually comes from the legitimate site; however the Silentbanker Trojan will locally inject its malicious HTML code to the site. The code depends for each financial institution and is part of the configuration file.

A few examples are:

winject1

winject2

How to detect the Silentbanker Trojan

As the Silentbanker Trojan is a Browser-Helper-Object (BHO), you’ll see it appearing in the “Manage Add-ons” option of the Internet Explorer (From the Menu, choose “Tools” and then “Manage Add-ons”).
In our case the Trojan was called “mscorewr” and pretended to be a “Macrovision” component.

How TrustDefender protects you

As you would expect, TrustDefender protects you against Silentbanker from the very first second. TrustDefender employs a defence-in-depth strategy, and we are happy to say that every single component alone will protect you against Silentbanker.

  • Malicious BHO
    TrustDefender will automatically protect you from malicious Browser-Helper-Objects and makes sure that those components cannot penetrate the current session
  • Usermode Hooks
    As described before, this is how Silentbanker will get access to all its information. TrustDefender’s Forensics Analysis will pick up these hooks and disables these hooks for the current session
  • Secure Lockdown
    As Silentbanker works in realtime and will send the stolen credentials to its C&C server at the time of login, TrustDefender will automatically block this request as the Secure Lockdown will only allow internet requests that are associated with the current webservice (e.g. online bank).

Further Information

Further information can be obtained from the team at TrustDefender Labs. Just email us at labs@trustdefender.com.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>