All posts by abaumhof

The nastiest ebanking trojan mebroot just got nastier

As if the “old” mebroot trojan isn’t bad enough, the bad guys have released a new version of the highly successful e-banking trojan. And the bad news is that they changed a lot! Someone must have been busy over the last couple of months.

Basically the new version of Mebroot performs the same tasks and does the same damage as the previous versions that we have covered quite substantially on this blog before (see e.g. here and here).

However the big difference is that it is hiding in the system much better than before, to make sure that

  1. it can infect your system without you knowing, and
  2. it stays there as long as possible.

To reiterate: everything that was written about how to detect Mebroot is invalid and doesn’t apply anymore… No rg4sfay file in Windows\temp anymore, no reference to !win$… No detection with GMER’s special mbr.exe program, and GMER itself only lists a couple of detached threads… Nothing really suspicious…

This new version also has the most exhaustive list of banking and broking websites we have seen, with virtually all major financial institutions in Australia, the UK, the USA, Spain, Italy, Germany and more. But more and more non-bank websites are also part of this list, like partycashier.com (the online payment service of a popular poker site) and government sites like pay.gov (electronic payments to the US Government). To find out whether your financial institution is affected, please do get in touch with us (send an email to info@trustdefender.com).

Technical Details:

From a technical point of view, lots has changed in this version; however, the core is still the same: Mebroot injects itself into services.exe, which then also holds the configuration file and is in control of the update process to the C&C server.

However, everything is now encrypted. No plaintext files with the captured details anymore, no more plaintext internet requests. Everything is encrypted and, most importantly, all communication from the C&C server is encrypted as well. This effectively makes it impossible to sinkhole a Mebroot C&C server: the trojan would immediately see that the connection is not from a genuine Mebroot C&C server… Pretty clever…

In our case, two files were created in the c:\WINDOWS\TEMP folder, namely $$yt7.$$ and $$$dq3e. Neither file is visible in a directory listing, and they hold the encrypted version of the stolen data.

The code injection into the browser processes is done as before through IAT hooks, which TrustDefender’s Forensics Engine will pick up, and the ‘Safe&Secure Mode’ will automatically protect the user by isolating the web browser’s process.
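To make the detection idea behind the previous paragraph concrete, here is an added example (not TrustDefender’s code, nor anything taken from the trojan) of the simplest IAT hook check: every slot in a module’s Import Address Table should point into the image of the DLL the import was declared against, so a slot that points somewhere else is suspicious. A real scanner would read the IAT and module list out of the live browser process; the module map and IAT entries below are constructed sample data with made-up addresses, and the names `find_iat_hooks`, `Module` and `IatEntry` are this example’s own.

```python
"""Offline illustration of an IAT hook check on constructed data (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """A loaded module and the address range its image occupies (constructed)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class IatEntry:
    """One Import Address Table slot as seen in the process (constructed)."""
    dll: str        # DLL the import was declared against, e.g. "wininet.dll"
    function: str   # imported symbol name
    target: int     # address currently stored in the IAT slot


def find_iat_hooks(entries, modules):
    """Return (entry, reason) pairs for slots that do not point into their own DLL.

    An unhooked import resolves into the exporting DLL's image. A slot that
    points into unbacked memory or into a different module is what an inline
    IAT hook typically looks like from the outside.
    """
    by_name = {m.name.lower(): m for m in modules}
    suspicious = []
    for e in entries:
        owner = by_name.get(e.dll.lower())
        if owner is None:
            suspicious.append((e, "imported DLL is not mapped in the process"))
            continue
        if owner.contains(e.target):
            continue
        backing = next((m.name for m in modules if m.contains(e.target)), None)
        reason = (f"slot points into {backing} instead of {owner.name}"
                  if backing else "slot points into memory not backed by any module")
        suspicious.append((e, reason))
    return suspicious


# Constructed module map: base addresses and sizes are invented for the example.
SAMPLE_MODULES = [
    Module("browser.exe", 0x00400000, 0x00200000),
    Module("kernel32.dll", 0x7C800000, 0x000F6000),
    Module("wininet.dll", 0x771B0000, 0x000AA000),
]

# Constructed IAT snapshot: two clean slots and one that was redirected into a
# region no module owns (the pattern a hook placed by injected code produces).
SAMPLE_IAT = [
    IatEntry("kernel32.dll", "CreateFileW", 0x7C810CD9),
    IatEntry("wininet.dll", "HttpSendRequestA", 0x771C3F20),
    IatEntry("wininet.dll", "InternetReadFile", 0x00D31000),
]


def report(entries=SAMPLE_IAT, modules=SAMPLE_MODULES):
    """Human-readable lines for each suspicious slot; empty list means clean."""
    return [f"{e.dll}!{e.function} @ 0x{e.target:08X}: {why}"
            for e, why in find_iat_hooks(entries, modules)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Two caveats a practitioner will hit on a real system: the module list must come from the same process and moment as the IAT snapshot (a stale map produces false positives), and some imports legitimately resolve outside the declared DLL because of export forwarding (kernel32 forwarding to ntdll is the classic case), so a production check needs a forwarder-aware allowlist rather than treating every out-of-module slot as a hook.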


So again, all TrustDefender users, and all financial institutions and enterprises that are employing the TrustDefender Enterprise Server, are fully protected against this attack.

Analysis of stolen data through Torpig (deployed through Mebroot/MBR/Sinowal)

We have posted some technical analysis of the Mebroot/MBR/Sinowal trojan lately, and while we at TrustDefender Labs focus quite heavily on the analysis of the trojans and infection vectors themselves on the client side, researchers at the University of California looked at the data the attackers received on the server side. This complements our research quite nicely, as it provides hard facts on how successful those attacks are and how much data the bad guys actually receive.

Researchers at the Security Group, Department of Computer Science, University of California, Santa Barbara, released a very interesting paper, “Your Botnet is my Botnet: Analysis of a Botnet Takeover” (see http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html).

In this paper the security researchers “infiltrated” the Torpig C&C network for a period of 10 days, and their results are nothing less than astonishing.

In the 10 days, the sinkholed C&C server collected almost 70GB of data. This data included stolen credentials from 52,540 different infected machines, which sent some 297,962 unique credentials (username/password), including credentials for 8,310 bank accounts at 410 different financial institutions. Furthermore, the data included more than 11 million HTTP(S) form data submissions, 1,258,862 email accounts, 1,235,122 Windows passwords, …

[Figure: stolen data by type]

Key quotes from the original text are:

The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).

The most common cards include Visa (1,056), MasterCard (447), American Express (81), Maestro (36), and Discover (24).

While 86% of the victims contributed only a single card number, others offered a few more. Of particular interest is the case of a single victim from whom 30 credit card numbers were extracted. Upon manual examination, we discovered that the victim was an agent for an at-home, distributed call center. It seems that the card numbers were those of customers of the company that the agent was working for, and they were being entered into the call center’s central database for order processing.

And, very interestingly, they also looked at the financial implications of this:

Quantifying the value of the financial information stolen by Torpig is an uncertain process because of the characteristics of the underground markets where it may end up being traded. A report by Symantec [37] indicated (loose) ranges of prices for common goods and, in particular, priced credit cards between $0.10–$25 and bank accounts from $10–$1,000.

If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83k and $8.3M.

Also, a Torpig server was seized in 2008, resulting in the recovery of 250,000 stolen credit and debit cards and 300,000 online bank account login credentials [31].

For more on the botnet hijack, check out UC Santa Barbara’s Torpig project page. It was also featured on Slashdot.