After a few reports in the press around a new Malware that specifically targets Firefox users, we thought we have a more detailed look at this piece of malware.

In general, it only targets Firefox users. This fact will disturb many users that “escaped” Internet Explorer and switched over to Firefox for security reasons. It is long known that Firefox has with the XUL Interface and the Plugins a mechanism that is very similar to Internet Explorer’s BHO (Browser Helper Objects). In fact, the browser plugin is essentially just a DLL that can contain whatever content – including malicious one.

When we installed this component, the first interesting thing was that it will install itself silently without any user interaction or user notification. This is a bit disturbing as normally the Firefox User Design is quite well-thought through.

What this malware then does is as follows:

• It has a pre-compiled list of hostnames that it watches for. If the user goes to any of these websites, the malware will load the malicious DLL and inject HTML into the current Firefox page.
• This additional code will then steal any information they want, including username and passwords and other identity related information.
• The sample we analyzed affected 103 financial institutions worldwide, including 10 financial institutions in Australia.

Technical Details

After the malware is installed, it is actually visible as a plugin, however it has the innocent name “Basic Example Plugin for Mozilla”

It hooks into the XUL engine and “watches” the internet traffic for the URL’s it is interested and injects then HTML code.

Overall this malware is not anywhere as sophisticated as the top-class trojans like silentbanker, Sinowal, …, however it gets the job done. A few things are worth mentioning as they are quite unique:

• The malicious component (DLL) will only be loaded if the user goes to any of the URL’s the malware watches. This means that e.g. when you start Firefox, the system and all components are fine and the malware actually is not active in memory.
  
• Only when the user enters one of the affected financial institutions website, the malicious DLL is loaded.
  

How to check whether you are infected?

You can check whether you are infected by openin your Firefox Browser and clickin on the Tools-Menu and select “Add-ons”. Then select the last tab called “Plugins” and make sure that you do not have a plugin called “Basic Example Plugin for Mozilla – npbasic”.

If you see this, you can disable the plugin by clicking on “disable”.

All TrustDefender users are protected by default from this attack.

Overview

We were looking last week at a compromised computer that was infected with the Silentbanker.B variant and we could recover all relevant files including the installer.
Initially the Silentbanker Installer was executed as a drive-by-download and as the Antivirus Engine had no signatures for it, it could install itself.
After that, the Silentbanker Trojan will use a number of techniques to steal confidential information:

• It downloads encrypted configuration files from the internet to stay up-to-date with the policies
• It injects malicious HTML inside the current browser process to circumvent any browser based security solutions, including (EV-) SSL certificates, …
• It is a real-time Trojan that will transmit the stolen information instantly to circumvent any sandbox security solutions and 2-factor authentication devices. That also means that someone without your knowledge and without your approval is successfully authenticated. Even with a One-Time-Password.
• It uses userland-rootkit techniques to hide the malicious components from the harddrive to evade detection.

However in the end, the Silentbanker Trojan is a very sophisticated BHO (Browser Helper Object) that works only with the Internet Explorer.

TrustDefender customers were protected against this by design with the Safe&Secure Mode and the Secure Lockdown.

Technical Details
Once infected, the malicious BHO named mscorews.dll is loaded as a BHO from the Internet Explorer. However the interesting part is that once it is loaded, it will not be visible in the file system.

Even more: Once the component is loaded, it will hide the file from the Windows API thus making the file “invisible”. Also the malicious DLL cannot be located through traversal of the module list of the Internet Explorer. In some sense, it does neither exist in memory, nor on the disk. Pretty clever

If the user now browses to a banking website that is known to the Silentbanker Trojan, it will inject the malicious HTML code.

     

 

 

 

Now that the Trojan asks for addition private and confidential information from the user as opposed to the information the real bank login would ask. This information is collected and sent ‘in real-time’ to the C&C server located in Russia.

 

What happens if TrustDefender is deployed: With TrustDefender installed, when the customer logs in, we can also verify that the Secure Lockdown will successfully protect the user from having their confidential details stolen as the Silentbanker Trojan cannot send anything to anywhere (except the “real” SSL Certificate Fingerprints of Bank of America).

 

 

 

 

Note: Another interesting fact is that this Silentbanker Trojan specifically targets the TAN (One-Time-Passwords) implemented mostly by german banks. This shows that there is only so much you can do on the server side and a full security solution has to include the client.

The targeted banks for the TAN systems are: Postbank.de, Citibank.de, Deutsche-Bank.de, Norisbank.de, Seb-Bank.de, Fiducia.de (all Volks-/Raiffeisenbanken), Comdirect.de, 1822direkt.com, Haspa.de, Hypovereinsbank.de, Weberbank.de, Gad.de, Sparda.de, Mlp.de, Kaupthinedge.de, Psd-bank.de,

Unfortunately the virustotal results of the malicious Silentbanker Module is quite disastrous (only 7 out of 36 Antivirus Engines detected the Trojan) last week. (see http://www.virustotal.com/analisis/9e1c5e1c068fd0de61133594ca404519)

 

 

 

We were analyzing an interesting piece of malware today which is a recent mutation of the yaludle/silentbanker trojan with rootkit capabilities.

This rootkit is typically installed via drive-by downloads.

It targets financial institutions worldwide (with a focus on US, Germany, Spain, Australia) and as the silentbanker versions before, it can successfully cicrumvent Two-Factor-Authentication, which is why quite a few banks with 2FA solutions are targeted.

The trojan operates in two modes:

1. completely silent (this is typically for banks with just username/password) and just “uploads” the collected information in real-time in an encrypted way to a malicious host
2. it introduces dynamically (in real-time) malicious HTML elements into the banks website to collect additional information. This malicious HTML elements appear within the bank’s site, so nobody (not even security experts) can spot anything suspicious.

As we would have expected, virtually no Antivirus Engines were detecting this Rootkit (1/36, 2.78%, http://www.virustotal.com/analisis/756098da62febc1ae372f947e2b62184)

This is the original citibank site when someone tries to login with a wrong username/password (so no yaludle/silentbanker here) (click the image for bigger picture)

 

This is the citibank site in exactly the same scenario, this time yaludle/silentbanker is active. (Note the yellow padlock and the correct URL!!!) (click the image for bigger picture)

How to detect this Rootkit

This rootkit creates the following registry key and thus can be detected if this key is present

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionDrivers32
wave1 = "<RANDOM>1.CPX"

Also the <RANDOM>1.CPX file is present in the C:WINDOWSSYSTEMS32 directory.

TrustDefender

All TrustDefender users (most notably all of our enterprise customers) are protected as TrustDefender’s Secure Lockdown will make sure that no personal information will leave the computer as it will only allow internet requests to the banks website.

Also all TrustDefender users are also protected for all banks who are part of our Financial Trust Network (see http://www.trustdefender.com/lang-en/support-portal/knowledge-base/knowledge-base-article?id=50120000000DB0q)

more information

please contact us at support@trustdefender.com if you want to know if your financial institution is affected or you need more information.

When we recently got hold of a new “trick” to load a driver bypassing HIPS and security programs that block SYS drivers when they are loaded, we thought we give it a go…

While there is a bit of discussion whether this is actually a new mutation or the famous rustock.b rootkit, it looks more like a zlob variant.

Whatever the nomenclature, this piece of malware is very sophisticated in the way it infects your system and also in the way it works.

First of all, it bypasses HIPS and other security programs by using a little known trick that exploits loose security settings with a system wide cache of internal windows objects (KnownDlls). This enables the driver to be installed silently.

Secondly, this rootkit resides solely in kernel space and has no user mode component at all. It hooks into your google search and while you think you get to the search result, this rootkit controls the session and gives you content that you definitely don’t want to see… Pretty scary stuff, as nobody would realize that the google search page is infected!!!

But see yourself… Simply click on the screenshot below or click here to start the video.

P.S. you’ll also see how TrustDefender’s Kernel Forensics Engine will pick this up and how financial institutions can protect their customers _before_ anything bad happens…

We at TrustDefender Labs have seen a quite dramatic increase in so-called “Rogue Antivirus Enines“. These have been around for several years, but the sophistication to trick users to install them are mind-blowing…

We looked at a wsnpoem malware that served as a dropper for the adware called “XP Security Center”. Everything looks really authentic and even though the system was clean before, the adware will physically create random files and pretend they are malware… Then they harrass you to buy the XP Security center for $49.95 a year to get rid of them…

The lesson to be learned is that it gets harder and harder to distinguish legitimate and genuine software from fake and rogue software.

Have a look at a screencapture yourself… (click on the image to start the streaming video)

Back in January 2008, we looked at how the TrustDefender Kernel Forensics Engine can detect the Silentbanker Trojan and the Master Boot Record (MBR) virus.

Since then, many new variants of te same rootkits have been released and we thought we have a more detailed look into a new variant of the MBR Rootkit (Torpig)

Alarmingly we found that the wider Antirivus products do not pick up this variant (and possibly also earlier ones) more or less at all (!)

Almost not a single Antivirus Engine was detected the MBR/Torpig-Dropper when we got a sample. When we checked it first, 2 out of 33 (6%) of the Antivirus Engines detected some suspicious behavior (see Attachment 1).

The next day, only 11 out of 33 (33%) detected the threat with some of the big names still not protecting their customers like CA, McAfee, Sophos or Symantec. (see Attachment 2).”
This variant of the MBR/Torpig trojan is installed as a drive-by download which is triggered by some highly obscusfated Javascript Code. So, innocent users won’t even notice any download or installation, especially If they haven’t kept their Windows up-to-date. Even for those who are up-to-date or if they have accidently allowed the program to run, it’s game over.

 
Attachment 1 – Virustotal Result

 
Attachment 2 – Virustotal result next day

Attachment 3 – TrustDefender Kernel Forensics Dialog