The nastiest ebanking trojan mebroot just got nastier

As if the “old” mebroot trojan isn’t bad enough, the bad guys have released a new version of the highly successful e-banking trojan. And the bad news is that they changed a lot! Someone must have been busy over the last couple of months.

Basically the new version of Mebroot performs the same tasks and does the same badness as the previous versions that we have covered quite substantially on this blog before (see e.g. here and here).

However, the big difference is that it hides in the system much better than before, to make sure that

  1. it can infect your system without you knowing
  2. it stays there as long as possible

To reiterate: Everything that was previously written about how to detect Mebroot is invalid and no longer applies… No rg4sfay file in Windows\temp anymore, no reference to !win$… No detection with GMER’s special mbr.exe program, and GMER itself only lists a couple of detached threads… Nothing really suspicious…

This new version also has the most exhaustive list of banking and broking websites we have seen, with virtually all major financial institutions in Australia, the UK, the USA, Spain, Italy, Germany and more. But more and more non-bank websites are also part of this list, like partycashier.com (the online payment service of a popular poker site) and government sites like pay.gov (electronic payments to the US Government). To find out whether your financial institution is affected, please do get in touch with us (send an email to info@trustdefender.com).

Technical Details:

From a technical point of view, a lot has changed in this version; however, the core is still the same. Mebroot injects itself into services.exe, which then also holds the configuration file and controls the update process with the C&C server.

However everything is now encrypted. No plaintext files anymore with the captured details, no more plaintext internet requests. Everything is encrypted and most importantly all communication from the C&C server is encrypted as well. This effectively makes it impossible to sinkhole a mebroot C&C server. The mebroot trojan would immediately see that the connection is not from a genuine mebroot C&C server… Pretty clever…

In our case, two files were created in the c:\WINDOWS\TEMP folder, namely $$yt7.$$ and $$$dq3e. Neither file is visible in a directory listing, and they hold the encrypted version of the stolen data.

The code injection into the browser processes is done as before through IAT hooks, which TrustDefender’s Forensics Engine will pick up, and the ‘Safe&Secure Mode’ will automatically protect the user by isolating the web browser’s process.


So again, all TrustDefender users and all financial institutions and enterprises who are employing the TrustDefender Enterprise Server are fully protected against this attack.

Analysis of stolen data through Torpig (deployed through Mebroot/MBR/Sinowal)

We have posted some technical analysis of the Mebroot/MBR/Sinowal trojan lately, and while we at TrustDefender Labs focus quite heavily on the analysis of the trojans and infection vectors themselves on the client side, researchers at the University of California looked at the data they received on the server side. This complements our research quite nicely, as it provides hard facts on how successful those attacks are and how much data the bad guys actually receive.

Researchers at the Security Group, Department of Computer Science, University of California, Santa Barbara released a very interesting paper, “Your botnet is my Botnet: Analysis of a Botnet Takeover” (see http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html).

In this paper the security researchers “infiltrated” the Torpig C&C network for a period of 10 days, and their results are nothing less than astonishing.

In the 10 days, the sinkholed C&C server collected almost 70GB of data. This data included stolen credentials from 52,540 different infected machines, which sent some 297,962 unique credentials (username/password), among them credentials for 8,310 bank accounts at 410 different financial institutions. Furthermore, the data included more than 11 million HTTP(S) form data entries, 1,258,862 email accounts, 1,235,122 Windows passwords, …

[Figure: stolen data types]

Key quotes from the original text are:

The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).

The most common cards include Visa (1,056), MasterCard (447), American Express (81), Maestro (36), and Discover (24).

While 86% of the victims contributed only a single card number, others offered a few more. Of particular interest is the case of a single victim from whom 30 credit card numbers were extracted. Upon manual examination, we discovered that the victim was an agent for an at-home, distributed call center. It seems that the card numbers were those of customers of the company that the agent was working for, and they were being entered into the call center’s central database for order processing.

And, very interestingly, they also looked at the financial implications of this:

Quantifying the value of the financial information stolen by Torpig is an uncertain process because of the characteristics of the underground markets where it may end up being traded. A report by Symantec [37] indicated (loose) ranges of prices for common goods and, in particular, priced credit cards between $0.10–$25 and bank accounts from $10–$1,000.

If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83k and $8.3M.

Also, a Torpig server was seized in 2008, resulting in the recovery of 250,000 stolen credit and debit cards and 300,000 online bank account login credentials [31].

For more on the botnet hijack, check out UC Santa Barbara’s Torpig project page. Also featured on Slashdot.

New Mebroot/Sinowal/MBR/Torpig variant in the wild – virtually undetected and more dangerous than ever

Mebroot/Sinowal/MBR/Torpig has been active since the end of 2007 and is one of the most sophisticated and also one of the most successful trojans of our time (see Wikipedia – http://en.wikipedia.org/wiki/Mebroot).

Since then, Mebroot has undergone quite a few major advancements, and we looked at Mebroot in great detail before (http://www.trustdefender.com/blog/2009/01/07/mbrmebrootsinowaltorpig-is-back-%e2%80%93-better-than-ever/), analyzing the techniques it uses, the flaws of the current protection systems, and how TrustDefender provides protection.

However, since March 26, 2009 we have been seeing a completely new variant with major “improvements” or “enhancements” and a clear focus on staying undetected. It defeats all detection tools and methods in place today (e.g. GMER has provided a technical analysis with a detection/removal tool here; however, it is useless against this new variant). Your current antivirus solutions are almost all ineffective: Christian Donner wrote in his blog how he got infected even though he runs an on-access scanner and full scans from 3 different well-known AV vendors. His special Linux boot CD with Kaspersky, Avira Antivir and Bitdefender didn’t detect anything! (http://cdonner.com/mebroot-root-kit-infection.htm)

We were analyzing one of the many drive-by-downloads of this new mebroot variant which has policies for 298 financial institutions, 44 of which are here in Australia and include 1st, 2nd and even the 3rd tier financial institutions as well as pretty much all backend banking service providers.

Technical Details

Infection

As we know, Mebroot is mainly deployed through a drive-by-download when you visit “everyday” websites. We also know that the perpetrators behind Mebroot have lots of compromised FTP accounts available to compromise innocent websites. However, being very professional and focused on staying under the radar, they only use as many as they require to achieve their success rate.

The sample we looked at was delivered via an exploit for the recent Adobe vulnerability (which was unfixed for almost 4 weeks!).

As you can see in the screenshot, there is a mysterious 20.tmp process running. This process will infect the Master-Boot-Record and trigger an automatic reboot of the machine after approx 10 minutes in our case.

Infected System

Mebroot will install Torpig as payload and Torpig is by far the nastiest thing we have ever seen. Generally, it:

  • will steal login and other personal or confidential details from banking websites
  • can inject any HTML content into any website (whether or not the website is encrypted, with or without EV-SSL) without detection
  • can capture CAPTCHAs and compromise virtual keyboards
  • can use the information in real-time to defeat One-Time-Passwords
  • has configuration files for many banking sites so that it knows exactly what to look out for
  • is incredibly hard to detect
  • works system-wide and therefore any browser is affected. (Yes, you heard right. Firefox and Chrome users are also affected)

So how does it work?

Well, we are still reverse-engineering and analyzing the trojan in detail; however, after infecting the Master-Boot-Record, it employs a complicated mechanism to inject itself into the ATAPI hard drive driver, and from there into core Windows components (svchost.exe and services.exe), which then hook/redirect the functions that all processes use for Internet transmissions. What’s important is that your web browser (Internet Explorer, Firefox, Opera, Chrome, …) is infected and doesn’t even know it!

[Screenshot: user-mode hooks]

For example, HttpOpenRequest and HttpSendRequest are called whenever Internet data is transmitted (regardless of whether it is encrypted or not!).

So what does Mebroot/MBR/Torpig do?

As said before, it is after your login credentials and personal information and the ability to manipulate this data either in real-time or use at a later date. It will either simply steal your data directly as it is typed or inject HTML code into the banking website to gather additional information.

1) Steal authentication data (including defeating virtual keyboards)

The stolen data is stored locally in a file (c:\windows\temp\rg4sfay in our case), and the trojan then transfers this file to the malicious hosts.

Here is an example with Firefox and a well-known banking site:

[Screenshot: keylogging example]

Another example with a banking site that is using a virtual keyboard (note that Torpig easily gets the password from the virtual keyboard):

[Screenshot: keylogging with virtual keyboard]

2) Inject HTML Code into the banking website to steal additional data

See below two examples of banking services where additional information is requested. As these forms appear after the customer has logged in and come from an apparently trusted site, the success rates for the perpetrators of this trojan are much higher than ever before.

[Screenshot: HTML injection example 1]

and from another well-known banking provider:

[Screenshot: HTML injection example 2]

How does this Trojan work?

As mentioned above, we are still reverse-engineering this Trojan to gather all the details; however, once the master-boot-record is infected, this Trojan injects itself into various kernel drivers (atapi.sys in this case). This injection is only done in memory, and no malicious components are ever written to the hard drive. This is why detection by antivirus engines is so low.

However, as Torpig wants to steal data from your web browser process, it hooks key functions of the web browser process by patching the Import Address Table (IAT).
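The IAT check just described reduces to an address-range test: every IAT slot in the browser process should point into the image of the DLL that exports that function. The Python below is an added example, not TrustDefender's code; instead of parsing a live PE image it runs the test over a constructed snapshot of a browser's module map and IAT (all addresses are made up), in which one wininet.dll import has been redirected to unbacked memory and one kernel32.dll import points into the wrong module.

```python
import bisect
from typing import List, NamedTuple, Optional, Tuple


class Module(NamedTuple):
    name: str   # module file name as loaded in the process
    base: int   # image base address
    size: int   # size of the mapped image


class IatEntry(NamedTuple):
    dll: str     # DLL named in the import descriptor
    func: str    # imported function name
    target: int  # pointer currently stored in the IAT slot


def module_for(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the loaded module whose image contains addr, or None when the
    address is not backed by any module (e.g. a private allocation).
    `modules` must be sorted by base address."""
    bases = [m.base for m in modules]
    i = bisect.bisect_right(bases, addr) - 1
    if i >= 0 and modules[i].base <= addr < modules[i].base + modules[i].size:
        return modules[i]
    return None


def check_iat(iat: List[IatEntry], modules: List[Module]) -> List[Tuple[IatEntry, str]]:
    """Flag IAT slots whose pointer does not resolve into the image of the DLL
    that exports the function. Returns (entry, reason) pairs."""
    modules = sorted(modules, key=lambda m: m.base)
    findings = []
    for entry in iat:
        owner = module_for(entry.target, modules)
        if owner is None:
            findings.append((entry, "points into memory not backed by any module"))
        elif owner.name.lower() != entry.dll.lower():
            findings.append((entry, f"points into {owner.name} instead of {entry.dll}"))
    return findings


# Constructed snapshot of a 32-bit browser process (addresses are invented).
MODULES = [
    Module("kernel32.dll", 0x7C800000, 0xF6000),
    Module("wininet.dll", 0x771B0000, 0xAA000),
    Module("firefox.exe", 0x00400000, 0x2A000),
]

IAT = [
    IatEntry("wininet.dll", "HttpOpenRequestA", 0x771C3F10),  # legitimate
    IatEntry("wininet.dll", "HttpSendRequestA", 0x00B70000),  # hooked: private memory
    IatEntry("kernel32.dll", "CreateFileW", 0x771C0AB0),      # hooked: wrong module
    IatEntry("kernel32.dll", "WriteFile", 0x7C810E27),        # legitimate
]


def scan_snapshot() -> List[Tuple[IatEntry, str]]:
    """Run the IAT check over the constructed snapshot."""
    return check_iat(IAT, MODULES)


if __name__ == "__main__":
    for entry, reason in scan_snapshot():
        print(f"{entry.dll}!{entry.func}: {reason}")
```

On a real system some kernel32.dll exports are forwarders that legitimately resolve into ntdll.dll, so a production checker needs an allowlist of known forwarded exports to avoid false positives.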

How can this Trojan be detected?

Well, as you would have guessed, Antivirus detection is almost zero for this new variant. This applies to the dropper/installer as well as to the payload. In fact I haven’t seen a single Antivirus Engine so far that can detect that Torpig is active.

You can detect this trojan as follows (no guarantee, as this may change frequently):

  • did your computer restart without warning or bluescreen?
  • open the command prompt (cmd.exe) and go to the c:\WINDOWS\TEMP directory. Now execute “notepad rg4sfay” and, if infected, you’ll see the stolen content. Please note that this file is hidden and won’t be shown in Windows Explorer.
  • download Process Explorer from Sysinternals, click on “services.exe” and check the open file handles (in the listbox below) for
    • any file references to WINDOWS\TEMP…
    • a file reference to !win$

However the best way to detect whether you are infected is to download TrustDefender and check the computer manually. As TrustDefender’s Forensics Engine will check the IAT of your browser processes, TrustDefender can easily detect Mebroot/Torpig and also protect you from it.

The trojan can be removed by using the Windows Recovery Console as described e.g. here: http://www.precisesecurity.com/threats/bootmebroot/

How does TrustDefender protect you from Mebroot?

Naturally, TrustDefender provides automatic protection against Mebroot for all customers of financial institutions that are part of our GAP Protection and for all financial institutions that are part of the Financial Trust Network.

TrustDefender’s Forensics Engine will pick up the “hooked” Windows functions in the web browser’s process and will enable a safe&secure Internet transaction by disabling the trojan for the current transaction.

[Screenshot: Forensics Engine]

As long as you see the TrustDefender GAP Window and the Safe&Secure Mode is activated, you are safe.

[Screenshot: GAP window]

Additional Information / Is your Financial Institution affected?

For more detailed information and to find out whether your financial institution is affected, please feel free to contact us via email at info@trustdefender.com or directly via phone.

Banking Malware (BankPatch.C) shows that the bad guys are extremely innovative

We often get into situations where people think that the “bad guys” are script kiddies who do this for fun. Every malware analyst will tell you that the innovation on the wrong side of the fence is astonishing…

Anyway, let’s have a look at one of the latest examples of such innovation: Bankpatch.C.

Bankpatch is a fairly “old” trojan which first appeared at the beginning of 2007. However, Bankpatch.C, which was released from September 2008 through to February 2009, has some major enhancements.

Generally, Bankpatch.C is a banking trojan designed to compromise online banking transactions. It waits silently on the consumer or corporate computer until it finds an Internet request it is interested in (a targeted website it has policies for) and then comes to life. It then has the ability to steal your login details, but also to dynamically inject HTML into the existing login form to capture whatever information they require. Alarmingly, HTML can be injected into a secured SSL website without the computer’s security software or the website owner becoming aware that it has been compromised.

This is also one of the “real-time” trojans that have the potential to act in real time to compromise One-Time-Passwords (OTP), as it intercepts the OTP before it is used to authenticate the account holder as they access the banking website.

Another avenue is deploying targeted payloads depending on the web services used. The most widely used payload is a BHO (Browser Helper Object) called Infostealer.Nadebanker.

Symantec has written about Bankpatch here and it received a bit of press. Michael Hale Ligh has a very good technical writeup with standalone detection tools here.

From a technical point of view, the most interesting part of Bankpatch.C is that it uses an interesting approach to “rootkit” the machine, i.e. to stay undetected. After the initial infection, Bankpatch.C will “patch” (change) three core Windows files and inject its own malicious code into these system files. Therefore Bankpatch.C is not even present on the system as an individual file/process/software.

So how does Bankpatch accomplish this?

First of all, Bankpatch will disable the Windows File Protection (WFP) that is designed by Microsoft to make sure that no-one changes core windows files. Good to know that WFP can easily be disabled!!!

After this is done, Bankpatch will modify the following three core windows files through Position Independent Code (PIC)

  • kernel32.dll
  • wininet.dll
  • powrprof.dll

Through patching these files, Bankpatch.C now has full control over

  • any file that is created, opened, written or closed (through patching kernel32.dll)
  • any Internet connection that is opened, and any web traffic that comes in or leaves the computer, whether encrypted or not (through patching wininet.dll)
  • with these functions, the trojan has pretty much full control over the machine!

Antivirus detection seems to be very low, and one problem that we constantly face is that once the system is infected, virtually no antivirus engine can detect that the system is compromised. There is no malicious software running on the system, no process, no nothing… However, nobody seems to notice that core Windows functions are not how they should be!!!

TrustDefender will detect BankPatch.C in two ways (defense-in-depth):

  1. through our whitelisting approach, TrustDefender detects that the core system libraries are NOT the legitimate ones
  2. through our forensics analysis, TrustDefender detects that from a forensics point-of-view, these three files are suspicious.

In summary, BankPatch.C is a testament to some excellence from the bad guys, and it further indicates what we all know: they are getting smarter and smarter.

The lesson to be learnt is that we (the good guys) need to be smarter and smarter as well and we need more innovative approaches like our kernel forensics engine.

Banking malware at its best: A detailed look at a new Zeus/Wsnpoem (Zbot) variant

I can’t believe that we haven’t blogged about Zeus/Wsnpoem yet, as it is one of the more common trojans targeting media and social networking websites and especially financial institutions worldwide, and has been for more than 3 years now. We have seen the technology improving throughout this period. It steals users’ private and confidential information (form grabber), can inject arbitrary HTML code into any website (including encrypted websites), can steal certificates and takes screenshots to defeat virtual keyboards, especially those still commonly used by financial institutions today.

In addition to its business features, Zeus/Wsnpoem continues to be enhanced and is one of the most advanced trojans from a technical point of view as well. The most important reasons are:

  • incredibly hard to detect once a system is infected (see below)
  • easy to use backend system provided
  • easy to configure by simple (but encrypted) configuration files.

So let’s have a detailed look what this trojan is doing.

Overview

Quite often, a Zeus trojan is simply delivered via a spam email (e.g. a UPS invoice), and once the dropper is executed, it injects itself into key Windows components. This means that the trojan is not visible at all (e.g. in Task Manager), and all Internet communication is performed by the “authentic” processes. This way the trojan can get past any firewall as well.

It installs itself (ntos.exe) into the Registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit) to make sure it is started every time Windows starts. The initial ntos.exe process injects itself into winlogon.exe (a core Windows process) and spreads from there into every single process. The files on the hard drive are protected with rootkit features so they are not visible in Windows Explorer. Altogether, it’s incredibly hard even for security professionals to detect whether the system is compromised!!!

A very detailed, very technical and very interesting study of one of the early variants of this trojan by Lance James and Michael Ligh can be found here: http://www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf. Even though this study is from 2006, most of the technical details are still valid and the paper is still current. As you would expect though, we have seen quite a bit of technical improvement.

Technical Details

The sample we looked at was MD5=8f5668c69fb4924ba15313dcf87f4d42, and according to Virustotal only 5 out of 38 engines detected this dropper (http://www.virustotal.com/analisis/45625ba20a8d6e4c79cd10658efa9da8). Unfortunately we see this with almost all sophisticated trojans. The detection for new threats is way too low.

As discussed before, the trojan is visible neither as a user process nor as a system driver:

[Screenshot: process and driver lists showing nothing suspicious]

The only way to detect this trojan is to look at hooked system functions:

[Screenshot: hooked system functions]

Our sample targeted 279 financial institutions, including 36 financial institutions in Australia (first, second and third tier), including 3 of the four major Australian suppliers of banking backend services to mostly second and third tier financial institutions.

For a full list, please contact us at info@trustdefender.com

A normal user will not notice anything suspicious during an Internet banking session. The trojan does all its work in the background; our sample was very well written, and we did not experience a single crash and could not notice any slowdown of the system at all! The Trojan then sends the captured information to the C&C server, where this information is typically on-sold. So the fraudsters who compromise the accounts are in most cases not identical with the fraudsters who steal your money! A fact that makes life for law enforcement around the world very tricky.

How TrustDefender protects the user

TrustDefender will ‘detect’ and ‘successfully protect’ the user from any known Zeus/wsnpoem/zbot infection, as TrustDefender detects the system file hooking and, with its secure lockdown, isolates any potential malicious code (including the hooked code). If implemented by the financial institution, TrustDefender enables the financial institution to notify and provide feedback to the user within the login page based on the security health of the user’s computer and within a web 2.0 environment… most importantly before the customer puts in his or her confidential details, i.e. ID, password, 2nd factor security code.


If you opt to view the details, you can see that TrustDefender detects the system hooks as part of its forensics engine:

[Screenshot: kernel forensics details]

However the most important part is not the details, the most important part is that ‘all TrustDefender users and those customers of financial institutions deploying TrustDefender are protected by default and by design’ – straight out of the box! No need to do anything. Let TrustDefender do the hard part.

However as always: Even though TrustDefender protects you from the attack, we believe in defence in depth and we recommend cleaning an infected system as soon as possible.

Are you infected? Removal

As the Trojan is almost impossible to detect from its files, the best way to see whether you are infected is to check the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit. Make sure that there is no ntos.exe in here. If there is, you are infected!!!

A complete removal is quite tricky as the files are rootkit-protected and cannot be easily deleted. However you can disable the trojan by removing the ntos.exe part (just that part!) in the above mentioned registry key. After a restart, the trojan will not be active. However the malicious files (protected by the rootkit) are still on the computer. In addition, the above mentioned study provides removal instructions in chapter 16.

Furthermore you can contact us at TrustDefender for more detailed information at info@trustdefender.com.

MBR/Mebroot/Sinowal/Torpig is back – better than ever

Just in time for Christmas 2008, we have been seeing a new wave of our old friend the MBR/Mebroot/Sinowal/Torpig rootkit. This is one of the nastiest rootkits the world has ever seen – with only one goal: To steal people’s money and their identity. The MBR rootkit has been covered heavily in our Kernel Forensics Whitepaper and as there have been so many improvements of this rootkit, we will revisit a few of them here in this blog.

It is quite heavily distributed through drive-by-downloads via Neosploit, which is a very advanced exploit framework for compromising website visitors. The whole distribution method is one of the most advanced and well-thought-through processes.

First of all, it employs geographic IP checking so that they can control specifically who will be targeted. This way they can target specific geographic locations, but could potentially also target home users, making life harder for security professionals. In our case, we couldn’t get infected from Australia, but were easily infected from Germany!

Secondly, after infection, the loader will “sleep” for a random period of time before anything happens. In our case, we had to wait approx. 6 minutes before the Master-Boot-Record was changed. This was clearly done to fool security researchers and automatic malware testing tools (as they would execute the loader and not see any activity at all!!!)

Thirdly, as with all MBR/Mebroot infections, the malicious code will only run AFTER a reboot, as the loader just infects the Master-Boot-Record. It is not until the next reboot that the whole Mebroot boot sequence begins.

The boot sequence is a complicated, seven step procedure and will ensure that the computer will be infected without any malicious process or component even running on the system. This is possible because Mebroot has full control over the boot sequence of Windows.

But how can Mebroot/Sinowal do their dirty work without a malicious component? Well, because Mebroot/Sinowal controls the boot sequence, it can inject the malicious code into existing/legitimate Windows components. It will “hook” key functions that Internet Explorer uses to do its day-to-day job, like sending and receiving data and encrypting that data. Yes, you are right: Mebroot/Sinowal does have full control over the encrypted data stream, as it has access to it before it is encrypted and after it has been decrypted. The picture below shows the key parts where code was injected – mainly into explorer.exe and iexplore.exe (Internet Explorer):

[Screenshot: hooked functions]

This is also the reason why the rootkit is so invisible – simply because there is no malicious component of its own running. An infected computer with Norton 2009 running will not detect anything, even with a full computer scan.

[Screenshot: Norton Internet Security 2009 full scan]

But how does Mebroot/Sinowal actually work from a user’s perspective?

Well, as Mebroot/Sinowal has full control over the Internet session, it dynamically injects its own malicious HTML code into the banking website to either steal existing information or to steal additional information. This is typically done after the user is logged in to what is, for all intents and purposes, the authenticated secure banking website, and therefore almost all users will be deceived, as they are sure that they are not at a phishing site.

Please note: The user is actually at the right site. The SSL certificate is correct and valid. You even see the green bar from your SSL EV certificate, however the content is injected locally by the Trojan. Below are two screenshots from Bank of America and Citibank where the Trojan injects its own HTML to get additional personal information from the user.

Technical Details

As always on this blog, we will provide some technical background and show what it looks like from a user’s point of view. A full technical description of Mebroot/Sinowal is available here: http://web17.webbpro.de/index.php/analysis-of-sinowal (thanks to Peter Kleissner)

We analyzed the following sample on Jan 5, 2009 and, according to Virustotal, only 8 out of 38 antivirus engines detected this Mebroot/Sinowal sample (http://www.virustotal.com/analisis/fe95bd3e4e26a22c8be7b6f1ead6bcec). None of the big antivirus engines like F-Secure, McAfee, Sophos or Symantec detected it. At least Trend Micro’s heuristic engine came up with the name “Cryp_Xed-3”.

What are the Antivirus Engines doing?

This brings me to one of the main points of this post. “What on earth are the Antivirus Engines doing?” As always, we were doing our analysis on a clean machine without Antivirus Engine to see what the virus is doing.

However, we couldn’t believe our eyes when we retested with Norton Internet Security 2009 running and it did just nothing. Norton Internet Security 2009 is one of the best antivirus engines, with a fast scanner, a nice user interface and good protection; however, it did just nothing!!! The Mebroot/Sinowal installer successfully infected the Master-Boot-Record; after a restart, the machine was compromised and NIS 2009 was just silent. (Note: We really do not want to single out Norton 2009 here. As stated above, we think it’s one of the best products and many people we know use it, and for good reason. However, you can imagine what the situation looks like for less advanced products like any of the free antivirus products used by consumers today.)

[Screenshot: Norton 2009 reporting the site as approved]

Side Note: This picture illustrates another problem of many “phishing” protection tools. I don’t think that the page as it is displayed belongs to the company represented…

Movie / TrustDefender

TrustDefender will successfully protect the user from this attack by default. TrustDefender will alert you that your Windows kernel has been compromised and will automatically secure the Internet banking transaction regardless.

We have put together a little screen capture movie that demonstrates how Mebroot/Sinowal successfully infects a customer’s PC even with Norton 2009 installed, and how TrustDefender protects this user during a Bank of America session.

Please note: In this movie, TrustDefender does not run in quiet mode for this transaction with Bank of America as the TrustDefender Enterprise Server is not integrated with the BofA backend systems. Financial Institutions can integrate the Enterprise Server enabling the full functionality and run in a quiet mode protecting the consumer with little or no interaction required from the account holder. However TrustDefender Gold Customers will be protected regardless.

(click on the picture to start the movie)

[Screenshot: link to the movie]

Outlook

We will leave this machine running and will update soon on how the Antivirus Engine will pick it up once they update their patterns. It will be quite interesting as there is no process running or anything… Let’s see.

The Trojan Vundo story

In this blog, we normally analyze nasty Trojans or other nasty stuff that is – in almost all cases – so new that very few Antivirus Engines can pick it up and protect the user (see e.g. the post about the yaludle/Silentbanker Trojan).

However, today the story is about a typical internet user, about Joe the Plumber, about the Hockey-Mum, about an old Trojan and about the reality out there in the world wide web.

Paula (not her real name) had AVG Free 8 and SUPERAntispyware installed, and both were up-to-date; however, she got infected with a Trojan of the Limbo family that stole her login names and passwords, and only after 9 days was it partly removed by SUPERAntispyware, and after 10 days completely by AVG. 10 days!!!

Two months later, she got infected again, this time with the Vundo Trojan even though she has AVG8 & SUPERAntispyware installed. Most probably she got infected through a vulnerability, through a compromised website and/or she got tricked into downloading it deliberately. Unfortunately we have seen this way too often.

But the most interesting part for us was the behavior of the user (Paula) and the current security software. For the first 7 days after infection, she didn’t notice anything. No alerts from AVG; however, she noticed that she was taken to strange websites and was offered Antivirus 360 to install!!! After approx. 7 days, she got a message box from AVG saying that there were some DLLs on her computer with the Vundo Trojan. However, AVG couldn’t remove the DLLs (as they were protected with rootkit techniques). Now she knew her system was compromised, but her antivirus failed to secure her!!!

The issue here is that the lay person has no idea whether they are protected or not, and Paula was not protected.
From then on, whenever she opened a web browser, the Trojan would open more windows with advertising, adware, spyware and other nasty stuff. Quite regularly she was alerted that her computer was infected and that she would need to download XP Antivirus or Antivirus 360 to fix it. (What great marketing, as these websites know for sure that the machine is compromised ;-) Luckily she knew that she already had an antivirus engine running and didn’t download one of those rogue antivirus engines… even though the pop-up sounded like a familiarly named antivirus engine she had heard of before.

We thought this was a good field test and installed Norton Internet Security 2009. After it forced us to remove AVG (apparently Symantec wants to rule the desktop!), it did a quick scan and alerted us that the computer was infected with Trojan Vundo. The Norton user interface was actually very nice: it didn’t list all the infected files, it realized that they all belong to Vundo and only showed one line. Impressed with this, we found a “Fix this” button and thought we’d give it a try.

We got a nice green alert saying that the threat had been removed successfully and the computer was safe now. We thought that was really easy and that even a typical internet user might be able to do this – until we restarted the machine.
The startup was uneventful and Norton did not alert us to anything. However, when we used the web browser, other windows with adware/spyware appeared again!!! When we did a Quick Scan in Norton 2009, the Trojan Vundo was back!!! A “Fix this” removed it (again), making us believe it was gone, but it will always reappear… every time the user restarts the machine.

So in the end, AVG Free 8 and SUPERAntispyware didn’t stop the Trojan from installing and doing its nasty work. Norton Internet Security 2009 provided much better protection, however it failed to remove the Trojan completely, leaving an ongoing threat to the user. And this for a Trojan that has been around for more than 4 years (in various mutations)!!!! We as a security software industry can’t be serious. There has to be a better way. How can a typical user even think that they are protected by traditional antivirus engines?

We had to manually remove all entries in the various startup sections of the system as well as one BHO inside Internet Explorer to successfully get rid of Vundo. Only then could we remove the files with specialized tools (to counter the rootkit component) and have a clean machine again :-)

Even though this Trojan was technically not very challenging or advanced, we learned a valuable lesson.

Some technical details

The Trojan consisted of three DLLs. No executables were involved – this was clearly done to avoid detection by security tools that check the running processes. Two DLLs were started during system startup via two entries in the HKLM…Run section using rundll32.exe (which is a totally legitimate Microsoft application), and one DLL was registered as a Browser Helper Object (BHO) in Internet Explorer.

Interestingly, all three DLLs were NOT visible in Windows Explorer, as they used user-mode rootkit techniques to avoid detection.

All three components checked for the presence of each other, meaning that if you only remove the BHO but not the other DLLs, the BHO will automatically be re-created. And if you remove the two startup DLLs but not the BHO, the two startup DLLs will be re-created automatically as well.
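As an added example (not code from the original post or from TrustDefender), here is a Python check that walks a registry export for exactly the two persistence points described above: Run values that launch a DLL through rundll32.exe, and BHO CLSIDs resolved to the DLL registered behind them. The sample export, value names, CLSID and DLL names are constructed placeholders.

```python
import re
# Constructed sample of a Windows registry export (.reg text); the value names, CLSID and
# DLL names are made-up placeholders, not indicators from the machine in the post.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"khfGxwvU"="rundll32.exe \"C:\\WINDOWS\\system32\\khfGxwvU.dll\",b"
"ssqNhgeb"="rundll32.exe C:\\WINDOWS\\system32\\ssqNhgeb.dll,a"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\vtUmKffd.dll"
'''
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
BHO_KEY = "\\explorer\\browser helper objects\\"

def parse_reg(text):
    """Yield (key, name, data); headers yield (key, None, None) so empty keys are seen."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(["\\])', r'\1', data[1:-1])  # undo .reg escaping
            yield key, name.strip('"'), data

def rundll32_dll(cmd):
    """Return the DLL path from a 'rundll32.exe <dll>,<entry>' command line, else None."""
    m = re.match(r'\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)', cmd, re.I)
    return m.group(1).strip() if m else None

def find_persistence(reg_text):
    """List (source, dll) for rundll32-launched Run entries and registered IE BHOs.
    Report them together: the components re-create each other, so remove all in one pass."""
    findings, bho_clsids, inproc = [], [], {}
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        if name is None:                       # key header: note BHO registrations
            if BHO_KEY in k:
                bho_clsids.append(key.rsplit("\\", 1)[1].upper())
        elif k.endswith(RUN_KEYS) and (dll := rundll32_dll(data)):
            findings.append(("Run:" + name, dll))
        elif k.endswith("\\inprocserver32") and name == "@":
            inproc[key.split("\\")[-2].upper()] = data   # CLSID -> DLL path
    for clsid in bho_clsids:                   # resolve each BHO CLSID to its DLL
        findings.append(("BHO:" + clsid, inproc.get(clsid, "<unresolved>")))
    return findings
```

Because the files themselves are hidden from Explorer, the paths this reports are what you have to hand to a rootkit-aware tool afterwards; remove all three registry entries in the same pass, or the remaining component will restore the others.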

VirusTotal detection is unfortunately again very low!

BTW: One of the offered rogue Antivirus Engines had the filename InstallAVg_770522170802.exe! Sounds familiar, doesn’t it?

TrustDefender

A quick note on TrustDefender: even though Vundo does not try to steal confidential information like usernames/passwords, TrustDefender picked up the Vundo DLLs from the first second with our whitelisting approach, and the DLLs were automatically removed from memory on the fly. Our rootkit scanner detected them without any problems. All TrustDefender users were protected, in particular on the sites of any enterprises (online businesses) that use the TrustDefender system, of all financial institutions that are part of our Financial Trust Network, and of all self-defined websites.

Firefox Malware – ChromeInject – the honeymoon is over

After a few reports in the press about a new piece of malware that specifically targets Firefox users, we thought we would have a more detailed look at it.

In general, it only targets Firefox users. This fact will disturb many users who “escaped” Internet Explorer and switched over to Firefox for security reasons. It has long been known that Firefox, with its XUL interface and plugins, has a mechanism very similar to Internet Explorer’s BHOs (Browser Helper Objects). In fact, a browser plugin is essentially just a DLL that can contain whatever content – including malicious content.

When we installed this component, the first interesting thing was that it installs itself silently, without any user interaction or notification. This is a bit disturbing, as normally the Firefox user interface design is quite well thought through.

What this malware then does is as follows:

  • It has a pre-compiled list of hostnames that it watches for. If the user goes to any of these websites, the malware will load the malicious DLL and inject HTML into the current Firefox page.
  • This additional code will then steal any information the attackers want, including usernames and passwords and other identity-related information.
  • The sample we analyzed affected 103 financial institutions worldwide, including 10 financial institutions in Australia.

Technical Details

After the malware is installed, it is actually visible as a plugin; however, it has the innocent name “Basic Example Plugin for Mozilla”.

It hooks into the XUL engine, “watches” the internet traffic for the URLs it is interested in, and then injects HTML code.

Overall this malware is nowhere near as sophisticated as top-class Trojans like Silentbanker, Sinowal, …; however, it gets the job done. A few things are worth mentioning as they are quite unique:

  • The malicious component (DLL) will only be loaded if the user goes to any of the URLs the malware watches. This means that e.g. when you start Firefox, the system and all components are fine and the malware is actually not active in memory.
  • Only when the user visits the website of one of the affected financial institutions is the malicious DLL loaded.

How to check whether you are infected?

You can check whether you are infected by opening your Firefox browser, clicking on the Tools menu and selecting “Add-ons”. Then select the last tab, called “Plugins”, and make sure that you do not have a plugin called “Basic Example Plugin for Mozilla – npbasic”.

If you see this, you can disable the plugin by clicking on “disable”.

All TrustDefender users are protected by default from this attack.

In-depth look at a Silentbanker variant (Silentbanker.B)

Overview

Last week we looked at a compromised computer that was infected with the Silentbanker.B variant, and we were able to recover all relevant files, including the installer.
Initially the Silentbanker installer was executed as a drive-by download, and as the antivirus engine had no signatures for it, it could install itself.
After that, the Silentbanker Trojan uses a number of techniques to steal confidential information:

  • It downloads encrypted configuration files from the internet to stay up-to-date with the policies
  • It injects malicious HTML inside the current browser process to circumvent any browser based security solutions, including (EV-) SSL certificates, …
  • It is a real-time Trojan that will transmit the stolen information instantly to circumvent any sandbox security solutions and 2-factor authentication devices. That also means that someone without your knowledge and without your approval is successfully authenticated. Even with a One-Time-Password.
  • It uses userland rootkit techniques to hide the malicious components on the hard drive to evade detection.

However, in the end the Silentbanker Trojan is a very sophisticated BHO (Browser Helper Object) that works only with Internet Explorer.

TrustDefender customers were protected against this by design with the Safe&Secure Mode and the Secure Lockdown.

Technical Details

Once infected, the malicious BHO named mscorews.dll is loaded as a BHO by Internet Explorer. However, the interesting part is that once it is loaded, it will not be visible in the file system.

Even more: once the component is loaded, it will hide the file from the Windows API, thus making the file “invisible”. Also, the malicious DLL cannot be located by traversing the module list of Internet Explorer. In some sense, it exists neither in memory nor on disk. Pretty clever :-)

If the user now browses to a banking website that is known to the Silentbanker Trojan, it will inject the malicious HTML code.

Note that the Trojan asks for additional private and confidential information from the user, beyond the information the real bank login would ask for. This information is collected and sent ‘in real-time’ to the C&C server located in Russia.

What happens if TrustDefender is deployed: with TrustDefender installed, when the customer logs in, we can also verify that the Secure Lockdown successfully protects the user from having their confidential details stolen, as the Silentbanker Trojan cannot send anything anywhere (except to the “real” SSL certificate fingerprints of Bank of America).

Note: Another interesting fact is that this Silentbanker Trojan specifically targets the TAN (one-time password) systems implemented mostly by German banks. This shows that there is only so much you can do on the server side, and a full security solution has to include the client.

The targeted banks for the TAN systems are: Postbank.de, Citibank.de, Deutsche-Bank.de, Norisbank.de, Seb-Bank.de, Fiducia.de (all Volks-/Raiffeisenbanken), Comdirect.de, 1822direkt.com, Haspa.de, Hypovereinsbank.de, Weberbank.de, Gad.de, Sparda.de, Mlp.de, Kaupthinedge.de, Psd-bank.de,

Unfortunately, the VirusTotal results for the malicious Silentbanker module were quite disastrous last week (only 7 out of 36 antivirus engines detected the Trojan). (see http://www.virustotal.com/analisis/9e1c5e1c068fd0de61133594ca404519)