new mutation of yaludle/silentbanker rootkit in the wild

We were analyzing an interesting piece of malware today which is a recent mutation of the yaludle/silentbanker trojan with rootkit capabilities.

This rootkit is typically installed via drive-by downloads.

It targets financial institutions worldwide (with a focus on the US, Germany, Spain and Australia) and, like the silentbanker versions before it, it can successfully circumvent two-factor authentication, which is why quite a few banks with 2FA solutions are targeted.

The trojan operates in two modes:

  1. completely silent (this is typically for banks with just username/password): it just “uploads” the collected information in real time, encrypted, to a malicious host
  2. it dynamically introduces (in real time) malicious HTML elements into the bank’s website to collect additional information. These malicious HTML elements appear within the bank’s own site, so nobody (not even security experts) can spot anything suspicious.

As we would have expected, virtually no Antivirus Engines were detecting this Rootkit (1/36, 2.78%, http://www.virustotal.com/analisis/756098da62febc1ae372f947e2b62184)

This is the original Citibank site when someone tries to log in with a wrong username/password (so no yaludle/silentbanker here):


This is the Citibank site in exactly the same scenario, this time with yaludle/silentbanker active. (Note the yellow padlock and the correct URL!!!)

How to detect this Rootkit

This rootkit creates the following registry value, so its presence can be used to detect the infection:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
wave1 = "<RANDOM>1.CPX"

The <RANDOM>1.CPX file itself is present in the C:\WINDOWS\SYSTEM32 directory.
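The two checks above, as an added PowerShell audit that is not part of the original post: it lists every Drivers32 entry that either matches the <RANDOM>1.CPX pattern or is missing from an assumed baseline of stock multimedia drivers, then reports whether the referenced file exists in System32 and its hash. The baseline list is an assumption and must be tuned to the Windows build being checked.

```powershell
# Added example, not code from the original post: audit the Drivers32 key for
# the yaludle/silentbanker indicator described above (wave1 = "<RANDOM>1.CPX"
# with the file dropped into System32). The baseline of stock multimedia
# drivers is an assumption; tune it to the Windows build you are checking.
# On 64-bit Windows repeat the run against the Wow6432Node copy of the key.
$Drivers32 = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$System32  = Join-Path $env:SystemRoot 'System32'

# Files legitimately referenced from Drivers32 on a stock install (assumed baseline).
$KnownGood = @('wdmaud.drv', 'msacm32.drv', 'midimap.dll', 'msacm32.dll',
               'mciqtz32.dll', 'mciavi32.dll', 'mciseq.dll', 'mciwave.dll',
               'msrle32.dll', 'msvidc32.dll', 'iyuv_32.dll', 'msyuv.dll',
               'tsbyuv.dll', 'iccvid.dll', 'imaadp32.acm', 'msadp32.acm',
               'msg711.acm', 'msgsm32.acm', 'l3codeca.acm', 'msaudio1.acm')

$key = Get-Item -LiteralPath $Drivers32 -ErrorAction Stop

$findings = foreach ($name in $key.GetValueNames()) {
    $raw = ([string]$key.GetValue($name)).Trim('"')
    if ([string]::IsNullOrWhiteSpace($raw)) { continue }
    $file = [IO.Path]::GetFileName($raw)

    $reasons = @()
    # The post's indicator: a wave* entry whose target name ends in "1.CPX".
    if ($name -like 'wave*' -and $file -like '*1.CPX') { $reasons += 'matches <RANDOM>1.CPX pattern' }
    # Anything outside the baseline also deserves a look; new variants pick new names.
    if ($KnownGood -notcontains $file) { $reasons += 'not in stock driver baseline' }
    if ($reasons.Count -eq 0) { continue }

    # Drivers32 entries are usually bare file names that Windows resolves from System32.
    $path   = if ([IO.Path]::IsPathRooted($raw)) { $raw } else { Join-Path $System32 $file }
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $hash   = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }

    [pscustomobject]@{
        ValueName = $name
        Target    = $raw
        OnDisk    = $exists
        SHA256    = $hash
        Reason    = $reasons -join '; '
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'Drivers32 contains only baseline entries.' }
```

Run it from an elevated prompt so the hash of any flagged file can be read and compared against your AV or sandbox results before the file is removed.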

TrustDefender

All TrustDefender users (most notably all of our enterprise customers) are protected, as TrustDefender’s Secure Lockdown makes sure that no personal information leaves the computer: it only allows internet requests to the bank’s website.

All TrustDefender users are also protected for all banks that are part of our Financial Trust Network (see http://www.trustdefender.com/lang-en/support-portal/knowledge-base/knowledge-base-article?id=50120000000DB0q)

more information

Please contact us at support@trustdefender.com if you want to know whether your financial institution is affected or if you need more information.

Recent mutation of Rustock.B – or is it zlob? (rootkit)

When we recently got hold of a new “trick” to load a driver while bypassing HIPS and security programs that block SYS drivers as they are loaded, we thought we’d give it a go…

While there is a bit of discussion about whether this is actually a new mutation of the famous Rustock.B rootkit, it looks more like a zlob variant.

Whatever the nomenclature, this piece of malware is very sophisticated in the way it infects your system and also in the way it works.

First of all, it bypasses HIPS and other security programs by using a little-known trick that exploits loose security settings on a system-wide cache of internal Windows objects (KnownDlls). This enables the driver to be installed silently.

Secondly, this rootkit resides solely in kernel space and has no user-mode component at all. It hooks into your Google search, and while you think you are getting to the search results, the rootkit controls the session and serves you content that you definitely don’t want to see… Pretty scary stuff, as nobody would realise that the Google search page is infected!!!

But see for yourself in the screenshot and the video accompanying this post.

P.S. You’ll also see how TrustDefender’s Kernel Forensics Engine picks this up and how financial institutions can protect their customers _before_ anything bad happens…

an update to wsnpoem and rogue antivirus

We at TrustDefender Labs have seen a quite dramatic increase in so-called “Rogue Antivirus Engines”. These have been around for several years, but the sophistication of the tricks used to get users to install them is mind-blowing…

We looked at a wsnpoem malware sample that served as a dropper for the adware called “XP Security Center”. Everything looks really authentic, and even though the system was clean before, the adware physically creates random files and pretends they are malware… Then it harasses you to buy XP Security Center for $49.95 a year to get rid of them…

The lesson to be learned is that it gets harder and harder to distinguish legitimate and genuine software from fake and rogue software.

Have a look at the screen capture and streaming video yourself…

Online Criminals Launch Dangerous New MBR Rootkit (Torpig) Variant – Globally Targeting Those With Lapsed Security

Back in January 2008, we looked at how the TrustDefender Kernel Forensics Engine can detect the Silentbanker Trojan and the Master Boot Record (MBR) virus.

Since then, many new variants of the same rootkits have been released, and we thought we would take a more detailed look into a new variant of the MBR Rootkit (Torpig).

Alarmingly, we found that the wider range of antivirus products more or less do not pick up this variant (and possibly earlier ones) at all (!)

Almost no antivirus engine detected the MBR/Torpig dropper when we got a sample. When we checked it first, 2 out of 33 (6%) of the antivirus engines detected some suspicious behaviour (see Attachment 1).

The next day, only 11 out of 33 (33%) detected the threat, with some of the big names, like CA, McAfee, Sophos or Symantec, still not protecting their customers (see Attachment 2).

This variant of the MBR/Torpig trojan is installed as a drive-by download triggered by some highly obfuscated JavaScript code. So innocent users won’t even notice any download or installation, especially if they haven’t kept their Windows up to date. Even for those who are up to date, or who have accidentally allowed the program to run, it’s game over.

Attachment 1 – Virustotal Result

Attachment 2 – Virustotal result next day


Attachment 3 – TrustDefender Kernel Forensics Dialog