Tag Archives: mebroot

New Mebroot/Sinowal/MBR/Torpig variant in the wild – virtually undetected and more dangerous than ever

Mebroot/Sinowal/MBR/Torpig has been active since end of 2007 and is one of the most sophisticated and also one of the most successul trojans of our time (see Wikipedia – http://en.wikipedia.org/wiki/Mebroot).

Since then, Mebroot underwent quite a few major advancements, and we looked at Mebroot in very much detail before(http://www.trustdefender.com/blog/2009/01/07/mbrmebrootsinowaltorpig-is-back-%e2%80%93-better-than-ever/) analyzing the techniques it uses and also the flaws of the current protection systems as well as how TrustDefender provides a protection. 

However now since March 26, 2009 we are seeing a completely new variant with major “improvements” or “enhancements” and a clear focus on being undetected. It defeats all detection tools and methods in place today - (e.g. GMER has provided a technical analysis with a detection/removal tool here. However it is useless with this new variant). Your current Antivirus Solutions are almost all ineffective as Christian Donner wrote in his blog how he got infected even though he runs an on-access scanner with full scans from 3 different well known AV vendors. His special Linux boot CD with Kaspersky, Avira Antivir and Bitdefender didn’t detect anything! (http://cdonner.com/mebroot-root-kit-infection.htm)

We were analyzing one of the many drive-by-downloads of this new mebroot variant which has policies for 298 financial institutions, 44 of which are here in Australia and include 1st, 2nd and even the 3rd tier financial institutions as well as pretty much all backend banking service providers.

Technical Details

 

Infection

As we know, Mebroot is mainly deployed through a drivembr_infection-by-download when you visite “everyday” websites. We also know that the perpetrators behind Mebroot have lots of compromized FTP accounts available to compromize innocent websites. However being very professional and focused on staying under the radar, they only use as much as they require to achieve their success rate.

The sample we looked at, was delivered via an exploit to the recent Adobe Vulnerability (that was unfixed for almost 4 week!).

As you can see in the screenshot, there is a mysterious 20.tmp process running. This process will infect the Master-Boot-Record and trigger an automatic reboot of the machine after approx 10 minutes in our case.

 

Infected System

Mebroot will install Torpig as payload and Torpig is by far the nastiest thing we have ever seen. Generally, it:

  • will steal login and other personal or confidential details from banking websites
  • can inject any HTML content into any website (websites can be encrypted with or without EV-SSL.) without detection
  • can capture CAPCHA and compromize virtual keyboards
  • can use the information in real-time to defeat One-Time-Passwords
  • has configuration files for many banking sites so that it knows exactly what to look out for
  • is incredibly hard to detect
  • works system-wide and therefore any browser is affected. (Yes, you heard right. Firefox and Chrome users are also affected)

So how does it work?

Well, we are still reverse-engineering and analyzing the trojan in detail, however after infecting the Master-Boot-Record, it employs a complicated mechanism to injects itself into the ATAPI Harddrive Driver to then inject core windows components (svchost.exe and services.exe) which then will hook/redirect functions for all processes that are used for internet transmissions. What’s important is that your webbrowser (Internet Explorer, Firefox, Opera, Chrome, …) is infected and they don’t even know it!

usermode_hooks1

 

E.g. the HttpOpenRequest and HttpSendRequest are used whenever Internet Data is transmitted (regardless whether it is encrypted or not!)

So what does Mebroot/MBR/Torpig do?

As said before, it is after your login credentials and personal information and the ability to manipulate this data either in real-time or use at a later date. It will either simply steal your data directly as it is typed or inject HTML code into the banking website to gather additional information.

1) Steal authentication data (including defeating virtual keyboards)

The stolen data is stored locally in a file (c:windowstemprg4sfay in our case) and will then transfer this file to the malicious hosts.

Here is an example with Firefox and a well-known banking site

 

 keylogging_1

Another example with a banking site that is using a virtual keyboard (note that Torpig easily gets the password from the virtual keyboard):

 

 keylogging_2_vk

2) Inject HTML Code into the banking website to steal additional data

See below two examples of banking services where additional information is requested. However as these forms appear after the customer logged in and come from an apparent trusted site, the success rates for the perpetrators of this trojan are much higher and more effective than ever before.

 

 htmlinjection2

and from another well-known banking provider

 

htmlinjection11

 

How does this Trojan work?

As mentioned above, we are still reverse-engineering this Trojan to gather all the details, however as the master-boot-record is infected, this Trojan injects itsself into various kernel drivers (atapi.sys in this case) . However this injection is only done in memory and no malicious components are ever written to the harddrive. This is why detection from Antivirus Engines is so low.

However as Torpig wants to steal data from your web browser process, it will hook key functions of the webbrowser process by patching the Import Address Table (IAT).

How can this Trojan be detected?

Well, as you would have guessed, Antivirus detection is almost zero for this new variant. This applies to the dropper/installer as well as to the payload. In fact I haven’t seen a single Antivirus Engine so far that can detect that Torpig is active.

You can detect this trojan as follows (no guarantee as this may change frequently)

  • did your computer restart without warning or bluescreen?
  • open the command prompt (cmd.exe) and go to the c:WINDOWSTEMP directory. Now execute “notepad rg4sfay” and if infected, you’ll see the stolen content. Plese note that this file is hidden and won’t be shown in the windows explorer.
  • download Process Explorer from Sysinternals and click on “services.exe” and check for open file handles (in the listbox below) for
    • any file references to WINDOWSTEMP…
    • file reference to !win$

However the best way to detect whether you are infected is to download TrustDefender and check the computer manually. As TrustDefender’s Forensics Engine will check the IAT of your browser processes, TrustDefender can easily detect Mebroot/Torpig and also protect you from it.

 The trojan can be removed by using the Windows Recovery Console as described e.g. here: http://www.precisesecurity.com/threats/bootmebroot/

How does TrustDefender protect you from Mebroot?

Naturally, TrustDefender provides an automatic protection against Mebroot for all customers of financial institutions that are part of our GAP Protection and all Financial Institutions part of the Financial Trust Network.

TrustDefender’s Forensics Engine will pick up the “hooked” windows functions in the web browser’s Process and will enable a safe&secure internet transaction by disabling the trojan for the current transaction.

forensics_engine2

As long as you see the TrustDefender GAP Window and the Safe&Secure Mode is activated, you are safe.

gapwindow

 

Additional Information / Is your Financial Institution affected?

For more detailed information and to find out whether your financial institution is affected, please feel free to contact us via email at info@trustdefender.com or directly via phone.