URLZone – a disaster waiting to happen

October 8th, 2009

Thanks to an effective PR strategy, most probably everybody has heard about URLZone by now. If not, you can find out more information regarding URLZone here or here.

We have been talking about it for some time and we have already witnessed a few Trojans using this technique. However, URLZone (or Bebloh) is now the first Trojan to come up with a professional setup to steal money from your account. Not only does it completely control your internet banking session, but it also automatically performs wire transfers to money mule accounts. If this isn’t bad enough, URLZone will then manipulate your online account statement to hide the fraudulent transaction (it can also remove the transaction or change the amount). The first time a victim would become aware of the fraudulent transaction(s) may be weeks or even months later – when they receive their paper statement in the mail! (That is, if they get a paper statement at all… Lots of banks are trying to get rid of it altogether!)

Although real-time and session-based Trojans have been around for quite a while, they weren’t used in such a sophisticated way. An example was Yaludle (a Silentbanker variant), which injected into the website HTML that was dynamically retrieved from the web in real time!

At the moment, only German banks are part of the URLZone configuration, but the bad guys can change the configuration at any second. Attacks against German online banks have always been very sophisticated simply because the German banks have employed one-time-password mechanisms (so-called transaction numbers or TANs) for many years. Now the bad guys have found their way around these mechanisms using such sophisticated techniques.

First-generation attacks employing such Trojans saw the bad guys inject HTML code into the online banking login page to gather TANs in classical phishing attempts.

Then we saw more sophisticated attacks using variants of the well-known Bzub Trojan, which had the ability to perform wire transfers and remove them from the account statement.

Now we have URLZone doing silent wire transfers in the background and changing the online account statement.

Only as a result of the big amounts that these Trojans are fraudulently stealing are we beginning to hear about URLZone in the news, such as the recent $447,000 USD heist at Ferma in California, USA. While the manager had issued legitimate payments, the program initiated a further 27 transactions to various bank accounts, siphoning off a total of $447,000 USD in a matter of minutes. “They not only got into my system here, they were able to ascertain how much they could draw, so they drew the limit,” says Roy Ferrari, Ferma’s President (http://www.technologyreview.com/computing/23488/?a=f).

Another high-profile case was the recent gigantic Zeus botnet, which also resulted in large amounts being stolen, such as the $415,000 USD heist at Bullitt County, Kentucky (http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html).

And let’s not forget Signs Designs Inc who also recently lost close to $100,000 USD in similar attacks (http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html).

In light of the above, I want to point out a few notes:

  • Firstly – The problem has been around for a long time and it seems that people only do something about such threats when they are large enough to be mentioned in the press. That’s exactly what the intelligent botnets such as Mebroot/Torpig are exploiting. By staying under the radar and not being too greedy they can do their dirty work and don’t have to worry about consequences. Their motto seems to be: just keep the security industry busy with non-threats like Conficker and they won’t hassle you.
  • Secondly – This type of attack cannot be solved with 2-factor authentication.
  • Thirdly – While there is much hype around URLZone at the moment about how amazing and disturbing it is that the bad guys can do such things, we will always have this problem if the bank’s security and the user’s security systems are not connected.
  • Fourthly – While the Trojan is very, very sophisticated and advanced on the delivery side, they have made it incredibly easy for the good guys to catch them. Don’t expect this to happen in the future with new variants. We are still at the beginning…

One further thing to note is that since all real-time, session-based Trojans need to talk to a C&C server during the banking transaction, just one of TrustDefender’s many layers of protection will fully protect you against such attacks. Our “Secure Lockdown” knows all internet requests that belong to the financial institution and will block everything else while you are in a banking transaction. This will always protect you against all Trojans that work on this principle, not just the likes of URLZone.

In addition, our Forensics Engine will also pick up the URLZone Trojan itself and will alert you of the infection, while also automatically disabling it for the period of the transaction. This will ensure you are always Safe and Secure while transacting online.

Due to popular demand, we have put together an in-depth TrustDefender Labs report about URLZone, which you can request by sending an email to labs@trustdefender.com. The in-depth report features the complete inner workings, together with an analysis of the configuration file and forensics information.

Andreas Baumhof, Malware

A first look at Microsoft’s free Antivirus Engine Security Essentials (MSE)

October 1st, 2009

With much press attention, Microsoft released its free Antivirus Engine called Microsoft Security Essentials. We had a quick look at it and while Microsoft has done a pretty good job altogether (quick, nice user interface, fairly decent signature database), it is what it is: an Antivirus Engine that is based on blacklists / heuristics.

However, this means MSE won’t protect you against the sophisticated Trojans that we hear about in the press almost daily. We have successfully infected a machine with enabled and up-to-date MSE with a new mutation of the Zeus Trojan that is active in the wild. (For the interested reader, here is a screen-capture movie that also shows how TrustDefender protects you from Zeus.)

So in our opinion MSE will not make any impact on the malware landscape at all, but it will most certainly take market share from the other Antivirus vendors and put pressure on them from a pricing point of view.

Andreas Baumhof, Uncategorized

Silentbanker reloaded

September 29th, 2009

It’s been a while since we last looked at and analysed a Silentbanker Trojan in October 2008, and we have written about it on our blog at http://www.trustdefender.com/blog for some time.

The last couple of weeks/months have been quiet for Silentbanker, but now Silentbanker is back in action, very alive and kicking. We have now taken another detailed look at these new variants, how they now operate and how they have continued to evolve from last year.

The interesting fact is that it hasn’t evolved that much and they haven’t included too many new features. This is partly because the Silentbanker Trojan already has an impressive list of features, including HTTP(S) form sniffing, network tracing, session hijacking and HTML web injection capabilities.

The Silentbanker Trojan will only affect Internet Explorer and not any other Browsers as it is implemented as a Browser-Helper-Object (BHO).

However, compared to the new top dogs who have stepped up the pace and gained extensive publicity, such as Zeus, Mebroot/Torpig or Clampi, it seems nowadays the Silentbanker Trojan is a Trojan of fairly average sophistication, as Silentbanker only employs basic rootkit techniques, uses no encryption for the upload of the stolen data and has a fairly basic C&C infrastructure. This – however – doesn’t mean that Silentbanker is not up to the task. It just shows how much innovation the bad guys have shown for the other Trojans.

But as the Silentbanker Trojan is completely silent and won’t slow down the computer at all, most users will not find any suspicious behaviour and we assume that it was very effective especially in its first couple of weeks of operation.

In conclusion, it becomes pretty obvious that the Silentbanker Trojan has fallen behind the likes of Mebroot/Torpig, Clampi or Zeus in terms of sophistication. While this may be perceived as good news, the bad news is that the employed techniques still work and, on top of that, the creators will for sure enhance the Silentbanker Trojan in the future. Watch this space…

Installation

We analysed the Silentbanker dropper with MD5 e1e2b3389dd2e020ae2783b8c6c80a08, which had a VirusTotal detection of 12/41, 29.27% (http://www.virustotal.com/analisis/112946f35cf76ed853b44aeaf837cc5c9ad15722e46637e3af1f82b4b122f41b-1252598004).

The inner workings haven’t changed too much from the Silentbanker Trojans we analysed around the same time last year in October 2008.
The dropper will install a Browser-Helper-Object (BHO) and register its payload DLL with Internet Explorer. The payload was in our case mscorewr.dll (in the c:\windows\system32\ folder) with a VirusTotal detection of 9/41, 21.95% (http://www.virustotal.com/analisis/7b062ddb9dbc50cea53b98df892d4ceac003ece8551976085bd7ff57d5a5c664-1252582306).

The Silentbanker Trojan comes with a hard-coded C&C server which in our case was businessrest.cn (190.183.60.82).

Usermode hooks

Once the Silentbanker Trojan is active in memory (basically when Internet Explorer starts), it will set up export hooks so that it gets access to all transmitted internet traffic and to much more information.
All sophisticated Trojans hook core Windows functions to compromise the system. Our Silentbanker Trojan hooked (or redirected), among others, the following core Windows functions (full details are available in the in-depth report):

  • HttpOpenRequestA/W
  • HttpSendRequestA/W
  • InternetConnectW
  • InternetReadFile
  • InternetReadFileExA/W
  • InternetWriteFile
  • CommitUrlCacheEntryA/W

As you can see, it basically hooks all Internet-related functions to get access to the Internet traffic (even though it might be encrypted with SSL or EV-SSL!).

These usermode hooks enable the Trojan to do its dirty work.

HTML Web injection

The Silentbanker Trojan also has the capability to inject arbitrary HTML code into a website, and it makes use of this mainly to get additional information from the user. The disturbing fact, however, is that this is also possible with HTTPS together with EV-SSL certificates. This way, the website looks legitimate from all angles. The URL is correct, the SSL certificate is fine and the green bar is shown. The reason is that the website actually comes from the legitimate site; however, the Silentbanker Trojan will locally inject its malicious HTML code into the site. The injected code differs for each financial institution and is part of the configuration file.

A few examples are:

[Screenshot: injected web form, example 1]

[Screenshot: injected web form, example 2]

How to detect the Silentbanker Trojan

As the Silentbanker Trojan is a Browser-Helper-Object (BHO), you’ll see it appearing in the “Manage Add-ons” option of Internet Explorer (from the menu, choose “Tools” and then “Manage Add-ons”).
In our case the Trojan was called “mscorewr” and pretended to be a “Macrovision” component.
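The same check can be done without clicking through the “Manage Add-ons” dialog by walking the registry locations where Internet Explorer registers BHOs. The script below is an added example and not code from this post or from TrustDefender: it lists every registered BHO, resolves its CLSID to the DLL on disk, and flags the traits described above (a DLL named mscorewr.dll, a “Macrovision” display name, or a DLL without a valid Authenticode signature). It assumes the standard “Browser Helper Objects” and CLSID\...\InProcServer32 registration points and an elevated PowerShell on the machine being inspected; the indicator lists are the ones from this post and are meant to be extended.

```powershell
# Added example (not from the TrustDefender post): enumerate IE Browser Helper
# Objects and flag the Silentbanker traits described in the post.
# Assumed: run elevated on the machine being inspected.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)
# Indicators taken from the post (mscorewr.dll posing as a Macrovision component).
$knownBadDll  = @('mscorewr.dll')
$knownBadName = @('Macrovision')

function Get-DefaultValue([string]$KeyPath) {
    # Returns the (default) value of a registry key, or $null if the key is missing.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    return (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
}

function Get-InstalledBho {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $clsid = $key.PSChildName              # {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
            $dll = $null; $friendly = $null
            # Resolve the CLSID to its in-process server DLL (32- or 64-bit view).
            foreach ($cr in $clsidRoots) {
                $candidate = Get-DefaultValue "$cr\$clsid\InProcServer32"
                if ($candidate) {
                    $dll      = [Environment]::ExpandEnvironmentVariables($candidate)
                    $friendly = Get-DefaultValue "$cr\$clsid"
                    break
                }
            }
            $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else { 'FileMissing' }

            $reasons = @()
            if ($dll -and ($knownBadDll -contains (Split-Path $dll -Leaf))) {
                $reasons += 'DLL name matches the Silentbanker payload'
            }
            if ($friendly -and ($knownBadName | Where-Object { $friendly -match $_ })) {
                $reasons += 'display name imitates a Macrovision component'
            }
            if ($sig -ne 'Valid') { $reasons += "Authenticode status: $sig" }

            [pscustomobject]@{
                CLSID      = $clsid
                Name       = $friendly
                Dll        = $dll
                Signature  = $sig
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Suspicious entries first; an unsigned DLL is a lead to investigate, not a verdict.
Get-InstalledBho | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```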

How TrustDefender protects you

As you would expect, TrustDefender protects you against Silentbanker from the very first second. TrustDefender employs a defence-in-depth strategy, and we are happy to say that every single component alone will protect you against Silentbanker.

  • Malicious BHO
    TrustDefender will automatically protect you from malicious Browser-Helper-Objects and makes sure that those components cannot penetrate the current session
  • Usermode Hooks
    As described before, this is how Silentbanker gets access to all its information. TrustDefender’s Forensics Analysis will pick up these hooks and disable them for the current session
  • Secure Lockdown
    As Silentbanker works in realtime and will send the stolen credentials to its C&C server at the time of login, TrustDefender will automatically block this request as the Secure Lockdown will only allow internet requests that are associated with the current webservice (e.g. online bank).

Further Information

Further information can be obtained from the team at TrustDefender Labs. Just email us at labs@trustdefender.com.

Andreas Baumhof, Malware

Why is Clampi / Ilomo so effective? An analysis with detection/removal info

August 19th, 2009

Introduction

This is an in-depth analysis of a Trojan called Clampi, also known as Ilomo or Clomp. Clampi got quite a bit of press coverage lately. As always, most press reports are not really technically correct, so we look at Clampi here from a technical point of view.

The Clampi malware is one of the hardest pieces of malware to analyse. Even among the most sophisticated well-known Trojans such as Mebroot, Silentbanker, Zeus, … Clampi is by far the hardest to analyse. Reasons for this are the multiple layers of VMProtect protection, extensive use of encryption and unique design approaches such as the subversion of the registry to store the malicious files. No payload file will ever be written to the hard drive: Clampi downloads the encrypted modules and stores them, still encrypted, in the registry.

The way Clampi is set up makes it a very robust Trojan, both in terms of resilience and resistance. It can talk to numerous C&C servers and any payload can be deployed, so Clampi can be used for pretty much every malicious purpose.

Even though Clampi is incredibly sophisticated, there is still room for improvements and we believe there will be soon new variants of Clampi available that are much, much harder to detect as they “fix” the existing limitations.

However, Clampi is not a new Trojan. It has been known since 2007, and the security industry didn’t really grasp the full scale of its badness because nobody really knew exactly what it was doing, for the reasons mentioned above. We hope we can shed a bit of light on the operation of Clampi and help strengthen the “good” side.

Please note that this public blog doesn’t contain all the technical information and we have an in-depth report of Clampi available for interested parties. Just send an email to labs@trustdefender.com.

Payload

After the installer executes, there will be a newly created file in %UserProfile%\Application Data\ with one of the following names:

  • svchosts.exe, taskmon.exe, rundll.exe, service.exe, sound.exe, upnpsvc.exe, lsas.exe, logon.exe, helper.exe, event.exe, dumpreport.exe, msiexeca.exe

The filenames look genuine and are pretty much all names of legitimate Windows components; however, these files are now instrumental to the Clampi infection. Note that only the filename changes; the content and the MD5 of the file are always the same (61316320065e85ff4a6a594d7fedf141 in our case). Antivirus detection was fairly average as well, with 18/41 AV engines detecting it (http://www.virustotal.com/analisis/21bd2536687790c8318ac5936d4cad37decf0fee808e4f4ca8c619485cbf8a16-1249326956). As with the installer, some big names didn’t detect it (such as AVG, F-Secure and Kaspersky).

The payload is added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run so that it runs with every start. Note that it will therefore only start for the current user: Clampi does not add this registry entry under HKLM!

Automated analysis of the payload

Security researchers rely more and more on automated analysis of malware samples; however this automated analysis is still pretty limited as they don’t show anything in this particular case. Virustotal didn’t say anything and Anubis only noted that sound.exe started the Internet Explorer. While this is not suspicious at all, it already hints to one evasion technique of Clampi which we will analyse in more detail later.

Execution

First of all, Clampi uses a number of evasion techniques that are quite extraordinary and special. Clampi breaks its functionality up into various parts and uses sophisticated techniques to perform its job and to stay undetected.

When the payload starts, it will automatically start an instance of the Internet Explorer as well.

[Screenshot: Process Explorer showing the Clampi payload with its child iexplore.exe]

While this doesn’t seem too suspicious, a closer look reveals a number of very interesting facts:

  • First of all, the iexplore.exe with PID 216 runs in suspended mode, which means that it is not accessible at all.
  • Secondly, the iexplore.exe with PID 216 is the “real” and genuine iexplore.exe process, but it has some weird program arguments

[Screenshot: the command-line arguments of the suspended iexplore.exe process]

This Internet Explorer process is responsible for all outgoing internet communication to the Clampi C&C server. This was clearly also done to evade Personal Firewalls as they would see an internet request from the legitimate Internet Explorer which is obviously allowed.

[Screenshot: TCPView showing the outgoing connections of the iexplore.exe process]

This also shows a limitation of the Clampi C&C server. Once you stop or kill the Internet Explorer Process, Clampi cannot talk to its C&C anymore and is basically defeated.

Download of 4 (or more) modules

After the initial handshake, Clampi then initiates internet requests to the newly learned C&C servers and downloads 4–6 additional payloads (depending on the C&C configuration). However, Clampi will never write these payloads to the hard drive! It writes them in encrypted form into the registry at:

  • HKCU\Software\Microsoft\Internet Explorer\Settings\M00
  • HKCU\Software\Microsoft\Internet Explorer\Settings\M01

These payloads are the “real” nasty stuff and the bad news is that they are all encrypted over the wire and also in the registry. However in memory they have to be decrypted, so the encryption is not really the problem… They are all packed with VMProtect which makes analysis almost impossible! (see next chapter)

There is actually another module, which gets encrypted only in memory. These modules are all VMProtect protected – except M04, which is an exact copy of psexec.exe from Sysinternals. We will come back to this in a bit more detail later.

Registry layout

As mentioned before, after the initial infection Clampi will never write anything to the disk anymore. This was clearly done to evade detection by Antivirus engines that hook hard drive access. Clampi writes all its malicious files directly into the registry in an encrypted format.

[Screenshot: Registry Editor showing the encrypted Clampi entries under the Internet Explorer Settings key]

More details are available in the in-depth report.

Usermode Hooks

In the same way that other sophisticated malware “hooks” key Windows functions and redirects them to its own memory region, Clampi will hook

  • HttpSendRequestA
  • HttpSendRequestW
  • InternetQueryDataAvailable
  • InternetReadFile
  • InternetReadFileExA

[Screenshot: rootkit detector listing the installed usermode hooks]

And with these hooks, Clampi has access to all internet communication even if it is SSL encrypted. However, these hooks are only installed for Internet Explorer and NOT for Chrome or Firefox.

Location and availability of C&C Servers

Available in the in-depth report.

How TrustDefender will protect its customers

TrustDefender will automatically protect all its customers against Clampi in several ways.

Firstly, for our enterprise customers, communication to the C&C servers is cut off automatically by our Secure Lockdown feature as part of the client policies.

Secondly, TrustDefender will identify the unknown process that starts Internet Explorer and will prevent it from doing any harm.

Thirdly, TrustDefender will pick up the Windows hooks and automatically resolve them so that the Internet session is encapsulated from Clampi.

And fourthly, the Kernel Forensics Engine makes sure that the transaction is safe.

The following screenshot shows the detection of Clampi. Please note that in the OEM edition, this screen won’t appear and the information is handled by the Enterprise Server.

[Screenshot: TrustDefender Kernel Forensics Engine detecting Clampi]

How to detect that a system is compromised

The detection is pretty easy if you have access to the machine. Simply check for the existence of the Clampi registry keys described in the Registry chapter before. Check for the existence of HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GatesList; if you find this, you are infected.

Furthermore, check for a process with one of the following names (svchosts.exe, taskmon.exe, rundll.exe, service.exe, sound.exe, upnpsvc.exe, lsas.exe, logon.exe, helper.exe, event.exe, dumpreport.exe, msiexeca.exe) and check whether they have launched the Internet Explorer with procexp from sysinternals.

HOWEVER, don’t log in to infected workstations using domain administrator credentials as this is how it spreads (using psexec).

How to remove Clampi

Clampi can be fairly easily removed from the system without too much problem. However unlike Mebroot/Torpig, it will not store the stolen credentials on the local machine, so it’s not possible to detect exactly what has been stolen.

To remove Clampi, do the following:

  • Kill the sound.exe process (or whatever the filename is) that launches Internet Explorer. This alone will already kill the C&C communication.
  • Remove the file from your hard drive (usually in %UserProfile%\Application Data\).
  • Start the registry editor (regedit) and delete the following keys (make sure you do a backup of the registry before doing it):
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GID
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\PID
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GatesList
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\KeyM
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\KeyE
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\M00
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\M<XX>

    and

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\<NAME> (in our case Sound – just look for the one whose value points to the executable in %UserProfile%\Application Data\)
  • Restart the computer and Clampi should be removed.
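The detection and removal steps of the two sections above can be scripted so that the same checks run identically on every workstation in question. The script below is an added example and not code from this post or from TrustDefender: it looks for the Clampi artefacts under the Internet Explorer Settings key, for a Run entry pointing at one of the known payload names inside Application Data, and for a process with one of those names that has launched iexplore.exe; with -Remove it then performs the removal steps in the order the post gives them. It assumes it is run in the session of the user whose profile is suspected (Clampi persists under HKCU only), that Win32_Process can be queried to find the parent of iexplore.exe, and that the key and file names are exactly those given in this post.

```powershell
# Added example (not from the TrustDefender post): detect the Clampi indicators
# described in the post and, with -Remove, carry out the post's removal steps.
# Assumed: run as the affected (non-admin) user; never from a domain admin
# logon, since Clampi spreads with the credentials it finds (psexec).
[CmdletBinding()]
param([switch]$Remove)

$settings = 'HKCU:\Software\Microsoft\Internet Explorer\Settings'
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData  = [Environment]::GetFolderPath('ApplicationData')   # %UserProfile%\Application Data
$payloadNames = 'svchosts.exe','taskmon.exe','rundll.exe','service.exe','sound.exe','upnpsvc.exe',
                'lsas.exe','logon.exe','helper.exe','event.exe','dumpreport.exe','msiexeca.exe'
# GatesList alone is decisive per the post; GID/PID/KeyM/KeyE/Mxx hold the rest.
$artefactPattern = '^(GatesList|GID|PID|KeyM|KeyE|M\d\d)$'

# 1. Registry artefacts: the post calls them keys, so check subkeys and values alike.
$subkeys = @(); $values = @()
if (Test-Path -LiteralPath $settings) {
    $subkeys = @(Get-ChildItem -LiteralPath $settings | Where-Object { $_.PSChildName -match $artefactPattern })
    $values  = @((Get-Item -LiteralPath $settings).GetValueNames() | Where-Object { $_ -match $artefactPattern })
}

# 2. Run entry whose command points at a payload name inside Application Data.
$runEntries = @()
if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # provider metadata, not a Run value
        $cmd = [string]$prop.Value
        $hit = $payloadNames | Where-Object { $cmd -like "*\$_*" }
        if ($hit -and ($cmd -like "*$appData*")) { $runEntries += $prop.Name }
    }
}

# 3. A payload-named process that is the parent of an iexplore.exe (the C&C channel).
$procs = @(Get-CimInstance -ClassName Win32_Process)
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }
$launchers = @()
foreach ($ie in ($procs | Where-Object { $_.Name -ieq 'iexplore.exe' })) {
    $parent = $byPid[[uint32]$ie.ParentProcessId]
    if ($parent -and ($payloadNames -contains $parent.Name)) { $launchers += $parent }
}

$infected = ($subkeys.Count + $values.Count + $runEntries.Count + $launchers.Count) -gt 0
[pscustomobject]@{
    Infected       = $infected
    RegistryKeys   = ($subkeys | ForEach-Object { $_.PSChildName }) -join ', '
    RegistryValues = $values -join ', '
    RunEntries     = $runEntries -join ', '
    Launchers      = ($launchers | ForEach-Object { "$($_.Name) (PID $($_.ProcessId)) -> $($_.ExecutablePath)" }) -join ', '
} | Format-List

if ($Remove -and $infected) {
    # Step 1 of the post: killing the launcher cuts the C&C communication.
    foreach ($l in $launchers) {
        Stop-Process -Id $l.ProcessId -Force -ErrorAction SilentlyContinue
        if ($l.ExecutablePath) { Remove-Item -LiteralPath $l.ExecutablePath -Force -ErrorAction SilentlyContinue }
    }
    # Back up the Settings key before deleting anything from it.
    $backup = Join-Path $env:TEMP 'ie-settings-before-clampi-cleanup.reg'
    if (Test-Path -LiteralPath $backup) { Remove-Item -LiteralPath $backup -Force }
    & reg.exe export 'HKCU\Software\Microsoft\Internet Explorer\Settings' $backup | Out-Null
    foreach ($k in $subkeys)    { Remove-Item -LiteralPath $k.PSPath -Recurse -Force }
    foreach ($v in $values)     { Remove-ItemProperty -LiteralPath $settings -Name $v }
    foreach ($n in $runEntries) { Remove-ItemProperty -LiteralPath $runKey -Name $n }
    Write-Output "Artefacts removed (registry backup: $backup). Reboot to complete the cleanup."
}
```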

Further Information

Further information can be obtained from TrustDefender at labs@trustdefender.com as well as the in-depth report of Clampi.

Andreas Baumhof, Malware

In-depth analysis of Mebroot/Torpig trojan available

July 14th, 2009

As we received a number of requests for an in-depth analysis of the new Mebroot variant mentioned in the previous article, we now finally have this report available.

If you are interested, please drop us an email to labs@trustdefender.com.

Andreas Baumhof, Malware

The nastiest ebanking trojan mebroot just got nastier

July 9th, 2009

As if the “old” mebroot trojan isn’t bad enough, the bad guys have released a new version of the highly successful e-banking trojan. And the bad news is that they changed a lot! Someone must have been busy over the last couple of months.

Basically the new version of Mebroot performs the same tasks and does the same badness as the previous versions that we have covered quite substantially on this blog before (see e.g. here and here).

However, the big difference is that it is hiding in the system much, much better than before, to make sure

  1. it can infect your system without you knowing
  2. stay there as long as possible

To reiterate: everything that was written about how to detect Mebroot is invalid and doesn’t apply anymore… No rg4sfay file in Windows\temp anymore, no reference to \!win$… No detection with GMER’s special mbr.exe program, and GMER itself only lists a couple of detached threads… Nothing really suspicious…

This new version also has the most exhaustive list of banking and broking websites we have seen – with virtually all major financial institutions in Australia, UK, USA, Spain, Italy, Germany and more. But also more and more non-bank websites are part of this list, like partycashier.com (the online payment from a popular poker site) and government sites like pay.gov (electronic payments to the US Govt). To find out whether your financial institution is affected, please do get in touch with us. (send an email to info@trustdefender.com)

Technical Details:

From a technical point of view, lots has changed in this version; however, the core is still the same and Mebroot will inject itself into services.exe, which then also holds the configuration file and is in control of the update process to the C&C server.

However everything is now encrypted. No plaintext files anymore with the captured details, no more plaintext internet requests. Everything is encrypted and most importantly all communication from the C&C server is encrypted as well. This effectively makes it impossible to sinkhole a mebroot C&C server. The mebroot trojan would immediately see that the connection is not from a genuine mebroot C&C server… Pretty clever…

In our case, two files were created in the c:\WINDOWS\TEMP folder, namely $$yt7.$$ and $$$dq3e. Both files are not visible in a directory listing and they hold the encrypted version of the stolen data.

The code injection into the browser processes is done as before through IAT hooks that TrustDefender’s Forensics Engine will pick up and the ‘Safe&Secure Mode’ will automatically protect the user by isolating the webbrowser’s process.

[Screenshot: TrustDefender Kernel Forensics Engine reporting the IAT hooks]

So again, all TrustDefender users and all financial institutions and enterprises who are employing the TrustDefender Enterprise Server are fully protected against this attack.

Andreas Baumhof, Malware

Analysis of stolen data through Torpig (deployed through Mebroot/MBR/Sinowal)

May 5th, 2009

We have posted some technical analysis of the Mebroot/MBR/Sinowal Trojan lately, and while we at TrustDefender Labs focus quite heavily on the analysis of the Trojans and infection vectors themselves on the client side, researchers at the University of California looked at the data they received on the server side. This complements our research quite nicely as it provides hard facts on how successful those attacks are and how much data the bad guys actually receive.

The research was done by the Security Group, Department of Computer Science at the University of California, Santa Barbara, which released a very interesting paper, “Your botnet is my Botnet: Analysis of a Botnet Takeover” (see http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html).

In this paper the security researchers “infiltrated” the Torpig C&C control network for a period of 10 days, and their results are nothing less than astonishing.

In the 10 days, the sinkholed C&C server collected almost 70GB of data. This data included stolen credentials from 52,540 different infected machines; they sent some 297,962 unique credentials (username/password), among them credentials of 8,310 bank accounts at 410 different financial institutions. Furthermore the data included more than 11 million HTTP(S) form submissions, 1,258,862 email accounts, 1,235,122 Windows passwords, …

[Figure: stolen data by type]

Key quotes from the original text are:

 The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).

The most common cards include Visa (1,056), MasterCard (447), American Express (81), Maestro (36), and Discover (24).

While 86% of the victims contributed only a single card number, others offered a few more. Of particular interest is the case of a single victim from whom 30 credit card numbers were extracted. Upon manual examination, we discovered that the victim was an agent for an at-home, distributed call center. It seems that the card numbers were those of customers of the company that the agent was working for, and they were being entered into the call center’s central database for order processing.

And, very interestingly, they also looked at the financial implications of this:

Quantifying the value of the financial information stolen by Torpig is an uncertain process because of the characteristics of the underground markets where it may end up being traded. A report by Symantec [37] indicated (loose) ranges of prices for common goods and, in particular, priced credit cards between $0.10–$25 and bank accounts from $10–$1,000.

If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83k and $8.3M.

Also, a Torpig server was seized in 2008, resulting in the recovery of 250,000 stolen credit and debit cards and 300,000 online bank account login credentials [31].

For more on the botnet hijack, check out UC Santa Barbara’s Torpig project page. It was also featured on Slashdot.

Andreas Baumhof, Uncategorized

New Mebroot/Sinowal/MBR/Torpig variant in the wild – virtually undetected and more dangerous than ever

April 4th, 2009

Mebroot/Sinowal/MBR/Torpig has been active since the end of 2007 and is one of the most sophisticated and also one of the most successful Trojans of our time (see Wikipedia – http://en.wikipedia.org/wiki/Mebroot).

Since then, Mebroot has undergone quite a few major advancements, and we looked at Mebroot in great detail before (http://www.trustdefender.com/blog/2009/01/07/mbrmebrootsinowaltorpig-is-back-%e2%80%93-better-than-ever/), analyzing the techniques it uses, the flaws of the current protection systems and how TrustDefender provides protection.

However, since March 26, 2009 we have been seeing a completely new variant with major “improvements” or “enhancements” and a clear focus on staying undetected. It defeats all detection tools and methods in place today (e.g. GMER has provided a technical analysis with a detection/removal tool here; however, it is useless with this new variant). Your current Antivirus solutions are almost all ineffective: Christian Donner wrote in his blog how he got infected even though he runs an on-access scanner, with full scans from 3 different well-known AV vendors. His special Linux boot CD with Kaspersky, Avira AntiVir and BitDefender didn’t detect anything! (http://cdonner.com/mebroot-root-kit-infection.htm)

We were analyzing one of the many drive-by-downloads of this new mebroot variant which has policies for 298 financial institutions, 44 of which are here in Australia and include 1st, 2nd and even the 3rd tier financial institutions as well as pretty much all backend banking service providers.

Technical Details


Infection

As we know, Mebroot is mainly deployed through a drive-by download when you visit “everyday” websites. We also know that the perpetrators behind Mebroot have lots of compromised FTP accounts available to compromise innocent websites. However, being very professional and focused on staying under the radar, they only use as many as they require to achieve their success rate.

The sample we looked at was delivered via an exploit for the recent Adobe vulnerability (which was unfixed for almost 4 weeks!).

[Screenshot: process list showing the 20.tmp infector process]

As you can see in the screenshot, there is a mysterious 20.tmp process running. This process will infect the Master Boot Record and trigger an automatic reboot of the machine, after approximately 10 minutes in our case.


Infected System

Mebroot will install Torpig as payload and Torpig is by far the nastiest thing we have ever seen. Generally, it:

  • will steal login and other personal or confidential details from banking websites
  • can inject any HTML content into any website (whether or not the site is encrypted with SSL or EV-SSL) without detection
  • can capture CAPTCHAs and compromise virtual keyboards
  • can use the information in real-time to defeat One-Time-Passwords
  • has configuration files for many banking sites so that it knows exactly what to look out for
  • is incredibly hard to detect
  • works system-wide and therefore any browser is affected. (Yes, you heard right. Firefox and Chrome users are also affected)

So how does it work?

Well, we are still reverse-engineering and analyzing the trojan in detail. However, after infecting the Master Boot Record, it employs a complicated mechanism to inject itself into the ATAPI hard drive driver, and from there into core Windows components (svchost.exe and services.exe), which then hook/redirect the functions used for Internet transmissions in all processes. What’s important is that your web browser (Internet Explorer, Firefox, Opera, Chrome, …) is infected and it doesn’t even know it!

(screenshot: usermode_hooks1)

For example, HttpOpenRequest and HttpSendRequest are used whenever Internet data is transmitted (regardless of whether it is encrypted or not!).

So what does Mebroot/MBR/Torpig do?

As said before, it is after your login credentials and personal information and the ability to manipulate this data either in real-time or use at a later date. It will either simply steal your data directly as it is typed or inject HTML code into the banking website to gather additional information.

1) Steal authentication data (including defeating virtual keyboards)

The stolen data is stored locally in a file (c:\windows\temp\rg4sfay in our case), which is then transferred to the malicious hosts.

Here is an example with Firefox and a well-known banking site:

(screenshot: keylogging_1)

Another example with a banking site that is using a virtual keyboard (note that Torpig easily gets the password from the virtual keyboard):

(screenshot: keylogging_2_vk)

2) Inject HTML Code into the banking website to steal additional data

Below are two examples of banking services where additional information is requested. As these forms appear after the customer has logged in and come from an apparently trusted site, the success rates for the perpetrators of this trojan are much higher than ever before.

(screenshot: htmlinjection2)

And another example, from a different well-known banking provider:

(screenshot: htmlinjection11)

How does this Trojan work?

As mentioned above, we are still reverse-engineering this Trojan to gather all the details. However, once the master boot record is infected, this Trojan injects itself into various kernel drivers (atapi.sys in this case). This injection is only done in memory and no malicious components are ever written to the hard drive, which is why detection by antivirus engines is so low.

However as Torpig wants to steal data from your web browser process, it will hook key functions of the webbrowser process by patching the Import Address Table (IAT).
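The IAT check described above can be expressed as a short classification routine. The following is an added example, not TrustDefender’s Forensics Engine or any code from this post: it assumes a snapshot of the browser process (loaded modules with base and size, plus the IAT slots with their current values) has already been taken with whatever tooling is available, and the module layout, addresses and forwarder list below are constructed sample values. The rule is the one the post relies on: an import declared against wininet.dll must resolve into wininet.dll’s mapped range; a slot pointing to memory that no loaded module backs is the signature of code that was only ever injected in memory.

```python
"""Classify Import Address Table (IAT) slots of a process snapshot.

Added example (not TrustDefender's or the post's own code). It assumes a
snapshot already taken by other tooling: the loaded modules of the browser
process (name, base, size) and its IAT slots (DLL the import is declared
against, function name, address currently stored in the slot). All
addresses, sizes and the forwarder allowlist below are constructed sample
values, not real ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class IatEntry:
    module: str    # DLL the import is declared against, e.g. "wininet.dll"
    function: str  # imported symbol, e.g. "HttpSendRequestA"
    target: int    # address currently stored in the IAT slot


# Some imports legitimately resolve into a different DLL than the one they
# are declared against (export forwarders). Constructed, deliberately small
# allowlist; a real one is derived from the DLLs' export tables on disk.
FORWARDERS = {
    ("kernel32.dll", "HeapAlloc"): "ntdll.dll",
}


def owning_module(modules, addr):
    """Return the loaded module whose mapped range contains addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def classify(entry, modules):
    """Return 'ok', 'forwarded', 'hooked' or 'hooked-unbacked' for one slot."""
    owner = owning_module(modules, entry.target)
    if owner is None:
        # The slot points to memory no loaded module backs: typical of code
        # injected only in memory, as the post describes for Torpig.
        return "hooked-unbacked"
    if owner.name.lower() == entry.module.lower():
        return "ok"
    if FORWARDERS.get((entry.module.lower(), entry.function)) == owner.name.lower():
        return "forwarded"
    # Resolves into some other module (a trampoline in the main image, an
    # injected DLL, ...): flag it for a human to look at.
    return "hooked"


def scan_iat(entries, modules):
    """Classify every slot; keys are (declared DLL, function name)."""
    return {(e.module, e.function): classify(e, modules) for e in entries}


# Constructed snapshot of a browser process (sample values only).
SAMPLE_MODULES = [
    Module("firefox.exe", 0x00400000, 0x00200000),
    Module("kernel32.dll", 0x7C800000, 0x000F6000),
    Module("ntdll.dll", 0x7C900000, 0x000B2000),
    Module("wininet.dll", 0x771B0000, 0x000AB000),
]
SAMPLE_IAT = [
    IatEntry("wininet.dll", "HttpOpenRequestA", 0x771C1234),  # inside wininet
    IatEntry("wininet.dll", "HttpSendRequestA", 0x00930000),  # no module there
    IatEntry("kernel32.dll", "HeapAlloc", 0x7C910123),        # forwarded to ntdll
    IatEntry("kernel32.dll", "CreateFileA", 0x00410000),      # inside firefox.exe
]

if __name__ == "__main__":
    for (dll, func), verdict in scan_iat(SAMPLE_IAT, SAMPLE_MODULES).items():
        print(f"{dll}!{func}: {verdict}")
```

On a real system the module list comes from enumerating the process’s loaded modules and the forwarder allowlist from the export tables of the DLLs on disk; the classification logic does not change. A “hooked-unbacked” verdict for functions such as HttpSendRequest is the condition the post describes, since Torpig never writes a module to disk that could back the hook target.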

How can this Trojan be detected?

Well, as you would have guessed, Antivirus detection is almost zero for this new variant. This applies to the dropper/installer as well as to the payload. In fact I haven’t seen a single Antivirus Engine so far that can detect that Torpig is active.

You can detect this trojan as follows (no guarantee, as this may change frequently):

  • Did your computer restart without warning or a bluescreen?
  • Open the command prompt (cmd.exe) and go to the c:\WINDOWS\TEMP directory. Now execute “notepad rg4sfay”; if you are infected, you’ll see the stolen content. Please note that this file is hidden and won’t be shown in Windows Explorer.
  • Download Process Explorer from Sysinternals, click on “services.exe” and check its open file handles (in the list box below) for
    • any file references to \WINDOWS\TEMP\…
    • a file reference to \!win$

However the best way to detect whether you are infected is to download TrustDefender and check the computer manually. As TrustDefender’s Forensics Engine will check the IAT of your browser processes, TrustDefender can easily detect Mebroot/Torpig and also protect you from it.

The trojan can be removed by using the Windows Recovery Console as described e.g. here: http://www.precisesecurity.com/threats/bootmebroot/

How does TrustDefender protect you from Mebroot?

Naturally, TrustDefender provides an automatic protection against Mebroot for all customers of financial institutions that are part of our GAP Protection and all Financial Institutions part of the Financial Trust Network.

TrustDefender’s Forensics Engine will pick up the “hooked” Windows functions in the web browser process and will enable a safe&secure Internet transaction by disabling the trojan for the current transaction.

(screenshot: forensics_engine2)

As long as you see the TrustDefender GAP Window and the Safe&Secure Mode is activated, you are safe.

(screenshot: gapwindow)

Additional Information / Is your Financial Institution affected?

For more detailed information and to find out whether your financial institution is affected, please feel free to contact us via email at info@trustdefender.com or directly via phone.

Andreas Baumhof Malware

Banking Malware (BankPatch.C) shows that the bad guys are extremely innovative

February 28th, 2009

We often get into situations where people think that the “bad guys” are script kiddies who do this for fun. Every malware analyst will tell you that the innovation on the wrong side of the fence is astonishing…

Anyway, let’s have a look at one of the latest examples of such innovation: Bankpatch.C.

Bankpatch is a fairly “old” trojan which first appeared at the beginning of 2007. However, Bankpatch.C, which was released between September 2008 and February 2009, has some major enhancements.

Generally, Bankpatch.C is a banking trojan that is designed to compromise online banking transactions. It waits silently on the consumer or corporate computer until it finds an Internet request it is interested in (a targeted website it has policies for) and then comes to life. It then has the ability to steal your login details, but also to dynamically inject HTML into the existing login form to capture whatever information the attackers require. Alarmingly, HTML can be injected into a secured SSL website without the computer’s security software or the website owner becoming aware that it has been compromised.

This is also one of the “real-time” trojans that have the potential to compromise One-Time-Passwords (OTP), as it intercepts the OTP before it is used to authenticate the account holder when they access the banking website.

Another avenue is deploying targeted payloads depending on the web services used. The most widely used payload is a BHO (Browser Helper Object) called Infostealer.Nadebanker.

Symantec has written about Bankpatch here and it received a bit of press. Michael Hale Ligh has a very good technical writeup with standalone detection tools here.

From a technical point, the most interesting part of Bankpatch.C is the fact that it uses an interesting approach to “rootkit” the machine, i.e. to stay undetected. After the initial infection, Bankpatch.C will “patch” (change) three core windows files and will inject its own malicious code into these system files. Therefore Bankpatch.C is not even present on the system as an individual file/process/software.

So how does Bankpatch accomplish this?

First of all, Bankpatch will disable the Windows File Protection (WFP) that is designed by Microsoft to make sure that no-one changes core windows files. Good to know that WFP can easily be disabled!!!

After this is done, Bankpatch will modify the following three core Windows files through Position Independent Code (PIC):

  • kernel32.dll
  • wininet.dll
  • powrprof.dll

Through patching these files, Bankpatch.C has now full control over

  • any file that is created, opened, written or closed (through patching kernel32.dll)
  • any internet connection that is opened, any webtraffic that comes in or leaves the computer, may it be encrypted or not (through patching wininet.dll)
  • with these functions, the trojan has pretty much full control over the machine!

Antivirus detection seems to be very low, and one problem that we constantly face is that once the system is infected, virtually no antivirus engine can detect that the system is compromised. There is no malicious software running on the system: no process, no nothing… However, nobody seems to notice that core Windows functions are not how they should be!!!

TrustDefender will detect BankPatch.C in two ways (defense-in-depth):

  1. through our whitelisting approach, TrustDefender detects that the core system libraries are NOT the legitimate ones
     (screenshot: processes1)
  2. through our forensics analysis, TrustDefender detects that from a forensics point-of-view, these three files are suspicious.
     (screenshot: kfe)
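The whitelisting check in point 1 is, at its core, a comparison of the files on disk against known-good copies. The following is an added example, not TrustDefender’s code and not from the post: it hashes the three files Bankpatch.C patches and compares them with a SHA-256 manifest built from a clean machine running the same Windows version and patch level. The directory paths are assumptions, and the file contents used when testing it are constructed stand-ins, not real DLL hashes.

```python
"""Compare core Windows DLLs against a known-good SHA-256 manifest.

Added example, not TrustDefender's code. Assumes a manifest built from a
clean system with the same Windows version and patch level (build_manifest),
since a legitimate update also changes these hashes. The three file names
are the ones the post says Bankpatch.C patches; every path here is an
assumption, and the test data are constructed stand-ins for real DLLs.
"""
import hashlib
import os

# Files the post names as patched by Bankpatch.C.
WATCHED = ["kernel32.dll", "wininet.dll", "powrprof.dll"]


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large DLLs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(clean_system_dir, names=WATCHED):
    """Hash the watched files in a directory known to be clean."""
    return {n: sha256_file(os.path.join(clean_system_dir, n)) for n in names}


def verify(system_dir, manifest):
    """Return {name: 'ok' | 'modified' | 'missing'} for every manifest entry.

    'modified' is a signal to investigate, not proof of infection on its own:
    confirm the machine is on the same build the manifest was taken from.
    """
    result = {}
    for name, expected in manifest.items():
        path = os.path.join(system_dir, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif sha256_file(path) != expected:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def suspicious(result):
    """Names whose state is anything other than 'ok'."""
    return sorted(n for n, state in result.items() if state != "ok")


if __name__ == "__main__":
    import json
    import sys
    # usage: python verify_dlls.py <clean_system32_dir> <system32_dir_to_check>
    clean_dir, check_dir = sys.argv[1], sys.argv[2]
    manifest = build_manifest(clean_dir)
    outcome = verify(check_dir, manifest)
    print(json.dumps(outcome, indent=2))
    sys.exit(1 if suspicious(outcome) else 0)
```

The manifest has to come from a trusted machine, never from the system under suspicion, because Bankpatch.C disables Windows File Protection and patches the files in place; a self-built manifest on an infected host would simply whitelist the patched copies.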

In summary, BankPatch.C is a testament to the excellence of the bad guys, and it further indicates what we all know: they are getting smarter and smarter.

The lesson to be learnt is that we (the good guys) need to be smarter and smarter as well and we need more innovative approaches like our kernel forensics engine.

Andreas Baumhof Malware

Banking malware at its best: A detailed look at a new Zeus/Wsnpoem (Zbot) variant

January 20th, 2009

I can’t believe that we haven’t blogged about Zeus/Wsnpoem yet, as it is one of the more common trojans and has been targeting media and social networking websites, and especially financial institutions worldwide, for more than 3 years now. We have seen the technology improve throughout this period. It steals users’ private and confidential information (form grabber), can inject arbitrary HTML code into any website (including encrypted websites), can steal certificates and will take screenshots to defeat virtual keyboards, especially those still commonly used by financial institutions today.

In addition to its business features, Zeus/Wsnpoem continues to be enhanced and is one of the most advanced trojans from a technical point of view as well. The most important reasons are:

  • incredibly hard to detect once a system is infected (see below)
  • easy to use backend system provided
  • easy to configure by simple (but encrypted) configuration files.

So let’s have a detailed look what this trojan is doing.

Overview

Quite often, a Zeus trojan is simply delivered via a spam email (e.g. a UPS invoice), and once the dropper is executed, it will inject itself into key Windows components. This means that the trojan will not be visible at all (e.g. in Task Manager), and all Internet communication is performed by the “authentic” processes. This way the trojan can evade any firewall as well.

It will install itself (ntos.exe) into the Registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit) to make sure it is started every time Windows starts. The initial ntos.exe process will inject itself into winlogon.exe (a core Windows process) and will spread from there into every single process. The files on the hard drive are protected with rootkit features so they are not visible in Windows Explorer. Altogether, it’s incredibly hard even for security professionals to detect whether the system is compromised!!!

A very detailed, very technical and very interesting study of one of the early variants of this trojan by Lance James and Michael Ligh can be found here: http://www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf. Even though this study is from 2006, most of the technical details are still valid and the paper is still current. As you would expect though, we have seen quite a bit of technical improvement.

Technical Details

The sample we looked at was MD5=8f5668c69fb4924ba15313dcf87f4d42 and according to Virustotal only 5 out of 38 detect this dropper. (http://www.virustotal.com/analisis/45625ba20a8d6e4c79cd10658efa9da8). Unfortunately we see this with almost all sophisticated trojans. The detection for new threats is way too low.

As discussed before, the trojan is neither visible as a user process nor as a system driver:

(screenshot: all-good1)

The only way to detect this trojan is to look at hooked system functions:

(screenshot: hooks)

Our sample targeted 279 financial institutions, including 36 financial institutions in Australia (first, second and third tier), including 3 of the four major Australian suppliers of banking backend services to mostly second and third tier financial institutions.

For a full list, please contact us at info@trustdefender.com

A normal user will not notice anything suspicious during an Internet banking session. The trojan does all its work in the background; our sample was very well written, we did not experience a single crash and could not notice any slowdown of the system at all! The Trojan then sends the captured information to the C&C server, where this information is typically sold on. So the fraudsters who compromise the accounts are in most cases not the same as the fraudsters who steal your money, a fact that makes life for law enforcement around the world very tricky.

How TrustDefender protects the user

TrustDefender will ‘detect’ and ‘successfully protect’ the user from any known Zeus/wsnpoem/zbot infection, as TrustDefender will detect the system file hooking and, with its secure lockdown, will isolate any potentially malicious code (including the hooked code). If implemented by the financial institution, TrustDefender enables the financial institution to notify and provide feedback to the user within the login page, based on the security health of the user’s computer and within a web 2.0 environment, and most importantly before the customer enters his or her confidential details, i.e. ID, password, 2nd-factor security code.

(screenshot: yaludleboa-time-0_04_0306)

If you opt to view the details, you can see that TrustDefender detects the system hooks as part of its forensics engine:

(screenshot: kernel-forensics1)

However the most important part is not the details, the most important part is that ‘all TrustDefender users and those customers of financial institutions deploying TrustDefender are protected by default and by design’ – straight out of the box! No need to do anything. Let TrustDefender do the hard part.

However as always: Even though TrustDefender protects you from the attack, we believe in defence in depth and we recommend cleaning an infected system as soon as possible.

Are you infected? Removal

As the Trojan is almost impossible to detect from its files, the best way to see whether you are infected is to check the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit. Make sure that there is no ntos.exe in there. If there is, you are infected!!!

A complete removal is quite tricky, as the files are rootkit-protected and cannot be easily deleted. However, you can disable the trojan by removing the ntos.exe part (just that part!) from the above-mentioned registry key. After a restart, the trojan will not be active. However, the malicious files (protected by the rootkit) are still on the computer. In addition, the above-mentioned study provides removal instructions in chapter 16.
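The registry check and the partial clean-up described in the two paragraphs above can be scripted. The following is an added example, not from the post or from TrustDefender: the key path, the UserInit value name and the ntos.exe file name come from the post; the sample values are constructed, and the assumption that the only legitimate UserInit entry is userinit.exe is mine. On Windows, read_userinit() reads the live value with the standard winreg module; elsewhere inspect_userinit() can be fed a string, which is what the example does with the constructed values.

```python
"""Inspect and clean the Winlogon UserInit value abused by Zeus/Wsnpoem.

Added example, not code from the post. UserInit is a comma-separated list
of programs Winlogon starts at logon. Assumption: the only legitimate entry
is userinit.exe; anything else is reported, and ntos.exe (the name the post
gives) is treated as a confirmed indicator. The cleaned value removes only
the extra entries and leaves userinit.exe in place, matching the post's
advice to remove just the ntos.exe part.
"""
import os

USERINIT_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERINIT_VALUE = "UserInit"
EXPECTED_EXE = "userinit.exe"
KNOWN_BAD = {"ntos.exe"}  # file name used by the variant in the post


def parse_userinit(value):
    """Split 'a.exe,b.exe,' into non-empty, stripped entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def _exe_name(entry):
    """Lower-cased file name of an entry, whatever the path separator."""
    return os.path.basename(entry.replace("\\", "/")).lower()


def inspect_userinit(value):
    """Return (infected, suspicious_entries, cleaned_value).

    infected is True only when a known-bad name (ntos.exe) is present;
    suspicious_entries lists every entry other than userinit.exe so that
    unknown additions are still surfaced. cleaned_value keeps userinit.exe
    and restores the trailing comma Windows uses; it is None when no
    userinit.exe entry exists, because writing such a value would break logon.
    """
    keep, suspicious = [], []
    for entry in parse_userinit(value):
        if _exe_name(entry) == EXPECTED_EXE:
            keep.append(entry)
        else:
            suspicious.append(entry)
    infected = any(_exe_name(s) in KNOWN_BAD for s in suspicious)
    cleaned = ",".join(keep) + "," if keep else None
    return infected, suspicious, cleaned


def read_userinit():
    """Read the live value on Windows (winreg exists only there)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERINIT_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, USERINIT_VALUE)
    return value


# Constructed sample values, not taken from a real machine.
SAMPLE_CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
SAMPLE_INFECTED = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

if __name__ == "__main__":
    for label, value in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        infected, suspicious, cleaned = inspect_userinit(value)
        print(f"{label}: infected={infected} suspicious={suspicious}")
        print(f"  value to restore (after backing up the key): {cleaned}")
```

Before changing the live value, export the Winlogon key as a backup; as the post notes, this only disables the trojan at the next restart, and the rootkit-protected files remain on disk until a full clean-up is done.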

Furthermore you can contact us at TrustDefender for more detailed information at info@trustdefender.com.

Andreas Baumhof Malware