<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TrustDefender Labs &#187; Andreas Baumhof</title>
	<atom:link href="http://www.trustdefender.com/blog/author/admin/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.trustdefender.com/blog</link>
	<description>Technical Updates from the TrustDefender Labs</description>
	<lastBuildDate>Thu, 06 May 2010 07:28:33 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Zeus 2.0 &#8211; Zeus trojan at its best &#8211; extending its reach to Windows Vista, 7 and Mozilla Firefox</title>
		<link>http://www.trustdefender.com/blog/2010/05/06/zeus-2-0-zeus-trojan-at-its-best-extending-its-reach-to-windows-vista-7-and-mozilla-firefox/</link>
		<comments>http://www.trustdefender.com/blog/2010/05/06/zeus-2-0-zeus-trojan-at-its-best-extending-its-reach-to-windows-vista-7-and-mozilla-firefox/#comments</comments>
		<pubDate>Thu, 06 May 2010 07:28:33 +0000</pubDate>
		<dc:creator>Andreas Baumhof</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.trustdefender.com/blog/?p=253</guid>
		<description><![CDATA[Introduction
Well, here we are again&#8230; After the gang behind Zeus released a new major release of the Zeus Trojan (dubbed Zeus v2), it has received quite a bit of media attention. Our report provides an in-depth look at this new threat from a technical level to provide interested parties with detailed information on what Zeus v2 does [...]]]></description>
			<content:encoded><![CDATA[<h1><a href="mailto:labs@trustdefender.com"><img class="alignright" title="In-depth report available" src="/blog/wp-content/uploads/2009/09/indepthreport-available.JPG" alt="In-depth report available" width="228" height="186" /></a>Introduction</h1>
<p>Well, here we are again&#8230; After the gang behind Zeus released a new major release of the Zeus Trojan (dubbed Zeus v2), it has received quite a bit of media attention. Our report provides an in-depth look at this new threat from a technical level to provide interested parties with detailed information on what Zeus v2 does and how it performs its dirty tasks.</p>
<p>Although we have covered the Zeus Trojan in the past, we are once again amazed by the innovation and the effort the bad guys have put in place to keep ahead of traditional security initiatives that do not involve the user&#8217;s desktop.</p>
<p>These &#8220;advancements&#8221; can be grouped into two broad categories; development of the core Zeus platform (Trojan and backend) and development of additional functionalities (such as an instant messaging notification capacity and an extensive JavaScript engine for dynamic challenge/response harvesting and real-time activities).</p>
<p>Although both of these categories are equally disturbing, this post will focus on advancements of the Zeus Trojan core platform that have enabled Zeus to <strong>target Firefox users</strong> as well as <strong>run on newer operating systems</strong> that have extensive security features built into them to make life for such Trojans much harder, namely <strong>Windows Vista and Windows 7</strong>.</p>
<p>These built-in hardening features are a result of Microsoft’s development over the past few years in response to the proliferation of such Trojans targeting their operating systems and browser. We just hope that other vendors are equally prepared as the bad guys start turning their attention to them with new variants of the respective Trojans.</p>
<p>In addition, these advancements clearly show how the bad guys are willing to adopt new strategies in response to market trends. The more success Firefox has, the more of a target it is going to be. A recent study noted that the market share of Internet Explorer had fallen below 60% [1], and since then we have seen the bad guys trying to increase their market share by targeting Firefox.</p>
<p>Although we have previously seen custom built Zeus Trojans that have such enhancements enabled, these features are now in the core Zeus binary with “official” support and maintenance. This means that these previously custom features are now available to everybody and we believe there will be a big surge of Zeus activity as a result.</p>
<p>In the next part of the Zeus in-depth reports we will look more closely at the “additional” features of Zeus, namely advanced configuration file options and the extensive JavaScript engine for dynamic challenge/response harvesting and real-time activities.</p>
<p>This blog contains some information available in our in-depth report that is available on request by sending an email to <a href="mailto:labs@trustdefender.com">labs@trustdefender.com</a>.</p>
<h1>SOCKS proxy</h1>
<h2>Installation</h2>
<p>Upon installation on Windows XP, we noticed that we did get a warning from the operating system, as depicted below:</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic1.gif"><img class="aligncenter size-medium wp-image-254" title="pic1" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic1-300x214.gif" alt="" width="300" height="214" /></a></p>
<p>This is the default dialog if a program wants to listen for and accept connections on the computer; however, we haven’t seen this dialog with previous Zeus variants, as they ran as administrator, where it is possible to get around this notification.</p>
<p>The interesting thing here is that Windows is asking the user to unblock the <strong><em>Windows Explorer</em></strong> program. There is no reference to any third-party software or anything suspicious, thus making this confirmation actually look fairly legitimate.</p>
<p>On Windows Vista and Windows 7, you’ll experience the same confirmation but it looks slightly different:</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic2.gif"><img class="aligncenter size-medium wp-image-255" title="pic2" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic2-300x218.gif" alt="" width="300" height="218" /></a></p>
<p>But once again, a legitimate Windows process (<strong><em>taskhost.exe</em></strong>) is asking to be allowed by the user!!!</p>
<p>The “funny” thing is that in the case of Zeus v2 running as administrator, there is no need for this security alert when using the built-in Windows Firewall as the Windows Firewall is probably the only firewall in the world where you can programmatically allow any program (see the fairly undocumented Windows API WindowsFirewallAddApp).</p>
<h2>Functionality</h2>
<p>The above dialog is produced by Windows as the Zeus v2 Trojan tries to listen and accept connections from the computer. In all of our samples, this port was port 13851 as per the screenshot below and Zeus v2 operates a SOCKS proxy on this port.</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic3.gif"><img class="aligncenter size-medium wp-image-256" title="pic3" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic3-300x113.gif" alt="" width="300" height="113" /></a></p>
<p>This SOCKS proxy allows the bad guys to relay any internet requests through the victim’s computer, which in turn means that any internet requests the bad guys execute will show up as if they had been made by the victim. So any passive fingerprinting technologies employed by the web service provider will always see the correct public IP address (and thus the corresponding geographic lookup). This is in use by many risk engines for web authentication.</p>
<p>The SOCKS proxy has another advantage: the bad guys can relay any TCP and UDP traffic through the victim’s machine.</p>
<p>Please note that this SOCKS feature is not new; however, we obviously haven’t seen this feature active on non-administrator accounts before! And on Windows Vista and Windows 7, there is actually a big chance that users will allow this, as the warning says that a legitimate Windows component needs permission to run!!! This is definitely new.</p>
<h1>Initial Handshake, Configuration file</h1>
<p>See the in-depth report</p>
<h1>Firefox Hooking</h1>
<p>As mentioned above, this Zeus variant is capable of compromising Firefox in exactly the same way it compromises Internet Explorer. As a result, you will find that a Zeus infected system will have quite a few “hooks” of legitimate Windows functions internally.</p>
<p>These “hooks” mean that the Zeus Trojan is making sure that when Firefox calls <strong><em>HttpSendRequest</em></strong>, the call does not go directly to the Windows API, but rather via the Zeus Trojan before going to the Windows API. In doing this, Zeus has full control over the HTTP and HTTPS sessions made by the Firefox browser.</p>
<p>GMER and other rootkit hooking tools detect the following hooks into the Firefox browser.</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic4.gif"><img class="aligncenter size-medium wp-image-257" title="pic4" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic4-300x119.gif" alt="" width="300" height="119" /></a></p>
<p>However the interesting thing is that GMER and other rootkit tools seem to miss a few hooks as these functions are not really used by Firefox. The above functions are from <strong><em>WININET.dll</em></strong> and Firefox uses its own API to connect to the Internet. It also uses OpenSSL for SSL encryption/decryption and all these functions are wrapped in <strong><em>nspr4.dll</em></strong> (which resides in the Firefox program folder).</p>
<p>For an overview of how these are used, please refer to the Mozilla documentation at: <a href="http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslintro.html">http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslintro.html</a></p>
<p>If we look more closely, we can see that the key functions hooked for Firefox are the following ones from <strong><em>nspr4.dll</em></strong> (naturally, we can use TrustDefender for this task <img src='http://www.trustdefender.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> ).</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic5.gif"><img class="aligncenter size-full wp-image-258" title="pic5" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic5.gif" alt="" width="277" height="73" /></a></p>
<p>As per the above documentation from Mozilla, if you have full control over <strong><em>PR_Read</em></strong> and <strong><em>PR_Write</em></strong>, you have full control over any Internet connection that Firefox is making, regardless of whether it is HTTP or HTTPS. It also doesn’t even matter whether it is a site with an EV-SSL certificate, as seen in the below image of a legitimate site with an authentic EV-SSL certificate.</p>
<p>So by hooking these functions, Zeus has full control over the session and can now inject any arbitrary HTML code into the browser whenever the bad guys want. Naturally they can see the full URL as well.</p>
<p>Please note that Zeus uses the same approach for hooking the Internet Explorer, however, since Internet Explorer uses different libraries for Internet connections, different DLL’s will be hooked.</p>
<p>However, we want to make it clear that Zeus is not exploiting any particular vulnerability in Internet Explorer or Mozilla Firefox. It compromises the environment in which the browsers operate and is thus able to get full control over the session.</p>
<p>The interesting thing we observed is that the majority of the new Zeus variants don’t inject HTML code into public websites, but rather only do this once a user has successfully logged in to a specific site. They do this for various reasons and we will cover these in more detail in our next in-depth report. However, doing this means that you can’t see Zeus in action without a valid login, making detection much harder.</p>
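<p>The check GMER-style tools perform on the functions named above (comparing an export's in-memory prologue with its on-disk bytes to spot a trampoline into injected code), as an added example that is not part of the original post. Module base, export addresses and the injected-code address are constructed values, and the prologue bytes are a typical hot-patchable x86 prologue rather than nspr4.dll's real code.</p>

```python
# Added example, not from the TrustDefender post: spot inline hooks on exported
# functions by diffing each export's on-disk prologue against its in-memory bytes.
import struct

# Constructed module layout for an nspr4.dll-style image (hypothetical addresses).
MODULE_BASE = 0x10000000
MODULE_SIZE = 0x00060000
INJECTED_REGION = 0x00C40000          # where the trojan's code was mapped (constructed)

# Typical hot-patchable x86 prologue: mov edi,edi / push ebp / mov ebp,esp / push ebx
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC53")


def jmp_rel32(src_va, dst_va):
    """Encode a 5-byte 'jmp rel32' placed at src_va that lands on dst_va."""
    return b"\xE9" + struct.pack("<i", dst_va - (src_va + 5))


def push_ret(dst_va):
    """Encode 'push imm32; ret', a 6-byte trampoline some hooks use instead."""
    return b"\x68" + struct.pack("<I", dst_va) + b"\xC3"


def decode_trampoline(func_va, mem):
    """Return (kind, target) if the bytes start with a known trampoline."""
    if len(mem) >= 5 and mem[0] == 0xE9:
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:
        return "push/ret", struct.unpack_from("<I", mem, 1)[0]
    if len(mem) >= 6 and mem[:2] == b"\xFF\x25":
        # jmp [abs32]: the real target sits behind a pointer; report the slot address
        return "jmp [abs32]", struct.unpack_from("<I", mem, 2)[0]
    return None, None


def check_export(name, func_va, disk, mem, base, size):
    """Compare prologues; return a finding dict, or None if the export is untouched."""
    n = min(len(disk), len(mem))
    if disk[:n] == mem[:n]:
        return None
    kind, target = decode_trampoline(func_va, mem)
    # A trampoline that leaves the module's own image is the classic injected-code sign.
    outside = target is not None and not (base <= target < base + size)
    return {"function": name, "va": func_va, "kind": kind or "modified",
            "target": target, "outside_module": outside}


def scan_exports(exports, base, size):
    """exports: [(name, va, disk_prologue, mem_prologue)] -> list of findings."""
    findings = []
    for name, va, disk, mem in exports:
        finding = check_export(name, va, disk, mem, base, size)
        if finding:
            findings.append(finding)
    return findings


# Constructed snapshot of four nspr4 exports: PR_Read and PR_Write hooked, two clean.
PR_READ_VA, PR_WRITE_VA, PR_CLOSE_VA, PR_CONNECT_VA = (
    MODULE_BASE + 0x12340, MODULE_BASE + 0x12510, MODULE_BASE + 0x11F00, MODULE_BASE + 0x13080)
SAMPLE_EXPORTS = [
    ("PR_Read", PR_READ_VA, CLEAN_PROLOGUE,
     jmp_rel32(PR_READ_VA, INJECTED_REGION) + CLEAN_PROLOGUE[5:]),
    ("PR_Write", PR_WRITE_VA, CLEAN_PROLOGUE, push_ret(INJECTED_REGION + 0x40)),
    ("PR_Close", PR_CLOSE_VA, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
    ("PR_Connect", PR_CONNECT_VA, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
]

if __name__ == "__main__":
    for f in scan_exports(SAMPLE_EXPORTS, MODULE_BASE, MODULE_SIZE):
        target = f"{f['target']:#010x}" if f["target"] is not None else "?"
        print(f"{f['function']:<11} {f['kind']:<10} -> {target}  outside_module={f['outside_module']}")
```

On a live system the disk prologue comes from the DLL file's export table and the memory prologue from the browser process; the comparison logic is the same.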
<p>The following screenshot shows the new Zeus variant in action for a financial institution [2]:</p>
<p>&lt;&lt;screenshot available in the in-depth report&gt;&gt;</p>
<h1>Windows Vista and Windows 7</h1>
<p>One of the most disturbing features of this new Zeus variant is the fact that it is capable of running not only on Windows XP, but also on Windows Vista and Windows 7 (we only checked 32 bit so far).</p>
<p>The big question was how they can do this despite the hardening features of both operating systems.</p>
<p>Well first of all, when you execute the Zeus Trojan the Windows UAC does not kick in, meaning that the Zeus Trojan installer does not run with administrator privileges.</p>
<p>Although this in itself is a good thing as it means the Zeus Trojan cannot do any system-wide changes, the bad news is that Zeus still manages to infect the currently logged on user. The upside of being able to infect the machine without UAC outweighs the downside of only infecting the currently logged on user since that’s who they are targeting anyway.</p>
<p>The Zeus v2 Trojan takes this into account and will use random names for all events and semaphores &#8230; so that it can happily run multiple instances for multiple users on the same computer.</p>
<p>After we executed the Installer, the following registry entry is added to make sure that the Trojan runs when the computer is rebooted. Please note that this entry is in <strong><em>HKCU</em></strong> which means that this only applies to the current user and not for any other users of the computer.</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic6.jpg"><img class="aligncenter size-medium wp-image-259" title="pic6" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic6-300x242.jpg" alt="" width="300" height="242" /></a></p>
<p>This is different to older versions of the Zeus Trojan as they would install themselves in the <strong><em>Userinit</em></strong> value of the <strong><em>Winlogon</em></strong> key globally (HKLM &#8211; HKEY_LOCAL_MACHINE).</p>
<p>Another point to note is that the filename is random and will be different for every installation.</p>
<p>Thus it becomes apparent that to overcome the hardened features of Windows Vista and Windows 7, Zeus v2 was forced to use a different approach to compromise the current user as it does not have the permission to change global settings on these operating systems.</p>
<p>What is very, very disturbing and worrying is that the Zeus v2 Trojan can pretty much do everything it does with or without administrator rights. You would assume that all of the hard work that Microsoft has put in to protect you would pay off. You would assume that using a user without administrator rights is more secure, right? Well, it doesn’t really appear so.</p>
<h1>Windows XP – without administrator rights</h1>
<p>In Windows Vista and Windows 7, all users run without administrator rights and the UAC kicks in if some administrative privileges are needed. Such a concept doesn’t exist in Windows XP and therefore you are much more locked down if you run as non-administrator.</p>
<p>If we run the Zeus v2 Trojan under Windows XP SP3 without admin rights, we noticed a similar Windows Security Alert when the Zeus v2 Trojan tries to install the SOCKS proxy; however, this time there is no option to allow it (as we don’t have admin rights).</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic7.gif"><img class="aligncenter size-medium wp-image-261" title="pic7" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic7-300x216.gif" alt="" width="300" height="216" /></a></p>
<p>There is no option to allow this and therefore the SOCKS proxy functionality will not be available. Funnily enough, this means that Windows XP users without admin rights are better protected than Vista or Windows 7 users, who run without admin rights by default!</p>
<p>However, as noted above, this doesn’t stop the Zeus v2 Trojan itself from working; it just means that the SOCKS proxy feature is not working. Everything else works fine&#8230; So after the above dialog box is closed and the user logs in to a website with an HTML injection configuration, the “usual” behaviour will kick in.</p>
<p>The following screenshots depict a user without administrator rights on a Windows XP SP3 machine (the red circles highlight the injected HTML). Please also note that the SSL certificate and everything else is correct.</p>
<p>&lt;&lt;SCREENSHOTS AVAILABLE IN THE IN-DEPTH REPORT&gt;&gt;</p>
<h1>Code Injection</h1>
<p>Traditional versions of Zeus would inject themselves into the <strong><em>winlogon.exe</em></strong> process and spread from there (e.g. to <strong><em>svchost.exe</em></strong>, <strong><em>lsass.exe</em></strong>, <strong><em>services.exe</em></strong>). However, since the new versions of Zeus don’t run with administrator privileges, they cannot inject code into any process running as a different user (especially the SYSTEM account). Therefore the new Zeus v2 Trojan injects itself into the following processes instead: <strong><em>ctfmon.exe</em></strong>, <strong><em>explorer.exe</em></strong>, <strong><em>rdpclip.exe</em></strong>, <strong><em>taskeng.exe</em></strong>, <strong><em>taskhost.exe</em></strong> and <strong><em>wscntfy.exe</em></strong>.</p>
<p>The reason for this change in approach is pretty simple &#8211; <strong><em>winlogon.exe</em></strong> is a SYSTEM process and without administrator privileges, the Trojan would not be allowed to inject anything, so the above alternative targets were chosen as they all run as the currently logged in user.</p>
<p>Since all these processes run as the currently logged on user and the Windows security settings allow the Zeus Trojan to modify the memory allocated by any of these applications, Zeus is now able to hook key Windows functions (see the earlier chapter about hooking) and inject its own code into the process, bypassing the hardening features of Windows Vista and Windows 7.</p>
<p>An important fact to know is that the process that will be started through the registry key above will terminate itself after it injects itself into the other processes, meaning you won’t be able to find a process running under the name of <strong><em>olews.exe</em></strong>.</p>
<h1>Microsoft / Firefox Phishing Filter</h1>
<p>One interesting addition is that the Zeus v2 Trojan will disable the Phishing Filter that is enabled by default in Internet Explorer 7 and later versions. The Zeus v2 Trojan does this simply by altering the registry setting <strong><em>HKCU\Software\Microsoft\Internet Explorer\PhishingFilter</em></strong> to set the Enable and EnableV8 values to 0.</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic8.gif"><img class="aligncenter size-medium wp-image-262" title="pic8" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic8-300x169.gif" alt="" width="300" height="169" /></a></p>
<p>Firefox users are slightly better off as the Zeus v2 Trojan hasn’t yet figured out how to disable the Safebrowsing features of Firefox.</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic9.gif"><img class="aligncenter size-medium wp-image-263" title="pic9" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/05/pic9-300x286.gif" alt="" width="300" height="286" /></a></p>
<h1>Interesting observations</h1>
<p>&lt;&lt; available in the in-depth report &gt;&gt;</p>
<h1>TrustDefender’s Approach to Zeus v2</h1>
<p>TrustDefender’s Forensics Engine will immediately pick up all of the new Zeus v2 infections by default, and will protect you against the threat from a frontend (user-view) AND a backend point of view. TrustDefender enables financial institutions to deal with Zeus v2 on the server side through its real-time, risk-based Enterprise Server, and the TrustDefender Agent will successfully protect the end-user at home. No longer does a financial institution have to rely on the end user to do something, but rather they can mitigate and deal with the threat from their own backend systems and feed this information into existing systems including risk-engines, adaptive authentication suites and transaction monitoring tools etc.</p>
<h1>How to detect that a system is compromised</h1>
<p>Since the new variant of Zeus doesn’t use complex rootkit techniques, detection is relatively easy. Simply start the registry editor (<strong><em>regedit.exe</em></strong>) and check for an entry in the Run section of <strong><em>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</em></strong>.</p>
<p>The things to look out for are:</p>
<ul>
<li>Name looks like a GUID (such as {26014332-876A-668A-546A-2A9930E39482})</li>
<li>Value is a filename in %USERDIR%\Application Data\&lt;RANDOM DIR&gt;\&lt;RANDOM FILE&gt; (such as &#8220;C:\Documents and Settings\support\Application Data\Kyniin\yqypy.exe&#8221;)</li>
</ul>
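<p>An added example (not the post's or TrustDefender's code) that automates the Run-key check above and the PhishingFilter check from the earlier section. The GUID name and path of the first sample entry are the ones quoted in the post; the other sample entries and the severity labels are constructed, and the live-registry helpers only do anything on Windows.</p>

```python
# Added example (not the post's own code): audit the two HKCU locations the post
# names for Zeus v2 indicators. Heuristics only; a match is a lead, not proof.
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
PHISHING_KEY = r"Software\Microsoft\Internet Explorer\PhishingFilter"

# Value name of the form {26014332-876A-668A-546A-2A9930E39482}
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# <profile>\Application Data\<dir>\<file>.exe on XP, or
# <profile>\AppData\Roaming\<dir>\<file>.exe on Vista/7
APPDATA_EXE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def score_run_entry(name, data):
    """Return the list of reasons a Run value matches the Zeus v2 pattern."""
    reasons = []
    if GUID_NAME.match(name.strip()):
        reasons.append("value name is a bare GUID")
    path = data.strip().strip('"')          # drop surrounding quotes if present
    if APPDATA_EXE.search(path):
        reasons.append("target .exe sits two levels under the per-user Application Data")
    return reasons


def audit_run_entries(entries):
    """entries: iterable of (name, data). Returns [(severity, name, data, reasons)]."""
    findings = []
    for name, data in entries:
        reasons = score_run_entry(name, data)
        if reasons:
            severity = "high" if len(reasons) == 2 else "review"
            findings.append((severity, name, data, reasons))
    return findings


def phishing_filter_disabled(values):
    """values: {value name: data}. Zeus v2 sets Enable and EnableV8 to 0."""
    return [v for v in ("Enable", "EnableV8") if values.get(v) == 0]


def read_live_run_entries():
    """Enumerate the live Run key with winreg; returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    entries, index = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:                 # no more values
                break
            entries.append((name, str(data)))
            index += 1
    return entries


def read_live_phishing_filter():
    """Read Enable/EnableV8 from the live PhishingFilter key; {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, PHISHING_KEY) as key:
            for name in ("Enable", "EnableV8"):
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except OSError:
                    pass
    except OSError:                         # key absent: IE 6 or filter never configured
        pass
    return values


# Constructed sample data: the first entry uses the name and path quoted in the post,
# the rest are invented benign or partial matches.
SAMPLE_RUN = [
    ("{26014332-876A-668A-546A-2A9930E39482}",
     r"C:\Documents and Settings\support\Application Data\Kyniin\yqypy.exe"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("MSMSGS", r'"C:\Program Files\Messenger\msmsgs.exe" /background'),
    ("Updater", r"C:\Users\alice\AppData\Roaming\Qwerty\asdfg.exe"),
]
SAMPLE_PHISHING = {"Enable": 0, "EnableV8": 0}

if __name__ == "__main__":
    run = read_live_run_entries() or SAMPLE_RUN
    for severity, name, data, reasons in audit_run_entries(run):
        print(f"[{severity}] {name} = {data}\n    " + "; ".join(reasons))
    pf = read_live_phishing_filter() or SAMPLE_PHISHING
    for name in phishing_filter_disabled(pf):
        print(f"[review] PhishingFilter\\{name} is 0 (filter disabled)")
```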
<h1>How to remove Zeus v2</h1>
<p>Removal of the Zeus v2 Trojan is also much easier since no complex rootkit techniques are used.</p>
<p>Simply locate the file that is being run from the above registry entry and delete the registry entry and the file. After a restart, your computer is clean. <img src='http://www.trustdefender.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<hr size="1" /><p>[1] <a href="http://www.zdnet.com.au/microsoft-ie-use-falls-below-60-339302834.htm">http://www.zdnet.com.au/microsoft-ie-use-falls-below-60-339302834.htm</a></p>
<p>[2] It wasn’t straightforward to provide a screenshot as the configuration of the Zeus Trojan would only inject HTML into the browser <strong>after a successful</strong> login.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trustdefender.com/blog/2010/05/06/zeus-2-0-zeus-trojan-at-its-best-extending-its-reach-to-windows-vista-7-and-mozilla-firefox/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gozi &#8211; a perfect example of an &#8220;older&#8221; trojan re-inventing itself</title>
		<link>http://www.trustdefender.com/blog/2010/02/28/gozi-a-perfect-example-of-an-older-trojan-re-inventing-itself/</link>
		<comments>http://www.trustdefender.com/blog/2010/02/28/gozi-a-perfect-example-of-an-older-trojan-re-inventing-itself/#comments</comments>
		<pubDate>Sun, 28 Feb 2010 13:00:22 +0000</pubDate>
		<dc:creator>Andreas Baumhof</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[gozi]]></category>
		<category><![CDATA[ssl]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[trustdefender]]></category>

		<guid isPermaLink="false">http://www.trustdefender.com/blog/?p=238</guid>
		<description><![CDATA[Executive Summary
Gozi is a well known Trojan that has been around for a number of years now. However, we have recently encountered a new wave of Gozi variants and feel that this is a great opportunity to look at this sophisticated Trojan and how it has evolved over the last few years.
Gozi has always been [...]]]></description>
			<content:encoded><![CDATA[<h2>Executive Summary<a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/09/indepthreport-available.JPG"><img class="size-full wp-image-217 alignright" title="indepthreport-available" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/09/indepthreport-available.JPG" alt="" width="228" height="186" /></a></h2>
<p>Gozi is a well known Trojan that has been around for a number of years now. However, we have recently encountered a new wave of Gozi variants and feel that this is a great opportunity to look at this sophisticated Trojan and how it has evolved over the last few years.</p>
<p>Gozi has always been associated with a Russian heritage and was once part of the notorious Russian cyber crime operations. The last significant wave of Gozi Trojans was back in 2007/2008 and at that time Gozi’s feature list was more than impressive. According to <a href="http://www.secureworks.com/research/threats/gozi/">SecureWorks</a>, who did an in-depth analysis of the Trojan at that time, Gozi’s features included:</p>
<ul>
<li>Advanced Winsock2 functionality employed to steal SSL data</li>
<li>State-of-the-art, modularized Trojan code</li>
<li>Ability to spread through IE browser exploits</li>
<li>Customized server/database code to collect sensitive data</li>
<li>Customer interface for on-line purchases of stolen data</li>
<li>Accounts compromised by stealing data primarily from infected home PCs</li>
<li>Victims included accounts of top financial, retail, health care, and government services</li>
<li>Data&#8217;s black market value of at least US$2 million</li>
<li><strong>Ability to remain undetected for weeks or months by many AV vendors</strong></li>
</ul>
<p>As you can see, one of the most impressive features was the way Gozi was able to hide on a system and stay undetected for a long period of time, ultimately allowing it to carry out its nasty work undisturbed.</p>
<p>In this in-depth report, we will look at the new variant of Gozi, and how it has improved Gozi’s renowned stealth behaviour even further. We also look at how Gozi does its dirty work and present details of the inner workings of this malware. As always, the report will also contain instructions relating to the detection and removal of this nasty threat.</p>
<h2>Installation</h2>
<p>We analysed a number of Gozi samples and all of them were delivered as drive-by-infections, either via malicious PDF documents or via exploit kits (such as Justexploit).</p>
<h3>Malicious PDF document</h3>
<p>We witnessed a number of Gozi Trojans distributed via malicious PDF documents. We specifically looked at a PDF with MD5 b72163b1d5fbc0f2e88e984bf0ac601e, which exploits a buffer overflow in Adobe Acrobat Reader (CVE-2007-5659). The only goal of the malicious PDF is to download the “real” Gozi sample called update.exe with MD5 cd4d37ea17007cbdfa0d9cc96b5fc1dc.</p>
<p><strong>This sample has successfully evaded detection by all Antivirus Engines with a VirusTotal detection of 0% on Jan 25, 2010!</strong> This only attests to the sheer ability of Gozi to conceal itself.</p>
<ul>
<li>0% (0/40) detection on Jan 25, 2010 &#8211; <a href="http://www.virustotal.com/de/analisis/02e2428657cc20c9206b92474157e59e64d348b47d69dd320cb5e909e9150b99-1264446753">http://www.virustotal.com/de/analisis/02e2428657cc20c9206b92474157e59e64d348b47d69dd320cb5e909e9150b99-1264446753</a></li>
<li>65% (26/40) detection on Feb 3, 2010 &#8211; <a href="http://www.virustotal.com/analisis/02e2428657cc20c9206b92474157e59e64d348b47d69dd320cb5e909e9150b99-1265237343">http://www.virustotal.com/analisis/02e2428657cc20c9206b92474157e59e64d348b47d69dd320cb5e909e9150b99-1265237343</a></li>
</ul>
<p>This Trojan seems to achieve one of the worst detection rates we have encountered, which is quite extraordinary considering that Gozi itself has been around for such a long period of time. Even after 10 days the detection rate of Gozi was still only 65%, which is interesting as all participating Antivirus Engines receive the samples that they don’t detect.</p>
<h4>Justexploit kit</h4>
<p>The samples we analysed from drive-by-infection kits had a slightly better VirusTotal antivirus rating with 27% (11/41) detection on Jan 28, 2010 (<a href="http://www.virustotal.com/de/analisis/17fcef4a88cfc950a62d2c79e1670cc9b9d742cd4ea3310e0df337fef7451ed8-1264637346">http://www.virustotal.com/de/analisis/17fcef4a88cfc950a62d2c79e1670cc9b9d742cd4ea3310e0df337fef7451ed8-1264637346</a>)</p>
<p>Please note that Justexploit uses geographic distribution, a common feature of today’s exploit kits. This means the bad guys will only infect people they want to infect (targeted regions). In this particular case we could confirm that the installation process worked in Australia, the UK, Germany and the US.</p>
<h3>Execution</h3>
<p>After the sample is executed, Gozi installs itself in the system in a very sophisticated way that fools most traditional security solutions and additionally deletes the installer file from the hard drive.</p>
<p>The Gozi Trojan consists of a DLL that is injected into every single process. Gozi employs a little-known technique of registering the DLL within the AppCertDlls subkey of the HKLM\System\CurrentControlSet\Control\Session Manager key of the registry. By doing this, Gozi is notified and automatically loaded into every single process that is started on the computer from the Windows kernel (kernel32.dll).</p>
<p>This method is a very innovative approach, and by utilising such a little-known feature, many security solutions that check automatically started programs (e.g. through the Run registry key) will miss this infection.</p>
<p>The associated filenames seem to be semi-random and in our case we saw krnlbkup.dll and lnksinfo.dll. Both files reside in the system32 folder of the Windows directory (c:\windows\system32).</p>
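<p>An added example (not the post's code) that triages the AppCertDlls persistence described above from a saved <strong><em>reg query</em></strong> export, so it can run off the infected machine. The sample output is constructed around the two DLL names the post reports; the third entry and the profile path are invented.</p>

```python
# Added example, not from the TrustDefender post: list and normalise every
# AppCertDlls value from saved 'reg query' output. A clean system has no values
# here, so every entry deserves a look; the note says where the DLL resolves to.
import re
import sys

APPCERT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"
# One value line of 'reg query' output: four spaces separate name, type and data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*?)\s*$")


def resolve_dll(data, system_root=r"C:\WINDOWS"):
    """Normalise the DLL path the way the loader will see it: expand %SystemRoot%
    or %windir% and resolve a bare filename against system32."""
    path = data.strip().strip('"')
    for var in ("%SystemRoot%", "%windir%"):
        # lambda avoids backslash escapes in the replacement string being interpreted
        path = re.sub(re.escape(var), lambda _m: system_root, path, flags=re.IGNORECASE)
    if "\\" not in path:
        path = system_root + "\\system32\\" + path
    return path


def parse_reg_query(text):
    """Return [(value name, type, data)] from 'reg query <key>' output."""
    rows = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def audit_appcertdlls(text, system_root=r"C:\WINDOWS"):
    """Report every AppCertDlls value; Gozi drops its DLL into system32, so a
    system32 location is not reassuring on its own and needs publisher/hash checks."""
    findings = []
    sys32 = (system_root + "\\system32\\").lower()
    for name, reg_type, data in parse_reg_query(text):
        path = resolve_dll(data, system_root)
        note = ("DLL in system32, verify publisher/hash" if path.lower().startswith(sys32)
                else "DLL outside system32")
        findings.append({"name": name, "type": reg_type, "path": path, "note": note})
    return findings


# Constructed 'reg query' output: the first two names are the ones the post saw,
# the third entry is invented to show a DLL loaded from a user profile.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
    krnlbkup    REG_SZ    C:\WINDOWS\system32\krnlbkup.dll
    lnksinfo    REG_EXPAND_SZ    %SystemRoot%\system32\lnksinfo.dll
    helper    REG_SZ    C:\Documents and Settings\support\helper.dll
"""

if __name__ == "__main__":
    # Usage: reg query "<key>" > appcert.txt  then  python audit.py appcert.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REG_QUERY
    for f in audit_appcertdlls(text):
        print(f"{f['name']:<12} {f['type']:<14} {f['path']}\n    {f['note']}")
```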
<h3>File System Stealth</h3>
<p>See the in-depth report</p>
<h3>Registry changes</h3>
<p>See the in-depth report</p>
<h2>Process hooks</h2>
<p>See the in-depth report</p>
<h2>The C&amp;C communication</h2>
<p>See the in-depth report</p>
<h3>Gozi C&amp;C server</h3>
<p>See the in-depth report</p>
<h2>Gozi configuration file</h2>
<p>See the in-depth report</p>
<h2>Functionality of Gozi</h2>
<h3>Keylogging / Network sniffing</h3>
<p>One of the main functionalities of Gozi is to steal any data that is transmitted over the internet. Gozi does not employ keylogging techniques to do so, but rather looks at any POST requests that are sent to the internet from the computer and sends the interesting content to the Gozi C&amp;C server.</p>
<p>As Gozi is running as part of the Internet Explorer process, it has full control of the data BEFORE it is encrypted and therefore Gozi can get access even to the SSL encrypted data. Naturally this includes websites with EV-SSL certificates as well.</p>
<p>The following example shows the Gozi traffic for a login attempt with Bank of America. Firstly we see the use of EV-SSL in the browser, as depicted below:</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/02/bofa1.jpg"><img class="aligncenter size-medium wp-image-239" title="bofa1" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/02/bofa1-300x217.jpg" alt="" width="300" height="217" /></a></p>
<p>After the Online ID is entered by a user and the “Sign In” button is clicked, the following internet request can be seen being sent to the Gozi C&amp;C server:</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/02/bofa2.jpg"><img class="aligncenter size-medium wp-image-240" title="bofa2" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/02/bofa2-300x191.jpg" alt="" width="300" height="191" /></a></p>
<p>Please note that we used a fake online ID <em>123123123</em> and chose <em>NV</em> as the State, as captured by Gozi in the above snapshot.</p>
<p>The next step of Bank of America’s two-step login procedure will then allow Gozi to intercept the password, as can be seen in the following request capture:</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/02/bofa3.jpg"><img class="aligncenter size-medium wp-image-241" title="bofa3" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/02/bofa3-300x192.jpg" alt="" width="300" height="192" /></a></p>
<p>As you can see, we used <em>mypassword</em> as a password and this too was captured by Gozi.</p>
<h3>SOCKS Proxy</h3>
<p>Gozi has the ability to install a SOCKS proxy on the machine. On both of our installations this did not happen and no backdoor was installed (the HTTP C&amp;C parameter socks was equal to 0). If a SOCKS proxy is installed, the C&amp;C server is notified of the listening port of the SOCKS proxy via the socks HTTP parameter.</p>
<p>A SOCKS proxy enables an attacker to relay arbitrary internet traffic through a victim’s machine and therefore evade geographic or public IP based risk mitigation strategies.</p>
<h3>Real-time functionality / HTML injection</h3>
<p>Gozi has learned from the past and has adapted to some of the authentication improvements made by financial institutions. It not only has the ability to statically send keystrokes or POST credentials to the C&amp;C server; it can also alter the HTML of the current page.</p>
<p>Gozi accomplishes this using the configuration file, either statically injecting the HTML from the configuration file or dynamically downloading HTML chunks to accommodate whatever it needs to do. Gozi first identifies the financial institution by its URL and then makes a request to its C&amp;C server in real-time for additional instructions.</p>
<p>As the analysed Gozi sample has only Swiss banks in its configuration, let’s look at a login attempt to Credit Suisse.</p>
<p>When the user clicks on Login, the following internet traffic can be seen:</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/02/gozi1.jpg"><img class="aligncenter size-medium wp-image-242" title="gozi1" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/02/gozi1-300x184.jpg" alt="" width="300" height="184" /></a></p>
<p>The Gozi Trojan will make a request to the C&amp;C server with the following format:</p>
<ul>
<li>GET /1.pl?&lt;BANKID&gt;&amp;&lt;id&gt;, where
<ul>
<li>&lt;BANKID&gt; represents different targets based on the configuration file. Four different targets have been confirmed in this analysis, however this can easily change as part of the configuration file</li>
</ul>
</li>
<li>depending on the &lt;id&gt; parameter, different HTML chunks will be delivered.</li>
</ul>
<p>After the 1.pl request is completed, Gozi sends the login credentials “as normal” to the C&amp;C server:</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/02/gozi2.jpg"><img class="aligncenter size-medium wp-image-243" title="gozi2" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/02/gozi2-300x153.jpg" alt="" width="300" height="153" /></a></p>
<p>Upon first analysis, Gozi does this for all financial institutions that have some kind of challenge/response or use some additional authentication mechanism (such as banks using RSA tokens).</p>
<p>For all C&amp;C communications where the URL matched a financial institution from the configuration file, the response from the Gozi C&amp;C server was always “/home/system/data/base_cur/fastlogs/ok!”.</p>
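As an added example (not part of the original analysis, and not TrustDefender's code), the following Python flags requests of the 1.pl shape described above in a constructed proxy log, and also applies a session allowlist: once the browser is talking to the bank, any request to a host outside the bank's own domains is reported, because a real-time Trojan must reach its C&amp;C server during the transaction. The bank hostnames, the timestamps and the cc.example.invalid C&amp;C host are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of hosts that belong to the bank (placeholder names).
BANK_HOSTS = {"online.bank.example", "static.bank.example"}

# GET /1.pl?<BANKID>&<id>: path "1.pl" and a query of exactly two '&'-separated
# fields, as described in the report.  Matching on path and query only keeps
# the rule independent of whichever hostname the C&C server uses.
GOZI_CC_RE = re.compile(r"^/1\.pl\?[^&\s]+&[^&\s]+$")

# Constructed proxy log, one request per line: "<timestamp> <method> <url> <status>"
SAMPLE_LOG = """\
2010-02-28T10:00:01 GET http://news.example/ 200
2010-02-28T10:00:05 GET https://online.bank.example/login 200
2010-02-28T10:00:06 GET https://static.bank.example/logo.png 200
2010-02-28T10:00:09 GET http://cc.example.invalid/1.pl?3&2 200
2010-02-28T10:00:10 POST https://online.bank.example/login 302
2010-02-28T10:00:11 POST http://cc.example.invalid/post.php 200
"""


def parse_line(line):
    """Split one log line into (timestamp, method, host, path_and_query, status)."""
    ts, method, url, status = line.split()
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return ts, method, parts.hostname.lower(), path, int(status)


def audit(log_text, bank_hosts=BANK_HOSTS):
    """Return [(timestamp, host, path, reason)] for suspicious requests.

    gozi-1pl-request       : request shape Gozi uses to fetch injection instructions
    outside-bank-allowlist : request to a foreign host while a banking session is open
    """
    findings = []
    session_active = False
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, method, host, path, _status = parse_line(line)
        if host in bank_hosts:
            session_active = True  # first request to the bank opens the lockdown window
            continue
        if method == "GET" and GOZI_CC_RE.match(path):
            findings.append((ts, host, path, "gozi-1pl-request"))
        elif session_active:
            findings.append((ts, host, path, "outside-bank-allowlist"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Closing the session window again (for example on the bank's logout URL) is left out here; in practice the allowlist should apply only while the banking tab is active.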
<h3>It even includes compromised account details</h3>
<p>See in-depth report</p>
<h2>History and Improvements of Gozi over time</h2>
<p>Based on the previous research of SecureWorks on older samples of Gozi (<a href="http://www.secureworks.com/research/threats/gozi/">http://www.secureworks.com/research/threats/gozi/</a>), we can see great improvements of this threat over time.</p>
<p>In 2007 and 2008, all Gozi samples we found were executables that were running as a proper process on the system (such as x_ymvb.exe or xrt_ohcq.exe in the %UserProfile% directory). They were loaded for every Windows startup through inclusion into the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.</p>
<p>This had some obvious disadvantages, namely that the Gozi process was clearly visible to traditional security scanners. In addition, Gozi had to work very hard to get access to the internet traffic produced by the web browser, as summarised in the SecureWorks analysis below:</p>
<p><em>The code reveals that calls to functions in ws2_32.dll are used to establish itself as an LSP (layered service provider) using the Winsock2 SPI (Service Provider Interface). It &#8220;goes in between&#8221; Internet Explorer and the socket used to send the data. This is consistent with reading/enumeration of registry keys having to do with network interfaces, zones, and namespace providers. This is the mechanism used to bypass SSL/TLS and intercept the network data on the fly, before it is encrypted.</em></p>
<p>This new version of Gozi does not run as its own process, but rather as a DLL that is injected into the web browser process. Furthermore, it uses a little-known mechanism to make sure it gets injected into every process, as a means of increasing its effectiveness.</p>
<p>This also removes the need for an LSP altogether, as LSPs are known to be very unstable.</p>
<p>These improvements were clearly made to allow Gozi to stay hidden in a stealth-like mode on the system and to ensure Gozi is not easily detected by traditional security scanners.</p>
<h2>How to detect Gozi</h2>
<h3>Manually</h3>
<p>The best way to detect the presence of the Gozi Trojan is to look in the registry for the Gozi values. They are consistently present in the following locations:</p>
<ul>
<li>Gozi DLL
<ul>
<li>HKLM\System\CurrentControlSet\Control\SessionManager\AppCertDlls
<ul>
<li>(where you’ll find a reference to the Gozi DLL)</li>
</ul>
</li>
</ul>
</li>
<li>Gozi configuration
<ul>
<li>HKCU\Software\AppDataLow\{GUID}
<ul>
<li>(where {GUID} is a globally unique identifier)</li>
</ul>
</li>
</ul>
</li>
</ul>
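As an added example, not from the original post, the following Python scans a regedit export for those two locations; the export text, the GUID and the file path are constructed (lnksinfo.dll is the DLL name given in the removal section below). Any DLL listed under AppCertDlls is loaded into every process that calls CreateProcess, so an unexpected entry there deserves a look regardless of its name.

```python
import re

# Constructed regedit export: one benign Run value, one AppCertDlls value
# pointing at a DLL in the user profile, and one AppDataLow\{GUID} config key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Documents and Settings\\user\\Application Data\\lnksinfo.dll"

[HKEY_CURRENT_USER\Software\AppDataLow\{A1B2C3D4-0000-4000-8000-000000000001}]
"Data"=hex:01,02,03
"""

# A {GUID} at the end of a key path.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def normalise_key(key):
    """Lower-case and drop spaces so 'Session Manager' and 'SessionManager' compare equal."""
    return key.lower().replace(" ", "")


def parse_reg(text):
    """Return {key path: [(value_name, raw_value), ...]} for a .reg export.

    Keys without values are kept (with an empty list) so that a bare
    AppDataLow\{GUID} subkey is still seen.  Hex continuation lines start
    with whitespace and are ignored, which is fine for this check.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, raw = line.partition("=")
            keys[current].append((name.strip('"'), raw))
    return keys


def unquote_string(raw):
    """Turn an exported REG_SZ ("C:\\\\dir\\\\x.dll") into the plain path C:\\dir\\x.dll."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def find_gozi_indicators(reg_text):
    """Return [(indicator, key, detail)] for AppCertDlls entries and AppDataLow GUID keys."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        nkey = normalise_key(key)
        if nkey.endswith(r"\control\sessionmanager\appcertdlls"):
            # Every value here names a DLL loaded into each process that calls CreateProcess.
            for _name, raw in values:
                findings.append(("appcertdlls-dll", key, unquote_string(raw)))
        elif nkey.startswith("hkey_current_user\\software\\appdatalow\\") and GUID_RE.search(key):
            findings.append(("appdatalow-guid-config", key, key.rsplit("\\", 1)[1]))
    return findings


if __name__ == "__main__":
    for indicator, key, detail in find_gozi_indicators(SAMPLE_REG):
        print(f"{indicator:24s} {key}\n    -> {detail}")
```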
<h3>TrustDefender</h3>
<p>Of course, TrustDefender will detect Gozi straight out of the box as it will see the Gozi DLL being injected into the Web browser process.</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2010/02/gozi3.jpg"><img class="aligncenter size-medium wp-image-244" title="gozi3" src="http://www.trustdefender.com/blog/wp-content/uploads/2010/02/gozi3-300x225.jpg" alt="" width="300" height="225" /></a></p>
<h2>How to remove Gozi</h2>
<p>As Gozi consists of only one DLL, it can be removed from the system by removing all related registry entries presented in this report. However, since the Gozi DLL is well hidden, it is not entirely straightforward to delete the Gozi DLL itself.</p>
<p>First, identify the name of the Gozi DLL (e.g. lnksinfo.dll in our case) and then schedule the file for deletion at the next reboot, either with a utility such as MoveFile from Sysinternals (<a href="http://technet.microsoft.com/en-us/sysinternals/bb897556.aspx">http://technet.microsoft.com/en-us/sysinternals/bb897556.aspx</a>) or by directly adding the entry to the PendingFileRenameOperations registry value.</p>
<p>After a reboot the file will have disappeared (you can check with the tab auto-completion trick in a command prompt), and you can verify that the Gozi registry entries are all gone, making your system safe again.</p>
<h2>Further Information</h2>
<p>Further information can be obtained from the team at TrustDefender Labs by emailing us at <a href="mailto:labs@trustdefender.com">labs@trustdefender.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trustdefender.com/blog/2010/02/28/gozi-a-perfect-example-of-an-older-trojan-re-inventing-itself/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>URLZone &#8211; a disaster waiting to happen</title>
		<link>http://www.trustdefender.com/blog/2009/10/08/urlzone-a-desaster-waiting-to-happen/</link>
		<comments>http://www.trustdefender.com/blog/2009/10/08/urlzone-a-desaster-waiting-to-happen/#comments</comments>
		<pubDate>Thu, 08 Oct 2009 12:42:04 +0000</pubDate>
		<dc:creator>Andreas Baumhof</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[bebloh]]></category>
		<category><![CDATA[online banking]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[urlzone]]></category>

		<guid isPermaLink="false">http://www.trustdefender.com/blog/?p=227</guid>
		<description><![CDATA[Thanks to an effective PR strategy, most probably everybody has heard about URLZone by now. If not, you can find out more information regarding URLZone here or here.
We have been talking about it for some time and we already witnessed a few Trojans already using this technique. However, URLZone (or Bebloh) is now the first [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/09/indepthreport-available.JPG"><img class="alignright size-full wp-image-217" title="indepthreport-available" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/09/indepthreport-available.JPG" alt="indepthreport-available" width="228" height="186" /></a>Thanks to an effective PR strategy, most probably everybody has heard about URLZone by now. If not, you can find out more information regarding URLZone <a href="http://www.scmagazineus.com/URLZone-touted-as-most-sophisticated-banking-trojan-yet/article/151096/" target="_blank">here </a>or <a href="http://news.techworld.com/security/3203377/urlzone-trojan-rewrites-bank-statements/" target="_blank">here</a>.</p>
<p>We have been talking about it for some time and we have already witnessed a few Trojans using this technique. However, URLZone (or Bebloh) is now the first Trojan to come up with a professional setup to steal money from your account. Not only does it completely control your internet banking session, but it also automatically performs wire transfers to money mule accounts. If this isn’t bad enough, URLZone will then manipulate your online account statement to hide the fraudulent transaction (it can also remove the transaction or change the amount). The first time a victim would become aware of the fraudulent transaction(s) may be weeks or even months later &#8211; when they receive their paper statement in the mail! (that is, if they get a paper statement at all&#8230; Lots of banks are trying to get rid of it altogether!)</p>
<p>Although real-time and session-based Trojans have been around for quite a while, they weren’t used in such a sophisticated way. An example was Yaludle (a Silentbanker variant), which injected HTML into the website that was dynamically retrieved from the web in real-time!</p>
<p>At the moment, only German banks are part of the URLZone configuration, but the bad guys can change the configuration at any second. Attacks against German online banks have always been very sophisticated, simply because the German banks have employed one-time-password mechanisms (so called transaction numbers or TANs) for many years. Now the bad guys have found their way around these mechanisms using such sophisticated techniques.</p>
<p>First generation attacks employing such Trojans saw the bad guys inject HTML code into the online banking login page to gather TANs in classical phishing attempts.</p>
<p>Then we saw more sophisticated attacks using variants of the well-known Bzub Trojan, which had the ability to perform wire transfers and remove them from the account statement.</p>
<p>Now we have URLZone doing silent wire transfers in the background and changing the online account statement.</p>
<p>Only as a result of the big amounts that these Trojans are fraudulently stealing are we beginning to hear about URLZone in the news, such as the recent $447,000 USD heist at Ferma in California, USA. While the manager had issued legitimate payments, the program initiated a further 27 transactions to various bank accounts, siphoning off a total of $447,000 USD in a matter of minutes. &#8220;They not only got into my system here, they were able to ascertain how much they could draw, so they drew the limit,&#8221; says Roy Ferrari, Ferma&#8217;s President (<a href="http://www.technologyreview.com/computing/23488/?a=f">http://www.technologyreview.com/computing/23488/?a=f</a>).</p>
<p>Another high-profile case was the recent gigantic Zeus botnet, which also resulted in large amounts being stolen, such as the $415,000 USD heist at Bullitt County, Kentucky (<a href="http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html">http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html</a>).</p>
<p>And let’s not forget Signs Designs Inc who also recently lost close to $100,000 USD in similar attacks (<a href="http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html">http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html</a>).</p>
<p>In light of the above, I want to point out a few notes:</p>
<ul>
<li>Firstly &#8211; The problem has been around for a long time and it seems that people only do something about such threats when they are large enough to be mentioned in the press. That’s exactly what intelligent botnets such as Mebroot/Torpig are exploiting. By staying under the radar and not being too greedy they can do their dirty work and don’t have to worry about consequences. Their motto seems to be: just keep the security industry busy with non-threats like Conficker and they won’t hassle you.</li>
<li>Secondly &#8211; This type of attack cannot be solved with 2-factor authentication.</li>
<li>Thirdly &#8211; While there is much hype around URLZone at the moment around how amazing and disturbing it is that the bad guys can do such things, we will always have this problem if the bank’s security and the user’s security systems are not connected.</li>
<li>Fourthly &#8211; While the Trojan is very, very sophisticated and advanced on the delivery side, they have made it incredibly easy for the good guys to catch them. Don’t expect this to happen in the future with new variants. We are still at the beginning&#8230;</li>
</ul>
<p>One further thing to note is that since all real-time, session-based Trojans need to talk to a C&amp;C server during the banking transaction, just one of TrustDefender’s many layers of protection will fully protect you against such attacks. Our “Secure Lockdown” knows all internet requests that belong to the financial institution and blocks everything else while you are in a banking transaction. This will always protect you against all Trojans that work on this principle, not just the likes of URLZone.</p>
<p>In addition, our Forensics Engine will also pick up the URLZone Trojan itself and alert you to the infection, while also automatically disabling it for the duration of the transaction. This ensures you are always Safe and Secure while transacting online.</p>
<p>Due to popular demand, we have put together an in-depth TrustDefender Labs report about URLZone, which you can request by sending an email to <a href="mailto:labs@trustdefender.com">labs@trustdefender.com</a>. The in-depth report features the complete inner workings, together with an analysis of the configuration file and forensics information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trustdefender.com/blog/2009/10/08/urlzone-a-desaster-waiting-to-happen/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>A first look at Microsoft’s free Antivirus Engine Security Essentials (MSE)</title>
		<link>http://www.trustdefender.com/blog/2009/10/01/a-first-look-at-microsoft%e2%80%99s-free-antivirus-engine-security-essentials-mse/</link>
		<comments>http://www.trustdefender.com/blog/2009/10/01/a-first-look-at-microsoft%e2%80%99s-free-antivirus-engine-security-essentials-mse/#comments</comments>
		<pubDate>Thu, 01 Oct 2009 02:52:48 +0000</pubDate>
		<dc:creator>Andreas Baumhof</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[blacklist]]></category>
		<category><![CDATA[heuristics]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[security essentials]]></category>

		<guid isPermaLink="false">http://www.trustdefender.com/blog/?p=222</guid>
		<description><![CDATA[With much press attention, Microsoft released its free Antivirus Engine called Microsoft Security Essentials. We had a quick look at it and while Microsoft has done a pretty good job altogether (quick, nice user interface, fairly decent signature database), it is what it is: an Antivirus Engine that is based on blacklists / heuristics.
However this [...]]]></description>
			<content:encoded><![CDATA[<p>With much press attention, Microsoft released its free Antivirus Engine called Microsoft Security Essentials. We had a quick look at it and while Microsoft has done a pretty good job altogether (quick, nice user interface, fairly decent signature database), it is what it is: an Antivirus Engine that is based on blacklists / heuristics.</p>
<p>However this means MSE won’t protect you against the sophisticated Trojans that we hear about in the press almost daily. We have successfully infected a machine with enabled and up-to-date MSE with a new mutation of the Zeus Trojan that is active in the wild (for the interested reader, <a href="http://www.trustdefender.com/movies/mse-zeus-oct-2009/index.html" target="_blank">here is a screen capture movie</a> that also shows how TrustDefender protects you from Zeus).</p>
<p>So in our opinion MSE will not make any impact on the malware landscape at all, however it will most certainly take market share from the other Antivirus Vendors and put the pressure on them from a pricing point of view.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trustdefender.com/blog/2009/10/01/a-first-look-at-microsoft%e2%80%99s-free-antivirus-engine-security-essentials-mse/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Silentbanker reloaded</title>
		<link>http://www.trustdefender.com/blog/2009/09/29/silentbanker-reloaded/</link>
		<comments>http://www.trustdefender.com/blog/2009/09/29/silentbanker-reloaded/#comments</comments>
		<pubDate>Tue, 29 Sep 2009 02:49:25 +0000</pubDate>
		<dc:creator>Andreas Baumhof</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[bho]]></category>
		<category><![CDATA[online banking]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[silentbanker]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[webinjection]]></category>

		<guid isPermaLink="false">http://www.trustdefender.com/blog/?p=211</guid>
		<description><![CDATA[It’s been a while since we last looked at and analysed a Silentbanker Trojan in October 2008 and we have written about it on our blog at http://www.trustdefender.com/blog for some time.
The last couple of weeks/months have been quiet for Silentbanker, but now Silentbanker is back in action, very alive and kicking. We now have another [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/09/indepthreport-available.JPG"><img class="alignright size-full wp-image-217" title="indepthreport-available" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/09/indepthreport-available.JPG" alt="indepthreport-available" width="228" height="186" /></a>It’s been a while since we last looked at and analysed a Silentbanker Trojan in October 2008 and we have written about it on our blog at <a href="http://www.trustdefender.com/blog">http://www.trustdefender.com/blog</a> for some time.</p>
<p>The last couple of weeks/months have been quiet for Silentbanker, but now Silentbanker is back in action, very alive and kicking. We now have another detailed look at these new variants, how they now operate and how they have continued to evolve from last year.</p>
<p>The interesting fact is that it hasn’t evolved that much and they haven’t included too many new features. This is partly because the Silentbanker Trojan already has an impressive list of features, including HTTP(S) form sniffing, network tracing, session hijacking and HTML web injection capabilities.</p>
<p>The Silentbanker Trojan only affects Internet Explorer and no other browsers, as it is implemented as a Browser-Helper-Object (BHO).</p>
<p>However, compared to the new top dogs who have stepped up the pace and gained extensive publicity, such as Zeus, Mebroot/Torpig or Clampi, the Silentbanker Trojan nowadays seems to be a Trojan of fairly average sophistication, as it only employs basic rootkit techniques, uses no encryption for the upload of the stolen data and has a fairly basic C&amp;C infrastructure. This – however – doesn’t mean that Silentbanker is not up to the task. It just shows how much innovation the bad guys have put into the other Trojans.</p>
<p>But as the Silentbanker Trojan is completely silent and won’t slow down the computer at all, most users will not notice any suspicious behaviour, and we assume that it was very effective, especially in its first couple of weeks of operation.</p>
<p>In conclusion, it becomes pretty obvious that the Silentbanker Trojan has fallen behind the likes of Mebroot/Torpig, Clampi or Zeus in terms of sophistication. While this may be perceived as good news, the bad news is that the employed techniques still work and, on top of that, the creators will for sure enhance the Silentbanker Trojan in the future. Watch this space&#8230;</p>
<h2>Installation</h2>
<p>We analysed the Silentbanker dropper with MD5 e1e2b3389dd2e020ae2783b8c6c80a08, which had a Virustotal detection of 12/41, 29.27% (<a href="http://www.virustotal.com/analisis/112946f35cf76ed853b44aeaf837cc5c9ad15722e46637e3af1f82b4b122f41b-1252598004">http://www.virustotal.com/analisis/112946f35cf76ed853b44aeaf837cc5c9ad15722e46637e3af1f82b4b122f41b-1252598004</a>).</p>
<p>The inner workings haven’t changed too much from the Silentbanker Trojans we analysed around the same time last year in October 2008.<br />
The dropper installs a Browser-Helper-Object (BHO) and registers its payload DLL with Internet Explorer. The payload was in our case mscorewr.dll (in the c:\windows\system32\ folder) with a Virustotal detection of 9/41, 21.95% (<a href="http://www.virustotal.com/analisis/7b062ddb9dbc50cea53b98df892d4ceac003ece8551976085bd7ff57d5a5c664-1252582306">http://www.virustotal.com/analisis/7b062ddb9dbc50cea53b98df892d4ceac003ece8551976085bd7ff57d5a5c664-1252582306</a>).</p>
<p>The Silentbanker Trojan comes with a hard-coded C&amp;C server, which in our case was businessrest.cn (190.183.60.82).</p>
<h2>Usermode hooks</h2>
<p>Once the Silentbanker Trojan is active in memory (basically when Internet Explorer starts), it sets up export hooks so that it gets access to all transmitted internet traffic and to much more information.<br />
All sophisticated Trojans hook core Windows functions to compromise the system. Our Silentbanker Trojan hooked (or redirected), among others, the following core Windows functions (full details are available in the in-depth report):</p>
<ul>
<li>HttpOpenRequestA/W</li>
<li>HttpSendRequestA/W</li>
<li>InternetConnectW</li>
<li>InternetReadFile</li>
<li>InternetReadFileExA/W</li>
<li>InternetWriteFile</li>
<li>CommitUrlCacheEntryA/W</li>
</ul>
<p>As you can see, it basically hooks all internet related functions to get access to the internet traffic (even though it might be encrypted with SSL or EV-SSL!).</p>
<p>These usermode hooks enable the Trojan to do its dirty work.</p>
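As an added example, not from the original post, the following Python classifies the state of those wininet.dll exports from a snapshot of the browser process: whether the in-process export table has been redirected away from wininet.dll, whether the function now starts with a JMP that leaves wininet.dll, or whether its first bytes merely differ from the file on disk. The snapshot, the module addresses and the BHO base address are constructed placeholders; a real scanner would read them from the live process and from wininet.dll.

```python
import struct
from dataclasses import dataclass

WININET_BASE = 0x771B0000   # constructed load address of wininet.dll
WININET_SIZE = 0x000B0000   # constructed image size of wininet.dll
BHO_BASE = 0x10000000       # constructed load address of the malicious BHO DLL

# Exports named in the report as hooked or redirected by Silentbanker.
WATCHED_EXPORTS = [
    "HttpOpenRequestA", "HttpOpenRequestW", "HttpSendRequestA", "HttpSendRequestW",
    "InternetConnectW", "InternetReadFile", "InternetReadFileExA", "InternetReadFileExW",
    "InternetWriteFile", "CommitUrlCacheEntryA", "CommitUrlCacheEntryW",
]

# Typical hot-patchable x86 prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


@dataclass
class ExportSnapshot:
    name: str
    disk_rva: int         # RVA of the function in the on-disk export table
    mem_address: int      # address the in-process export table resolves to
    mem_prologue: bytes   # first 5 bytes at mem_address in the live process
    disk_prologue: bytes  # first 5 bytes of the same function in the file on disk


def make_jmp(from_addr, to_addr):
    """Encode an x86 'JMP rel32' (opcode E9); used only to build the constructed sample."""
    return struct.pack("<Bi", 0xE9, to_addr - (from_addr + 5))


def decode_jmp_target(at_addr, code):
    """Absolute target of an E9 JMP rel32 located at at_addr, or None if not a JMP."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", code[1:5])[0]
    return (at_addr + 5 + rel) & 0xFFFFFFFF


def in_wininet(addr):
    return WININET_BASE <= addr < WININET_BASE + WININET_SIZE


def scan(snapshots, watched=WATCHED_EXPORTS):
    """Return [(export, verdict, address)] for watched exports that are not clean.

    eat-redirect     : the live export table no longer points into wininet.dll
    inline-jmp       : the function starts with a JMP that leaves wininet.dll
    prologue-patched : the first bytes differ from disk in some other way
    A JMP that stays inside wininet.dll (e.g. a vendor hot-patch) is not reported.
    """
    findings = []
    for s in snapshots:
        if s.name not in watched:
            continue
        if s.mem_address != WININET_BASE + s.disk_rva:
            findings.append((s.name, "eat-redirect", s.mem_address))
            continue
        target = decode_jmp_target(s.mem_address, s.mem_prologue)
        if target is not None and not in_wininet(target):
            findings.append((s.name, "inline-jmp", target))
        elif s.mem_prologue != s.disk_prologue:
            findings.append((s.name, "prologue-patched", s.mem_address))
    return findings


def constructed_snapshot():
    """Constructed process state: one inline hook, one EAT redirect, one clean export."""
    send_a = WININET_BASE + 0x11230
    read_f = WININET_BASE + 0x13400
    return [
        ExportSnapshot("HttpSendRequestA", 0x11230, send_a,
                       make_jmp(send_a, BHO_BASE + 0x1000), CLEAN_PROLOGUE),
        ExportSnapshot("InternetReadFile", 0x13400, read_f, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
        ExportSnapshot("HttpOpenRequestW", 0x12000, BHO_BASE + 0x2000,
                       CLEAN_PROLOGUE, CLEAN_PROLOGUE),
    ]


if __name__ == "__main__":
    for name, verdict, addr in scan(constructed_snapshot()):
        print(f"{name:22s} {verdict:17s} 0x{addr:08X}")
```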
<h2>HTML Web injection</h2>
<p>The Silentbanker Trojan also has the capability to inject arbitrary HTML code into a website, and it makes use of this mainly to get additional information from the user. The disturbing fact is that this is also possible with HTTPS together with EV-SSL certificates. This way, the website looks legitimate from all angles: the URL is correct, the SSL certificate is fine and the green bar is shown. The reason is that the website actually comes from the legitimate site; however the Silentbanker Trojan locally injects its malicious HTML code into the page. The injected code differs for each financial institution and is part of the configuration file.</p>
<p>A few examples are:</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/09/winject1.JPG"><img class="aligncenter size-medium wp-image-213" title="winject1" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/09/winject1-300x219.jpg" alt="winject1" width="300" height="219" /></a></p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/09/winject2.JPG"><img class="aligncenter size-medium wp-image-214" title="winject2" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/09/winject2-300x190.jpg" alt="winject2" width="300" height="190" /></a></p>
<h2>How to detect the Silentbanker Trojan</h2>
<p>As the Silentbanker Trojan is a Browser-Helper-Object (BHO), you’ll see it appearing in the “Manage Add-ons” option of the Internet Explorer (From the Menu, choose “Tools” and then “Manage Add-ons”).<br />
In our case the Trojan was called “mscorewr” and pretended to be a “Macrovision” component.</p>
<h2>How TrustDefender protects you</h2>
<p>As you would expect, TrustDefender protects you against Silentbanker from the very first second. TrustDefender employs a defence-in-depth strategy, and we are happy to say that every single component alone will protect you against Silentbanker.</p>
<ul>
<li><strong>Malicious BHO</strong><br />
TrustDefender will automatically protect you from malicious Browser-Helper-Objects and makes sure that those components cannot penetrate the current session.</li>
<li><strong>Usermode Hooks</strong><br />
As described before, this is how Silentbanker gets access to all its information. TrustDefender’s Forensics Analysis will pick up these hooks and disable them for the current session.</li>
<li><strong>Secure Lockdown</strong><br />
As Silentbanker works in realtime and will send the stolen credentials to its C&amp;C server at the time of login, TrustDefender will automatically block this request as the Secure Lockdown will only allow internet requests that are associated with the current webservice (e.g. online bank).</li>
</ul>
<h2>Further Information</h2>
<p>Further information can be obtained from the team at TrustDefender Labs. Just email us at <a href="mailto:labs@trustdefender.com">labs@trustdefender.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trustdefender.com/blog/2009/09/29/silentbanker-reloaded/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why is Clampi / Ilomo so effective? An analysis with detection/removal info</title>
		<link>http://www.trustdefender.com/blog/2009/08/19/why-is-clampi-ilomo-so-effective-an-analysis-with-detectionremoval-info/</link>
		<comments>http://www.trustdefender.com/blog/2009/08/19/why-is-clampi-ilomo-so-effective-an-analysis-with-detectionremoval-info/#comments</comments>
		<pubDate>Wed, 19 Aug 2009 09:58:15 +0000</pubDate>
		<dc:creator>Andreas Baumhof</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Clampi]]></category>

		<guid isPermaLink="false">http://www.trustdefender.com/blog/?p=193</guid>
		<description><![CDATA[Introduction
This is an in-depth analysis of a Trojan called Clampi or otherwise known as Ilomo or Clomp. Clampi got quite a bit of press coverage lately. As always, most press reports are not really technically correct and we look at Clampi here from a technical point of view.
The Clampi malware is one of the hardest [...]]]></description>
			<content:encoded><![CDATA[<h2>Introduction</h2>
<p>This is an in-depth analysis of a Trojan called Clampi or otherwise known as Ilomo or Clomp. Clampi got quite a bit of press coverage lately. As always, most press reports are not really technically correct and we look at Clampi here from a technical point of view.</p>
<p>The Clampi malware is one of the hardest pieces of malware to analyse. Even among highly sophisticated, well-known Trojans such as Mebroot, Silentbanker, Zeus, &#8230; Clampi is by far the hardest to analyse. Reasons for this are the multiple layers of VMProtect protection, the extensive use of encryption and unique design approaches such as the subversion of the registry to store the malicious files. No payload is ever written to the hard drive as a file: Clampi downloads the encrypted modules and stores them, still encrypted, in the registry.</p>
<p>The way Clampi is set up, it is a very robust Trojan, both in terms of resilience and resistance. It can talk to numerous C&amp;C servers and any payload can be deployed, so Clampi can be used for pretty much any malicious purpose.</p>
<p>Even though Clampi is incredibly sophisticated, there is still room for improvement and we believe there will soon be new variants of Clampi available that are much, much harder to detect as they “fix” the existing limitations.</p>
<p>However, Clampi is not a new Trojan. It has been known since 2007, and the security industry didn&#8217;t really grasp the full scale of its badness because nobody really knew exactly what it was doing, for the reasons mentioned above. We hope we can shed a bit of light on the operation of Clampi and help strengthen the &#8220;good&#8221; side.</p>
<p>Please note that this public blog doesn&#8217;t contain all the technical information and we have an in-depth report of Clampi available for interested parties. Just send an email to <a href="mailto:labs@trustdefender.com">labs@trustdefender.com</a>.</p>
<h2>Payload</h2>
<p>After the installer executes, there will be a newly created file in %UserProfile%\Application Data\, which is one of the following:</p>
<ul>
<li>svchosts.exe, taskmon.exe, rundll.exe, service.exe, sound.exe, upnpsvc.exe, lsas.exe, logon.exe, helper.exe, event.exe, dumpreport.exe, msiexeca.exe</li>
</ul>
<p>The filenames look genuine and are pretty much all names of legitimate Windows components; however these files are now instrumental for the Clampi infection. Note that only the filename changes; the content and the MD5 of the file are always the same (61316320065e85ff4a6a594d7fedf141 in our case). Antivirus detection was fairly average as well, with 18/41 AV engines detecting it (<a href="http://www.virustotal.com/analisis/21bd2536687790c8318ac5936d4cad37decf0fee808e4f4ca8c619485cbf8a16-1249326956">http://www.virustotal.com/analisis/21bd2536687790c8318ac5936d4cad37decf0fee808e4f4ca8c619485cbf8a16-1249326956</a>). As with the installer, some big names didn’t detect it (such as AVG, F-Secure, and Kaspersky).</p>
<p>The payload is added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run so that it runs with every start. Note, however, that it will only start for the current user: Clampi will not add this registry entry to HKLM!</p>
<h3>Automated analysis of the payload</h3>
<p>Security researchers rely more and more on automated analysis of malware samples; however this automated analysis is still pretty limited, as it doesn’t show anything in this particular case. Virustotal didn’t say anything and Anubis only noted that sound.exe started Internet Explorer. While this is not suspicious at all, it already hints at one evasion technique of Clampi which we will analyse in more detail later.</p>
<ul>
<li><a href="http://www.threatexpert.com/report.aspx?md5=61316320065e85ff4a6a594d7fedf141">http://www.threatexpert.com/report.aspx?md5=61316320065e85ff4a6a594d7fedf141</a></li>
<li><a href="http://anubis.iseclab.org/?action=result&amp;task_id=1e8b7c393794d8b74e9e0e1a02655f8f6&amp;format=html">http://anubis.iseclab.org/?action=result&amp;task_id=1e8b7c393794d8b74e9e0e1a02655f8f6&amp;format=html</a></li>
</ul>
<h2>Execution</h2>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/08/procexp_iexplore0.png"><img class="alignleft size-medium wp-image-196" title="procexp_iexplore0" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/08/procexp_iexplore0-300x200.png" alt="procexp_iexplore0" width="300" height="200" /></a>First of all, Clampi uses a number of evasion techniques that are quite extraordinary and special. Clampi breaks its functionality up into various parts and is using sophisticated techniques to perform its job and to stay undetected.</p>
<p>When the payload starts, it will automatically start an instance of the Internet Explorer as well. While this doesn’t seem too suspicious, a closer look reveals a number of very interesting facts:</p>
<ul>
<li>First of all, the iexplore.exe with PID 216 runs in suspended mode, which means that it is not accessible at all.</li>
<li>Secondly, the iexplore.exe with PID 216 is the “real” and genuine iexplore.exe process, but it has some weird program arguments</li>
</ul>
<p align="center"><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/08/iexplorer_arguments.png"><img class="alignnone size-medium wp-image-197" title="iexplorer_arguments" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/08/iexplorer_arguments-254x300.png" alt="iexplorer_arguments" width="254" height="300" /></a></p>
<p>This Internet Explorer process is responsible for all outgoing internet communication to the Clampi C&amp;C server. This was clearly also done to evade Personal Firewalls as they would see an internet request from the legitimate Internet Explorer which is obviously allowed.</p>
<p align="center"><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/08/new-tcpview.png"><img class="alignnone size-medium wp-image-198" title="new-tcpview" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/08/new-tcpview-300x98.png" alt="new-tcpview" width="300" height="98" /></a></p>
<p>This also shows a limitation of the Clampi C&amp;C server. Once you stop or kill the Internet Explorer Process, Clampi cannot talk to its C&amp;C anymore and is basically defeated.</p>
<h2>Download of 4 (or more) modules</h2>
<p>After the original handshake, Clampi then initiates internet requests to the newly obtained C&amp;C servers and will download an additional 4-6 payloads (depending on the C&amp;C configuration). However, Clampi will never write these payloads to the harddrive! It writes them in encrypted form into the Registry at:</p>
<ul>
<li>HKCU\Software\Microsoft\Internet Explorer\Settings\M00</li>
<li>HKCU\Software\Microsoft\Internet Explorer\Settings\M01</li>
<li>&#8230;</li>
</ul>
<p>These payloads are the “real” nasty stuff and the bad news is that they are all encrypted over the wire and also in the registry. However in memory they have to be decrypted, so the encryption is not really the problem&#8230; They are all packed with VMProtect which makes analysis almost impossible! (see next chapter)</p>
<p>There is actually another module, which gets encrypted only in memory. Now these modules are all VMProtect protected – except M04 which is an exact copy of psexec.exe from sysinternals. We will later come to this in a bit more detail.</p>
<h2>Registry layout</h2>
<p>As mentioned before, after the initial infection, Clampi will never write anything to the disk anymore. This was clearly done to evade detection by Antivirus engines that hook harddrive access. Clampi will write all its malicious files directly into the registry in an encrypted format.</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/08/new_regedit.png"><img class="alignnone size-medium wp-image-199" title="new_regedit" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/08/new_regedit-300x195.png" alt="new_regedit" width="300" height="195" /></a></p>
<p>More details are available in the in-depth report.</p>
<h2>Usermode Hooks</h2>
<p>In the same way other sophisticated malware is “hooking” key Windows functions and redirecting them to its own memory region, Clampi will hook</p>
<ul>
<li>HttpSendRequestA</li>
<li>HttpSendRequestW</li>
<li>InternetQueryDataAvailable</li>
<li>InternetReadFile</li>
<li>InternetReadFileExA</li>
</ul>
<p> <a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/08/new_cmcrootkit2.png"><img class="alignnone size-medium wp-image-203" title="new_cmcrootkit" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/08/new_cmcrootkit2-300x45.png" alt="new_cmcrootkit" width="300" height="45" /></a></p>
<p>With these hooks, Clampi has access to all internet communication even if it is SSL encrypted. However these hooks are only installed for the Internet Explorer and NOT for Chrome or Firefox.</p>
<h2>Location and availability of C&amp;C Servers</h2>
<p>available in the in-depth report.</p>
<h2>How TrustDefender will protect its customers</h2>
<p>TrustDefender will automatically protect all its customers against Clampi in several ways.</p>
<p>Firstly, for our enterprise customers, communication to the C&amp;C servers is cut-off automatically due to our Secure Lockdown feature as part of the client policies.</p>
<p>Secondly, TrustDefender will identify the unknown process that starts the Internet Explorer and will prevent it from doing any harm.</p>
<p>Thirdly, TrustDefender will pick up the Windows hooks and automatically resolve them so that the Internet session is encapsulated from Clampi.</p>
<p>And fourthly, the Kernel Forensics Engine makes sure that the transaction is safe.</p>
<p>The following screenshot shows the detection of Clampi. Please note that in the OEM edition, this screen won&#8217;t appear and the information is handled by the Enterprise Server.</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/08/new_trustdefender_kfe.png"><img class="alignnone size-medium wp-image-204" title="new_trustdefender_kfe" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/08/new_trustdefender_kfe-300x224.png" alt="new_trustdefender_kfe" width="300" height="224" /></a></p>
<h2>How to detect that a system is compromised</h2>
<p>The detection is pretty easy if you have access to the machine. Simply check for the existence of the Clampi registry keys described in the Registry chapter above. Check for the existence of HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GatesList and if you find it, you are infected.</p>
<p>Furthermore, check for a process with one of the following names (svchosts.exe, taskmon.exe, rundll.exe, service.exe, sound.exe, upnpsvc.exe, lsas.exe, logon.exe, helper.exe, event.exe, dumpreport.exe, msiexeca.exe) and check whether they have launched the Internet Explorer with procexp from sysinternals.</p>
<p>HOWEVER, don&#8217;t log in to infected workstations using domain administrator credentials as this is how it spreads (using psexec).</p>
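The checks above (GatesList and the other Settings values, a known payload name that launched iexplore.exe, the HKCU Run entry) and the removal steps below, as an added PowerShell example that is not TrustDefender's code. It assumes PowerShell 3 or later, is run from the account of the affected user (everything Clampi writes lives under HKCU), and uses function and parameter names of my own.

```powershell
<#
  Added example (not TrustDefender's code): Test-ClampiIndicators collects the
  Clampi indicators this post describes; Remove-ClampiArtifacts performs the
  removal steps the post lists, after backing up the registry key.
#>
function Test-ClampiIndicators {
    [CmdletBinding()]
    param(
        # Filenames the post lists for the payload executable
        [string[]]$PayloadNames = @('svchosts.exe','taskmon.exe','rundll.exe','service.exe',
            'sound.exe','upnpsvc.exe','lsas.exe','logon.exe','helper.exe','event.exe',
            'dumpreport.exe','msiexeca.exe')
    )
    $findings = @()
    $settings = 'HKCU:\Software\Microsoft\Internet Explorer\Settings'

    # 1. Registry values written by Clampi; GatesList alone is decisive
    if (Test-Path -Path $settings) {
        $names = (Get-ItemProperty -Path $settings).PSObject.Properties.Name
        foreach ($n in $names) {
            if ($n -in @('GatesList','GID','PID','KeyM','KeyE') -or $n -match '^M\d\d$') {
                $findings += [pscustomobject]@{ Type='Registry'; Key=$settings; Name=$n;
                                                Detail="$settings\$n" }
            }
        }
    }

    # 2. A process with one of the known names that launched iexplore.exe
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($ie in ($procs | Where-Object { $_.Name -ieq 'iexplore.exe' })) {
        $parent = $byPid[[int]$ie.ParentProcessId]
        if ($parent -and ($PayloadNames -icontains $parent.Name)) {
            $findings += [pscustomobject]@{ Type='Process'; ProcessId=[int]$parent.ProcessId;
                Path=$parent.ExecutablePath;
                Detail="$($parent.Name) (PID $($parent.ProcessId)) launched iexplore.exe (PID $($ie.ProcessId))" }
        }
    }

    # 3. Run entry under HKCU pointing at one of those names in %UserProfile%\Application Data
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $appData = [Environment]::GetFolderPath('ApplicationData')
    foreach ($prop in (Get-ItemProperty -Path $run).PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value.Trim('"') -like "$appData\*") {
            $leaf = Split-Path -Leaf $prop.Value.Trim('"')
            if ($PayloadNames -icontains $leaf) {
                $findings += [pscustomobject]@{ Type='RunKey'; Key=$run; Name=$prop.Name;
                                                Detail="$run\$($prop.Name) -> $($prop.Value)" }
            }
        }
    }
    return $findings
}

function Remove-ClampiArtifacts {
    param(
        [Parameter(Mandatory)][object[]]$Findings,
        [string]$BackupPath = (Join-Path $env:TEMP 'ie-settings-backup.reg')
    )
    # Back up the key before deleting anything, as the post advises
    & reg.exe export 'HKCU\Software\Microsoft\Internet Explorer\Settings' $BackupPath /y | Out-Null
    # Processes first: killing the launcher is what cuts the C&C channel
    foreach ($f in ($Findings | Where-Object { $_.Type -eq 'Process' })) {
        Stop-Process -Id $f.ProcessId -Force
        if ($f.Path -and (Test-Path -LiteralPath $f.Path)) { Remove-Item -LiteralPath $f.Path -Force }
    }
    foreach ($f in ($Findings | Where-Object { $_.Type -in 'Registry','RunKey' })) {
        Remove-ItemProperty -Path $f.Key -Name $f.Name
    }
    Write-Host "Done; registry backup written to $BackupPath. Restart the computer."
}

$found = Test-ClampiIndicators
$found | Format-Table Type, Detail -AutoSize
# After reviewing the findings, clean up with:
# if ($found) { Remove-ClampiArtifacts -Findings $found }
```

Run it locally on the workstation rather than over a domain-admin remote session, for the reason given in the previous paragraph.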
<h2>How to remove Clampi</h2>
<p>Clampi can be fairly easily removed from the system without too much problem. However unlike Mebroot/Torpig, it will not store the stolen credentials on the local machine, so it’s not possible to detect exactly what has been stolen.</p>
<p>To remove Clampi, do the following:</p>
<ul>
<li>Kill the sound.exe process (or whatever the filename is) that launches the Internet Explorer. This alone will already kill the C&amp;C communication.</li>
<li>Remove the file on your harddrive (usually in %UserProfile%\Application Data\).</li>
<li>Start the registry editor (regedit) and delete the following keys (make sure you do a backup of the registry before doing it):
<ul>
<li>HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GID</li>
<li>HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\PID</li>
<li>HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GatesList</li>
<li>HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\KeyM</li>
<li>HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\KeyE</li>
<li>HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\M00</li>
<li>&#8230;</li>
<li>HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\M&lt;XX&gt;</li>
</ul>
<p>and</p>
<ul>
<li>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\&lt;NAME&gt; (in our case Sound – just look for the one whose value points to the executable in %UserProfile%\Application Data\)</li>
</ul>
</li>
</ul>
<p>Restart the computer and Clampi should be removed.</p>
<h2>Further Information</h2>
<p>Further information can be obtained from TrustDefender at <a href="mailto:labs@trustdefender.com">labs@trustdefender.com</a> as well as the in-depth report of Clampi.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trustdefender.com/blog/2009/08/19/why-is-clampi-ilomo-so-effective-an-analysis-with-detectionremoval-info/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>In-depth analysis of Mebroot/Torpig trojan available</title>
		<link>http://www.trustdefender.com/blog/2009/07/14/in-depth-analysis-of-mebroottorpig-trojan-available/</link>
		<comments>http://www.trustdefender.com/blog/2009/07/14/in-depth-analysis-of-mebroottorpig-trojan-available/#comments</comments>
		<pubDate>Mon, 13 Jul 2009 15:50:41 +0000</pubDate>
		<dc:creator>Andreas Baumhof</dc:creator>
				<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.trustdefender.com/blog/?p=190</guid>
		<description><![CDATA[As we received a number of requests for an in-depth analysis of the new Mebroot variant mentioned in the previous article, we have this report finally available.
If you are interested, please drop us an email to labs@trustdefender.com.
]]></description>
			<content:encoded><![CDATA[<p>As we received a number of requests for an in-depth analysis of the new Mebroot variant mentioned in the previous article, we have this report finally available.</p>
<p>If you are interested, please drop us an email to <a href="mailto:labs@trustdefender.com">labs@trustdefender.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trustdefender.com/blog/2009/07/14/in-depth-analysis-of-mebroottorpig-trojan-available/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The nastiest ebanking trojan mebroot just got nastier</title>
		<link>http://www.trustdefender.com/blog/2009/07/09/the-nastiest-ebanking-trojan-mebroot-just-got-nastier/</link>
		<comments>http://www.trustdefender.com/blog/2009/07/09/the-nastiest-ebanking-trojan-mebroot-just-got-nastier/#comments</comments>
		<pubDate>Wed, 08 Jul 2009 21:38:03 +0000</pubDate>
		<dc:creator>Andreas Baumhof</dc:creator>
				<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.trustdefender.com/blog/?p=176</guid>
		<description><![CDATA[As if the “old” mebroot trojan isn’t bad enough, the bad guys have released a new version of the highly successful e-banking trojan. And the bad news is that they changed a lot! Someone must have been busy over the last couple of months.
Basically the new version of Mebroot performs the same tasks and does [...]]]></description>
			<content:encoded><![CDATA[<p>As if the “old” mebroot trojan isn’t bad enough, the bad guys have released a new version of the highly successful e-banking trojan. And the bad news is that they changed a lot! Someone must have been busy over the last couple of months.</p>
<p>Basically the new version of Mebroot performs the same tasks and does the same badness as the previous versions that we have covered quite substantially on this blog before (see e.g. here and here).</p>
<p>However the big difference is that it is hiding in the system much, much better than before to make sure</p>
<ol>
<li>it can infect your system without you knowing</li>
<li>stay there as long as possible</li>
</ol>
<p>To reiterate: Everything that was written about how to detect Mebroot is invalid and doesn’t apply anymore… No rg4sfay file in Windows\temp anymore, no reference to \!win$… No detection with GMER’s special mbr.exe program, and GMER itself only lists a couple of detached threads… Nothing really suspicious…</p>
<p>This new version also has the most exhaustive list of banking and broking websites we have seen – with virtually all major financial institutions in Australia, UK, USA, Spain, Italy, Germany and more. But also more and more non-bank websites are part of this list, like partycashier.com (the online payment from a popular poker site) and government sites like pay.gov (electronic payments to the US Govt). To find out whether your financial institution is affected, please do get in touch with us. (send an email to <a href="mailto:info@trustdefender.com">info@trustdefender.com</a>)</p>
<h2>Technical Details:</h2>
<p>From a technical point of view, a lot has changed in this version; however the core is still the same and Mebroot will inject itself into services.exe, which then also holds the configuration file and is in control of the update process to the C&amp;C server.</p>
<p>However everything is now encrypted. No plaintext files anymore with the captured details, no more plaintext internet requests. Everything is encrypted and most importantly all communication from the C&amp;C server is encrypted as well. This effectively makes it impossible to sinkhole a mebroot C&amp;C server. The mebroot trojan would immediately see that the connection is not from a genuine mebroot C&amp;C server… Pretty clever…</p>
<p>In our case, two files were created in the c:\WINDOWS\TEMP folder, namely $$yt7.$$ and $$$dq3e. Both files are not visible in a directory listing and they hold the encrypted version of the stolen data.</p>
<p>The code injection into the browser processes is done as before through IAT hooks that TrustDefender’s Forensics Engine will pick up and the ‘Safe&amp;Secure Mode’ will automatically protect the user by isolating the webbrowser’s process.</p>
<p style="text-align: center;"><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/07/kfe.jpg"><img class="size-full wp-image-178 aligncenter" title="kfe" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/07/kfe.jpg" alt="kfe" width="526" height="395" /></a></p>
<p>So again, all TrustDefender users and all financial institutions and enterprises who are employing the TrustDefender Enterprise Server are fully protected against this attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trustdefender.com/blog/2009/07/09/the-nastiest-ebanking-trojan-mebroot-just-got-nastier/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Analysis of stolen data through Torpig (deployed through Mebroot/MBR/Sinowal)</title>
		<link>http://www.trustdefender.com/blog/2009/05/05/analysis-of-stolen-data-through-torpig-deployed-through-mebrootmbrsinowal/</link>
		<comments>http://www.trustdefender.com/blog/2009/05/05/analysis-of-stolen-data-through-torpig-deployed-through-mebrootmbrsinowal/#comments</comments>
		<pubDate>Tue, 05 May 2009 10:48:45 +0000</pubDate>
		<dc:creator>Andreas Baumhof</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.trustdefender.com/blog/?p=169</guid>
		<description><![CDATA[We have posted some technical analysis to the mebroot/MBR/Sinowal trojan lately and while we at TrustDefender Labs focus quite heavily on the analysis of the trojans and infection vectors itsself on the client side, Researchers at the University of California looked at the data they received on the server side. This compliments our research quite [...]]]></description>
			<content:encoded><![CDATA[<p>We have posted some technical analysis to the mebroot/MBR/Sinowal trojan lately and while we at TrustDefender Labs focus quite heavily on the analysis of the trojans and infection vectors itsself on the client side, Researchers at the University of California looked at the data they received on the server side. This compliments our research quite nicely as it provides hard facts how successful those attacks are and how much data the bad guys actually receive.</p>
<p>The research was done by Researchers at the Security Group, Department of Computer Science at University of California, Santa Barbara released a very interesting paper &#8220;Your botnet is my Botnet: Analysis of a Botnet Takeover&#8221;. (see <a href="http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html">http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html</a>)</p>
<p><strong>In this paper the security researchers &#8220;infiltrated&#8221; the Torpig C&amp;C control network for a period of 10 days and their results are nothing less but astonishing</strong>.</p>
<p>In the 10 days, the sinkholed C&amp;C server collected almost 70GB of data. This data included stolen credentials from 52,540 different infected machines, which sent some 297,962 unique credentials (username/password) and credentials for 8,310 bank accounts at 410 different financial institutions. Furthermore the data included more than 11 million HTTP(S) form data items, 1,258,862 email accounts, 1,235,122 Windows passwords, &#8230;</p>
<p style="text-align: center;"><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/05/stolen_data_type.jpg"><img class="size-full wp-image-170 aligncenter" title="stolen_data_type" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/05/stolen_data_type.jpg" alt="stolen_data_type" width="293" height="229" /></a></p>
<p>Key quotes by the original text are:</p>
<blockquote><p> The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).</p></blockquote>
<blockquote><p>The most common cards include Visa (1,056), MasterCard (447), American Express (81), Maestro (36), and Discover (24).</p></blockquote>
<blockquote><p>While 86% of the victims contributed only a single card number, others offered a few more. Of particular interest is the case of a single victim from whom 30 credit card numbers were extracted. Upon manual examination, we discovered that the victim was an agent for an at-home, distributed call center. It seems that the card numbers were those of customers of the company that the agent was working for, and they were being entered into the call center’s central database for order processing.</p></blockquote>
<p>And very interestingly they also looked at the financial implications of this</p>
<blockquote><p>Quantifying the value of the financial information stolen by Torpig is an uncertain process because of the characteristics of the underground markets where it may end up being traded. A report by Symantec [37] indicated (loose) ranges of prices for common goods and, in particular, priced credit cards between $0.10–$25 and bank accounts from $10–$1,000.</p></blockquote>
<blockquote><p>If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83k and $8.3M.</p></blockquote>
<blockquote><p>Also, a Torpig server was seized in 2008, resulting in the recovery of 250,000 stolen credit and debit cards and 300,000 online bank account login credentials [31].</p></blockquote>
<p>For more on the botnet hijack, check out <a href="http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html" target="_blank">UC Santa Barbara&#8217;s Torpig project</a> page.  Also features on <a href="http://tech.slashdot.org/article.pl?sid=09/05/04/0212214" target="_blank">Slashdot</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trustdefender.com/blog/2009/05/05/analysis-of-stolen-data-through-torpig-deployed-through-mebrootmbrsinowal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Mebroot/Sinowal/MBR/Torpig variant in the wild &#8211; virtually undetected and more dangerous than ever</title>
		<link>http://www.trustdefender.com/blog/2009/04/04/new-mebrootsinowalmbrtorpig-variant-in-the-wild-virtually-undetected-and-more-dangerous-than-ever/</link>
		<comments>http://www.trustdefender.com/blog/2009/04/04/new-mebrootsinowalmbrtorpig-variant-in-the-wild-virtually-undetected-and-more-dangerous-than-ever/#comments</comments>
		<pubDate>Sat, 04 Apr 2009 11:28:35 +0000</pubDate>
		<dc:creator>Andreas Baumhof</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[mebroot]]></category>

		<guid isPermaLink="false">http://www.trustdefender.com/blog/?p=125</guid>
		<description><![CDATA[Mebroot/Sinowal/MBR/Torpig has been active since end of 2007 and is one of the most sophisticated and also one of the most successul trojans of our time (see Wikipedia &#8211; http://en.wikipedia.org/wiki/Mebroot).
Since then, Mebroot underwent quite a few major advancements, and we looked at Mebroot in very much detail before(http://www.trustdefender.com/blog/2009/01/07/mbrmebrootsinowaltorpig-is-back-%e2%80%93-better-than-ever/) analyzing the techniques it uses and also [...]]]></description>
<content:encoded><![CDATA[<p>Mebroot/Sinowal/MBR/Torpig has been active since the end of 2007 and is one of the most sophisticated and also one of the most successful trojans of our time (see Wikipedia &#8211; <a href="http://en.wikipedia.org/wiki/Mebroot">http://en.wikipedia.org/wiki/Mebroot</a>).</p>
<p>Since then, Mebroot underwent quite a few major advancements, and we looked at Mebroot in much detail before (<a href="http://www.trustdefender.com/blog/2009/01/07/mbrmebrootsinowaltorpig-is-back-%e2%80%93-better-than-ever/">http://www.trustdefender.com/blog/2009/01/07/mbrmebrootsinowaltorpig-is-back-%e2%80%93-better-than-ever/</a>), analyzing the techniques it uses and also the flaws of the current protection systems as well as how TrustDefender provides protection.</p>
<p>However, since March 26, 2009 we are seeing a completely new variant with major &#8220;improvements&#8221; or &#8220;enhancements&#8221; and a <strong>clear focus on being undetected</strong>. It defeats all detection tools and methods in place today (e.g. GMER has provided a technical analysis with a detection/removal tool <a href="http://www2.gmer.net/mbr/" target="_blank">here</a>; however it is useless with this new variant). Your current Antivirus solutions are almost all ineffective, as Christian Donner wrote in his blog how he got infected even though he runs an on-access scanner with full scans from 3 different well-known AV vendors. His special Linux boot CD with Kaspersky, Avira Antivir and Bitdefender didn&#8217;t detect anything! (<a href="http://cdonner.com/mebroot-root-kit-infection.htm">http://cdonner.com/mebroot-root-kit-infection.htm</a>)</p>
<p>We were analyzing one of the many drive-by-downloads of this new mebroot variant which has policies for 298 financial institutions, 44 of which are here in Australia and include 1st, 2nd and even the 3rd tier financial institutions as well as pretty much all backend banking service providers.</p>
<h2>Technical Details</h2>
<h3>Infection</h3>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/mbr_infection.jpg"><img class="size-thumbnail wp-image-127 alignright" title="mbr_infection" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/mbr_infection-150x150.jpg" alt="mbr_infection" width="150" height="150" /></a>As we know, Mebroot is mainly deployed through a drive-by-download when you visit &#8220;everyday&#8221; websites. We also know that the perpetrators behind Mebroot have lots of compromised FTP accounts available to compromise innocent websites. However, being very professional and focused on staying under the radar, they only use as many as they require to achieve their success rate.</p>
<p>The sample we looked at was delivered via an exploit for the recent Adobe vulnerability (that was unfixed for almost 4 weeks!).</p>
<p>As you can see in the screenshot, there is a mysterious 20.tmp process running. This process will infect the Master-Boot-Record and trigger an automatic reboot of the machine after approx 10 minutes in our case.</p>
<h3>Infected System</h3>
<p>Mebroot will install Torpig as payload and Torpig is by far the nastiest thing we have ever seen. Generally, it:</p>
<ul>
<li>will steal login and other personal or confidential details from banking websites</li>
<li>can inject any HTML content into any website (websites can be encrypted with or without EV-SSL.) without detection</li>
<li>can capture CAPTCHAs and compromise virtual keyboards</li>
<li>can use the information in real-time to defeat One-Time-Passwords</li>
<li>has configuration files for many banking sites so that it knows exactly what to look out for</li>
<li>is incredibly hard to detect</li>
<li>works system-wide and therefore any browser is affected. (Yes, you heard right. <strong>Firefox and Chrome users are also affected</strong>)</li>
</ul>
<p>So how does it work?</p>
<p>Well, we are still reverse-engineering and analyzing the trojan in detail; however, after infecting the Master-Boot-Record, it employs a complicated mechanism to inject itself into the ATAPI harddrive driver, which then injects core Windows components (svchost.exe and services.exe), which in turn hook/redirect functions for all processes that are used for internet transmissions. What&#8217;s important is that your webbrowser (Internet Explorer, Firefox, Opera, Chrome, &#8230;) is infected and doesn&#8217;t even know it!</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/usermode_hooks1.jpg"><img class="alignnone size-medium wp-image-138" title="usermode_hooks1" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/usermode_hooks1-300x69.jpg" alt="usermode_hooks1" width="300" height="69" /></a></p>
<p>E.g. the HttpOpenRequest and HttpSendRequest are used whenever Internet Data is transmitted (regardless whether it is encrypted or not!)</p>
<h3>So what does Mebroot/MBR/Torpig do?</h3>
<p>As said before, it is after your login credentials and personal information and the ability to manipulate this data either in real-time or use at a later date. It will either simply steal your data directly as it is typed or inject HTML code into the banking website to gather additional information.</p>
<p><strong>1) Steal authentication data (including defeating virtual keyboards)</strong></p>
<p>The stolen data is stored locally in a file (c:\windows\temp\rg4sfay in our case); the trojan then transfers this file to the malicious hosts.</p>
<p>Here is an example with Firefox and a well-known banking site</p>
<p> <a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/keylogging_1.jpg"><img class="alignnone size-medium wp-image-139" title="keylogging_1" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/keylogging_1-300x213.jpg" alt="keylogging_1" width="300" height="213" /></a></p>
<p>Another example with a banking site that is using a virtual keyboard (note that Torpig easily gets the password from the virtual keyboard):</p>
<p> <a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/keylogging_2_vk.jpg"><img class="alignnone size-medium wp-image-140" title="keylogging_2_vk" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/keylogging_2_vk-300x133.jpg" alt="keylogging_2_vk" width="300" height="133" /></a></p>
<p><strong>2) Inject HTML code into the banking website to steal additional data</strong></p>
<p>See below two examples of banking services where additional information is requested. However as these forms appear after the customer logged in and come from an apparent trusted site, the success rates for the perpetrators of this trojan are much higher and more effective than ever before.</p>
<p> <a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/htmlinjection2.jpg"><img class="alignnone size-medium wp-image-143" title="htmlinjection2" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/htmlinjection2-300x127.jpg" alt="htmlinjection2" width="300" height="127" /></a></p>
<p>and from another well-known banking provider</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/htmlinjection11.jpg"><img class="alignnone size-medium wp-image-144" title="htmlinjection11" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/htmlinjection11-294x299.jpg" alt="htmlinjection11" width="294" height="299" /></a></p>
<h3>How does this Trojan work?</h3>
<p>As mentioned above, we are still reverse-engineering this Trojan to gather all the details; however, once the master-boot-record is infected, this Trojan injects itself into various kernel drivers (atapi.sys in this case). This injection is only done in memory and no malicious components are ever written to the harddrive. This is why detection by Antivirus engines is so low.</p>
<p>However as Torpig wants to steal data from your web browser process, it will hook key functions of the webbrowser process by patching the Import Address Table (IAT).</p>
<h3>How can this Trojan be detected?</h3>
<p>Well, as you would have guessed, Antivirus detection is almost zero for this new variant. This applies to the dropper/installer as well as to the payload. <strong>In fact I haven&#8217;t seen a single Antivirus Engine so far that can detect that Torpig is active</strong>.</p>
<p>You can detect this trojan as follows (no guarantee as this may change frequently)</p>
<ul>
<li>did your computer restart without warning or bluescreen?</li>
<li>open the command prompt (cmd.exe) and go to the c:\WINDOWS\TEMP directory. Now execute &#8220;notepad rg4sfay&#8221; and if infected, you&#8217;ll see the stolen content. Please note that this file is hidden and won&#8217;t be shown in the Windows Explorer.</li>
<li>download <a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx" target="_blank">Process Explorer</a> from Sysinternals and click on &#8220;services.exe&#8221; and check for open file handles (in the listbox below) for
<ul>
<li>any file references to \WINDOWS\TEMP\&#8230;</li>
<li>file reference to \!win$</li>
</ul>
</li>
</ul>
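The three checks in the list above, as an added PowerShell example that is not TrustDefender's code. It assumes Windows Vista or later (Get-WinEvent), Sysinternals handle.exe on the PATH, and function names of my own; the unexpected-restart check uses System log Event ID 6008, which is my choice of indicator, not the post's. Note that the July 2009 post on the newer variant states the rg4sfay file and the \!win$ reference are no longer present, so these checks only cover the variant described here.

```powershell
<#
  Added example (not TrustDefender's code): gathers the Mebroot/Torpig
  indicators this post lists. Each finding is returned as an object so the
  output can be logged or fed into a wider triage script.
#>
function Test-MebrootIndicators {
    param(
        [string]$DropFile = 'C:\WINDOWS\TEMP\rg4sfay',  # name seen in the sample analysed here
        [int]$DaysBack = 7
    )
    $findings = @()

    # 1. "Did your computer restart without warning?" Event ID 6008 records an
    #    unexpected shutdown in the System log (indicator choice is mine).
    $since = (Get-Date).AddDays(-$DaysBack)
    $events = Get-WinEvent -FilterHashtable @{ LogName='System'; Id=6008; StartTime=$since } `
                -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $findings += [pscustomobject]@{ Type='UnexpectedShutdown'; Detail=$e.TimeCreated.ToString('s') }
    }

    # 2. Hidden file holding the stolen data. Test-Path and Get-Item -Force see
    #    hidden files even though Windows Explorer does not show them.
    if (Test-Path -LiteralPath $DropFile) {
        $item = Get-Item -LiteralPath $DropFile -Force
        $findings += [pscustomobject]@{ Type='DropFile';
            Detail="$DropFile ($($item.Length) bytes, attributes: $($item.Attributes))" }
    }

    # 3. Open file handles of services.exe pointing at \WINDOWS\TEMP\ or \!win$
    #    (the same view the post obtains from Process Explorer's handle list).
    $svc = Get-Process -Name services -ErrorAction SilentlyContinue
    if ($svc) {
        $lines = & handle.exe -accepteula -p $svc.Id 2>$null
        foreach ($line in $lines) {
            if ($line -match '\\WINDOWS\\TEMP\\' -or $line -match '\\!win\$') {
                $findings += [pscustomobject]@{ Type='ServicesHandle'; Detail=$line.Trim() }
            }
        }
    }
    return $findings
}

Test-MebrootIndicators | Format-Table Type, Detail -AutoSize
```

An empty result only means these particular indicators are absent; the post itself notes the detection method may change frequently.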
<p>However <strong>the best way to detect whether you are infected</strong> is to <a href="http://www.trustdefender.com/go/download.php">download TrustDefender</a> and check the computer manually. As TrustDefender&#8217;s Forensics Engine will check the IAT of your browser processes, TrustDefender can easily detect Mebroot/Torpig and also protect you from it.</p>
<p> The trojan can be removed by using the Windows Recovery Console as described e.g. here: <a href="http://www.precisesecurity.com/threats/bootmebroot/">http://www.precisesecurity.com/threats/bootmebroot/</a></p>
<h3>How does TrustDefender protect you from Mebroot?</h3>
<p>Naturally, TrustDefender provides an automatic protection against Mebroot for all customers of financial institutions that are part of our GAP Protection and all Financial Institutions part of the <a href="http://www.trustdefender.com/lang-en/support-portal/knowledge-base/knowledge-base-article?id=50120000000DB0q&amp;" target="_blank">Financial Trust Network</a>.</p>
<p>TrustDefender&#8217;s Forensics Engine will pick up the &#8220;hooked&#8221; windows functions in the web browser&#8217;s Process and will enable a safe&amp;secure internet transaction by disabling the trojan for the current transaction.</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/forensics_engine2.jpg"><img class="alignnone size-medium wp-image-148" title="forensics_engine2" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/forensics_engine2-300x234.jpg" alt="forensics_engine2" width="300" height="234" /></a></p>
<p>As long as you see the TrustDefender GAP Window and the Safe&amp;Secure Mode is activated, you are safe.</p>
<p><a href="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/gapwindow.png"><img class="alignnone size-full wp-image-159" title="gapwindow" src="http://www.trustdefender.com/blog/wp-content/uploads/2009/04/gapwindow.png" alt="gapwindow" width="270" height="119" /></a></p>
<h3>Additional Information / Is your Financial Institution affected?</h3>
<p>For more detailed information and to find out whether your financial institution is affected, please feel free to contact us via email at <a href="mailto:info@trustdefender.com">info@trustdefender.com</a> or directly via <a href="http://www.trustdefender.com/lang-en/about-us/contact-us/locations" target="_blank">phone</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trustdefender.com/blog/2009/04/04/new-mebrootsinowalmbrtorpig-variant-in-the-wild-virtually-undetected-and-more-dangerous-than-ever/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
	</channel>
</rss>
