Playing around with a Banker Trojan
Tuesday, 26. January 2010 22:44
I know what some of you might say: “Why would you want to do that?” As the man said when asked why he climbed the mountain, “Because it was there.” My answer is, “Because I can!”
Summary
The analysis done here is as usual within an isolated virtual machine. The sample was picked up from a poisoned web page.
File name: Downloads_P.com
Identified as Win32 Trojan Bancos (among many other names).
VirusTotal results: 17 of 41 scanners flagged it as malware.
Now, Bancos is not new (although this variant is) and there is information dating back to 2003 on this trojan.
The main goal of this malware is to steal banking information: login names, passwords, personal data, and so on.
My goal with this analysis is to try and understand how this particular trojan actually captures the data from the compromised computer.
Analysis
Let’s take a look at what happens when the malware installs.
When Downloads_P.com is run, a single window pops up a few seconds later:
A click on Fechar (Portuguese for “Close”) and the window disappears. No other visible activity takes place.
System Activity:
There are well over 100 modifications and additions to the registry, but the two that matter are these:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CBDC705-6B7E-4B0E-89BE-B55FC00D6C42}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Machine Works, Inc.: "C:\WINDOWS\system32\aecces.exe"
The first registers a malicious BHO (Browser Helper Object). An entry under this key is only a CLSID; Internet Explorer finds the DLL to load by looking up HKCR\CLSID\{GUID}\InprocServer32, and no file is referenced for this one, which makes me think something went wrong during installation.
The second is a Run key entry that relaunches aecces.exe every time Windows starts and a user logs on.
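The two questions those keys raise (what does the Run key launch, and does the BHO CLSID resolve to a DLL at all?) can be answered from a registry export without booting the VM. The script below is an added example, not code from the original post: it parses the text form of a .reg export and checks each Browser Helper Object CLSID against HKCR\CLSID\{GUID}\InprocServer32. The export it reads is constructed to mirror the two keys named above, plus one hypothetical, correctly registered BHO (its GUID and DLL path are invented) for contrast. It only decodes REG_SZ values, and it does not look at the Wow6432Node or HKCU variants of the same keys, which should be checked the same way.

```python
"""Persistence triage over the text form of a Windows .reg export."""
import re

# Constructed export: the two keys from the post, plus an invented BHO
# ({AAAAAAAA-...}) that does resolve to a DLL, to show the difference.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CBDC705-6B7E-4B0E-89BE-B55FC00D6C42}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Machine Works, Inc."="C:\\WINDOWS\\system32\\aecces.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example\\example_bho.dll"
"""

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

KEY_RE = re.compile(r"^\[(.+)\]$")
# value lines: "name"="data" or @="data" (default value)
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the default value is named "@"."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            raw = m.group(3)
            if raw.startswith('"') and raw.endswith('"'):
                # REG_SZ: undo the .reg escaping of backslashes and quotes
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
            keys[current][name] = raw
    return keys


def run_entries(keys):
    """Everything launched at logon from the HKLM Run key."""
    return dict(keys.get(RUN_KEY, {}))


def bho_entries(keys):
    """Map each registered BHO CLSID to its DLL path, or None when the CLSID
    has no InprocServer32 default value and therefore can never be loaded."""
    result = {}
    prefix = BHO_KEY + "\\"
    for key in keys:
        if key.startswith(prefix):
            clsid = key[len(prefix):]
            server = keys.get(r"HKEY_CLASSES_ROOT\CLSID\%s\InprocServer32" % clsid, {})
            result[clsid] = server.get("@")
    return result


if __name__ == "__main__":
    keys = parse_reg(REG_EXPORT)
    for name, cmd in run_entries(keys).items():
        print("Run: %s -> %s" % (name, cmd))
    for clsid, dll in bho_entries(keys).items():
        print("BHO: %s -> %s" % (clsid, dll or "no InprocServer32 (will not load)"))
```

Run against a real export (regedit, File > Export, or `reg export` from the VM), the sample's CLSID comes back with no DLL, which is exactly the “no file referenced” observation above, while the Run key points straight at aecces.exe.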
Four files are also created:
C:\WINDOWS\system32\aecces.exe
C:\WINDOWS\system32\flashdob.dll
C:\WINDOWS\Mstecf.dat
C:\WINDOWS\Oculs.log
Threat Expert Report
There are no visible symptoms of this trojan running on the PC: no redirects, pop-ups, or slowdown. The one sign is the aecces.exe process in Task Manager, which uses only about 8 KB of memory and no noticeable CPU. You would never know it was running unless you were looking for it.
Network Activity:
27 62.407379000 192.168.1.7 192.168.1.1 DNS Standard query A newvirtual200x01.rememberit.com.au
29 63.133198000 192.168.1.7 192.168.1.1 DNS Standard query A google.com.br
The first entry is a DNS A-record query for newvirtual200x01.rememberit.com.au; the second is a query for google.com.br.
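Picking the sample's lookups out of a capture by hand works for two frames but not for a longer run, so here is an added example (not code from the original post) that parses tshark one-line summaries in the layout shown above (frame, time, source, destination, protocol, info) and flags every queried name whose registrable domain is not in a baseline recorded from a clean snapshot of the same VM. The capture text is constructed: the two query lines are the ones listed above, and frame 28 is an invented response line included to show that responses are skipped. The baseline set is an assumption, to be rebuilt from a clean capture of your own VM, and the registrable-domain rule is a simplification (common second-level labels under two-letter TLDs) rather than the Public Suffix List.

```python
"""DNS triage over tshark one-line summaries against a clean-VM baseline."""
import re
from collections import OrderedDict

# Constructed capture: frames 27 and 29 are the queries from the post,
# frame 28 is an invented response line.
CAPTURE = """\
27 62.407379000 192.168.1.7 192.168.1.1 DNS Standard query A newvirtual200x01.rememberit.com.au
28 62.431000000 192.168.1.1 192.168.1.7 DNS Standard query response A 192.0.2.10
29 63.133198000 192.168.1.7 192.168.1.1 DNS Standard query A google.com.br
"""

# Assumed baseline of domains the clean VM queries on its own.
BASELINE = {"google.com.br", "microsoft.com", "windowsupdate.com"}

QUERY_RE = re.compile(
    r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+DNS\s+Standard query\s+"
    r"(A|AAAA|CNAME|MX|TXT|PTR|SRV)\s+(\S+)\s*$")

# second-level labels under two-letter TLDs (com.au, com.br, co.uk, ...)
SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu", "ac"}


def parse_queries(text):
    """Return one dict per outbound query; response lines do not match."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        frame, ts, src, dst, qtype, name = m.groups()
        queries.append({"frame": int(frame), "time": float(ts), "src": src,
                        "resolver": dst, "qtype": qtype,
                        "name": name.rstrip(".").lower()})
    return queries


def registrable_domain(name):
    """rememberit.com.au for newvirtual200x01.rememberit.com.au (simplified rule)."""
    labels = name.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(text, baseline):
    """Return (all queries, {flagged name: [frame numbers]}) in capture order."""
    queries = parse_queries(text)
    flagged = OrderedDict()
    for q in queries:
        if registrable_domain(q["name"]) not in baseline:
            flagged.setdefault(q["name"], []).append(q["frame"])
    return queries, flagged


if __name__ == "__main__":
    queries, flagged = triage(CAPTURE, BASELINE)
    print("%d queries, %d names outside baseline" % (len(queries), len(flagged)))
    for name, frames in flagged.items():
        print("  %s  (frames %s)" % (name, ", ".join(map(str, frames))))
```

The point of keying on the registrable domain rather than the full name is that a sample will often rotate the host label while the parent domain stays put; the frame numbers let you jump straight back into the capture to see what followed each lookup.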
+++++++++++++++++++++
Now there are many ways that the Bancos Trojan captures the data from an infected system. There is a great writeup here from Kaspersky on the many ways Trojan Bancos works.
A quick summary:
- Modifies the hosts file to redirect to phishing sites
- Uses a keylogger to capture data entered into logon forms
- Uses screen capture to gather data
- Sends the data back to the attacker's email or a remote server
In the case of this sample there was no modification of the hosts file. The data capture appears to come from flashdob.dll, which is identified as a password-stealing trojan. Since there were no redirects to phishing sites, I assume the password stealer captures information from live banking sessions.
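Ruling the hosts-file technique in or out is a mechanical check, so here is an added example (not code from the original post) of the test used to do it: a stock Windows hosts file only maps names to loopback, so every active entry that points a hostname at any other address is listed for review, with 0.0.0.0 treated as the usual ad-blocking sinkhole rather than a redirect. Both hosts files in the block are constructed; the tampered one uses placeholder bank hostnames and an address from the RFC 5737 documentation range, and nothing in it comes from this sample.

```python
"""Hosts-file redirect check: list entries that point names away from loopback."""
import ipaddress

# Constructed clean hosts file in the stock Windows layout.
HOSTS_CLEAN = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"""

# Constructed tampered copy: placeholder bank names, RFC 5737 test address.
HOSTS_TAMPERED = HOSTS_CLEAN + """\
192.0.2.44      www.example-bank.com
192.0.2.44      internetbanking.example-bank.com   # constructed redirect entry
0.0.0.0         ads.example.net                    # ad blocking, not a redirect
"""


def parse_hosts(text):
    """Return (line number, address, [hostnames]) for each active entry."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()   # drop comments
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def suspicious_entries(text):
    """Entries that send a hostname somewhere other than loopback.

    0.0.0.0 (unspecified) is ignored as a sinkhole; a site that keeps intranet
    names in hosts would add an allowlist of expected addresses here."""
    bad = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            bad.append((lineno, addr, names, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        bad.append((lineno, addr, names, "resolves to %s" % ip))
    return bad


if __name__ == "__main__":
    for label, hosts in (("clean", HOSTS_CLEAN), ("tampered", HOSTS_TAMPERED)):
        hits = suspicious_entries(hosts)
        print("%s: %d suspicious entries" % (label, len(hits)))
        for lineno, addr, names, why in hits:
            print("  line %d: %s -> %s (%s)" % (lineno, ", ".join(names), addr, why))
```

On a live Windows box the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; read it from the analysis host, not from inside the infected guest, since some families hide their additions from tools running on the infected system.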
+++++++++++++++++++++
Malwarebytes’ Anti-Malware does a nice job of cleaning this variant up. But malware often brings friends and there may be more on the machine, so visiting one of the free help forums with the appropriate logs is a good idea.
Also critical: if you have been infected with this, contact all of your banks, credit card companies, and any other financial institutions you transact with online, and change those passwords from a clean machine, never from the infected computer. Read here for more information.
Category: Analysis | Author: admin

