Alerts


Crimeware, Trojan Horse Bot

Date: 02.21.2007

Threat Type: Malicious Website / Malicious Code

Websense Security Labs(TM) has received reports of new malicious websites designed to install Trojan Horse bots that allow attackers to compromise end-user banking credentials for more than 50 financial institutions and ecommerce websites.

The websites are hosted in Germany, England, and Estonia, and appear to be using round robin DNS, resolving to five unique IP addresses that rotate on each lookup. Each site hosts the same exploit code. This code attempts to exploit the Microsoft AdoDB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without end-user interaction.

When end-users visit the site, they are directed to one of the five servers. If the end-user machine is vulnerable, a file called "iexplorer.exe" is downloaded and run. The site displays a simple page that says the server is temporarily busy and suggests that the user shut down any firewall and antivirus software. The "iexplorer.exe" file downloads and installs five additional files from a server in Russia. The filenames are:

IEMod.dll
IEGrabber.dll
IEFaker.dll
CertGrabber.dll
PSGrabber.dll

The server in Russia also acts as a bot controller, allowing the attacker to control the machines remotely. Additional files can be uploaded or downloaded and new phishing attacks can be appended. In addition, several attack success statistics are recorded.  The bot controller also has a database query interface that gives the attacker a simple-to-use search/query interface for additional information.

Once the DLLs are installed and loaded and the end-user connects to one of more than 50 financial institutions or ecommerce websites, the code transparently replaces some HTML within the page and posts the end-user's logon credentials to the server in Russia.  At the time of this alert, the statistics showed more than 1000 successful infections per day, with the USA and Australia leading the list.
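The chain above leaves two things a defender can look for in proxy logs: the initial "iexplorer.exe" download (a name chosen to resemble Internet Explorer's own iexplore.exe) and the follow-on fetch of the five DLLs, plus the round-robin DNS behaviour of the lure hosts. The following detection sketch is an added example, not Websense code or anything from the alert; the log format, hostnames, and addresses are constructed placeholders.

```python
"""Detection sketch for the infection chain described in this alert.

Added example, not Websense code.  It scans constructed proxy log lines
for the two observable stages of the chain (the "iexplorer.exe" download
and the fetch of the five DLLs named in the alert) and flags hostnames
whose lookups resolve to a rotating pool of addresses, which is the
round-robin DNS behaviour the alert describes.
"""
import re
from collections import defaultdict

# Filenames taken from the alert text.
STAGE1_FILE = "iexplorer.exe"
STAGE2_DLLS = {"IEMod.dll", "IEGrabber.dll", "IEFaker.dll",
               "CertGrabber.dll", "PSGrabber.dll"}

# Constructed log format (assumption): timestamp client_ip host resolved_ip url
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<resolved>\S+) (?P<url>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines, rotation_threshold=3):
    """Return per-client stage hits, DLLs seen, and hosts with rotating resolution."""
    stage_hits = defaultdict(set)   # client -> {"stage1", "stage2"}
    dll_hits = defaultdict(set)     # client -> DLL names observed
    host_ips = defaultdict(set)     # host -> distinct resolved IPs observed
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host_ips[rec["host"]].add(rec["resolved"])
        fname = rec["url"].rsplit("/", 1)[-1]
        if fname.lower() == STAGE1_FILE:
            stage_hits[rec["client"]].add("stage1")
        elif fname in STAGE2_DLLS:
            stage_hits[rec["client"]].add("stage2")
            dll_hits[rec["client"]].add(fname)
    # A host seen resolving to >= threshold distinct IPs is treated as round robin.
    rotating = sorted(h for h, ips in host_ips.items() if len(ips) >= rotation_threshold)
    return {
        "stage_hits": {c: sorted(s) for c, s in stage_hits.items()},
        "dll_hits": {c: sorted(d) for c, d in dll_hits.items()},
        "rotating_hosts": rotating,
    }


# Constructed sample log; hosts and addresses are placeholders, not real IoCs.
SAMPLE_LOG = """\
2007-02-21T10:00:01 10.0.0.5 lure.example.invalid 192.0.2.10 http://lure.example.invalid/index.php
2007-02-21T10:00:02 10.0.0.5 lure.example.invalid 192.0.2.11 http://lure.example.invalid/iexplorer.exe
2007-02-21T10:00:09 10.0.0.5 drop.example.invalid 198.51.100.7 http://drop.example.invalid/IEMod.dll
2007-02-21T10:00:10 10.0.0.5 drop.example.invalid 198.51.100.7 http://drop.example.invalid/IEGrabber.dll
2007-02-21T10:00:10 10.0.0.5 drop.example.invalid 198.51.100.7 http://drop.example.invalid/IEFaker.dll
2007-02-21T10:00:11 10.0.0.5 drop.example.invalid 198.51.100.7 http://drop.example.invalid/CertGrabber.dll
2007-02-21T10:00:11 10.0.0.5 drop.example.invalid 198.51.100.7 http://drop.example.invalid/PSGrabber.dll
2007-02-21T10:05:00 10.0.0.9 lure.example.invalid 192.0.2.12 http://lure.example.invalid/index.php
2007-02-21T10:06:00 10.0.0.9 news.example.invalid 203.0.113.4 http://news.example.invalid/page.html
"""

if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for client, stages in result["stage_hits"].items():
        print(client, "->", ", ".join(stages), result["dll_hits"].get(client, []))
    print("rotating hosts:", result["rotating_hosts"])
```

A client that shows both stages has very likely completed the chain and should be treated as compromised rather than merely exposed; a client that only touched a rotating lure host (here 10.0.0.9) is a candidate for patch-state checking against MS06-014. The rotation threshold is a tuning knob: legitimate CDNs also resolve to many addresses, so this signal is corroborating evidence, not a verdict on its own.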

This does not appear to be related to the Australian Prime Minister malicious code links reported here:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=741

Correction: The aforementioned alert *does* appear to be related. The two attacks used the same lures to get the victim to visit the site (i.e. the PM heart attack). However, there were different sets of URLs that were spammed that had different code. Both sets of URLs used MS06-014, both used the same lure, but they were different payloads that eventually were downloaded and installed.


Website Message:

Bot Controller Screenshots: