Websense.com / Security Labs / Blogs / A Look at a Bank Worm

Archived Blog

A Look at a Bank Worm

04.23.2008 - 4:45 PM

Malware authors will often have their files display something to the user so that they actually believe the file is legitimate. Many of us have experienced such tricks, including fake errors stating that a specific file could not be found or that the application failed to load properly. Today we will look at one of these seemingly innocent files and find that its doing much more than just showing you an "interesting" video.

Part I - The Initial Executable

The executable was packed with tElock, which is a free compressor/protector made by TMG. After unpacking it, we found that the malware was coded in Visual Basic and hence would allow us to use a decompiler such as VB Decompiler by GPcH Soft. Once opened in the decompiler, you see the following:

Figure 1:

The results reminded us of a sample we had looked at previously which had procedure names in Portuguese and references to MSN Messenger. However, you will notice some large differences as it seems to have encryption and downloading capabilities. If you set a breakpoint on the Crypt function and step through the code you see the following:

Figure 2:

EAX at this point holds "116" which is the ASCII value of 't'. The program decrypts strings as they are needed and concatenates the characters until the original string is formed. In this case, the decrypted string was "taskmgra.com". Once the string is formed, the procedure returns and the string is concatenated with the system32 directory. Then the following call is made: CALL DWORD PTR DS:[EDX+44] ; ScrRun.735AB82C. OllyDbg points out that this is an external call to ScrRun.dll's function at address 735AB82C. Since this is a Microsoft DLL, we can utilize the fact that debugging information exists for this file on Microsoft's Symbol Server and this will help us determine what the above function does. Loading up ScrRun.dll in IDA and going to the above function shows the following:

Figure 3:

Hence the function is checking to see whether the taskmgra.com exists in the system32 directory. This Crypt function is called numerous times and is used to decrypt additional file names and registry keys.

These keys are modified to turn off Digital Signature Checking in Internet Explorer
- "\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures"
- "\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures"

These keys are modified to ignore zone information in files
- "\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation"
- "\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes"

Modification of these keys disables prompts such as the following:

Part II - Behavior and the Additional Downloads

Eventually a call is made to Crypt that ends up decrypting a URL to a video on Metacafe.com, a popular video hosting site like YouTube. This humorous video is then shown in Internet Explorer on the victim's computer to give the user a sense that the download was worth while and not malicious in any sense:

While the victim is enjoying the video, the malware is still at work. As execution progresses, a call is made to MSVBVM60.rtcFileCopy to copy the file to the system32 directory as task.com. As a general note, all functions with an 'rtc' prefix are externally callable and can be imported at compile-time or run-time. Once copied to the system32 directory, a request is made for an additional file called novo.txt, an executable which is then copied to system32 as explora.exe. This file was packed with UPack and was written in Delphi. After unpacking and loading into a decompiler we see the following:

As you can see, this malware targets quite a few popular banks based in Brazil such as Credicard, Bradesco, Santander, and Nossa Caixa. The malware contacts a remote host and then downloads a file called imagens123.exe, which is actually an archive of images that is extracted to the system32\drivers directory. What is actually extracted are set of images that are injected into your browser with some Javascript to steal credentials and authorization codes. Here is an example:

Conclusions

Overall, a pretty interesting piece of malware. Although I touched on it very little, MSN contacts were indeed stolen from Messenger. These addresses were then sent a message with a screenshot of the same Metacafe video with a link that directed them to the malware that was just dissected. Hence, we have a clear understanding of each file - the initial executable is used to harvest addresses and spread the infection and the second executable downloaded is used to steal financial credentials via local content injection.

Security Researcher: Joren McReynolds


 

Bookmark This Post: