PandaLabs has detected a web address specially crafted to launch a combined attack that deploys several different malware specimens. The greatest danger is that the attack begins simply when users visit that address: the page is designed to exploit possible vulnerabilities on the computers connecting to it.
The first stage is a downloader, Downloader.CYZ. When it runs, it tries to grant itself the debug privilege (SeDebugPrivilege), which would let it terminate other processes and create threads inside them for remote code execution. It then copies itself to %temp%sstchst.exe, runs that copy and deletes the original file. It also tries to download, save and execute two files, file1.exe and file2.exe, from other web addresses; these carry two further malicious codes, Trj/Banker/VY and Trj/Dumarin.L. To keep users from being alerted, the downloader can also close windows normally associated with security warnings. On each infection, Downloader.CYZ connects to a website that appears to act as a counter of the number of infected machines.
Trj/Banker/VY copies itself to the system as nbthlp.exe and creates a Windows registry entry so that it is executed at every startup. Its real danger, however, is that it is designed to intercept the information users enter when connecting to the web pages of numerous financial entities around the world.
It achieves this through two actions:
* It sends a DNS request to resolve a domain and, through the reply, obtains the addresses of hundreds of spoofed bank web pages to be used for phishing. It then modifies the HOSTS file, adding hundreds of entries for the banking institutions it wants to control, so that when the user requests one of these pages the browser is taken to the spoofed site whose address the Trojan obtained.
* In addition, the Trojan carries in its code a list of character strings grouped by banking entity. If the user enters an address containing any combination of these strings, they are redirected to the simulated bank website, from which the fraud can be carried out.
The likely reason for this two-pronged approach is to cope with variable addresses, which modifying the HOSTS file alone cannot catch: a HOSTS entry only maps one fixed hostname. If all the variable addresses share a common component, the string list lets the Trojan attack those too.
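The two techniques above (bulk HOSTS rewriting, and substring matching to catch variable addresses) both leave something a defender can check for. The following is an added example, not code from the original report or from Panda Software: it parses a HOSTS file, flags any hostname pinned to a non-loopback address, groups hostnames that all resolve to the same address (the Banker pattern), and applies the same substring test the Trojan uses, but in the defender's favour. The sample HOSTS content, the bank hostnames, the address 10.1.2.3, the keyword list and the mass-redirect threshold are all constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of a HOSTS file after a Banker-style modification (example data,
# not from the original report). The bank hostnames and the 10.1.2.3 address are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.1.2.3        www.examplebank.com
10.1.2.3        online.examplebank.com      # added by the Trojan
10.1.2.3        ebanking.example-credit.net
10.1.2.3        www.example-savings.co.uk
"""

# Constructed hostname fragments a defender treats as "financial". This stands in for the
# Trojan's own per-bank string lists, which the report does not reproduce.
BANK_KEYWORDS = ["bank", "credit", "savings"]

# Loopback and unspecified addresses are the only targets a clean HOSTS file normally carries.
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}

# Assumed threshold above which a HOSTS file is treated as a mass redirect.
MASS_REDIRECT_THRESHOLD = 20


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments and blank lines."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, cannot redirect anything
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def matches_bank_strings(hostname: str, keywords=BANK_KEYWORDS) -> bool:
    """Substring match: the same technique the Trojan uses to catch variable
    addresses that share a common component."""
    return any(k in hostname for k in keywords)


def audit_hosts(text: str) -> Dict[str, object]:
    """Flag HOSTS entries that pin a hostname to a non-local address."""
    entries = parse_hosts(text)
    non_local = [(ip, h) for ip, h in entries if ip not in LOCAL_ADDRESSES]
    financial = [(ip, h) for ip, h in non_local if matches_bank_strings(h)]
    targets: Dict[str, List[str]] = {}
    for ip, h in non_local:
        targets.setdefault(ip, []).append(h)
    return {
        "total": len(entries),
        "non_local": non_local,
        "financial": financial,
        # Many hostnames pointing at one address is the Banker pattern.
        "shared_targets": {ip: hs for ip, hs in targets.items() if len(hs) > 1},
        "mass_redirect": len(non_local) >= MASS_REDIRECT_THRESHOLD,
    }


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for ip, host in report["financial"]:
        print(f"SUSPICIOUS: {host} -> {ip}")
```

On a real Windows machine the file to feed into `audit_hosts` is `%SystemRoot%\System32\drivers\etc\hosts`. Any non-loopback entry there deserves a look; a bank hostname pointing at an address the bank does not own is the clearest sign of the modification described above, and several bank hostnames sharing one address is the mass-redirect pattern.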
Trj/Dumarin.L, for its part, leaves a series of files on the compromised computer, each with a specific role:
* One of the files, detected as Trj/MiniLD.C, is injected into all system processes, allowing Dumarin.L to inspect the titles of certain windows and capture information, which is written to a log file.
* The second file holds the IP address of the computer.
* The third file stores the information the user copies to the clipboard.
* The fourth operates as a backdoor, allowing the Trojan to receive remote commands. To evade process-based firewalls, Dumarin.L also creates an Internet Explorer child process, injects itself into it and listens from there.
All the gathered information is collected in a temporary folder and then sent to a remote server. At the time of writing, this data exceeded 20MB and contained highly confidential information that could allow whoever holds it to access online accounts at banks, Skype, MS Passport and webmail services.
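The firewall-evasion trick in the last bullet, a listening socket inside an Internet Explorer process spawned by the malware, is visible in an ordinary process snapshot if two questions are asked: who started this iexplore.exe, and is it listening? The following is an added example, not code from the original report or from Panda Software. It runs that check over a constructed process snapshot; the PIDs, the parent/child layout, the name "dropper.exe" and port 4444 are all invented for the example, and the set of expected IE parents is an assumption.

```python
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    listening: List[int] = field(default_factory=list)


# Constructed process snapshot (example data, not from the original report). PIDs, the
# parent/child layout, the image name "dropper.exe" and port 4444 are all made up.
# "listening" holds semicolon-separated TCP ports the process has open in LISTEN state.
SNAPSHOT = """\
pid,ppid,image,listening
4,0,System,
600,4,csrss.exe,
1200,600,explorer.exe,
1320,1200,iexplore.exe,
1400,1200,dropper.exe,
1460,1400,iexplore.exe,4444
"""

# Assumed set of images that legitimately launch Internet Explorer.
EXPECTED_IE_PARENTS = {"explorer.exe", "iexplore.exe"}


def parse_snapshot(text: str) -> Dict[int, Proc]:
    """Parse the CSV snapshot into a pid -> Proc map."""
    procs: Dict[int, Proc] = {}
    for row in csv.DictReader(io.StringIO(text)):
        ports = [int(p) for p in row["listening"].split(";") if p]
        pid = int(row["pid"])
        procs[pid] = Proc(pid, int(row["ppid"]), row["image"].lower(), ports)
    return procs


def find_suspicious_ie(procs: Dict[int, Proc]) -> List[Dict[str, object]]:
    """Report iexplore.exe instances with an unexpected parent or a listening socket.

    A browser that listens for inbound connections is the firewall-bypass pattern
    described above: the host firewall trusts the image name, not the code inside it.
    """
    findings: List[Dict[str, object]] = []
    for p in procs.values():
        if p.image != "iexplore.exe":
            continue
        reasons: List[str] = []
        parent = procs.get(p.ppid)
        parent_image = parent.image if parent else "<unknown>"
        if parent_image not in EXPECTED_IE_PARENTS:
            reasons.append(f"unexpected parent {parent_image} (pid {p.ppid})")
        if p.listening:
            reasons.append(f"listening on ports {p.listening}")
        if reasons:
            findings.append({"pid": p.pid, "parent": parent_image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_ie(parse_snapshot(SNAPSHOT)):
        print(f"pid {finding['pid']} (parent {finding['parent']}): " + "; ".join(finding["reasons"]))
```

On a live Windows host the same columns can be assembled from `wmic process get ProcessId,ParentProcessId,Name` and `netstat -ano` (which prints the owning PID per socket), or from Sysmon process-creation events (Event ID 1), which record ParentImage directly. The check is deliberately name-based to mirror what a process-oriented firewall sees; it cannot prove injection, only point at the IE instance that deserves a memory inspection.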
According to Luis Corrons, director of PandaLabs: “If one thing stands out about this attack, it is the careful preparation involved. The Banker.VY Trojan monitors numerous bank websites and convincingly spoofs them, demonstrating some extensive research work on behalf of the creator. Dumarin.L, however, can steal information from numerous applications. It would seem clear then that the trend among malware developers to exploit users for financial gain is continuing.”
To prevent these Trojans from entering your computer, Panda Software recommends keeping antivirus software up to date. Panda Software clients can already access the updates that detect and disinfect these new malicious codes.