AV Conference in CARO Workshop

Very Large Post!!

Actually it is taking place the 2nd CARO meeting at the Crowne Plaza Hoofddorp in The Netherlans. This year’s topic is about Packers, Decryptors and Obfuscators, and indeed some of the presentations are superb.The AVers are going to shit off the place… The program is published here. Mike Morgenstern & Andreas Marx, from the most fucking AV-Test.org are giving a speach about their Runtime Packer Testing Experiences, it seems to be wrong xD.

In a few minutes PANDA will have 3 different talks about detection and blacklisting of packers, which is both disinteresting and non-controversial xD!!.

Going back to the topic of Malware, we are now talking about Banking Trojans…

Here I will list the rest of the most dangerous of these types of malicious codes:

Goldun, Haxdoor, Nuclear Grabber
It usually drops a DLL and a SYS file with rootkit functionality.
It creates a registry entry in order to load the DLL:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

Cimuz, Bzud, Metafisher, Abwiz, Agent DQ
It usually drops a DLL as a Browser Helper Object (BHO) with these names:
    %SystemRoot%\appwiz.dll
    %SystemRoot%\ipv6mmo??.dll

I have seen also other names for these files.

Bankolimb, Nethell, Limbo
It usually drops a DLL as a Browser Helper Object (BHO) and an encrypted XML which acts as a configuration file for the Trojan.
Some variants create the following registry entry:
    HKEY_LOCAL_MACHINE\Software\Helper
Others create the following one:
    HKEY_LOCAL_MACHINE\Software\MRSoft

Briz, VisualBreez
Programmed in Visual Basic, it creates the following files:
    %SystemRoot%\ieschedule.exe
    %SystemRoot%\dsrss.exe
    %SystemRoot%\ieserver.exe
    %SystemRoot%\websvr.exe
    %SystemRoot%\ieredir.exe
    %SystemRoot%\smss.exe
    %SystemRoot%\ib?.dll

Folders:
    %SystemRoot%\drv32dta
    %WindowsRoot%\websvr

Registry entry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\InitRegKey
And usually modifies the hosts file.

Nuklus, Apophis
It usually downloads the following files:
    %SystemRoot%\IEGrabber.dll
    %SystemRoot%\CertGrabber.dll
    %SystemRoot%\FFGrabber.dll
    %SystemRoot%\IECookieKiller.dll
    %SystemRoot%\IEFaker.dll
    %SystemRoot%\IEMod.dll
    %SystemRoot%\IEScrGrabber.dll
    %SystemRoot%\IETanGrabber.dll
    %SystemRoot%\NetLocker.dll
    %SystemRoot%\ProxyMod.dll
    %SystemRoot%\PSGrabber.dll

BankDiv, Banker.BWB
Creates the following files:
    %SystemRoot%\xvid.dll
    %SystemRoot%\xvid.ini
    %SystemRoot%\divx.ini
    %System%\drivers\ip.sys

Snatch, Gozi
It usually installs a driver with rootkit functionalities:
    %WindowsRoot%\driver new_drv.sys

Spyforms
Creates the following registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    “ttool” = %WindowsRoot%\svcs.exe
    HKEY_CURRENT_USER\Software\Microsoft\InetData

BankPatch
It modifies the following system files:
    wininet.dll
    kernel32.dll

And creates the files:
    %SystemRoot%\ldshfr.old
    %SystemRoot%\mentid.dmp
    %SystemRoot%\nwkr.ini
    %SystemRoot%\nwwnt.ini

Usually targets banks from the Netherlands.

Silentbanker
Drops file in %SystemRoot% with random names, for example:
    %SystemRoot%\appmgmt14.dll
    %SystemRoot%\dbgen47.dll
    %SystemRoot%\drmsto34.dll
    %SystemRoot%\faultre66.dll
    %SystemRoot%\kbddiv55.dll
    %SystemRoot%\kbddiv79.dll
    %SystemRoot%\msisi83.dll
    %SystemRoot%\msvcp793.dll
    %SystemRoot%\msvcr25.dll
    %SystemRoot%\nweven2.dll
    %SystemRoot%\pngfil51.dll
    %SystemRoot%\pschdpr89.dll
    %SystemRoot%\versio40.dll
    %SystemRoot%\wifema85.dll
    %SystemRoot%\winstr21.dll
    %SystemRoot%\wzcsv64.dll

Creates a registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Drivers32 “midi1”
If you are one of those normal persons or AVers, I recomend you to scan your computer, with ActiveScan 2.0.

If you are VXer (Virus maker or Cracker), you can take a look over Google typing these types of Malware and get more information for ideas, or you can put your ass in a comfotable form in the chair and read the next:

Banbra, Dadobra, Nabload, Banload
Programmed in Delphi, usually packed using Yoda Protector or Telock.
They are usually big (more than 1MB in size), but the Trojan Downloaders which installs it are smaller.
It usually sends out the stolen information via e-mail or ftp to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Bancos
Programmed in Visual Basic.
Similar to the Banbra family but in VBasic, they are usually big (more than 1MB).
It usually sends out the stolen information via e-mail or ftp to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Dumador, Dumarin, Dumaru
Programmed in Delphi, usually packed using FSG.
It creates the following files:
    %SystemRoot%\winldra.exe
    %WindowsRoot%\netdx.dat
    %WindowsRoot%\dvpd.dll
    %Temp%\fe43e701.htm
It also creates the following registry entries:
    HKEY_CURRENT_USER\Software\SARS
Some variants also modify the hosts file.

Sinowal, Wspoem, Anserin, AudioVideo
It creates the following files:
    %SystemRoot%\ntos.exe. (usually loaded by svchost.exe to avoid being listed as an active processes).
It creates the folder %SystemRoot%\wsnpoem, where it saves the files audio.dll and video.dll.
They are not really DLL files. In one of these files the Trojan saves an encrypted list of targeted banks. In the other file it saves the stolen data.
It also modifies the the following registry entry in order to run every boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Old value = “%SystemRoot%\userinit.exe”
    Modified = “%SystemRoot%\userinit.exe”, “%SystemRoot%\ntos.exe”
It downloads the file cfg.bin that usually contains the encrypted text strings for the banks.

Torpig, Xorpig, Mebroot
It creates the following files:
    %CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe
    %CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.dll
    %WindowsRoot%\Temp\$_2341234.TMP
    %WindowsRoot%\Temp\$_2341233.TMP
The “?” is normally replaced by a digit (ex. ibm00001.exe).
And the following registry entry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        “Shell” = “%CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe”
It usually creates a service in order to load the file ibm0000?.dll through svchost.exe.

Recent variants of Torpig, Xorpig and Mebroot:
The latest trend is that it modifies the computer’s Master Boot Record (MBR) to run rootkit code and which is used to hide the Trojan. Sometime later it forces a computer reboot and creates the following files:
    %WindowsRoot%\temp\fa56d7ec.$$$
    %WindowsRoot%\temp\bca4e2da.$$$

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

%d bloggers like this: