On March 5, we posted a blog about a new threat called Trojan.Bayrob that targets users of the eBay auction site and, more specifically, motor auctions. Following further research, we are able to shed some more light on the mechanics of Trojan.Bayrob. As stated previously, this attack is targeted at users who are highly likely to buy a car on eBay (e.g. second-hand car sales companies).
In this attack, victims are sent an email about a car that is being offered for sale. The email contains a legitimate slide show program that shows images of the car on offer; however, the email also contains the Trojan.Bayrob file. Below are two examples of what the slide show looks like. While the victim views the slide show, the Trojan is silently being installed in the background.
The email most likely contains two components that are crucial for the attack to succeed: a link to a real eBay auction and an executable. The executable is a dropper that drops two files into a temp folder (see note below); one is the legitimate slide show program that displays photos of the car on offer, and the other is the Trojan.
A typical attack works as follows: the victim receives an email about a car for sale, and he (or she) opens it and runs the attachment – always a bad idea! He sees the photo slideshow of the car, but the Trojan has also been silently dropped and installed. The victim decides he likes the look of the car and clicks on the link to the real eBay auction.
At this point, the Trojan is running in the background and starts intercepting traffic (for more details see the previous blog). If the victim decides to check the seller's feedback, the Trojan presents him with a fake feedback page instead.
This fake feedback page shows great feedback, leading the victim to believe that the seller is genuine and trustworthy. See the screenshots below:
The victim is also presented with other fake information to persuade him to buy the car. Based on this fake information, the victim decides to buy. At this point, the attack is almost complete; all the attacker has to do now is wait for the victim to complete the purchase and for the money to arrive.
The good news is that all of the attackers' control sites mentioned in the previous blog have now been taken offline! However, I am sure that the attackers will regroup and set up new servers. Therefore, the usual advice still holds: don’t run executables from people you don’t trust!
The security response team has still not seen this attack in action, as the control servers – which were initially not sending down correct configuration data – have been shut down. The information shown here has been obtained through static analysis of the Trojan.
Note: The two temp files are dropped in the "c:\documents and settings\[current user]\local settings\Temp\" folder and are named kvet*.exe. One file is the clean slide show application, and the other is the Trojan.
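As an added triage illustration (not part of the original post): a small helper that lists files in a user's Temp folder matching the kvet*.exe naming from the note above, recording each file's SHA-256 and whether it carries the "MZ" executable header, so the clean slide show and the Trojan can be told apart by hash. The sample folder layout and file contents are constructed stand-ins, not the real samples.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Name pattern reported for both dropped files (the clean slide show and the Trojan).
DROPPED_NAME_PATTERN = "kvet*.exe"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to be read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropped_files(temp_dir, pattern=DROPPED_NAME_PATTERN):
    """Return one record per file in temp_dir whose name matches pattern (case-insensitive,
    since NTFS is). Each record carries size, SHA-256 and an 'MZ' header check; the two
    siblings share a name pattern but differ in hash, which is what an analyst submits."""
    hits = []
    for p in sorted(Path(temp_dir).iterdir()):
        if not p.is_file() or not fnmatch.fnmatch(p.name.lower(), pattern.lower()):
            continue
        with p.open("rb") as f:
            magic = f.read(2)
        hits.append({"name": p.name, "size": p.stat().st_size,
                     "sha256": sha256_of(p), "is_pe": magic == b"MZ"})
    return hits


def build_constructed_temp_dir():
    """Constructed sample: a stand-in 'Local Settings\\Temp' folder holding two files with
    the reported name pattern plus an unrelated file. Contents are dummy bytes only."""
    temp = Path(tempfile.mkdtemp()) / "Local Settings" / "Temp"
    temp.mkdir(parents=True)
    (temp / "kvet1.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"constructed slide show stand-in")
    (temp / "kvetA.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"constructed trojan stand-in")
    (temp / "report.txt").write_bytes(b"not an executable")
    return temp


if __name__ == "__main__":
    for hit in find_dropped_files(build_constructed_temp_dir()):
        print(hit)
```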