
An Infostealer That is Just Too Visible

Updated: 29 Jun 2009
Masaki Suenaga

There have been many threats discovered whose direct purpose is stealing online bank account and password information. A good majority of these have originated in Brazil, and in these cases the threats are known to be part of the Infostealer.Bancos family. They run without any user interface and attempt to capture all of the information a user sends to a targeted bank's Web page. Some variants show fake login dialog boxes, almost all of which are JPEG images stored inside the threat itself. The important thing to remember here is that the people serving up these threats are thieves and have to hide.

In contrast, a fraudster does not need to hide; the fraudster interacts with his or her victim in the open. Recently we received an .exe file from a customer in Brazil. When the .exe is run, it shows a visible message box with the title "Patch 2.25 - Correcao de Falhas" ("Patch 2.25 - Fault Correction"). It claims to be a patch for a particular "fault," and the dialog box also contains messages in Portuguese, roughly translated into English as "This program will perform the update of your digital certificate." If a button labeled "Atualizar" (Update) is clicked, a second dialog box appears, again in Portuguese, roughly translated as "In order to update, enter the local password of the certificate for your account." If you enter characters that look like a password into the field and click "OK," a third dialog box appears after a short time, apparently connecting to a server.

Again in Portuguese, the third dialog box states (translated) "In order to confirm the digital certificate, enter the Chave de Seguranca (Security Key) that appears on the cover of your machine into the field below." The input field accepts six characters. If you enter any characters that look like a key, the program waits for some time, displays an error message, and appears to try again. Once the security key has been entered four times and the error message shown four times, the program exits.

So what actually happened? At the very least, it certainly doesn't patch anything. While it looks like it is connecting to a server to confirm the password and key, it does not connect to any server you would expect; the only connection it makes is to an SMTP server. SMTP servers are used only for sending email and are not meant to allow the retrieval of meaningful information, so no verification of the password or key can be taking place. During the analysis we can see that the sender and recipient email addresses are identical and in the terra.com.br domain.

As you have surely guessed, the password and key are sent in that email. Any fabricated password or key is sent just the same, which may be something of a relief, but the program also collects all of the .key files from your system and sends them too. The .key extension is used by various applications, including WinRAR, for license files. So even if your bank password is not stolen, the license keys of some products may be.
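The two paragraphs above describe what an analyst sees on the wire: a single SMTP session, the same address as sender and recipient, the typed password and key in the message body, and .key files attached. The script below is an added example, not code from the original post or from Symantec, showing how to triage such a captured session automatically. The transcript it parses is constructed for the example (the addresses, subject, field names "senha" and "chave", and the attachment name are all assumptions, not data from the sample analysed above); the "C:"/"S:" prefixes stand for the client and server sides as a sniffer might label them.

```python
"""Triage of a captured SMTP session for signs of credential exfiltration.

Added example, not code from the original post. The transcript below is a
constructed stand-in for the kind of session the analysis describes: one
SMTP connection, identical sender and recipient, typed credentials in the
body, and .key files attached. All names and values are made up.
"""
import email
import re
from email import policy

# Constructed sample capture. "S:" lines are server replies, "C:" lines are
# what the client sent. A bare "C:" is an empty line sent by the client.
SAMPLE_SESSION = """\
S: 220 smtp.example.invalid ESMTP
C: HELO victim-pc
S: 250 smtp.example.invalid
C: MAIL FROM:<dropbox@example.invalid>
S: 250 OK
C: RCPT TO:<dropbox@example.invalid>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: dropbox@example.invalid
C: To: dropbox@example.invalid
C: Subject: Patch 2.25
C: MIME-Version: 1.0
C: Content-Type: multipart/mixed; boundary="b1"
C:
C: --b1
C: Content-Type: text/plain
C:
C: senha=hunter2
C: chave=123456
C: --b1
C: Content-Type: application/octet-stream; name="rarreg.key"
C: Content-Disposition: attachment; filename="rarreg.key"
C:
C: RAR registration data
C: --b1--
C: .
S: 250 OK queued
C: QUIT
S: 221 Bye
"""


def _addr(command):
    """Pull the address out of 'MAIL FROM:<a@b>' / 'RCPT TO:<a@b>'."""
    m = re.search(r"<([^>]*)>", command)
    return (m.group(1) if m else command.split(":", 1)[1].strip()).lower()


def parse_smtp_session(transcript):
    """Walk the client side of the session and return the SMTP envelope."""
    envelope = {"mail_from": None, "rcpt_to": [], "data": None}
    in_data, body = False, []
    for line in transcript.splitlines():
        if not line.startswith("C:"):
            continue  # server replies carry nothing we need here
        payload = line[3:]
        if in_data:
            if payload == ".":
                in_data = False
                envelope["data"] = "\n".join(body)
            else:
                # SMTP dot-stuffing: a leading ".." encodes a single "."
                body.append(payload[1:] if payload.startswith("..") else payload)
            continue
        cmd = payload.upper()
        if cmd.startswith("MAIL FROM:"):
            envelope["mail_from"] = _addr(payload)
        elif cmd.startswith("RCPT TO:"):
            envelope["rcpt_to"].append(_addr(payload))
        elif cmd == "DATA":
            in_data = True
    return envelope


def extract_message(data):
    """Split the DATA payload into subject, text parts and attachment names."""
    msg = email.message_from_string(data, policy=policy.default)
    out = {"subject": str(msg["subject"]), "text": [], "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            out["attachments"].append(name)
        elif part.get_content_type() == "text/plain":
            out["text"].append(part.get_content())
    return out


def triage(transcript):
    """Return the parsed session plus a list of exfiltration indicators."""
    env = parse_smtp_session(transcript)
    msg = extract_message(env["data"]) if env["data"] else {"subject": None, "text": [], "attachments": []}
    findings = []
    if env["mail_from"] and env["mail_from"] in env["rcpt_to"]:
        findings.append("sender and recipient identical: " + env["mail_from"])
    key_files = [f for f in msg["attachments"] if f.lower().endswith(".key")]
    if key_files:
        findings.append(".key files attached: " + ", ".join(key_files))
    # Field names are an assumption for this example (senha = password, chave = key).
    fields = dict(re.findall(r"(?im)^(senha|chave)\s*=\s*(\S+)\s*$", "\n".join(msg["text"])))
    if fields:
        findings.append("credential-like fields in body: " + ", ".join(sorted(fields)))
    return {"envelope": env, "message": msg, "fields": fields, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_SESSION)["findings"]:
        print(finding)
```

The identical sender and recipient is the cheapest indicator here: a legitimate "update" program has no reason to send mail at all, let alone to itself, and the check needs nothing more than the envelope commands. Matching on body field names is specific to this example's constructed message and would need adjusting for a real sample.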

It is definitely not safe to run programs from unknown sources. Even if a program appears genuine, when it starts asking for a password to an online bank or to an account of any type (or for credit card information, as observed in Trojan.Kardphisher), it is most likely fraudulent. Entering a fake password or key to see what happens is no protection either: other information may be stolen at the same time, all before you know it.