Trojan.Silentbanker Adds Rootkit Functionality
Trojan.Silentbanker has been in the wild since late last year; however, the most recent release of this Trojan has had some interesting features added to it. Namely, the most recent version has added rootkit functionality to make the Trojan even stealthier. If you are unfamiliar with Trojan.Silentbanker, have a look at this blog first.
In particular, the Trojan tries to hide its own files from the system in order to avoid someone noticing the files and to hide its configuration from prying eyes. This is a common technique used by other Trojans to stay invisible on a system. Trojan.Silentbanker stores its executable files and configuration files in the "system32" folder using a file name that consists of a series of numbers followed by the extension .cpx or .cpl. (I'll explain what the numbers mean a little later.)
In order to become invisible the Trojan needs to hook the FindFirstFile / FindNextFile functions of the system so that when the system is about to return a listing of files to the user, the Trojan can sanitize the list first and remove any references to the Trojan's files before the user is presented with the list. To illustrate the addition of rootkit functionality to the Trojan, review the table below, which shows the functions that were hooked by the Trojan in January 2008 and in the most recent version:

Fig 1. APIs hooked by Trojan.Silentbanker
(Note: A "?" in the above table signifies that the information regarding whether or not that API was hooked in a specific version was not available at the time of writing.)
The interesting additions to the list are the FindNextFile APIs. Let's take a look at what these functions do now that they are hooked. First though, here is what the FindNextFileW code should look like on a clean system:
Now, here is the code when the Trojan is running and the function is hooked:

We see that the real FindNextFileW code has been replaced with a jump to address 1610000. The code at that address sets some variables and then jumps to the attacker's version of FindNextFileW, which is stored at 0x0A3DF27 and is shown below in IDA:

Here we see that the malicious FindNextFileW will call the real FindNextFileW first. Then, it will check if the filename returned is a file name that should be hidden; it does this in the FilterFindNextResults function. If it is a filename that should be hidden, then the code will call the real FindNextFileW once more. So, even though the system intended to call the real FindNextFileW function once, the attacker causes it to be called twice and to return the results of the second call only. So, the information about the file to be hidden is never returned by the function.
Let's have a look at the criteria that the FilterFindNextResults function shown above uses to hide files. Various code is involved, but the most important piece is the function shown below. It calculates a hash of the computer name:
The resulting hash, an 8-digit number, is what is used as the numbers before the .cpx or .cpl extension that I mentioned earlier. For example, the hash of the test PC was 38477686, and during testing the following files were created: 3847768621.cpx, 38477686212.cpx, and 38477686221.cpx (another number is appended to the hash in order to be able to store more than one .cpx file; in this case the numbers appended were 21, 212, and 221, respectively).
So, the malicious FindNextFileW calculates the hash of the computer name and compares that hash to the file names that are returned from the real FindNextFileW. If there is a match the real FindNextFileW is called a second time, effectively causing the last file found not to be reported.
There are a few things to note about this threat. One is that FindFirstFileA and FindFirstFileW are not hooked; only FindNextFileA and FindNextFileW are hooked. This means that if the Trojan's file is the first in a directory listing, it will not be hidden.
Also, the hash of the computer name is recalculated every time FindNextFileW is called. As well as not being very efficient coding, this means that if you change the name of your computer the files will no longer be hidden, because the hash of the new computer name will not match the hash that was used when the Trojan's files were first created.
Another interesting fact is that no registry APIs were hooked, so the registry entries created by the Trojan can still be seen. The Trojan creates the following registry key in order to start when the computer is restarted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1:"[hash of computer name].CPX"
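As an added defender-side example (my code, not anything from the Symantec write-up), the script below reads the Drivers32 key the Trojan uses for persistence, flags values whose data matches the hash-prefixed .cpx/.cpl naming quoted above, and then cross-checks each such file: accessed by name versus enumerated through the directory listing, since only the FindNextFile enumeration path is hooked. The name pattern and the assumption that by-name access (GetFileAttributes/CreateFile) is not hooked are mine.

```python
import os
import re
import sys

# Per the write-up, Trojan.Silentbanker persists via a Drivers32 value whose data is
# "<8-digit computer-name hash><suffix>.cpx" (or .cpl) in system32, and hides those
# names only from FindFirstFile/FindNextFile-based directory listings.
DRIVERS32_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
# Hypothetical name pattern, derived from the file names quoted in the write-up.
SUSPECT_NAME = re.compile(r"^(\d{8})\d*\.cp[xl]$", re.IGNORECASE)

def suspicious_drivers32_values(values):
    """Return (value_name, data, hash_prefix) for each Drivers32 value (dict name->data)
    whose data looks like a Silentbanker module name."""
    hits = []
    for name, data in values.items():
        m = SUSPECT_NAME.match(os.path.basename(str(data)))
        if m:
            hits.append((name, data, m.group(1)))
    return hits

def cross_view_hidden(directory, filename):
    """True if the file exists when accessed by name but is missing from the enumerated
    listing: the cross-view gap a FindNextFile hook leaves. Assumes the by-name path
    (os.path.exists -> GetFileAttributes/CreateFile) is not hooked."""
    listed = {n.lower() for n in os.listdir(directory)}
    exists_by_name = os.path.exists(os.path.join(directory, filename))
    return exists_by_name and filename.lower() not in listed

def read_drivers32():
    """Read the live Drivers32 values on Windows; returns an empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DRIVERS32_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = data
            i += 1
    return values

if __name__ == "__main__":
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    for value_name, data, h in suspicious_drivers32_values(read_drivers32()):
        hidden = cross_view_hidden(system32, os.path.basename(data))
        print(f"{value_name} = {data} (hash {h}); hidden from listing: {hidden}")
```

A file that is reported hidden by this check is worth pulling for analysis with an offline tool, since the hook only affects enumeration from within the running system.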
As well as adding rootkit functionality to the latest version of the Trojan, the authors have also added an extra layer of encryption to the configuration files. I will discuss this extra layer and how to decrypt it tomorrow.
The latest version of this Trojan is detected by Symantec as Trojan.Silentbanker. The writeup, available here, has been updated with the latest changes to the Trojan.