Sunday, March 3, 2013

Now that we have prepared our environment for malware analysis, let's start practicing with a simple Trojan Banker. This malware was first uploaded to VirusTotal on 2011-08-22 19:18:47 UTC. You may think this is a really old sample, but if you are a beginner in this area it is a good option for getting started.

First of all, what is a Trojan?
A trojan (or trojan horse) is a type of malware which appears to perform a desirable function or an innocent action but instead facilitates unauthorized access to the user's computer system. Trojans do not attempt to inject themselves into other files like a computer virus. Trojan horses may steal information, or harm their host computer systems. Trojans may use drive-by downloads or install via online games or internet-driven applications in order to reach target computers. The term is derived from the Trojan Horse story in Greek mythology because Trojan horses employ a form of "social engineering", presenting themselves as harmless, useful gifts, in order to persuade victims to install them on their computers.

This kind of malware is usually sent by e-mail inside a compressed file (when the e-mail antivirus cannot detect it), but it can also be hosted on a compromised server, with the victim receiving a link to it. In this case the malware poses as a "Postcard".
Figure 1: The "Postcard" downloaded from a compromised server.

So, what is the best way to find out what this malware does on my system?
There are many methodologies, but in this case I am going to monitor the activity of the malware during its execution, so that I can see all the changes it makes to my system.
Figure 2: Process Tree of the Trojan Execution

This is interesting: as you can see in Figure 2, when we execute the malware sample a new process is created in the background. Which process? A cmd.exe. We don't yet know what this cmd.exe does, but we do know that after it runs another process is created (firefox.exe).

Now let's see what an ordinary user sees on the screen after the malware executes.
Figure 3: What is shown after the malware execution?

To the ordinary user, executing the "Postcard" simply opens a new instance of Firefox, which loads a webpage showing the postcard that was sent by e-mail.
The webpage loaded in Firefox is a real, legitimate page with no malicious code inside, so the end user will never know they were infected, because the trojan performs no other visible actions.

But during the execution of this sample, records of its activity were collected. Observe that while the malware runs, a ".bat" file is created in the Temp folder of the user who opened the "Postcard", and some instructions are written to it.
Figure 4: The Trojan creates a ".bat" file in the Temp Folder

Now that we know where the batch file is located, let's take a look at the folder and see the instructions written by the trojan.
Figure 5: The malicious batch file (recovered)

As shown in Figure 5, "4094.bat" is the batch file generated by our malware sample. The file name is random, so every execution creates a file with a different name. I should mention that this file had to be recovered. Why recovered? Because the "Postcard" deletes the ".bat" file after executing it from the command line.

Figure 6: Content of the batch file (modifies the hosts file and starts the default browser with a defined webpage)

After checking the commands executed by the "cmd.exe" that the Trojan started, we can conclude that this is a Trojan Banker, because it modifies the "hosts" file in order to commit banking fraud: when infected users try to access their banks (in this case banks from Chile), they are redirected to a malicious site controlled by the malware author, where their banking credentials can be collected by a phishing webpage.
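A quick check for this kind of hosts-file tampering, written here as an added example (not the page's or the sample's own code): it parses a constructed hosts file and flags every hostname mapped to anything other than a loopback or unspecified address, since legitimate entries almost never point anywhere else. The bank-like domain names and the TEST-NET address in the sample are placeholders.

```python
"""Audit a Windows hosts file for entries a hosts-hijacking banker might
have added. Constructed sample input; not code from the analysed sample."""
import ipaddress
from typing import List, Tuple

# Constructed hosts-file content: the first lines are the stock Windows
# entries, the last two imitate what the page's batch file does (mapping
# banking sites to an attacker-controlled address). Placeholders only.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.bank-one.example   # placeholder (TEST-NET-3 address)
203.0.113.7     online.bank-two.example
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Flag hostnames mapped to a non-loopback, non-unspecified address.
    A normal hosts file only points names at 127.0.0.1/::1, or at 0.0.0.0
    to block them, so anything else deserves a look."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))   # malformed address, also worth a look
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            flagged.append((ip, name))
    return flagged


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"redirected: {name} -> {ip}")
```

On a real machine, read the content from %SystemRoot%\System32\drivers\etc\hosts instead of SAMPLE_HOSTS; any flagged banking domain is a strong sign of this kind of infection.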

During the analysis, no other changes made by the malware to the infected system were observed.

If you want more information and the complete report on this sample, please follow this link:
VirusTotal Complete Report
