Some of the most dangerous types of threats out there today are banking trojans. These malicious trojans are very specialized and focused at stealing banking credentials. They use advanced techniques to fool users, such as injecting HTML code to ask for additional confidential information such as SSN, PINs, coordinate cards, intercept Transaction Account Numbers (TAN) and replace them with bogus ones, and many more dirty tricks. There's no real solution to the problem in place and certainly no banking customer is safe from this threat today.

These are normally developed by real cyber-criminal mafias such as the Russian Business Network (RBN) and go through great lenghts in order to avoid being detected by traditional antivirus techniques. Not only do they go through QA testing prior to being released but they are also packed with advanced techniques and purpose-made packers that make signature detection less efficient. Specialized heuristics is the most interesting area of research to counter these attacks.

In order to familiarize yourselves with this new type of threats it is important to understand how they work on how they install themselves in your system. In this post I'll show you basic characteristics of some banking trojan families. Watch out for some more details in future posts.

Banbra, Dadobra, Nabload, Banload
Programmed in Delphi, usually packed using Yoda Protector or Telock.
They are usually big (more than 1MB in size), but the Trojan Downloaders which installs it are smaller.
It usually sends out the stolen information via e-mail or ftp to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Bancos
Programmed in Visual Basic.
Similar to the Banbra family but in VBasic, they are usually big (more than 1MB).
It usually sends out the stolen information via e-mail or ftp to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Dumador, Dumarin, Dumaru
Programmed in Delphi, usually packed using FSG.
It creates the following files:
    %SystemRoot%winldra.exe
    %WindowsRoot%netdx.dat
    %WindowsRoot%dvpd.dll
    %Temp%fe43e701.htm
It also creates the following registry entries:
    HKEY_CURRENT_USERSoftwareSARS
Some variants also modify the hosts file.

Sinowal, Wspoem, Anserin, AudioVideo
It creates the following files:
    %SystemRoot%ntos.exe. (usually loaded by svchost.exe to avoid being listed as an active processes).
It creates the folder %SystemRoot%wsnpoem, where it saves the files audio.dll and video.dll.
They are not really DLL files. In one of these files the Trojan saves an encrypted list of targeted banks. In the other file it saves the stolen data.
It also modifies the the following registry entry in order to run every boot:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
    Old value = "%SystemRoot%userinit.exe"
    Modified = "%SystemRoot%userinit.exe", "%SystemRoot%ntos.exe"
It downloads the file cfg.bin that usually contains the encrypted text strings for the banks.

Torpig, Xorpig, Mebroot
It creates the following files:
    %CommonFilesRoot%Microsoft SharedWeb Foldersibm0000?.exe
    %CommonFilesRoot%Microsoft SharedWeb Foldersibm0000?.dll
    %WindowsRoot%Temp$_2341234.TMP
    %WindowsRoot%Temp$_2341233.TMP
The "?" is normally replaced by a digit (ex. ibm00001.exe).
And the following registry entry:
    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
        “Shell” = "%CommonFilesRoot%Microsoft SharedWeb Foldersibm0000?.exe"
It usually creates a service in order to load the file ibm0000?.dll through svchost.exe.


Recent variants of Torpig, Xorpig and Mebroot:

The latest trend is that it modifies the computer's Master Boot Record (MBR) to run rootkit code and which is used to hide the Trojan. Sometime later it forces a computer reboot and creates the following files:
    %WindowsRoot%tempfa56d7ec.$$$
    %WindowsRoot%tempbca4e2da.$$$

 

Thanks to Vicen from PandaLabs for the info.