

VIRUS ALERTS

Banker Infostealer Trojan

Original issue date: May 30, 2007

Banker Infostealer is a Trojan horse program which steals targeted banking information from the infected system.

The Trojan uses a distinctive technique to keep its malicious activity unnoticed by the victim. When a user logs on to a targeted bank's website from the infected system, the Trojan injects its own HTML snippet into the HTML returned by the bank's web server. The returned page therefore contains additional fields alongside the original ones, asking for details such as PIN, Social Security Number and date of birth. When the user enters this information and clicks the submit button, the Trojan stores a copy of it on the infected system.

Banker Infostealer also opens a backdoor on the infected system on TCP port 80, connecting to remote websites and requesting web pages for malicious purposes.

Upon execution, the Trojan:

  • Creates a mutex so that only one instance of the trojan executes on the system.
  • Drops one of the following DLL files in the system folder and registers the dropped DLL as a Browser Helper Object.

    • torm.dll
    • coman.dll
    • helper.dll
    • torm1.dll
    • coman1.dll
    • helper1.dll

  • Drops the following configuration files, which contain the targeted bank details, in the system folder.

    • helper.sys
    • helper.xml

  • Creates the following registry keys.

HKEY_LOCAL_MACHINE\Software\Helper\"DName" =
[ENCRYPTED STRING1]

HKEY_LOCAL_MACHINE\Software\Helper\"Dom" =
[HEX VALUES]

HKEY_LOCAL_MACHINE\Software\Helper\"GUID" =
[ENCRYPTED STRING2]

  • Creates the following registry subkeys.

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\[TROJAN BHO CLSID]

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[PATH TO TROJAN BHO DLL]

  • Opens a backdoor on TCP port 80 to connect to remote websites for the following purposes:

    • notify the attacker of an infection
    • send e-mail
    • upload data to the server
    • send or receive commands

  • Creates the following files to store the stolen information and
    communicate with a remote system.

    • wab.dat
    • ps.dat
    • cookie.dat
    • boa.dat
    • alog.txt
    • commands.xml
    • tns.dll

Users are advised to implement the following countermeasures:

  • Keep up-to-date patches and fixes on the operating system
    and application software.
  • Keep up-to-date Antivirus and Antispyware signatures.
  • Do not visit untrusted websites.
  • Remain cautious while visiting your banking websites and when asked to provide any information that has not been requested before. In case of suspicion, contact your financial institution or bank.

References

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-052710-0541-99&tabid=1

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003