

VIRUS ALERTS

SilentBanker Trojan

Original issue date: February 11, 2008

It has been observed that a banking Trojan named SilentBanker is circulating widely. The Trojan propagates through the web or is dropped by other malware, and executes automatically on the user's system. It is capable of defeating the two-factor authentication systems implemented by banks and financial institutions.

The Trojan can intercept transactions carried out by users and change the user-entered destination bank account details to the attacker's account details without the user noticing. It intercepts this traffic before it is encrypted, thereby bypassing SSL protection.

It can log the keystrokes of users visiting certain banking websites, capture screenshots of the visited web pages and send them to the remote servers microcbs DOT com and reservaza DOT com. The Trojan also redirects the infected user's legitimate bank requests to computers controlled by the attackers.

Moreover, the Trojan can steal cookies, digital certificates and a list of all software installed on the infected system.

Upon execution, the Trojan:

  • Creates the mutex nnfbytsb3y so that only one instance of the Trojan executes on the system.
  • Drops a randomly named DLL file in the %System% folder to hold configuration information and logged data.
  • Creates a randomly named .cpl file in the %System% folder which contains a list of all other file names that the Trojan uses.
  • Creates the following registry entry so that it is loaded whenever an application opens a sound device:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\"midi1" = "[RANDOM CHARACTERS][RANDOM DIGITS].dll"
    Note: This may have the side effect of disabling the sound device on the infected system.
  • Adds itself as a Browser Helper Object (BHO) in Internet Explorer by creating the following registry subkey:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{[RANDOM CLSID]}
  • Creates the following registry entries:
    • HKEY_CLASSES_ROOT\CLSID\{[RANDOM CLSID]}\InprocServer32\(Default Value) = "[RANDOM CHARACTERS][RANDOM DIGITS].dll"
    • HKEY_CLASSES_ROOT\CLSID\{[RANDOM CLSID]}\TypeLib\(Default Value) = {[RANDOM CLSID]}
    • HKEY_CLASSES_ROOT\CLSID\{[RANDOM CLSID]}\(Default Value) = "[RANDOM CHARACTERS][RANDOM DIGITS]"
  • Hooks the following APIs in Internet Explorer and Firefox in order to intercept traffic sent and received by them:
    Send, Connect, CryptDeriveKey, CryptImportKey, CryptGenKey, HttpOpenRequestW, InternetReadFileExA, InternetReadFileExW, CommitUrlCacheEntryA, InternetReadFile, InternetQueryDataAvailable, HttpOpenRequestA, HttpSendRequestA, HttpSendRequestW, GetClipboardData, DispatchMessageA, DispatchMessageW, ExitProcess
  • Downloads compressed and encrypted configuration files from the remote servers, which contain the following information:
    URLs to redirect to attacker sites, URLs to target for stealing account information, URLs to take screenshots of, keywords to search for, domain names to monitor and report to the attacker, the location of control servers, the location of an updated Trojan executable, the location to send all stolen data to, and various other configuration data.
  • Changes the infected system's DNS settings to the following:
    • 85 DOT 255 DOT 116 DOT 133
    • 85 DOT 255 DOT 112 DOT 87
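The persistence and DNS-change indicators listed above can be checked offline against a registry export. The following script is an added example and is not part of the CERT-In alert nor any vendor's tooling: it parses a .reg text export (the sample below is constructed, with placeholder CLSID/GUID values) instead of reading a live registry, flags Drivers32 entries that load something other than a known multimedia driver, resolves each Browser Helper Object CLSID to its InprocServer32 DLL, and reports per-interface NameServer values outside an allowlist. The driver allowlist KNOWN_DRIVERS, the resolver allowlist DNS_ALLOWLIST and the file-name pattern RANDOM_DLL are assumptions of this example; the "DOT"-defanged IPs are taken from the alert and re-fanged only in memory.

```python
"""Triage of a registry export for the SilentBanker indicators above.

Added example (not CERT-In's or any vendor's code). Reads a .reg text export
rather than a live registry so it runs offline; the allowlists and the
file-name pattern below are assumptions of this example.
"""
import re

# Assumption: multimedia driver stubs legitimately referenced from Drivers32.
KNOWN_DRIVERS = {"wdmaud.drv", "msacm32.drv", "msh261.drv", "msh263.drv"}
# Assumption: the resolvers this environment expects on every interface.
DNS_ALLOWLIST = {"10.0.0.53", "10.0.1.53"}


def refang(indicator):
    """Turn the alert's defanged form ('85 DOT 255 DOT 116 DOT 133') into dotted form."""
    return indicator.replace(" DOT ", ".")


# DNS servers the Trojan configures, taken from the alert.
SILENTBANKER_DNS = {refang(i) for i in ("85 DOT 255 DOT 116 DOT 133",
                                        "85 DOT 255 DOT 112 DOT 87")}
# Shape of the dropped file name given in the alert:
# "[RANDOM CHARACTERS][RANDOM DIGITS].dll". A triage hint only, not proof.
RANDOM_DLL = re.compile(r"^[a-z]+\d+\.dll$", re.I)


def parse_reg(text):
    """Parse .reg export text into {key_path_lowercased: {value_name: data}}.
    Only string values ("name"="data" and @="data") are handled, which is all
    the indicators in the alert need."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg escapes backslashes as "\\"; undo that for path handling.
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_indicators(reg):
    """Return (tag, where, data) tuples for every suspicious entry found."""
    findings = []
    for key, values in reg.items():
        # 1. Drivers32: the Trojan registers its DLL as "midi1" so it is loaded
        #    whenever an application opens a sound device.
        if key.endswith("\\drivers32"):
            for name, data in values.items():
                if data.lower() not in KNOWN_DRIVERS:
                    findings.append(("drivers32", name, data))
        # 2. Browser Helper Objects: resolve each BHO CLSID to its InprocServer32
        #    DLL and mark names matching the alert's random-name shape.
        bho = re.search(r"\\browser helper objects\\(\{[^}]+\})$", key)
        if bho:
            clsid = bho.group(1)
            server = reg.get("hkey_classes_root\\clsid\\%s\\inprocserver32" % clsid, {})
            dll = server.get("(Default)", "")
            tag = "bho-random-name" if RANDOM_DLL.match(dll.rsplit("\\", 1)[-1]) else "bho"
            findings.append((tag, clsid, dll))
        # 3. Per-interface NameServer values outside the expected resolvers.
        if "\\tcpip\\parameters\\interfaces\\" in key and "NameServer" in values:
            for server_ip in re.split(r"[ ,]+", values["NameServer"]):
                if server_ip and server_ip not in DNS_ALLOWLIST:
                    tag = "dns-silentbanker" if server_ip in SILENTBANKER_DNS else "dns-unexpected"
                    findings.append((tag, key.rsplit("\\", 1)[-1], server_ip))
    return findings


# Constructed sample export mimicking an infected host; CLSID/GUID values are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi"="wdmaud.drv"
"midi1"="qwvbtr4821.dll"
"wavemapper"="msacm32.drv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="qwvbtr4821"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\qwvbtr4821.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
"NameServer"="85.255.116.133,85.255.112.87"
"""

if __name__ == "__main__":
    for tag, where, data in find_indicators(parse_reg(SAMPLE_REG)):
        print("%-18s %-42s %s" % (tag, where, data))
```

On a real host the input would come from `reg export` of the three hives involved; the BHO check intentionally reports every BHO (they are rare enough to review by hand) and only adds the random-name tag as a hint, since a legitimate DLL can also happen to match the pattern.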

In view of the rapid propagation and high damage potential of the malware, users are advised to implement the following countermeasures:

  • Monitor the DNS settings of the machine regularly.
  • Block outbound DNS requests to the IPs mentioned below:
    • 85 DOT 255 DOT 119 DOT 218
    • 209 DOT 123 DOT 181 DOT 63
  • Block outbound HTTP and DNS requests for the malicious domains mentioned below:
    • iloveie DOT info
    • screensaversfor-fun DOT com
    • webcounterstat DOT info
    • reservaza DOT com
    • mystabcounter DOT info
    • microcbs DOT com
  • Keep the operating system and application software up to date with patches and fixes.
  • Keep antivirus and antispyware signatures up to date.
  • Do not visit untrusted websites.
  • Remain cautious while visiting banking websites, especially when asked to provide information that has not been requested before. In case of suspicion, contact your financial institution or bank.
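Beyond blocking at the perimeter, the domain and IP lists in the countermeasures above can be matched against resolver logs to find hosts that are already infected. The following script is an added example, not part of the CERT-In alert: it keeps the indicators in the alert's defanged "DOT" form, re-fangs them in memory, and scans DNS query log lines for queries to the listed domains (including subdomains, while not matching look-alikes such as notmicrocbs.com) and for answers resolving to the listed IPs. The log line format and the sample lines are constructed for this example.

```python
"""Match DNS query logs against the domains and IPs in the countermeasures above.

Added example (not CERT-In's code). The log line shape and the sample lines are
constructed for this example; the indicator lists are the alert's, kept in its
defanged "DOT" form and re-fanged only in memory.
"""
import re

BLOCKED_DOMAINS_DEFANGED = [
    "iloveie DOT info", "screensaversfor-fun DOT com", "webcounterstat DOT info",
    "reservaza DOT com", "mystabcounter DOT info", "microcbs DOT com",
]
BLOCKED_IPS_DEFANGED = ["85 DOT 255 DOT 119 DOT 218", "209 DOT 123 DOT 181 DOT 63"]


def refang(indicator):
    """'microcbs DOT com' -> 'microcbs.com'; lower-cased for comparison."""
    return indicator.replace(" DOT ", ".").lower()


BLOCKED_DOMAINS = {refang(d) for d in BLOCKED_DOMAINS_DEFANGED}
BLOCKED_IPS = {refang(i) for i in BLOCKED_IPS_DEFANGED}

# Assumed (constructed) log line shape:
#   "<timestamp> client=<ip> query=<name> type=<rr> answer=<ip|NXDOMAIN>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=\S+ answer=(?P<answer>\S*)$")


def domain_matches(qname, blocklist):
    """True when qname is a blocked domain or a subdomain of one.
    A plain suffix test would let 'notmicrocbs.com' match 'microcbs.com',
    so the comparison requires either equality or a '.'-separated suffix."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in blocklist)


def scan(lines):
    """Return (client, kind, indicator) alerts for every matching log line."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        client, qname, answer = m["client"], m["qname"], m["answer"]
        if domain_matches(qname, BLOCKED_DOMAINS):
            alerts.append((client, "domain", qname))
        if answer.lower() in BLOCKED_IPS:
            alerts.append((client, "resolved-ip", answer))
    return alerts


# Constructed sample log; 10.0.0.0/8 and 192.0.2.0/24 are private/documentation ranges.
SAMPLE_LOG = [
    "2008-02-11T10:15:02Z client=10.0.0.12 query=www.microcbs.com type=A answer=85.255.119.218",
    "2008-02-11T10:15:05Z client=10.0.0.12 query=reservaza.com. type=A answer=NXDOMAIN",
    "2008-02-11T10:16:11Z client=10.0.0.40 query=www.example.com type=A answer=192.0.2.10",
    "2008-02-11T10:16:30Z client=10.0.0.41 query=notmicrocbs.com type=A answer=192.0.2.20",
    "this line is not a DNS record and is skipped",
]

if __name__ == "__main__":
    for client, kind, indicator in scan(SAMPLE_LOG):
        print("%s  %-12s %s" % (client, kind, indicator))
```

The alerts name the querying client, which is what an incident responder needs next: a host that queries these domains or receives these answers is a candidate for the registry triage described earlier in this alert.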

References

http://www.symantec.com/security_response/writeup.jsp?docid=2007-121718-1009-99&tabid=2

http://www.pcworld.in/india/news/Spyware_&_Security/Another_New_Trojan_Intercepts_Online_Banking_Information/3866692/9

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003