The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Rootkit Banker - now also to 64-bit

Fabio Assolini
Kaspersky Lab Expert
Posted May 20, 12:58  GMT
Tags: Internet Banking, x64

Yesterday Kaspersky Lab detected the first rootkit banker created to infect 64-bit systems. It was detected in a drive-by-download attack made by Brazilian cybercriminals.

We found a malicious Java applet inserted in a popular Brazilian website. The attack was made using a malicious applet in such a way as to infect users running old versions of the JRE (Java Runtime Environment) and was prepared to infect users running versions of both 32 and 64 bits systems.

Inside this applet we found some interesting files:

The entire malicious scheme is simple yet interesting. The file add.reg will disable the UAC (User Account Control) and modify the Windows Registry by adding fake CAs (Certification Authorities) in the infected machine:

The file cert_override.txt is a fake digital certificate signed by the fake CA registered in the system. The main purpose of this attack is to redirect the user to a phishing domain. The fake website will then show an icon of an https connection, simulated to be the real page of the bank. This scheme to register a malicious CA in an infected system has been used by Brazilian bad guys since last year.

The file aaa.bat will run and execute the file bcdedit.exe, a legitimate tool developed by Microsoft aimed to edit the boot configuration of Windows Vista and later versions. Using this tool and some parameters like “DISABLE_INTEGRITY_CHECKS”, “TESTSIGNING ON” and “type= kernel start= boot error= normal” the files plusdriver.sys and plusdriver64.sys will be copied to the drivers folder and registered as active drivers during the next reboot. This technique allows them to launch their driver without a legitimate signature, was described recently by my colleague Vyacheslav.

After they are registered, the malicious drivers will execute some commands to change the hosts file by adding a redirection to a phishing domain as well as removing some files belonging to a security plugin used by Brazilian banks:

The malicious files are detected as Rootkit.Win64.Banker.a, Rootkit.Win32.Banker.dy and the malicious applet as Trojan-Dropper.Java.Agent.e.


Oldest first
Threaded view

Josir Gomes

2011 May 20, 21:41


Hi Fabio, I think it is important to give away the name of this "popular brazilian site". Users should have the right to know which sites are

Or, at least, to inform us that the "popular site" has already removed the trojan.

If info is not transparent and complete, users could also think this is FUD news to sell antivirus software....


Fabio Assolini

2011 May 21, 01:40

Re: Transparency

The name of the site doesn't matter. This kind of attack using malicious applets can use a lot of vulnerable and popular websites in Brazil.
We sent a message to the first one and they dropped the malicious applet.

Edited by Fabio Assolini, 2011 May 30, 18:16



2013 Feb 23, 12:20

Re: Re: Transparency

This is funny because I found out about this virus my self no thanks to any software anywhere. And it ruined 5 of my computers. I found it 2 weeks ago. And have been aware of it and trying to get on a computer to tell people about it. It's being spread all over the US not just brazil. It also changes the drivers in your monitors and everything plugged in including your phone which it installs the virus on.
This thing goes DEEP. With it they will steal your credit cards, every account you have ever made, everything.



2013 Feb 23, 12:29

Re: Re: Re: Transparency

This rootkit you are describing is a basic version of what I have found. What I have discovered will blow your mind.

If you would like to comment on this article you must first

Bookmark and Share