Malicious programs targeting the confidential data used to access online banking systems have long been the bane of financial organizations worldwide. Analysts are quick to tell of the many millions of dollars stolen, whilst the victims who have had their accounts plundered complain bitterly about being left high and dry without any compensation.
Number of search results for “stolen+money+bank+Trojan” on Google
The appearance, therefore, of yet another piece of malware designed to relieve the unwary of their money is anything but hot news. It does, however, offer an insight into how the cybercriminals get their hands on your cash.
Last spring it became clear that a mass compromise of websites had taken place. The culprit on this occasion was the Gumblar script downloader, which managed to place the vulnerabilities of online security firmly in the spotlight once again. Since then, the distribution system used by Gumblar has become the way-to-go for spreading numerous other malicious programs.
The Gumblar attack cycle. Source: www.digitalthreat.net
Gumblar still remains at the top of our monthly rating and our analysts are still on its case, tracking all the compromised sites. A number of techniques for infecting websites have turned up whilst in the process of monitoring Gumblar, the main one being the use of stolen passwords to access FTP resources. The fact that the same sites have been repeatedly compromised, even after being given the all-clear by their administrators, shows that the cybercriminals are constantly active and that they know rich-pickings when they see it.
During the latest visit to a Gumblar-infected site the test computer was infected (via yet another vulnerability in an Adobe product) by a variant of Bredolab.
There was nothing new about the technique, but we did clock something else that was quite unexpected: while monitoring the Bredolab Trojan, we noticed that it was showing a rather unhealthy interest in the HLM\Software\BIFIT registry key. This key contains information about any programs installed on the computer that are used for online transactions and was developed by a company called BIFIT. A malicious program, which shows up as Trojan-Banker.Win32.Fibbit.a, was subsequently installed on the infected computer during the next update from botnet HQ.
When this piece of malware is launched, it copies itself to the file %windir%\system32\winsrv32, or to %TEMP%\winsrv32.exe. Having extracted the executable file from the main body, the program then injects it into the following processes: svchost.exe, explorer.exе, iexplore.exe, firefox.exe, opera.exe, java.exe, and javaw.exe. The malicious program also adds itself to the Startup group and adds the svchost.exe process to the exception list to prevent it from being blocked by the standard Windows firewall. The Trojan searches the system for the window class names SunAwtFrame, javax.swing.JFrame, MSAWT_Comp_Class that have the titles “Вход в систему” (Enter the system), “Welcome” or “Синхронизация с банком” (Synchronize with the bank). If these windows are found, the Trojan captures any relevant keystrokes, copies the data from the clipboard, searches for certificate files with the .jks extension, captures screenshots and attempts to read the keys.dat file. All the data found is then packed into a CAB archive and sent off to the cybercriminal’s server.
Back in mid-2008, when BIFIT first notified banks and users about a Trojan capable of stealing money via the iBank 2 system, the stolen credentials used to access online banks were sent to cybercriminals at the addresses i-bifit.com and i-bifit.in. Nowadays the bank transaction information stolen by Fibbit is collected by sites forming part of the autonomous AS29371 system that cybercriminals use for their illicit activities, and which is already well known to security analysts.
As soon as the cybercriminals have all the data that they need, they send a command to the Trojan telling it to block the user’s access to their online banking service. When the user attempts to enter the relevant site, a dialog box pops up stating that the server is undergoing maintenance work:
By preventing the user from accessing the bank’s online services, the cybercriminals attempt to conceal the fact that there’s a heist in progress. It also ensures that they have enough time to transfer the money out via fake accounts, online payment systems and online currency exchanges, which leaves a complex trail and makes it impossible to cancel the initial transaction.
After fulfilling its task the Trojan winds up its operations, but doesn’t self-destruct, which means that the cybercriminals can turn the user over again at a later date if they so wish.
A week after Trojan-Banker.Win32.Fibbit.a was detected, over a hundred variants of this particular piece of malware have been added to Kaspersky Lab’s venerable malware collection. An analysis of their differences pointed to the cybercriminals using simple encryptors in an effort to make the Trojan more difficult for antivirus programs to detect.
According to data from the Kaspersky Security Network, this Trojan shows up about a hundred times a day, while over a thousand attempts to connect to the blacklisted resources where the stolen banking data is sent to were blocked. When you look at Kaspersky Lab’s share of the Russian market, there must be around 8000 computers in Russia that are infected by this malicious program.
After examining Trojan-Banker.Win32.Fibbit.a we can state that it uses the same technologies as the notorious Trojan-Spy.Win32.BZub and Trojan-Spy.Win32.Zbot. The authors obviously decided not to reinvent the wheel and stuck to what they know. The number of infected computers is pretty worrying though, which is why it’s worth quoting the recommendations that BIFIT gave to its clients:
Also, if you receive an error message when trying to connect to your bank’s server, contact your bank immediately and find out if their servers are working correctly and when the last transaction was made.