One of the main goals of a cybercriminal is to gain total control over a victim’s machine. This is currently done through the use of RATs (remote admin tools) and other methods. The infected computers are used by cybercriminals for all sorts of malicious activity.
It’s no different with Brazilian cybercriminals – they have the same intent, but due to their culture of immediacy their efforts are often focused on creating Trojan bankers, rather than botnets, RATs or other methods of remote control. But this behavior is slowly changing – a recent attack shows they are ready to create a network of local infected machines and take total control of it, stealing personal data and using the infected machines to send spam. They are doing all this in a very creative way: registering a remote user account called ‘Remo’ which is password-protected. Through this account the cybercriminals have total access and control over the infected machine.
The attack starts with an e-mail posing as an alleged update for Flash Player. The downloader will actually install the legitimate Flash Player, but will also download another file that appears in the image below as “ajuda.txt”:
Once downloaded, the .txt file will be renamed to .msi and the files it contains will be installed on the system. Inside the .msi file we found several files:
The first file registered in the system is Play.dll. It calls UNI.exe, a tool called Universal Termsrv.dll Patch – it cracks termsrv.dll, a legitimate DLL of Windows used in remote access. This tool will remove the “Concurrent Remote Desktop sessions limit” patching the DLL and results in the system allowing multi-user login in XP/Vista/7 at the same time. Basically, a concurrent remote desktop session allows several users to connect to a system through the remote desktop feature (MSTSC), also known as Terminal Service. If the feature isn’t activated, the malware changes the key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and its values to remove all forms of protection.
The malware also changes some keys in Windows Registry to create the user account Remo, for example, the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Remo.
The account ‘Remo’ registered in the infected system as a remote access user
In order to give the attacker total control over the files, the malware also changes the properties of the root folder, sharing all its contents. The files that are installed are executed via network sharing (127.0.0.1\Admin$). It registers some malicious BHOs, each one for a different Brazilian bank: bcef.dll (Caixa Economica), brada.dll (Bradesco), brasil.dll (Banco do Brasil), and bjuri.dll (Bradesco Juridico). The DLLs will be responsible for stealing users’ credentials during access to Internet banking services.
To ensure the malware is active after the next reboot, it registers two job files in the Windows Task Scheduler. These files will call play.dll and update.bat which can download new files to the system.
When accessed by the black hat the infected machine will show on Task Manager the files that are executed by the user “Remo”:
Currently more than 3,300 machines in Brazil are infected and controlled using this technique. To manage the machines the bad guys maintain a page showing the MAC address, the user account, and the date when it was infected. It also shows if a security plug-in used by Brazilian banks is installed:
“_BB_” stands for Banco do Brasil, its there to identify if the infected machine has the bank’s security plug-in installed
Besides having their personal data stolen, the user’s machine will be used by cybercriminals to distribute spam, just like in a botnet. The criminals are selling access to infected machines and charging around U$ 60.00:
"When it comes to sending spam, your problems are over: unlimited Windows Remote MSTSC and SMTP for R$100.00"
If you were a victim of this attack, just go to Start > Run, type control userpasswords2 and delete the account 'Remo'. All the files installed by this Trojan are detected, blocked and removed by all Kaspersky Lab products.
(Hat tip to Maria Cristina)
2011 Jul 15, 21:24
In fact, it is rare to see a trojan Banker with a well-designed code. The majority has always the same behavior, and when you find some better developed, some piece of its code has been copied or they used these kits for sale on black hats websites. This one is really a more creative and better prepared, and it gives to us an idea what's coming up.
2011 Jul 16, 22:55
Hello, I have to go a little bit of the theme. I have idea about the it security but I am not programer. I read a lot of such articles as here. And as hobby I analyse spam and log files of our site.Recently I traced some spam which has led me to a hosting provider for adult content. I have first thought wow what great (powerfull servers) infrastructure they own, but it was only leased in Netherlands. And that is theme I want to point about. The cybercrimanal gangs are just users, but perfectly educated users. I dont analyse now the groups with their own programers, but what one can do if one could find finished solutions nowdays just as a user.
Edited by js, 2011 Jul 17, 00:30