Banking Trojans

Banbra (Dadobra, Nabload)
* Static process
* Process injected into other process
* Encrypted / packed file


Bancos
* Static process
* Process injected into other process
* Encrypted / packed file

Bankdiv (Banker.BWB)
* Static process
* Process injected into other process
* Encrypted / packed file
* Modification of Operating System files
* Substitution of Operating System files

Bankolimb (NetHell, Limbo)
* Static process
* Process injected into other process
* Encrypted / packed file

Banpatch
* Static process
* Process injected into other process
* Encrypted / packed file
* Modification of Operating System files

Briz
* Static process
* Process injected into other process
* Encrypted / packed file

Cimuz (Bzud, Metafisher, Abwiz, Agent DQ)
* Static process
* Process injected into other process
* Encrypted / packed file

Dumador (Dumarin, Dumaru)
* Static process
* Process injected into other process
* Encrypted / packed file

Goldun (Haxdoor, Nuclear grabber)
* Static process
* Process injected into other process
* Process hidden by rootkit
* Encrypted / packed file
* File hidden by rootkit

Nuklus (Apophis)
* Static process
* Process injected into other process
* Encrypted / packed file

PowerGrabber
* Static process
* Process injected into other process
* Encrypted / packed file

SilentBanker
* Static process
* Process injected into other process
* Encrypted / packed file

Sinowal (Wsnpoem, Anserin)
* Polymorphic process
* Process injected into other process
* Process hidden by rootkit
* Polymorphic file
* Encrypted / packed file
* File hidden by rootkit

Snatch (Gozi)
* Static process
* Process injected into other process
* Encrypted / packed file

Spyforms
* Static process
* Process injected into other process
* Encrypted / packed file

Torpig (Xorpix, Mebroot)
* Static process
* Polymorphic process
* Process injected into other process
* Process hidden by rootkit
* Encrypted / packed file
* File hidden by rootkit
* MBR rootkit

Goldun, Haxdoor, Nuclear Grabber
It usually drops a DLL and a SYS file with rootkit functionality.
It creates a registry entry in order to load the DLL:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

Cimuz, Bzud, Metafisher, Abwiz, Agent DQ
It usually drops a DLL as a Browser Helper Object (BHO) with these names:
%SystemRoot%\appwiz.dll
%SystemRoot%\ipv6mmo??.dll
We have seen also other names for these files.

Bankolimb, Nethell, Limbo
It usually drops a DLL as a Browser Helper Object (BHO) and an encrypted XML which acts as a configuration file for the Trojan.
Some variants create the following registry entry:
HKEY_LOCAL_MACHINE\Software\Helper
Others create the following one:
HKEY_LOCAL_MACHINE\Software\MRSoft

Briz, VisualBreez
Programmed in Visual Basic, it creates the following files:
%SystemRoot%\ieschedule.exe
%SystemRoot%\dsrss.exe
%SystemRoot%\ieserver.exe
%SystemRoot%\websvr.exe
%SystemRoot%\ieredir.exe
%SystemRoot%\smss.exe
%SystemRoot%\ib?.dll
Folders:
%SystemRoot%\drv32dta
%WindowsRoot%\websvr
Registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\InitRegKey
And usually modifies the hosts file.

Nuklus, Apophis
It usually downloads the following files:
%SystemRoot%\IEGrabber.dll
%SystemRoot%\CertGrabber.dll
%SystemRoot%\FFGrabber.dll
%SystemRoot%\IECookieKiller.dll
%SystemRoot%\IEFaker.dll
%SystemRoot%\IEMod.dll
%SystemRoot%\IEScrGrabber.dll
%SystemRoot%\IETanGrabber.dll
%SystemRoot%\NetLocker.dll
%SystemRoot%\ProxyMod.dll
%SystemRoot%\PSGrabber.dll



BankDiv, Banker.BWB
Creates the following files:
%SystemRoot%\xvid.dll
%SystemRoot%\xvid.ini
%SystemRoot%\divx.ini
%System%\drivers\ip.sys



Snatch, Gozi
It usually installs a driver with rootkit functionalities:
%WindowsRoot%\driver new_drv.sys

Spyforms
Creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
“ttool” = %WindowsRoot%\svcs.exe
HKEY_CURRENT_USER\Software\Microsoft\InetData

BankPatch
It modifies the following system files:
wininet.dll
kernel32.dll
And creates the files:
%SystemRoot%\ldshfr.old
%SystemRoot%\mentid.dmp
%SystemRoot%\nwkr.ini
%SystemRoot%\nwwnt.ini
Usually targets banks from the Netherlands.

Silentbanker
Drops file in %SystemRoot% with random names, for example:
%SystemRoot%\appmgmt14.dll
%SystemRoot%\dbgen47.dll
%SystemRoot%\drmsto34.dll
%SystemRoot%\faultre66.dll
%SystemRoot%\kbddiv55.dll
%SystemRoot%\kbddiv79.dll
%SystemRoot%\msisi83.dll
%SystemRoot%\msvcp793.dll
%SystemRoot%\msvcr25.dll
%SystemRoot%\nweven2.dll
%SystemRoot%\pngfil51.dll
%SystemRoot%\pschdpr89.dll
%SystemRoot%\versio40.dll
%SystemRoot%\wifema85.dll
%SystemRoot%\winstr21.dll
%SystemRoot%\wzcsv64.dll
Creates a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Drivers32 “midi1”


Banbra, Dadobra, Nabload, Banload
Programmed in Delphi, usually packed using Yoda Protector or Telock.
They are usually big (more than 1MB in size), but the Trojan Downloaders which installs it are smaller.
It usually sends out the stolen information via e-mail or ftp to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Bancos
Programmed in Visual Basic.
Similar to the Banbra family but in VBasic, they are usually big (more than 1MB).
It usually sends out the stolen information via e-mail or ftp to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Dumador, Dumarin, Dumaru
Programmed in Delphi, usually packed using FSG.
It creates the following files:
%SystemRoot%\winldra.exe
%WindowsRoot%\netdx.dat
%WindowsRoot%\dvpd.dll
%Temp%\fe43e701.htm
It also creates the following registry entries:
HKEY_CURRENT_USER\Software\SARS
Some variants also modify the hosts file.

Sinowal, Wspoem, Anserin, AudioVideo
It creates the following files:
%SystemRoot%\ntos.exe. (usually loaded by svchost.exe to avoid being listed as an active processes).
It creates the folder %SystemRoot%\wsnpoem, where it saves the files audio.dll and video.dll.
They are not really DLL files. In one of these files the Trojan saves an encrypted list of targeted banks. In the other file it saves the stolen data.
It also modifies the the following registry entry in order to run every boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Old value = "%SystemRoot%\userinit.exe"
Modified = "%SystemRoot%\userinit.exe", "%SystemRoot%\ntos.exe"
It downloads the file cfg.bin that usually contains the encrypted text strings for the banks.

Torpig, Xorpig, Mebroot
It creates the following files:
%CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe
%CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.dll
%WindowsRoot%\Temp\$_2341234.TMP
%WindowsRoot%\Temp\$_2341233.TMP
The "?" is normally replaced by a digit (ex. ibm00001.exe).
And the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
“Shell” = "%CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe"
It usually creates a service in order to load the file ibm0000?.dll through svchost.exe.


Recent variants of Torpig, Xorpig and Mebroot:
The latest trend is that it modifies the computer's Master Boot Record (MBR) to run rootkit code and which is used to hide the Trojan. Sometime later it forces a computer reboot and creates the following files:
%WindowsRoot%\temp\fa56d7ec.$$$
%WindowsRoot%\temp\bca4e2da.$$$

22.11.2010 15:26 Uhr