Rootkit vs. e-banking

offline
  • Joined: 12 Jan 2005
  • Posts: 484
  • Location: Belgrade

Haxdoor is one of the most advanced rootkit malware out there. It is a kernel-mode rootkit, but most of its hooks are in user mode. It actually injects its hooks into user mode from the kernel -- which is really unique and kind of bizarre.

So, why doesn't Haxdoor just hook system calls in the kernel? A recent Secure Science paper has a good explanation for this. Haxdoor is used for phishing and pharming attacks against online banks. Pharming, according to Anti-Phishing Working Group (APWG), is an attack that misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.

We took a careful look at Backdoor.Win32.Haxdoor.gh (detection added 31 Jan 2006). It hooks HTTP functionality, redirects traffic, steals private information, and transmits the stolen data to a web server controlled by the attacker. Most (all?) online banks use SSL-encrypted connections to protect transmissions. If Haxdoor hooked networking functionality in the kernel, it would have a hard time phishing since the data would be encrypted. By hooking at a high enough API level it is able to grab the data before it gets encrypted. Apparently Haxdoor is designed to steal data especially from IE users, and not all the tricks it plays work against, for example, Firefox.

DESCRIPTION:

NAME: Haxdoor
ALIAS: Backdoor.Win32.Haxdoor

Haxdoor is a powerful backdoor with rootkit capabilities. It can hide its presence (processes and files) on an infected system, so it can only be detected by anti-virus programs that use kernel drivers and by rootkit detectors (like our F-Secure BlackLight, for example).

This backdoor has spying capabilities and, according to reports, it has lately been used to steal bank-related information (logins and passwords for online bank accounts) and other information.

VARIANT: Backdoor.Win32.Haxdoor.al

Detailed Description
When the backdoor's file (CMD.EXE) is run, it silently drops 7 files into the Windows System folder:

cm.dll
draw32.dll
hm.sys
memlow.sys
vdnt32.sys
vtd_16.exe
wd.sys

These files are activated only on the next system reboot. When the backdoor is active, all its files are hidden. Moreover, the backdoor tries to inject its code into the Windows Explorer process and hides both the 'Explorer.exe' and 'Winlogon.exe' processes. However, our BlackLight Rootkit Eliminator can find and remove the backdoor successfully.

The 'vtd_16.exe' file is a Windows CMD.EXE and it is run by the backdoor as a decoy (the backdoor's name is CMD.EXE, so it runs a command interpreter to hide other activity).

The 'cm.dll' and 'draw32.dll' files are identical. They represent the main component of the backdoor. The Winlogon Notification key for the 'draw32.dll' file is added to the Registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32]

This allows the backdoor to start when a user logs on. This way of starting files is quite rarely used by malware.

The backdoor is quite powerful (see below) and it has password stealing capabilities. The backdoor contains the following strings and it can steal login and password information from users of different online banks and payment systems:
bank
banq
trade
merchant
moneybookers
VeriSign
authorize
sgcyprus
coopcb
fbme
banc
gold
business
citi
ikobo
HSBC
halifax
alpha.gr
cdb
Barclays

Additionally the backdoor can steal the following info:
POP3 password
POP3 server name
POP3 user name
IMAP password
IMAP server name
IMAP user name

Also the backdoor can steal cached, Miranda ICQ, MDialer and Webmoney passwords as well as MDialer and RAS phone numbers and other info related to RAS (username, password, domain, DNS settings).

All stolen data is sent to 'corpse@mailserver.ru' address by e-mail. The backdoor can also connect to a website with a specially constructed URL to notify a hacker and it can also post data to a website. The website name is configured by a hacker.

The backdoor can modify settings of Internet Explorer:
Search page
Local page
Start page
First homepage
Default search URL

The backdoor can be controlled by an IRC bot. When active the backdoor joins the '#corpse' channel on the 'irc.localirc.net' server. The backdoor supports several commands that allow a hacker to do any of the following:
join a channel
kill bot
change nick
run files
download files
start a backdoor
start a proxy
start DDOS attack
get local drives info
send e-mails
list directories
find files
reboot a computer
get info about a user
update the backdoor's file from a webserver

As a payload the backdoor disables certain firewalls and terminates the following processes:

zapro.exe
vsmon.exe
jamapp.exe
atrack.exe
iamapp.exe
FwAct.exe
mpfagent.exe
outpost.exe
zlclient.exe
mpftray.exe

Funnily enough, the backdoor can still play dumb tricks on the user, such as opening and closing the CD-ROM tray...
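The description above notes that Haxdoor.al persists through a Winlogon Notification package (the draw32 subkey), a start-up path malware rarely uses. The following is an example added here, not F-Secure's code: it parses a .reg export of the Winlogon\Notify key and flags any package outside the set a stock Windows XP install ships with (that allowlist is an assumption to be adjusted per build); the sample export is constructed.

```python
import re

# Notify packages shipped with a stock Windows XP install; assumption, adjust per build.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

NOTIFY_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
KEY_RE = re.compile(r"^\[" + re.escape(NOTIFY_PATH) + r"\\([^\\\]]+)\]", re.M)
# DllName may wrap over several lines with a trailing backslash in exports.
DLL_RE = re.compile(r'^"DllName"=((?:[^\n]*\\\n)*[^\n]*)', re.M)

def _decode_value(raw):
    """Decode a .reg value: REG_EXPAND_SZ is exported as hex(2):xx,xx (UTF-16LE)."""
    raw = re.sub(r"\\\r?\n\s*", "", raw).strip()
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw.strip('"')

def parse_notify_packages(reg_text):
    """Return {subkey: dll} for every Winlogon\\Notify\\<subkey> key in the export."""
    packages = {}
    for block in re.split(r"(?m)^(?=\[)", reg_text):  # one block per registry key
        key = KEY_RE.search(block)
        if not key:
            continue
        dll = DLL_RE.search(block)
        packages[key.group(1)] = _decode_value(dll.group(1)) if dll else None
    return packages

def suspicious_packages(reg_text):
    """Notify packages outside the known-good set, mapped to the DLL they load."""
    return {k: v for k, v in parse_notify_packages(reg_text).items()
            if k.lower() not in KNOWN_NOTIFY}

# Constructed export: two stock entries plus the draw32 key from the description above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"DllName"="sclgntfy.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32]
"DllName"="draw32.dll"
"Startup"="OnStartup"
"""
```

Running `suspicious_packages(SAMPLE_REG)` on the constructed export returns only the draw32 entry; on a real machine, feed it the output of `reg export` for the Notify key and review each flagged DLL.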


