Analysis of online banking trojans: watch out for the "recharge software" version
I. Background
Recently, the 360 anti-virus center in Chengdu intercepted a trojan hidden in a recharge software package. Once a user is infected, account funds may be stolen. The trojan employs a series of techniques to evade and interfere with security products, and at present many anti-virus products in China cannot detect or remove it. We have therefore analysed in detail how it steals funds, and remind security vendors to strengthen their detection.
Our analysis shows that the trojan is highly concealed and has a degree of self-destruction capability. During its active lifetime it invokes the remote-control program and the keylogger it drops; the payment account, password and other information the user enters are captured and used to steal the account's funds.
II. Introduction to the virus
Virus type: Trojan
File name: Traffic-charged system all-country supply .rar
MD5: 74952cea61115da12c00646d1df8b6c0
File size: 3,515,077 bytes
The update program, a whitelisted component, serves as the bridge that executes the other malicious components.
When the software is run for the first time the virus executes while the original program runs normally, so users are unlikely to notice anything unusual. The trojan-related samples in the software package are as follows:
Figure 1: virus samples detected by 360
When the user runs the software, the main program executes update.exe to check for updates; update.exe then launches the malicious batch file qiaoi.bat according to the entries in its configuration file update.ini.
PotPlayer.dll is then loaded and executed.
One injected process runs a remote-control trojan and another runs a keylogger; attackers use these two components to steal user account funds. The whole execution flow of the virus is as follows:
Figure 2: virus execution flowchart
In addition, random data is written into every executable file the virus drops, to evade anti-virus scanning and removal. At the same time, the virus's main modules are loaded and run by a white-signed file in a "white plus black" arrangement (a legitimately signed executable loading a malicious DLL), which further interferes with detection and removal. After the virus first executes, the files left resident on the user's hard disk are as follows:
Figure 3: resident virus modules
III. Detailed Analysis
1. Virus Software Package
The software package was originally a legitimate recharge application into which the virus author implanted a trojan. The author replaced the package's update component with a white-signed program and modified that program's configuration file, so that the update component runs the implanted malicious batch file qiaoi.bat (66da57c115b078e424b4394a06ac2aea).
Figure 4: tampered configuration file
When qiaoi.bat runs, it first generates and executes a batch file qiao.bat. This batch file runs the command "ipconfig /release" to disconnect the system from the network and so interfere with anti-virus cloud lookups, then drops a new malicious script qiaoi.bat (d8283cba7f5d4187c9537ff7d7adc332). The malicious scripts contain large numbers of junk commands to hinder analysis and to evade anti-virus detection and removal.
Figure 5: virus script
2. Released qiaoi.bat (d8283cba7f5d4187c9537ff7d7adc332)
If no anti-virus software is installed on the system, the batch script drops a malicious program with a random file name and runs it. As each program is written out, random data is placed in the first few bytes of its PE header, so the MD5 of every dropped file is different.
Figure 6: writing random bytes
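Because the junk bytes change the plain file hash of every dropped copy, analysts often cluster such samples with a normalised hash instead. The Python below is an added illustration, not part of 360's analysis: it assumes the junk lands in the DOS header fields after the "MZ" magic and in the DOS stub (regions the Windows loader ignores), zeroes them and hashes the rest; the PE-like image it hashes is constructed for the demo, not a real sample.

```python
import hashlib
import struct
from typing import Optional, Tuple

# Assumption (not stated in the report): the junk is written into the DOS
# header fields after the "MZ" magic and into the DOS stub, regions the
# Windows loader ignores. Only e_magic (offset 0) and e_lfanew (offset 0x3C)
# are kept when normalising.
def normalized_pe_hash(data: bytes) -> Optional[str]:
    """MD5 of a PE image with loader-ignored header bytes zeroed out.
    Returns None for anything that is not a plausible PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return None                                  # e_lfanew out of range
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None                                  # no NT signature
    norm = bytearray(data)
    norm[2:0x3C] = bytes(0x3C - 2)                   # DOS header fields
    norm[0x40:e_lfanew] = bytes(e_lfanew - 0x40)     # DOS stub
    return hashlib.md5(bytes(norm)).hexdigest()

def build_sample(dos_filler: bytes) -> bytes:
    """Constructed minimal PE-like image for the demo, not a real executable:
    e_lfanew points at a 'PE\\0\\0' signature placed at offset 0x80."""
    assert len(dos_filler) == 0x3A                   # fills offsets 2..0x3B
    header = b"MZ" + dos_filler + struct.pack("<I", 0x80)
    stub = bytes(0x40)                               # offsets 0x40..0x7F
    body = b"PE\0\0" + bytes(20) + b"section data " * 4
    return header + stub + body

def demo() -> Tuple[bool, bool]:
    """Two copies of the same image differing only in the DOS header junk:
    plain MD5 differs, the normalised hash does not."""
    clean = build_sample(bytes(0x3A))
    junked = build_sample(bytes(range(0x3A)))        # stands in for the random data
    plain_differ = hashlib.md5(clean).hexdigest() != hashlib.md5(junked).hexdigest()
    norm_same = normalized_pe_hash(clean) == normalized_pe_hash(junked)
    return plain_differ, norm_same

if __name__ == "__main__":
    print(demo())                                    # (True, True)
```

A normalised hash of this kind is a clustering aid used alongside the plain file hash, not a replacement for it.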
The script also drops qiaole.exe, which acts as the loader, and the malicious module PotPlayer.dll.
Figure 7: qiaole.exe
When the virus uses qiaole.exe to load PotPlayer.dll, the DLL reads the virus file c:\winst\ghost, decrypts the executable it contains and injects it into a process to run it.
While the malicious scripts run, the original program in the software package continues to run normally, and the user has no idea that a "devil" is already lurking in the computer.
3. The first injected svchost.exe
This process reads the virus file C:\winst\bhdll.tmp, decrypts another executable from it, creates a second svchost.exe child process and injects the decrypted executable into it to run.
4. The second injected svchost.exe
This process carries out the virus's main functions:
1) It accesses http://blog.sina.com.cn/s/blog_14a8f4af60102vrbo.html and reads a 16-digit segment from the page to obtain the current date from the network. This gives the attacker cloud control over the virus's lifetime and an easy way to clean it off all infected computers: after January 1 / February 1, 2016 the virus clears itself from every computer, which indirectly ensures that it goes undetected once its lifecycle has ended.
Figure 8: obtaining the network date
2) It creates a third svchost.exe process and decrypts an executable in memory for injection into it.
3) It creates a napstat.exe process in the system32 directory and decrypts an executable in memory for injection into it.
4) It deletes the malicious files implanted in the software package.
Figure 9: clearing the implanted virus files
5) It enumerates processes. If a process named "aliimsafe.exe" is running, it terminates the process, deletes the process's file and creates a folder with the same name in the process's directory to prevent the file from being restored. This disables that security protection and ensures that the keylogger can correctly record the Alibaba TradeManager account password the user enters.
Figure 10: finding and terminating a specific process
5. The third injected svchost.exe
Analysis confirms that a remote-control trojan runs in this process; it is not analysed in detail here. Some of the trojan's parameters are shown below.
Figure 11: the trojan's launch address and version
6. The injected napstat.exe
A keylogging trojan runs in this process. It installs a global keyboard hook to record the user's keystrokes.
Figure 12: installing a keyboard hook
In the hook procedure, the trojan writes the recorded keystrokes to the file C:\ProgramData\Microsoft\Windows\DRM\web\jilu.tmp.
Figure 13: recorded keystrokes
The trojan also has a one-hour timer intended to send the key log to a specified e-mail address every hour. Analysis shows that the author has not configured the relevant parameters, so the timer has no practical effect; the author can, however, retrieve the key log through the remote-control backdoor.
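Pulling the execution chain together from the defender's side: the Python below is an added example, not part of 360's analysis, that runs simple detection rules over constructed Sysmon-style process-creation records (Event ID 1 fields Image, ParentImage, CommandLine). The rules encode the behaviours described above: the white-signed updater launching a batch file, ipconfig /release spawned from a script, svchost.exe started by something other than services.exe, and a napstat.exe process. The events and the install path D:\recharge are constructed, not real telemetry.

```python
import ntpath
from typing import Dict, List, Tuple

Event = Dict[str, str]   # one Sysmon Event ID 1 style record

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def classify(ev: Event) -> List[str]:
    """Return the names of the detection rules one process-creation event matches."""
    img, parent = _base(ev["Image"]), _base(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    hits: List[str] = []
    # The white-signed updater launching a batch file, as the tampered update.ini makes it do
    if img == "cmd.exe" and parent == "update.exe" and ".bat" in cmd:
        hits.append("updater_launches_batch")
    # qiao.bat runs "ipconfig /release" to knock the host offline and defeat cloud lookups
    if img == "ipconfig.exe" and parent == "cmd.exe" and "/release" in cmd:
        hits.append("ipconfig_release_from_script")
    # Genuine svchost.exe instances are started by services.exe; the injected payloads are not
    if img == "svchost.exe" and parent != "services.exe":
        hits.append("svchost_unexpected_parent")
    # napstat.exe is not a Windows component; the keylogger runs under this name
    if img == "napstat.exe":
        where = "system32" if "\\system32\\" in ev["Image"].lower() else "elsewhere"
        hits.append("napstat_process_" + where)
    return hits

def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """(Image, rule) pairs for every rule hit across a batch of events."""
    return [(ev["Image"], rule) for ev in events for rule in classify(ev)]

# Constructed sample telemetry (not real logs); D:\recharge is an assumed install path.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},                        # benign
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"D:\recharge\update.exe",
     "CommandLine": r'cmd /c "D:\recharge\qiaoi.bat"'},
    {"Image": r"C:\Windows\System32\ipconfig.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ipconfig /release"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"D:\recharge\qiaole.exe",
     "CommandLine": "svchost.exe"},
    {"Image": r"C:\Windows\System32\napstat.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "napstat.exe"},
    {"Image": r"C:\Windows\System32\ipconfig.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ipconfig /all"},                                 # benign
]

if __name__ == "__main__":
    for image, rule in scan(SAMPLE_EVENTS):
        print(f"{rule:30s} {image}")
```

On real telemetry the svchost parent rule needs tuning, and the resident files named above (C:\winst\ghost, C:\winst\bhdll.tmp and the jilu.tmp key log) would complement these process rules as file indicators.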
IV. Preventive suggestions
1. Download software from the official website or other secure and reliable channels;
2. If something abnormal happens when running an application (for example, the system reports that the network connection has been disconnected), scan for and remove trojans promptly;
3. Keep professional security software enabled, and do not turn it off unless absolutely necessary.