Trojan Semi-Phishing to BCP clients

Última actualización en Martes, 16 de Marzo de 2010 11:39 Martes, 16 de Junio de 2009 12:00

Abstract

This paper is about the analysis of a Trojan that installs a web server and creates a fake local BCP web page (semi-phishing) to
fool the clients of this bank and get the card numbers and passwords.

Intro

Some days ago, i received an e-mail about a famous internet girl model from which i could supposedly download some videos
and pictures from her.

This is the title of the email:

and this is the header of the email:

The contents of the email consist in pictures from a gallery hosted in http://www.2oceansvibe.com and some text where
you can see two links to download pictures and videos from that model.

The links are the following:

• http://www.box.net/shared/static/drfkctah0k.exe
• http://www.box.net/shared/static/4amkv2994i.exe

In the following table you can see the complete header of the email: (important values are in bold)

Inside the Trojan

When i tried to download the files, both take the name of video_de_keyra.exe and nod32 detected those files like
Qhost.NAI trojan. Both files are the same.

After disabling the antivirus and downloading the file, you can see the file as a sfx rar file:

The attacker who created the sfx rar left the comments so we can see the configuration settings
of the sfx:

According to the comments, after the silent auto extraction (no windows) of the sfx in c:\windows\system, the script jute.vbs will be executed.

Contents of jute.vbs

Basically, this script execute the files peru.bat and firewall.exe

Contents of peru.bat

First, the host file is deleted and then a new one is created with the address of the BCP web page aiming to localhost. Finally, to complete
to fool the user, an internet web page is open with the pictures of that model.

So, it's for sure that the file firewall.exe its a web server that will show you a fake web page of the BCP web page.

The trojan in action

After executing the sfx file, the vb script is called and you have your PC infected:

• The host file is changed
• The firewall.exe file is executed
• The web browser is started with the address http://perso.wanadoo.es/fotos_keyra/culo01.htm

In a clean PC, normally the host file only have one line:

The infected host file is like this:

So, if you write one of this address or even bcp.com.pe we will get the fake web page of the firewall.exe web server that
is running locally in the machine.

The fake page is like the real one but with the following differences:

• Only the link Ingresa aqui works. The other links don't work.
• The Spanish characters are not correctly showed (á,é,í,ó,ú,ñ)
• The combo boxes don't work

After clicking in Ingresa aqui, you can see the second fake web page:

Here is the most important part of the goal of the Trojan: Get the user card number and password.

This is the form part of the source code of the second page:

The page http://zonitasegurax.zo.funpic.de/sendit.php is the target who will get the information of the card number and
the password. This page could save the data in a database or send it by email to the attacker. After, you are redirected to a real
page of the bank: https://bcpzonasegura.viabcp.com/bcp/ (note that HTTPS is not specified in the host file)

Analysis of Firewall.exe

The exe file is packed with Aspack and was made with Visual Basic 6.
This is the list of the information i obtained from the file:

Configuration changes

• Autorun: Adds a value to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ to start every time the computer starts.

Links

• http://nuevoupdate.nu.funpic.org/index.html The program read the source code of that page. In this moment the source code is update and i didn't find the reason for this.

Strings

• \bcp\OperacionesEnLinea\index.html Is the main page of the fake web page. In the sfx file also there are some folders and files to recreate
  the fake web page.

Apis

• Private Declare Sub RasEnumConnectionsA Lib "rasapi32"()
• Private Declare Function lstrcat Lib "kernel32" Alias "lstrcatA" (ByVal lpString1 As String, ByVal lpString2 As String) As Long
• Private Declare Function SHGetPathFromIDList Lib "shell32" (ByVal pidList As Long, ByVal lpBuffer As String) As Long
• Private Declare Function SHBrowseForFolder Lib "shell32" (lpbi As BROWSEINFO) As Long
• Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
• Private Declare Function WritePrivateProfileString Lib "kernel32" Alias "WritePrivateProfileStringA" (ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpString As Any, ByVal lpFileName As String) As Long
• Private Declare Function GetPrivateProfileString Lib "kernel32" Alias "GetPrivateProfileStringA" (ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpDefault As String, ByVal lpReturnedString As String, ByVal nSize As Long, ByVal lpFileName As String) As Long
• Private Declare Function GetPrivateProfileInt Lib "kernel32" Alias "GetPrivateProfileIntA" (ByVal lpApplicationName As String, ByVal lpKeyName As String, ByVal nDefault As Long, ByVal lpFileName As String) As Long
• Private Declare Function Shell_NotifyIcon Lib "shell32.dll" Alias " Shell_NotifyIconA" (ByVal dwMessage As Long, lpData As NOTIFYICONDATA) As Long
• Private Declare Sub Sleep Lib "kernel32" Alias "Sleep" (ByVal dwMilliseconds As Long)
• Private Declare Function GetExitCodeProcess Lib "kernel32" Alias "GetExitCodeProcess" (ByVal hProcess As Long, lpExitCode As Long) As Long
• Private Declare Function OpenProcess Lib "kernel32" Alias "OpenProcess" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
• Private Declare Function GetTempPath Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
• Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
• Private Declare Sub GetSystemTime Lib "kernel32" Alias "GetSystemTime" (lpSystemTime As SYSTEMTIME
• Private Declare Function GetVolumeInformation Lib "kernel32" Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, ByVal lpVolumeNameBuffer As String, ByVal nVolumeNameSize As Long, lpVolumeSerialNumber As Long, lpMaximumComponentLength As Long, lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As String, ByVal nFileSystemNameSize As Long) As Long
• Private Declare Function SHFileOperation Lib "shell32.dll" Alias " SHFileOperationA" (lpFileOp As SHFILEOPSTRUCT) As Long
• Private Declare Function CreateDirectory Lib "kernel32" Alias "CreateDirectoryA" (ByVal lpPathName As String, lpSecurityAttributes As SECURITY_ATTRIBUTES) As Long
• Private Declare Function GetDriveType Lib "kernel32" Alias "GetDriveTypeA" (ByVal nDrive As String) As Long
• Private Declare Function FindNextFile Lib "kernel32" Alias "FindNextFileA" (ByVal hFindFile As Long, lpFindFileData As WIN32_FIND_DATA) As Long
• Private Declare Function FindClose Lib "kernel32" Alias "FindClose" (ByVal hFindFile As Long) As Long
• Private Declare Function FindFirstFile Lib "kernel32" Alias "FindFirstFileA" (ByVal lpFileName As String, lpFindFileData As WIN32_FIND_DATA) As Long
• Private Declare Sub InternetCloseHandle Lib "wininet.dll"()
• Private Declare Sub InternetReadFile Lib "wininet.dll"()
• Private Declare Sub InternetOpenUrlA Lib "wininet.dll"()
• Private Declare Sub InternetOpenA Lib "wininet.dll"()
• Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
• Private Declare Function SetWindowPos Lib "user32" Alias "SetWindowPos" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal x As Long, ByVal y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long
• Private Declare Function GetAsyncKeyState Lib "user32" Alias "GetAsyncKeyState" (ByVal vKey As Long) As Integer
• Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long ' Note that if you the lpData parameter as String, you must pass it By Value.
• Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long ' Note that if you the lpData parameter as String, you must pass it By Value.
• Private Declare Function RegCreateKeyEx Lib "advapi32.dll" Alias "RegCreateKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal Reserved As Long, ByVal lpClass As String, ByVal dwOptions As Long, ByVal samDesired As Long, lpSecurityAttributes As SECURITY_ATTRIBUTES, phkResult As Long, lpdwDisposition As Long) As Long
• Private Declare Function RegCloseKey Lib "advapi32.dll" Alias "RegCloseKey" (ByVal hKey As Long) As Long
• Private Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
• Private Declare Sub URLDownloadToFileA Lib "urlmon"()
• Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long

Conclusion

In the headers you can find some useful information that can help you identify who is the author of the Trojan:

• eagle.unixbsd.info Is written in the header of the email
• celia.servidorlatinoamerica.com Was the smtp server used to send the email

If you are infected with this trojan try to kill the process firewall.exe and delete it from %windir%\system, then try to restore your host file