Traversing a ‘DLL’: Financial Crimeware (Banker)

Written by traversecode. Posted in Financial Crimewares, Malware Analysis

Traversing (reversing) a DLL is always a challenge for beginners and intermediates. When a DLL ships with an EXE, it is the EXE's job to load the DLL into memory. But what if you get just the DLL alone to reverse? That is the interesting case ;-)

Here I am going to traverse a financial crimeware Trojan that comes in the form of a DLL.

Step 1:

Let's look at the strings to guess what the DLL does.

[Screenshot: strings view of the DLL]

Hmm.. no readable strings? Then it is most likely a packed file. The next step is to identify the packer.

Step 2:

To identify the packer I use PEiD.

[Screenshot: PEiD result]

So the packer is ASPack 2.12. Interesting, and not too tough to unpack.
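Steps 1 and 2 can be scripted for triage before the file ever goes into a debugger. The example below is added here and is not code from the post; it walks the PE section table by hand (no pefile dependency), extracts printable strings as the strings view does, and flags a binary as probably packed when it finds a packer-named section or a section whose byte entropy is near 8 bits. The ASPack section names and the 7.0 entropy threshold are assumptions from common builds, not something PEiD does (PEiD matches entry-point byte signatures); the sample PE is a constructed stand-in, not the Trojan from the post.

```python
import math
import random
import re
import struct

# Section names that packed binaries commonly carry. The ASPack names are an
# assumption based on typical ASPack builds; PEiD (Step 2) matches entry-point
# byte signatures instead of section names.
PACKER_SECTION_HINTS = {
    b".aspack": "ASPack",
    b".adata": "ASPack",
    b"UPX0": "UPX",
    b"UPX1": "UPX",
}

# API names worth noticing in a strings dump; IsDebuggerPresent is the one the
# post meets later in Step 4.
APIS_OF_INTEREST = {"IsDebuggerPresent", "LoadLibraryA", "GetProcAddress", "VirtualAlloc"}


def extract_strings(data, min_len=5):
    """Printable ASCII runs of at least min_len bytes, like the Step 1 strings view."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Minimal PE section-table walk: DOS header -> NT headers -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(pe):
    """Combine the quick checks into one verdict dictionary."""
    strings = extract_strings(pe)
    packers = set()
    high_entropy = []
    for name, raw in parse_sections(pe):
        if name in PACKER_SECTION_HINTS:
            packers.add(PACKER_SECTION_HINTS[name])
        if len(raw) >= 256 and entropy(raw) > 7.0:
            high_entropy.append(name.decode("ascii", "replace"))
    return {
        "string_count": len(strings),
        "apis_of_interest": sorted(s for s in strings if s in APIS_OF_INTEREST),
        "packer_hint": sorted(packers),
        "high_entropy_sections": high_entropy,
        "likely_packed": bool(packers or high_entropy),
    }


def build_sample_pe():
    """Constructed stand-in for the post's packed DLL: a well-formed PE header with a
    small stub section and one high-entropy '.aspack' section. It is not executable
    and is not the malware from the post."""
    rnd = random.Random(1)
    stub = b"\x90" * 256 + b"IsDebuggerPresent\0" + b"\x90" * 238
    payload = bytes(rnd.getrandbits(8) for _ in range(4096))
    sections = [(b".text", stub), (b".aspack", payload)]
    e_lfanew = 0x40
    opt = b"\x0b\x01" + b"\0" * 0xDE            # PE32 optional header, zeroed
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    raw_ptr = e_lfanew + len(coff) + len(opt) + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections:
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then 16 zero bytes
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0x1000, len(raw), raw_ptr + len(body)) + b"\0" * 16
        body += raw
    return dos + coff + opt + table + body


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

A real ASPack-packed file gives a very short string list plus the packer-named sections; an unpacked dump of the same file gives the opposite, which makes `triage` a handy sanity check after Step 4 as well.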

Step 3:

Unpacking ASPack is similar to unpacking UPX. You can see the PUSHAD instruction at the entry point when the file is loaded in Olly. I'll unpack this DLL with OllyDbg by following the address in the ESP register in the dump and setting a breakpoint there.

[Screenshot: PUSHAD at the entry point, with the ESP follow and breakpoint steps numbered 1 to 4]

To unpack the DLL, as shown in the screenshot above, execute the first instruction, PUSHAD (1), which pushes all the general-purpose registers onto the stack. Now follow the address in the ESP register (2) in the dump (3) and set a "Hardware, on access" breakpoint as shown in (4). But why? We set the breakpoint here so that execution breaks when this address is read back from the stack, which happens at the POPAD at the end of the unpacking stub. That takes us to the original entry point, which is what we call the unpacked file.

Let's see what happens when I press F9 after setting the breakpoint above.

[Screenshot: "Debugger Detected" dialog]

Bad.. it has detected the debugger. What's next?

Step 4:

I found the API responsible for detecting the debugger: IsDebuggerPresent. Let's see what the function does according to MSDN:

“Determines whether the calling process is being debugged by a user-mode debugger”

From the above reference it is clear that the function checks whether the current process is being debugged by a ring-3 (user-mode) debugger. So in our case the check succeeds and it returns a non-zero value, meaning "Yes". To unpack the file we have to evade this protection. We can either use a plugin or modify values to escape the debugger check. Let's do it manually ;-) For that I set a breakpoint on the API IsDebuggerPresent from the Olly command line.

[Screenshot: breakpoint hit inside IsDebuggerPresent]

Here we land in the kernel32 module, which contains the IsDebuggerPresent function. Press Alt+F9 to return to user code.

[Screenshot: user code after the IsDebuggerPresent call, TEST AL, AL and the conditional jump]

The next instruction is TEST AL, AL. The return value of an API call is stored in the EAX register, so the TEST checks whether the low byte of the accumulator is 0 or 1. Since IsDebuggerPresent succeeds here, the return value is 1. The following conditional jump is therefore not taken, because a return value of 1 does not satisfy its condition. As you can see in the screenshot above, when the jump is not taken the code calls the function that shows the Debugger Detected dialog box.

To evade this warning we can either use an external plug-in or modify a value so that the debugger check function is skipped. Let's modify the value instead of using a plug-in.

There are three ways to skip the detection check function:

  • By changing the return value in the EAX register from 1 to 0.
  • Or by setting the Zero Flag to 1.
  • Or by NOPing the instructions.

To change the return value stored in EAX, double-click on the value and change it from 00000001 to 00000000. When TEST AL, AL executes, the return value is now 0, meaning the current process is not being debugged, and the jump is taken, which keeps us away from the Debugger Detected dialog box.

Alternatively, double-click on the Z flag to change it from 0 to 1, which again takes the jump without reaching the error message.

After pressing F9, the code breaks at JMP EAX, which takes us to the Original Entry Point (OEP).

Step 5:

Now I should see readable strings in Olly, since the file is unpacked.

[Screenshot: encrypted strings in the unpacked DLL]

I can still see a few encrypted strings even after unpacking the file. These strings have to be decrypted at run time to see which bank this Trojan targets.

Let me call the exported function 'update' using the rundll32 command, which loads the DLL into rundll32.exe. To enter the DLL module, attach Olly to rundll32.exe and open the Modules window to view the DLL.

The very interesting part is that it captures the window title of Internet Explorer and Firefox and compares it with the strings this Trojan targets. But which strings?

To find that out I played a small trick. I visited a random website in Internet Explorer. The Trojan reads the window title to compare it with its list, but before doing so it decrypts the encrypted strings in memory and stores them in a buffer. That let me extract the readable strings and find the targets.

This Trojan targets a few financial institutions in Brazil, listed below:

  • http://bradesco.com.br
  • http://sicredi.com.br
  • http://santander.com.br
  • https://internetbanking.caixa.gov.br/SIIBC/index.processa
  • http://www.itaupersonnalite.com.br/index

But what does this Trojan do with these Banks?

When a user visits any of the bank websites listed above, the Trojan overlays fake content that matches the bank's original website. In the screenshot below, I visited the 4th link in the list above and clicked on Usuario to enter a username; the Internet Explorer window became inactive and went to the background, which confirms that the marked part asking for user information is fake content overlaid on top of the original website.

[Screenshot: Caixa login page with the fake overlay marked]

When I entered information in the fields above and clicked CONFIRMAR, it went on asking for more information (screenshot below), but the URL in the address bar did not change. This shows I was still on the login page of the original bank website while the overlaid page kept asking for other information.

[Screenshot: second fake form requesting further details]

After collecting all the information from the user, the Trojan DLL displays an error message. When we click OK, it closes the fake content and puts the user back on the home page, which makes the user re-enter the information in the original website.

Dropsite:

In the background, the Trojan connects to its command and control server to get the drop site information, i.e. where to post the stolen data. The C&C server replies with a website to which the information is to be sent. The Trojan then sends the data to the remote server through an HTTP POST.

The Trojan stores the user information in the format below, which is later transferred to the remote server.

[Screenshot: stored data format]

[Screenshot: capture]
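The drop-site behaviour described above (a bank page in the browser, then an HTTP POST of the harvested form data to an unrelated host the C&C handed out) leaves a pattern in proxy logs that a defender can look for. The example below is added here and is not part of the post or of any tool it mentions: it runs over a few constructed proxy log lines and reports POSTs to non-bank hosts that the same client makes shortly after fetching one of the targeted bank domains from the post's list. The log format (timestamp, client, method, URL), the hostname `dropsite.example`, the five-minute window and the timestamps are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hostnames taken from the decrypted target list in the post.
TARGET_BANKS = {
    "bradesco.com.br",
    "sicredi.com.br",
    "santander.com.br",
    "internetbanking.caixa.gov.br",
    "www.itaupersonnalite.com.br",
}

# Constructed proxy log lines: timestamp, client IP, method, URL. Not real traffic.
SAMPLE_LOG = """\
2011-03-01T10:00:01 10.0.0.5 GET https://internetbanking.caixa.gov.br/SIIBC/index.processa
2011-03-01T10:00:45 10.0.0.5 GET https://internetbanking.caixa.gov.br/static/logo.png
2011-03-01T10:02:10 10.0.0.5 POST http://dropsite.example/recv.php
2011-03-01T10:30:00 10.0.0.7 POST https://www.example.org/search
2011-03-01T11:00:00 10.0.0.5 POST https://internetbanking.caixa.gov.br/SIIBC/login
"""


def host_matches_bank(host):
    """True for a targeted bank host or any subdomain of one."""
    return any(host == bank or host.endswith("." + bank) for bank in TARGET_BANKS)


def parse_log(text):
    """Yield (timestamp, client, method, hostname) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split()
        events.append((datetime.fromisoformat(ts), client, method, urlparse(url).hostname))
    return events


def find_suspicious_posts(text, window_seconds=300):
    """Return (client, host, timestamp) for each POST to a non-bank host made by a
    client within window_seconds of that client's last request to a targeted bank."""
    window = timedelta(seconds=window_seconds)
    last_bank_visit = {}
    hits = []
    for ts, client, method, host in parse_log(text):
        if host_matches_bank(host):
            last_bank_visit[client] = ts      # remember the bank session per client
            continue
        if method == "POST" and client in last_bank_visit and ts - last_bank_visit[client] <= window:
            hits.append((client, host, ts.isoformat()))
    return hits


if __name__ == "__main__":
    for client, host, when in find_suspicious_posts(SAMPLE_LOG):
        print(f"{when} {client} POST to {host} shortly after a targeted bank visit")
```

Expect noise from legitimate third-party POSTs (analytics, CDNs) right after a bank visit, so the output is a lead for a review of the destination host rather than a verdict; with TLS-inspecting proxies the same logic can be applied to the URL path and body size as well.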

Conclusion:

This post shows how to work on a DLL file and the impact on the user's system when such Trojans are installed.


Comments (36)

  • Rahul

    Hi,

    That was really good!!

    Is there a way to get this Trojan download and test it in a VM environment?

    • Shiv - Threat Research Analyst

      Thanks Rahul. You can get similar Trojans from MDL, Threat Expert, etc. You can search for them with the keywords Banker, Bancos using advanced search in Google.

  • Karl

    Good job. I followed this from LinkedIn. There's very rarely anything that interests me, but this did. I spend a lot of time searching for botnets and crimeware and have found a few using Olly/IDA Pro and some tools. Again, good post.

    Keep it up.

    Karl

  • palaniyappan

    Nice article.

  • Swapnil

    Nice article Shiv. Keep up the good work.

  • Rudy

    Hello, thank you for explaining this so well.

    What tools and information do I need to catch viruses and to test them like Shiv does? I am thinking of doing a project at school (I'm 13) about how to catch and test a virus.

    Is there any advice for me on this?

    Thank you,
    Rudy (London)

    • Shiv - Threat Research Analyst

      Hi Rudy,

      I am Shiv, and thank you for the feedback. The tool I used in this analysis is Olly Debugger.

      Sure, I can help you with the project. But I would like to know on what basis you are planning to analyze a virus. Would you like to work on financial crimeware which steals user information, or something else? Or do you have a plan to work on a specific project related to viruses? Based on that I can suggest something better.

  • Antivirus Indonesia

    I've just found your post on Google. That's a nice post! Btw, what is the name of that malware? Zeus, SpyEye, or? Maybe you can post a picture of the scan results from VirusTotal. Thanks. Keep up the great posts Shiv! :)

  • Rudy

    Hello Shiv, my maths teacher wants us to write a project of our choice, and I thought I would do one about how I can use my maths knowledge to protect my dad's computer from someone stealing his credit card details.

    I just need to make a story that shows my teacher I know what I am talking about. So I know I can put antivirus software on the PC, but is there a way of me doing some checks on the computer so I can show in my project that I know what I am doing? So is there anything in Olly debugger I can check to see if I have crimeware on there?

    Thank you Shiv.
    Rudy

    • Shiv - Threat Research Analyst

      I appreciate your interest Rudy. I am not sure how techie you are, since you are quite young. So let me tell you about a simple Trojan which steals credit card information, which I came across a while back during analysis.

      So you can explain it to your teacher something like this.

      A Trojan infects your machine. This Trojan stays in memory (RAM) and monitors the user input. The input here is a 15 or 16 digit credit card number. Say you do some online shopping, enter your credit card number and hit "Enter". This Trojan is built in such a way that once it finds a 16 digit number entered anywhere in Internet Explorer, it displays a fake page and asks for the expiration date and authorization number. Once you enter the information it closes the window and you land back on the online shopping page. In the background this Trojan captures your information and writes it to a text file. This text file is transmitted to the remote server of the stealer guy. Now the stealer guy can use your credit card information, which is what we call "Crime".

      The mathematical or computer knowledge you should use here is: the program should wait until 16 numbers are entered in Internet Explorer to display a fake page, and then it has to write them to a text file. Once the information is written to the text file, the Trojan has to send it to the stealer guy through the internet.

      To check such Trojan behavior you should have a Virtual Machine on your computer.

      For protection, if you use antivirus software, it can detect these Trojans, provided the Trojan's signature is already present in the antivirus.

      I hope you become a cyber crime analyst and protect our cyberworld from criminals.

  • Nicolas

    Hello,
    traversecode.com – it's better. Keep going!

  • Rudy

    Shiv, that's a really great way to explain it to me, thank you. So if I download Olly I will be able to check my dad's computer for Trojans. I am going to do this before I run an antivirus because I want to be able to find a virus on there and look at it. So the Trojan signature is like a bunch of numbers in the computer data?
    How can I find out what these numbers are, so I can see them in Olly?
    Are there any examples of signatures on the internet? These signatures must be what I download when my antivirus updates its dictionary. I guess they get these signatures by looking at viruses inside the computer.
    I will read your post again because the answer might already be in there.
    Thank you
    Rudy

    • Shiv - Threat Research Analyst

      Rudy, Olly debugger is used in case you have a Trojan file and you want to see what the code will do. With Olly you cannot scan your computer and find Trojans installed.

      Example: There is a Trojan called Trojan.exe. Antivirus guys use Olly debugger or other debuggers to analyze this Trojan. They take a specific piece of code from the Trojan and add it to their database. This is what your anti-virus downloads as updates to detect this Trojan if it has infected your computer.
      Check this: http://antivirus.about.com/od/whatisavirus/a/virussignature.htm

      Say, if you want to check your father's computer for Trojans without using anti-virus, you can use tools like HijackThis, RootkitRevealer, etc. But these will not help you all the time. So it's good to use antivirus and keep it up to date by downloading updates.

      Ping me anytime if you have any doubts or questions.

  • Vasanth

    Nice article … keep it up Shiva.

  • Rudy

    I found a virus on my dad's computer called Trojan:32/FakeXPA. I can remove it with anti-virus, but I want to find its signature in Olly and then print-screen it for my project.
    Shiv, how can I find out where the signature is in Olly? Is there anywhere that explains these signatures?

    I am not good at reading this computer code, like MOV EBP, ESP. Does that mean move some numbers from one place in memory to another place? It seems that viruses can have different kinds of code, so that some can be seen like MOV EBP, ESP and for some you have to be able to read web languages. I did a computer course that taught about binary and hex numbers and how the computer speaks in these languages, but it didn't teach how you can talk to the computer like MOV EBP, ESP.

    Thank you for your help.
    R

    • Shiv - Threat Research Analyst

      That's good news that you found the Trojan "Trojan:32/FakeXPA". This Trojan looks like an antivirus product, but a fake one. Though your computer is not infected, this Trojan shows you all kinds of fake results to make the user buy this product. A kind of stealer. Take a backup of it for your project and delete this Trojan.

      Of course the code is in hex form, which is called opcodes, by which your computer performs operations, but Olly debugger transforms the opcodes and displays them in the form of assembly language. This is to make the analyst's work more comfortable. So if you want to understand the code MOV EBP, ESP, you can learn assembly language. As you understood, EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI are the 8 general purpose registers your computer's processor has to perform operations.

      MOV EBP, ESP here says the value in the ESP register is moved to the EBP register, something like copying. Now ESP and EBP contain the same value.

      Example 1:
      A Trojan contains code which says 'I am a bad guy'. You have to make sure this code is specific only to this Trojan. This code should not be in any good file in this world. When you convert this to hex it becomes "49 20 61 6D 20 61 20 62 61 64 20 67 75 79". You add this code to the antivirus database. Once done, this code will be detected by the antivirus. That's how others detect such Trojans.

      Example 2:
      Else you can take the MD5 hash of the Trojan using tools which you can find in Google. This can also be added to detect the malware.

      The difference between Example 1 and Example 2 is that one signature can catch 100s of similar Trojans around the world, but MD5 detects only the file for which you have taken the MD5.

      If you want to write signatures then you should understand assembly. Also you have an open source antivirus called "ClamAV" where you can add your own signatures. How to add signatures is explained below.

      http://www.clamav.com/doc/latest/signatures.pdf

      Please work on these only in a Virtual Machine, not on your host computer. You can use VMware (have to purchase) or Virtual PC (free).

  • Rudy

    Thank you Shiv. One last question: where can I learn this assembly?
    Thank you
    Rudy

    • Shiv - Threat Research Analyst

      You can continue asking me questions Rudy. I appreciate your interest. You can refer to the book called "The Art of Assembly Language", which you can find in Google. This will help you understand MOV, CALL, registers, stack, heap etc., which are used in reverse engineering.

      You are most welcome Rudy.

  • Erik

    Shiv, nice article! You explained the process very well. I did have one question though.

    When you were bypassing the "IsDebuggerPresent" check, how did you get to the API in kernel32? I assume the DLL was loaded by the Trojan, but how did you find this in Olly?

    • Shiv - Threat Research Analyst

      Thank you Erik.

      What I did here is I assumed that this should be the API which checks for debugger detection. Then I used a plugin called command line in Olly and set a breakpoint like this: "bp IsDebuggerPresent". This breaks in the kernel32 API (IsDebuggerPresent) when the Trojan calls it. From there I change the return value and bypass the detection.

  • Dinesh

    Hey,

    This is Dinesh from Sweden, doing my masters. I followed you through LinkedIn. Your research is good & a good start for young babies. Well, I am doing some research work on banking malware & I worked before on SilentBanker as my thesis work. So I want to continue this work; could you please let me know which are the latest/popular banking malwares (kits, samples, source code, etc., at least 2-3) …

    //Dinesh

    • Shiv - Threat Research Analyst

      Hi Dinesh, thanks for the feedback.

      It has always been a challenge working on Banker Trojans. Also it is not easy to collect such samples, as we are particular about banking Trojans. I rely on a few sources like malwaredomainlist.com, malwareurl.com, threatexpert.com, etc. The Trojan which I traversed here targets Brazilian banks and is named Trojan.Bancos or Trojan.Banker. Another Trojan is Zeus, which again targets most of the banks. It comes as a kit. So the person who has the kit decides which bank he wants to target and puts them in a configuration file in an encrypted format, which is downloaded by the Trojan on the infected machine. This config file is used by the Trojan to intercept pages with fake HTML forms to collect information. I have posted an article here on how to decrypt this config file.

  • Can You Trust That File? « Aggressive Virus Defense

    [...] Traversing a 'DLL': Financial Crimeware (Banker) walks through a Banker trojan, illustrating a strings enumerator, PEID and Olly Debugger. [...]

  • Dinesh

    Hey Shiv,

    Thank you very much for the reply. I am sorry for the response. I have a few other questions w.r.t. jobs. Basically I am a starter in this malware analysis domain and I am finding it difficult to find a job. I am not sure what companies expect from a new starter in this domain. Could you share your mail ID so that I can send my resume to you, so that you can correct me if you find something wrong?

    //Dinesh

  • Michael

    Very well put together! The brief but understandable opcode explanations really connect your post with the reader without over-saturating them with technical buzz. A++

  • varadharajan

    Really nice tut Shiva!!! You explained the important things which I never went through in any other tuts. Keep up the good work.

  • vardharajan

    Hi Shiv!

    I am expecting your reversing of a VB malicious file. It would be great if you could give a step by step explanation of how to reach the malicious code easily, as I don't find any tutorials done this way.