In association with heise online

22 May 2007, 19:02

A sign of things to come in credentials theft malware


A new Trojan designed to steal banking credentials has been analysed by SecureWorks. It turns out to be a member of a growing population of credentials theft tools that act as Layered Service Providers (LSPs), inserting themselves into the user's connection to the internet to steal or modify information. But this one has an extra twist in the tail.

An LSP is a Winsock 2 Service Provider Interface mechanism whereby a legitimate service such as a personal firewall can insert itself into the TCP/IP stack. Once in place, the service can monitor and manipulate TCP/IP traffic. However a malicious service can do the same, sending selected data to an external malicious target.
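Because every LSP is registered in the Winsock catalog, a defender can enumerate that catalog and look for provider DLLs that are not part of Windows. The following script is an added example, not from the article or the SecureWorks report: it parses output in the format of `netsh winsock show catalog` and flags entries whose provider DLL is outside a known-good set. The sample output and the allowlist of DLL names are constructed assumptions and should be tuned to the environment.

```python
import re

# Constructed sample in the shape of `netsh winsock show catalog` output
# (not a real capture): one built-in provider and one unknown layered entry.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Network Helper
Provider Path:                      C:\\Users\\Public\\nethlp.dll
Catalog Entry ID:                   1042
Protocol Chain Length:              0
"""

# Provider DLLs that ship with Windows (assumed allowlist; extend per host build).
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll",
                       "napinsp.dll", "pnrpnsp.dll", "nlaapi.dll", "wshbth.dll"}


def parse_catalog(text):
    """Split the catalog text into one dict of 'Field: value' pairs per entry."""
    entries = []
    for block in re.split(r"Winsock Catalog Provider Entry\s*\n-+\n", text):
        fields = dict(re.findall(r"^([A-Za-z ]+):\s+(.*?)\s*$", block, re.M))
        if fields:
            entries.append(fields)
    return entries


def suspicious_entries(text):
    """Return (entry id, description, path) for providers not in the allowlist."""
    flagged = []
    for entry in parse_catalog(text):
        path = entry.get("Provider Path", "")
        # Compare on the bare DLL name so %SystemRoot% and drive letters do not matter.
        dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_PROVIDER_DLLS:
            flagged.append((entry.get("Catalog Entry ID"), entry.get("Description"), path))
    return flagged


if __name__ == "__main__":
    for entry_id, desc, path in suspicious_entries(SAMPLE_CATALOG):
        print(f"unknown Winsock provider {entry_id}: {desc} -> {path}")
```

On a live host, feed the script the real output of `netsh winsock show catalog` and verify any flagged DLL by publisher signature and file location before treating it as an LSP infection.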

The new Trojan, a Gozi variant, installs itself between the browser and the point where encryption is applied to the data in a supposedly secure SSL session. It can therefore snoop on the in-clear data as if there were no encryption. But it also has another trick up its sleeve: it also hooks into the JavaScript engine to sniff AJAX sessions. AJAX is a JavaScript/XML web interface technique that exchanges small data fragments instead of updating whole pages and is widely used for secure banking credentials exchange.

SecureWorks suggest that virtual two-factor authentication such as the well-known "pick an image" system used by many banks may not be proof against this new threat. In addition to some text based security questions, the user is required to pick a pre-chosen image using the mouse, from a set of maybe four presented in random layout on the screen. Until now, attackers have relied on techniques such as screen capture, which are not ideal, so it has been difficult for malicious applications to breach "pick an image" security. But if the interface uses AJAX, the images are identifiable individually, as potentially is the selection, by capturing the separate AJAX request that refers to each image. The JavaScript sniffer can grab and transmit these without resorting to keyboard or screen capture, and the results can often be analysed intuitively to yield the correct answer.

This Trojan apparently infects via a malicious web page with iframes containing JavaScript and ActiveX components that download a native executable. It seems to have stealth and rootkit capabilities which succeeded in evading leading anti-virus tools for at least a month, including the abilities to turn itself on and off depending on whether a banking site is being accessed, and to conceal its registry entries.

Combined, these various techniques make a strong cocktail. But probably the most worrying specific fact to emerge from this report is the result of an undercover probe conducted by SecureWorks. Within 24 hours of going undercover, the investigator was told to join a secure IRC channel and offered tool kits for between US$1000-2000, including customised versions of the Trojan. This is clearly just a single example of a developing service market for such tools. If these findings and the sophistication of the blended threat used by this example are anything to go by, we will see the prevalence, quality and specificity of such tools continue to increase, and conventional countermeasures such as anti-virus will have their hands full to contain the threat.
