SonicWALL UTM Research team received reports of a new variant of Ramnit malware spreading in the wild.

The Ramnit malware family is known for following capabilities:

• File infector: infects files with EXE, DLL, SCR, HTM and HTML extensions by appending its code.
• Network propagation: Spreads via network shares and USB devices.
• Backdoor: Creates a backdoor where it can receive remote instructions.
• Steals FTP credentials and browser cookies.

The latest variant also incorporates Zeus-like Man-in-the-Browser (MitB) web inject functionality to steal Online Banking credentials. It is highly likely that some modules of the Zeus source code (leaked earlier this year) have been integrated into it.

The sample under investigation performs following activities on the infected system:

• Creates a copy of itself as (Local Settings)Tempdbsoowwjviewtmlp.exe (random filename generated per system).
• Initiates two instances of svchost.exe processes and injects code into it.
• Infects executable files having .EXE and .DLL extensions by appending malicious code to the files. Below is a sample list of files under Program Files that were infected:
  • AdobeReader 9.0ReaderLogTransport2.exe
  • AdobeReader 9.0Readerpe.dll
  • AdobeReader 9.0Readersqlite.dll
  • Common FilesAdobeAcrobatActiveXAcroIEHelper.dll
  • Common FilesAdobeAcrobatActiveXAcroPDF.dll
  • Common FilesAdobe AIRVersions1.0Resourcestemplate.exe
  • Common FilesDESIGNERMSADDNDR.DLL
  • Common FilesJavaJava Updatejusched.exe
  • Common FilesMicrosoft SharedMSDesigners7MSVCP71.DLL
  • Common FilesMicrosoft SharedOFFICE11MSO.DLL
  • Common FilesMicrosoft SharedOFFICE11MSSOAP30.DLL

  The infected executable files will have an additional section containing malicious code:

  
  

• Makes registry modifications to launch itself upon system reboot. It also disables the Windows Safe Mode feature by deleting registry keys from following locations:
  • HKLMSYSTEMControlSet001ControlSafeBootMinimal
  • HKLMSYSTEMControlSet001ControlSafeBootNetwork
  • HKLMSYSTEMCurrentControlSetControlSafeBootMinimal
  • HKLMSYSTEMCurrentControlSetControlSafeBootNetwork

  Subsequent attempts to reboot infected system in Safe Mode will result in Blue Screen of Death (BSoD) crash.

  
  

• Opens a backdoor Secure FTP server on TCP port 22 on the infected system.

  

• Connects to a remote C&C server at carr(REMOVED)ezz.com using SSL connection to receive instructions.

SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:

• GAV: Ramnit.D (Trojan)
• GAV: Ramnit.D_2 (Trojan)

The Sonicwall UTM research team received reports of a new Banking Trojan spreading in the wild. The Trojan spreads through email and steals banking credentials from customers of BBVA bank. The email that is spread falsely reports that the long-time dictator of Cuba, Fidel Castro had died from a sudden heart attack at his residence. The email uses 2 links: “click on the image” and “Play video” that lead to the download of the Trojan executable file:

The links to the Trojan are hosted on compromised webservers:

• http://www.chem{removed}.co.uk/24horasnoticias.exe
• http://www.ferienwoh{removed}-vk.de/lightbox/js/24horasnoticias.exe
• http://web4.au{removed}.org/bird/cbc/pdf/24horasnoticias.exe

The downloaded file uses the following icon:

Once run, this initial dropper Trojan adds the following file to the filesystem:

• C:09342.exe [Detected as GAV: Dapato.HEM (Trojan)]

The following request was observed when obtaining 009342.exe. This file is a spreader Trojan and is downloaded from a predetermined list of compromised remote webservers:

C:09342.exe is executed and makes the following changes to the filesystem:

• C:Documents and SettingsAll UsersApplication DataLupitaLupita.exe [Detected as GAV: Banker.SKQG (Trojan)]

C:09342.exe makes the following change to the windows registry to enable startup of the main banking Trojan:

• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “C:Documents and SettingsAll UsersApplicationDataLupitaLupita.exe”

C:09342.exe was also seen scanning all directories on the filesystem for .dbx files in an attempt to gather email addresses for further spreading.

The dropped executable (Lupita.exe) is the main banker Trojan. The Trojan binary contains the following links:

• http://www.hidro{removed}.com.br/img_site/addo.php
• http://www.holi{removed}.info/features/addo.php
• http://h1655219.stra{removed}.net/wework/js/addo.php
• http://www.hippodr{removed}.com//Hippodrome/Les_partenaires/del.php
• http://www.houseimm{removed}.it/php/del.php
• http://icomiarr{removed}.net//del.php
• http://www.ihp-e{removed}.be/espoir/wii.php
• http://www.hw{removed}.com/modules/wii.php
• http://www.group{removed}.com/gosier//images/people/wii.php
• http://www.f{removed}.at//newpics/tr/up7.exe.bak
• http://mox{removed}.vn//images/up7.exe.bak
• http://www.flc{removed}.com.tw/html/up7.exe.bak
• http://www.marath{removed}.com//images/sd/up7.exe.bak
• http://www.ecuriesdupa{removed}.com//agb/config/up7.exe.bak
• http://www.designs{removed}.com/portfolio/we/up7.exe.bak

The links are used for receiving stolen banking credentials from the Trojan.

Lupita.exe uses the following icon:

After reboot and an undertermined period of time the Trojan (Lupita.exe) will spawn a BBVA bank login page in place of the Windows desktop background. The page cannot be closed unless the process is killed:

In an attempt to appear legitimate, the page contains genuine warnings about online banking security. One warning roughly translates to:

• "If you get a few emails or enter a screen where you apply all your card numbers secure password, do not give any help and contact information online at 600 600 1100"

The page does however ask for your BBVA bank logon credentials. This information is posted to a remote webserver:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: Banker.SKQG (Trojan)
• GAV: Dapato.HEM (Trojan) (Trojan)

SonicWALL UTM Research team received reports of a rogue android gaming application spreading in the wild. The rogue application is a modified version of a legitimate game available on the android market. The modified application was found spying on call logs and text messages. SonicWALL advices users against installing applications from untrusted sources and to be wary of applications that request for suspicious permissions.

When the rogue application is downloaded and executed, it requests for the following permissions:

It performs the following activities when installed:

• It stores calls logs and text message periodically to the following locations

• The contents of the files storing call logs and text messages are shown below:
  • zjphonecall.txt:
    

    

  • zjsms.txt:
    

    

• It ensures service is started on reboot of the phone

• It scrounges device information
  • Grabs IMEI, IMSI and SIM number
    
• It uploads collected data to a remote server
  • http://{removed}.net/zj/upload/UploadFiles.aspx

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature: