HAURI Security Column

Title: The appearance of new pharming malicious code using VPN tunneling
Date: 08/19/14

 


[Summary]
Recently, new malicious code that performs pharming of internet banking using VPN tunneling has been discovered. It hides its communication inside an encrypted VPN tunnel and steals financial information (e.g. certificates).

 

[Details]

1. intt.exe
1) It decrypts a specific string with a single-byte XOR operation.


[Decryption logic]

 

[The string that is used for decoding: x0c39pe]

 

[Before the decoding]

 

[After the decoding]

 

2) It creates a specific service using the decrypted string.
[Service name: V3Safer]
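The single-byte XOR decoding described in step 1-1 (and reused in steps 3, 6 and 15) is the simplest string obfuscation an analyst meets. The following is an added example, not HAURI's code and not the malware's own routine: it implements the symmetric XOR transform and the brute-force key recovery an analyst performs when the key byte is unknown. The key byte 0x5A and the ciphertext are constructed for illustration; only the plaintext "V3Safer" (the service name above) comes from the write-up, and how the malware actually derives its key from the strings shown in the screenshots is not assumed here.

```python
# Added example (not from the write-up): single-byte XOR string decoding and
# brute-force key recovery. Sample key and ciphertext are constructed.
import string

PRINTABLE = set(bytes(string.printable, "ascii"))


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (symmetric: encode == decode)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 means fully printable."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def recover_key(cipher: bytes, must_contain: bytes = b"") -> list:
    """Try all 256 key bytes and return (key, plaintext) pairs whose plaintext
    is fully printable and contains must_contain (an analyst's known substring).
    When the substring covers the whole string the answer is unique."""
    hits = []
    for k in range(256):
        pt = xor_single_byte(cipher, k)
        if printable_ratio(pt) == 1.0 and must_contain in pt:
            hits.append((k, pt))
    return hits


# Constructed sample: the service name from the write-up obfuscated with an
# assumed key byte 0x5A (the real key is not given on the page).
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"V3Safer"
SAMPLE_CIPHER = xor_single_byte(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print("cipher:", SAMPLE_CIPHER.hex())
    for k, pt in recover_key(SAMPLE_CIPHER, must_contain=b"V3"):
        print(f"key=0x{k:02x} -> {pt!r}")
```

In practice the analyst runs `recover_key` over each encoded blob pulled from the binary; the printable filter discards most wrong keys, and a known fragment (a service name, "http", a file extension) pins down the rest.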

 

3) It decrypts further strings in the same way as in [1-1].
[Before the decoding/After the decoding]

 

[Before the decoding/After the decoding]

 

4) It creates the registry key and values for the service using the decoded string.

 

5) It reads a binary (resource ID 0x65) from the resource section and saves it as a file in a specific path.
[Reading the resource section]

 

6) It decrypts a specific string with a single-byte XOR operation.
[Decryption logic]

 

[The string that is used for decoding: sdf3xdi]

 

[Before the decoding/After the decoding]

 

7) It creates a specific service using the decrypted string.

 

8) It starts the V3Safer service.

 

 

2. V3Safe32.dll
1) It checks the status of a service and then creates a thread using a specific service name.

 

2) It creates a Mutex to prevent duplicate executions.

Mutex name: ___WOKD_WRW_0376_


3) If it detects anti-malware products, it removes them.

 

4) It decrypts an encoded string and checks a specific URL.

 

 

5) It reads a file at a specific path.
Path: (Program folder)Common FilesPluginsFtpindex.txt

 

6) It accesses a specific URL and reads a file, but the URL could not be reached at the time of analysis.

 

 

7) If the URL is reachable, it downloads and runs additional files.

 

8) In order to steal financial information, it modifies the hosts file and the hosts.ics file.
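Tampering with hosts and hosts.ics is what makes the pharming work: a banking hostname resolves to the attacker's server before DNS is ever consulted, and hosts.ics is checked by Windows name resolution just like hosts. The check below is an added example for defenders, not HAURI's code and not part of the malware: it parses hosts-format text and flags any hostname mapped to a non-loopback address, listing entries for watch-listed (banking) domains first. The two file contents, the domain names and the watch list are constructed for illustration (the addresses are from documentation ranges).

```python
# Added example (not from the write-up): detect hosts/hosts.ics pharming entries.
# All sample data below is constructed; it is not taken from the malware.
import ipaddress
from typing import NamedTuple


class HostsEntry(NamedTuple):
    file: str       # which file the line came from ("hosts" or "hosts.ics")
    lineno: int     # 1-based line number, for the analyst's report
    ip: str         # address the names are mapped to
    names: tuple    # lower-cased hostnames on that line


def parse_hosts(text: str, source: str) -> list:
    """Parse hosts/hosts.ics format: 'IP name [name ...]'; '#' starts a comment.
    Lines that are empty, comment-only or malformed are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append(HostsEntry(source, lineno, parts[0],
                                  tuple(n.lower() for n in parts[1:])))
    return entries


def suspicious_entries(entries, watchlist) -> list:
    """Return entries whose names point at a non-loopback address. Entries for a
    watch-listed domain (or one of its subdomains) are reported first."""
    watch = tuple(d.lower() for d in watchlist)
    flagged = []
    for e in entries:
        if ipaddress.ip_address(e.ip).is_loopback:
            continue            # 127.0.0.1 / ::1 -> localhost lines are normal
        on_watch = any(n == d or n.endswith("." + d)
                       for n in e.names for d in watch)
        flagged.append((on_watch, e))
    flagged.sort(key=lambda t: not t[0])   # stable: watch-listed first
    return [e for _, e in flagged]


# Constructed sample file contents (assumed, not the malware's real entries).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.test   examplebank.test
"""
SAMPLE_HOSTS_ICS = """192.0.2.10   intranet.corp.test
198.51.100.7 login.examplebank.test
"""
WATCHLIST = ["examplebank.test"]   # assumed list of domains the defender cares about


def scan(hosts_text=SAMPLE_HOSTS, ics_text=SAMPLE_HOSTS_ICS, watchlist=WATCHLIST):
    """Parse both files and return the suspicious entries, watch-listed first."""
    entries = parse_hosts(hosts_text, "hosts") + parse_hosts(ics_text, "hosts.ics")
    return suspicious_entries(entries, watchlist)


if __name__ == "__main__":
    for e in scan():
        print(f"{e.file}:{e.lineno}: {', '.join(e.names)} -> {e.ip}")
```

On a live system the same functions run over `%SystemRoot%\System32\drivers\etc\hosts` and `hosts.ics`; any non-loopback mapping is worth a look, and one for a banking domain is a strong pharming indicator.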

 

9) It calls functions in the DLL files via Rundll32.exe and monitors all processes; this is how it gains control over every process on the system.

 

10) It searches specific processes.
[Process name: explorer.exe]

 

11) It checks Internet Explorer information via the registry.

 

12) It checks whether Internet Explorer is running by looking for its window name.

 

13) It checks whether an internet banking website on its list is being accessed through Internet Explorer.

 

14) If it detects a connection to a specific website, it connects to the VPN.

It accesses a specific URL and obtains the IP information of the infected PC.

 

 

15) It checks for the NPKI string on the system and steals the file.

 

It decrypts the encrypted data to obtain the network address and access information used to upload the collected NPKI file.

 

[Decryption logic]

 

[Detection list by ViRobot]
Trojan.Win32.S.Agent
Trojan.Win32.S.Agent 

Copyright 2008 @ HAURI Inc. All rights reserved.