Published: June 29 2009, 02:37 PM by Aaron Faloon
This week in CA Research Labs, while receiving new variants of the popular Bancos Trojan, we were able to trace one of these variants back to its distribution point.
This distribution point is a web server located in the state of New Jersey in the United States of America. The web server is associated with a local school in the area and is used to host its public website.
Notably, the school is presently closed for maintenance and, equally important, has dismissed for the summer.
Was this timing intentional on the part of the malware authors, so as to go undetected by the people responsible for monitoring the school's website and network, or purely coincidence?
[Figure 1 - School Website hosted on web server]
[Figure 2 – Bancos Malware stored on compromised web server]
As well as hosting the school's website, the compromised web server is also hosting Bancos malware. Here we can see the malware files stored in a directory on the compromised web server. These files are made to resemble legitimate banking applications in order to fool the user into entering their banking information, which is then stolen by the attackers.
Anatomy of the Attack
[Figure 3 – Anatomy of the attack]
Step 1 - The user's machine gets infected by one of the Bancos download agents. These agents are detected by CA as Win32/Bancos.ORU and Win32/Bancos.ORV.
Step 2 - The infected machine will now automatically connect to the compromised web server under the control of the download agents.
Step 3 - Once connected to the compromised web server, the download agents will download Win32/Bancos.ONW onto the user's machine.
The system is now infected with a Bancos Trojan which can steal sensitive information relating to the user's banking habits.
Here we can see the download agents (Win32/Bancos.ORU and Win32/Bancos.ORV) contacting the compromised web server in order to download the Bancos Trojan onto the user's system.
[Figure 4 – Contacting the web server and downloading files]
We can see from Figure 4 that an executable (sidebr.exe) and an image file (c1.bmp) are downloaded to the infected user’s machine. Many more files are downloaded to create the Bancos Trojan application. A few of these files can be seen in Figure 2.
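To give defenders something concrete to look for, here is an added example (not part of CA's original post or tooling) that scans web-proxy log lines for the staged download pattern shown in Figure 4: a client fetching an executable from a host and then pulling several more files from the same host within minutes. The log format, host name, client addresses, time window and threshold are constructed assumptions; only the file names sidebr.exe and c1.bmp come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the original post). The host
# name and client addresses are placeholders; sidebr.exe and c1.bmp mirror
# the files seen downloaded in Figure 4.
SAMPLE_LOG = """\
2009-06-25T10:02:11 10.0.0.15 GET http://compromised-school.example/img/sidebr.exe 200
2009-06-25T10:02:13 10.0.0.15 GET http://compromised-school.example/img/c1.bmp 200
2009-06-25T10:02:14 10.0.0.15 GET http://compromised-school.example/img/c2.bmp 200
2009-06-25T10:02:15 10.0.0.15 GET http://compromised-school.example/img/c3.bmp 200
2009-06-25T10:05:40 10.0.0.22 GET http://compromised-school.example/index.html 200
2009-06-25T10:05:41 10.0.0.22 GET http://compromised-school.example/logo.gif 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
EXEC_EXT = (".exe", ".dll", ".scr")      # assumed: what counts as an executable
WINDOW = timedelta(minutes=5)            # assumed: follow-up fetches must land within this
MIN_FOLLOWUPS = 2                        # assumed: how many extra files make it suspicious

def parse_line(line):
    """Parse one 'timestamp client method url status' line; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, status = m.groups()
    u = urlparse(url)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": u.netloc, "path": u.path or "/", "status": int(status)}

def find_staged_downloads(log_text):
    """Flag (client, host) pairs where a successful executable download is
    followed by MIN_FOLLOWUPS or more files from the same host inside WINDOW."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 200:
            groups[(rec["client"], rec["host"])].append(rec)
    hits = []
    for (client, host), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["path"].lower().endswith(EXEC_EXT):
                later = [x["path"] for x in recs[i + 1:] if x["ts"] - r["ts"] <= WINDOW]
                if len(later) >= MIN_FOLLOWUPS:
                    hits.append({"client": client, "host": host,
                                 "executable": r["path"], "followups": later})
                break   # one report per client/host pair is enough
    return hits

if __name__ == "__main__":
    for hit in find_staged_downloads(SAMPLE_LOG):
        print(f"{hit['client']} pulled {hit['executable']} from {hit['host']}, "
              f"then {len(hit['followups'])} more files: {hit['followups']}")
```

Client 10.0.0.22 browsing the school's legitimate pages is not flagged because no executable is involved, which is the distinction a triage queue needs.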
CA currently detects the downloaded Bancos Trojan as Win32/Bancos.ONW.
CA also recommends keeping your security software up to date to avoid infection by this Bancos malware.
We have also notified the administrator of the compromised web server regarding this issue.
Please read our blog on Banking Trojans - Tips and Tricks for more information on the Bancos Trojan.