Brazilian banks are once again in the hotseat as a banking Trojan emerges with a new technique. This time, the cybercriminals targeting these banks are using GMER, a popular anti-rootkit application. Trend Micro detects this banking Trojan as TROJ_DLOAD.BB. Upon execution, this Trojan downloads a legitimate copy of GMER and a malicious rootkit component detected as TROJ_DAMMI.AB.
TROJ_DLOAD.BB creates a batch file that terminates the processes related to the G-Buster Browser Defense, a security program used by many Brazilian banks as protection from information theft and as protection of customers’ privacy during online transactions. Without this application, the information relayed in these transactions may be exposed to malicious users and can be used for fraudulent activities later on.
The batch file created by TROJ_DLOAD.BB uses GMER’s -killfile option, TROJ_DLOAD.BB terminates GBPlugin and its components. TROJ_DAMMI.AB is then rendered as a rootkit and service to make sure that any instance of GBPlugin is terminated.
Trend Micro protects users via its Trend Micro Smart Protection Network that already blocks the download URLs and detects the related malicious files. Non-Trend Micro users can use HouseCall, Trend Micro’s free scanner for identifying and removing malware.
Update as of 20 October 2009, 17:00
Aviv Raff, one of our partners from RSA, confirmed this kind of approach that cybercriminals use in malicious routines. He stated that GMER is not the only malware removal tool utilized by cybercriminals. Another tool, called The Avenger, has been used to terminate GBPlugin. The Avenger is the work of a security researcher who uses the alias Swandog46. As his website states, The Avenger is a powerful program, which doesn’t make it hard to imagine the tool being misused. And true enough, the cybercriminals did.