Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    The year might be coming to a close but we’re still seeing our 2013 predictions come true. We encountered an attack that featured an old malware with new routines. This malware, detected as BKDR_SINOWAL.COP specifically attempts to disable the Rapport software from Trusteer.

    Figure 1. Code that looks for the Trusteer Rapport module

    Rapport is software that protects users from phishing and man-in-the-browser (MitB) attacks. It is frequently provided to users by their banks to improve their security. If the attacker succeeded in disabling Rapport, users would be more vulnerable to man-in-the-browser attacks, which are frequently used by banking malware.

    A side note: we have been in contact with Trusteer regarding this threat, and they have confirmed that it does not succeed in disabling Rapport, so users are not at increased risk.

    However, BKDR_SINOWAL.COP does not have the ability to perform MitB attacks by itself. This means that it requires a plugin component or another malware to successfully perform this type of attack.

    Feedback from the Smart Protection Network shows that the attack arrived as an email attachment. This attachment is a compressed file which contains a variant of BKDR_ANDROM malware, detected as BKDR_ANDROM.LSK. This malware will drop and execute both the SINOWAL malware and TSPY_ZBOT.IRF.

    Figure 2. SINOWAL routine

    Knowing this, we can say that the attacker intended to make ZBOT’s MitB routine (via web injects) more successful by using BKDR_SINOWAL’s capability to disable software that prevents that specific attack.

    This threat shows how different threats can work together to increase their effectiveness in carrying out their malicious activities, like stealing information. We already detect the malware associated with this attack.

    The following are the SHA1 hashes of the files that are related to this threat:

    • 1888306B7A47CB2A0EE88529D9C0C55D5E43A870
    • 494F4902437F446C7C4178672489980889111CC1
    • 9DFB7E2EF011B537ED0238FA64058AFB7340EA27
    • B6598BB118F903175FFE5914A28F7D2E03BF471F
    • C9D153A22E75F30F4246F6B4E730D8CF5E33A333
    • FABCDC9564E1E7D59C406969C871C6C53652284E

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    Comments are closed.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice