
TrojanProxy:BAT/Banker.E


First posted on 16 November 2012.
Source: Microsoft

Aliases:

TrojanProxy:BAT/Banker.E is also known as BAT/Spy.Banker.AJ (ESET), BAT/Disabler.dropper (AVG), Virus.BAT.Disabler (Ikarus).

Explanation:



TrojanProxy:BAT/Banker.E is a trojan that redirects your web browser: when you attempt to access certain websites, you are sent instead to malicious sites that attempt to steal or "phish" your information.

To accomplish this, TrojanProxy:BAT/Banker.E modifies system and browser settings that may leave your computer unsecured.



Payload

Redirects websites

TrojanProxy:BAT/Banker.E may redirect safe websites that contain the following strings in their URLs to "brasil.faceimagens.blog.br:80" for phishing and/or information-stealing activities:

  • americanexpress
  • bancobrasil
  • bancodobrasil
  • bancoitau
  • bancosantander
  • banese
  • banespa
  • bb
  • bnb
  • bradesco
  • bradescoprime
  • brb
  • citibank
  • credicard
  • hsbc
  • intouch.unitfour
  • itau
  • itaupersonnalite
  • santander
  • santanderempresarial
  • serasaexperian
  • sicredi
  • tam

Modifies browser settings

TrojanProxy:BAT/Banker.E modifies browser settings that support its redirection activity by making a number of registry changes.

It points Internet Explorer at a configuration file hosted on a remote server (an automatic proxy configuration URL); that file may contain proxy settings for the browser:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "AutoConfigUrl"
With data: "top3.msnbrasiltop.com"

It ensures that Internet Explorer uses the HTTP 1.1 standard, possibly to ensure sites that you are redirected to are displayed properly on your computer:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "EnableHttp1_1"
With data: "1"

It disables the option to specify your own proxy for connecting to websites via a LAN (local area network), and ensures that it uses the HTTP 1.1 standard for proxy connections:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyEnable"
With data: "0"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyHttp1.1"
With data: "0"

It hides the Advanced tab in the Internet Explorer options window:

In subkey: HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "AdvancedTab"
With data: "1"

It disables the ability to restore your home page and search sites to their defaults:

In subkey: HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "ResetWebSettings"
With data: "1"

It forces Internet Explorer to use configuration settings provided in a file:

In subkey: HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "Autoconfig"
With data: "1"

It also changes settings for the Mozilla Firefox browser by making the following modifications in the preferences file "%APPDATA%\Mozilla\Firefox\Profiles\prefs.js":

  • user_pref("network.proxy.autoconfig_url", "hxxp://top3.msnbrasiltop.com");
  • user_pref("network.proxy.type", 2);


Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".
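The Internet Explorer registry values and Firefox prefs.js entries listed above, checked offline against data exported from a host. This is an added example written for this page, not code from the advisory or from Microsoft; the registry export dictionary and the prefs.js text are constructed samples modelled on the values above, and the three policy values (AdvancedTab, ResetWebSettings, Autoconfig) are also set legitimately by group policy, so the script treats an automatic configuration URL pointing at the advisory's host as the decisive indicator.

```python
import re

PAC_HOST = "msnbrasiltop.com"  # host of the AutoConfigUrl / autoconfig_url in this advisory
IE_SETTINGS = r"hkcu\software\microsoft\windows\currentversion\internet settings"
IE_POLICY = r"hkcu\software\policies\microsoft\internet explorer\control panel"
PAC_KEY = (r"hklm\software\microsoft\windows\currentversion\internet settings", "autoconfigurl")
# (hive\subkey, value name) -> data the trojan writes; lower-cased. Policy values are weak alone.
REGISTRY_INDICATORS = {
    (IE_SETTINGS, "enablehttp1_1"): "1",
    (IE_SETTINGS, "proxyenable"): "0",
    (IE_SETTINGS, "proxyhttp1.1"): "0",
    (IE_POLICY, "advancedtab"): "1",
    (IE_POLICY, "resetwebsettings"): "1",
    (IE_POLICY, "autoconfig"): "1",
}
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);', re.M)

def check_registry(values):
    """values: {(hive\\subkey, name): data} exported from a host; returns matched indicators."""
    norm = {(k.lower(), n.lower()): str(d) for (k, n), d in values.items()}
    hits = [f"{k}\\{n}={d}" for (k, n), d in REGISTRY_INDICATORS.items() if norm.get((k, n)) == d]
    pac = norm.get(PAC_KEY, "")  # the PAC URL is the decisive indicator: match on its host
    if PAC_HOST in pac:
        hits.append(f"AutoConfigUrl points at {PAC_HOST}: {pac}")
    return hits

def parse_prefs_js(text):
    """Return {pref: value} from Firefox prefs.js text, quotes stripped from string values."""
    return {name: val.strip().strip('"') for name, val in PREF_RE.findall(text)}

def check_prefs_js(text):
    prefs = parse_prefs_js(text)
    hits = ["network.proxy.type=2"] if prefs.get("network.proxy.type") == "2" else []  # 2 = PAC mode
    url = prefs.get("network.proxy.autoconfig_url", "")
    if PAC_HOST in url:
        hits.append(f"autoconfig_url points at {PAC_HOST}: {url}")
    return hits

# Constructed sample data modelled on the advisory, not captured from a real host.
SAMPLE_REGISTRY = {
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings", "AutoConfigUrl"): "top3.msnbrasiltop.com",
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyEnable"): 0,
    (r"HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel", "AdvancedTab"): 1,
}
SAMPLE_PREFS = ('user_pref("browser.startup.page", 1);\n'
               'user_pref("network.proxy.autoconfig_url", "hxxp://top3.msnbrasiltop.com");\n'
               'user_pref("network.proxy.type", 2);\n')
if __name__ == "__main__":
    for hit in check_registry(SAMPLE_REGISTRY) + check_prefs_js(SAMPLE_PREFS):
        print("INDICATOR:", hit)
```

On a live Windows host the same functions can be fed values read with `reg query` or the `winreg` module and the user's profile prefs.js, compared case-insensitively as the registry itself is.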

The trojan also deletes the contents of the following folders, which hold stored browser data (cookies, history and cache) that may include security-related settings for the Internet Explorer, Mozilla Firefox and Google Chrome web browsers:

  • %APPDATA%\Microsoft\Windows\Cookies
  • %APPDATA%\Mozilla\Firefox\Profiles\*sqlite
  • %LOCALAPPDATA%\Google\Chrome\User Data
  • %LOCALAPPDATA%\Microsoft\Intern~1
  • %LOCALAPPDATA%\Microsoft\Windows\History
  • %LOCALAPPDATA%\Microsoft\Windows\Tempor~1
  • %LOCALAPPDATA%\Mozilla\Firefox\Profiles


Note: %LOCALAPPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Local Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Local".



Analysis by Stefan Sellmer

Last update 16 November 2012
