VBKlip 2.0: no clipboard, but Matrix-like effects

In the last few weeks we received information about a new kind of malware, similar to the VBKlip malware family. However, while reading these incident reports we got a bit of a science-fiction feeling. Users described that they went to the e-banking site and they tried to perform a wire transfer. When they pasted the account number, they saw that it was different than the one they copied. They thought they became infected with the VBKlip and they decided to write the bank account number manually, without the clipboard. When they entered the bank account number it changed “right before they eyes”. This was similar to the famous Matrix animation with green, changing digits. Thanks to one of the reporters we were able to analyze a sample of this malware and see that in fact it did change the bank account number, even if it was entered manually. We decided to call this malware “Banatrix”.

Malware startup – DLL unpacking

The sample that we were able to obtain was gaining its persistence by creating a Scheduled Task in the Windows operating system. This is different from the standard way of adding yourself to the Windows registry, under the autorun key. Malware installed itself in the CommonAppDataFolder (e.g. C:\Documents and Settings\All Users\Application Data in case of Windows XP).

Malware also has to have a .windows.sys file in its folder. This file is an encrypted DLL file, which is loaded when malware starts. This library is responsible for all of the network communication and BAN substitution. Main PE file is just a loader and unpacker. DLL was also encrypted again, with a different key, which was then written to the same file. This was probably done in order to prevent the simple fingerprint blacklisting.

This technique is fairly effective, because none of the antivirus solutions in Virustotal website were able to detect main malware file as malicious:

Inner workings

The method used to switch the BAN is simple, yet novel. This time malware does not monitor Windows clipboard. Instead it iterates over all active processes (using CreateToolhelp32Snapshot and Process32Next) and searches for one of the processes with name from the list below.

chrome.exe
iexplore.exe
IEXPLORE.EXE
firefox.exe
opera.exe

If it finds such process it then scans its memory searching for 26 digit string (with or without spaces). If it finds such string, it overwrites the string with the one obtained from the C&C server. This creates the “right before my eyes” effect. YouTube clip below presents this behavior.

Am I infected?

It is fairly easy to see whether you are infected or not. We have prepared a small test for you. First, close all other web browsers. It is best if you use Mozilla Firefox for this test. Then, you have to wait about 2 minutes. It sometimes helps if you right click on this website and choose “View page source” and then close the pop-up window. If the two bank account numbers presented below are now different then you are surely infected. However, if you pass this test, it does not guarantee that you are clean. Details on why it may be so are presented in the next paragraph.

30 1234 1234 1234 1234 1234 1234

If you are infected, please contact a professional computer service, which will help you with the malware infection. We also advise to send the upper, different bank account number to us using the “Report incident” form on the right.

Bugs in the malware

This malware uses only one thread. This means that it will only choose one browser process to monitor. If victim uses two web browsers, only one will be affected by the BAN substitution. “Second” web browser won’t be affected. We use “second” in quotation marks, because it may not be the web browser which was run later, but only one of the two.

Next bug, also connected with the lack of threads, is that the application can only be in one of the two states at the time. It either updates itself or substitutes BANs. It will never change BAN if an update is in progress.

Because memory pages are quite large, searching for the 26-digit string can be quite ineffective. This results in lags in the malware code, which means that sometimes the bank account number is not replaced. It is also possible, due to the memory layout, that some account numbers will be replaced, while other remain unchanged. This is due to the technique used in this malware.

Summary

It has been almost a year since we first heard about the VBKlip. Since then it has evolved a lot – there were copycat authors (writing in .NET), it started to use C&C and it gained a keylogging functionality. New version, Bantrix, is just another step in this malware technique evolution. What is troubling is that, with a correct timing, malware can even change the bank account number as late as with the POST request construction in the browser. This means that sometimes users can be unaware of the change.

We also informed on our Twitter that there is a similar malware, which replaces the Bitcoin address in the Windows clipboard. This means that this technique becomes more and more popular and we can expect it to be incorporated in other malware families.

Tags: , , , ,

Comments are closed.