As a followup to our early Jan Bredolab email blast warning, this post presents technical details and functionality about the payload accompanying the delivery notice + invoice attachment. While past posts have described the downloader’s windows api hook overwrite functionality, related social engineering techniques, its Zbot and FakeAv downloads, this post identifies a different injection and banking password stealing payload.
The Bredolab downloader variant repeats the same exploits to bypass security apps and perform “hook overwrites”. It abuses the same exploits as our previous variant; MS07-017, MS08-025, CVE-2004-2339. These hook overwrites are performed across the dropper threads and all injected threads (within explorer.exe and svchost.exe) with a simple comparison and copy: rep movs dword ptr es:[edi], byte ptr ds:[esi].
After the injection into explorer, the malcode reports its installation and retrieves info at dollardream .ru, dropping a tmp file to disk and running it. Following the connection with dollardream. ru, the new process creates a directory under users\application data\microsoft\windows and the mspdp<number>.dll, making the dll a persistent presence on the system with an AppInit_dlls registry entry. After the dll and reg key have been created, it deletes itself and calls InitiateSystemShutdown, restarting the system.
Because this DLL maintains an entry under the AppInit_DLLs registry key, it reliably will load into each process running on the victim system’s, including all web browser processes. At dll load time within Internet Explorer, for example, it hooks a dozen different windows API prologues. The malicious code is precisely placed to be reliably notified when data important enough to be encrypted is being sent off of the machine. It intercepts and examines all user data prior to encryption. When data being sent over http is examine, the code first performs a hash comparison on the HTTP headers to identify “interesting” Urls. These approximately 25 “interesting” Url strings are all banking and financial account related, except for a couple social networking and photo share web sites. Here is a view of the code locating content within the raw packet data, after a user has typed their username/pass and clicked on “Login”:
Once the malcode parses the data stream and identifies interesting locations within the stream, it retrieves the input data (i.e. banking user names and passwords), and immediately writes the sensitive data out to file. The file is placed in the same subdirectory as the dll itself, in our lab example: “all users\application data\Microsoft\Windows\Network\Network\mspdb80.dll”. This “.dll” file extension and name choice mimics that of a legitimate file distributed with Visual Studio, and instead contains the stolen login data in plain text. This content is gathered and sent off the system to a server hosted in Russia in the 109.196.143.xx range…
As you can see, it is very important to pay attention to the attachments that you attempt to open, and whether or not they are malicious executables or just look like a harmless spreadsheet.
Update (2/10/2010): appears that other researchers are interested in alerting the public as well, only their February writeup includes interesting details that ACH and wire transfer institutions are targeted by the dll, in addition to what was posted above.