Anatomy Of A Phishing Trojan

Phishing emails don’t need to be sophisticated to lure the unwary. Indeed, there’s some evidence that those behind the more convincing emails masquerading as bank correspondence are also behind a spate of key-logging trojans, which use basic methods to fool the recipient into activating them.

Australian Daniel McNamara of the anti-phishing website Code Fish has found a new trojan that does a scary amount of work; he believes it’s the work of the same phishing gang that recently launched attacks against his website and targeted Westpac and ANZ banks. The emails themselves contain no special tricks: just plain text mentioning something newsy about Australia and offering a link to read more.

In this case it’s not the emails that are sophisticated (in fact, their very simplicity may be the lure); it’s the website they link to (apparently a cracked Windows XP machine sitting on a broadband link in Canada). All the user sees there is a blank page. Behind it, for users of unpatched Internet Explorer, the page uses a Java applet to download a trojan onto the user’s computer and run it. All it takes is a second, and all the user might see, if his eyes are quick, is a message appearing for a few seconds in the status bar at the bottom of the browser window: “Applet intialising..” Now his computer is infected.

It’s worth taking a closer look at the payload, courtesy of Daniel’s groundbreaking sleuthing. The trojan copies the contents of a file to the Windows directory. It then creates an executable file and launches it. The trojan then creates a subfolder in the Windows directory called “ijn” and places two files in it, nm32.exe and mn32.dll. The executable is then deleted. A small text file is created in the same directory.

This is all so well hidden from view that only a real expert could know it was going on. As far as Windows is concerned, the trojan and the directory it created don’t exist: not in the Windows Task Manager, and not in Explorer even with “show hidden files/directories” turned on. As Daniel says, “somehow the trojan has set up a ‘screen’ so that the overlying Windows GUI denies their existence. Judging from what we found out later it’s because it’s managed to place some hooks into Explorer that allow it to basically become invisible to the average end user.”
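A practical check for this kind of hiding is a cross-view comparison: a hook that filters what Explorer (and any program calling the same directory-enumeration API) sees usually does not stop a file from being opened by its full name, so a name that is reachable directly but missing from the listing is the tell-tale. The script below is an added example written for this page, not a tool from Daniel or Code Fish. It uses only the folder and file names quoted in the post, and assumes the folder sits under %WINDIR% (the post says only “the Windows directory”); the hooked-listing function is a constructed stand-in for the rootkit so that the demo runs on a clean machine.

```python
"""Cross-view check for files a user-mode rootkit hides from Explorer.

Added example, not a tool from the post.  Indicator names (the 'ijn' folder,
nm32.exe, mn32.dll, kbd.txt, ps.txt) come from the post; the %WINDIR% location
and the simulated hook are assumptions made for illustration.
"""
import os
import tempfile
from typing import Callable, Dict, Iterable

# File names the post reports inside the hidden Windows subfolder.
IOC_NAMES = ("nm32.exe", "mn32.dll", "kbd.txt", "ps.txt")


def ioc_directory() -> str:
    """Assumed location of the dropped folder: %WINDIR%\\ijn."""
    windir = os.environ.get("WINDIR", r"C:\Windows")
    return os.path.join(windir, "ijn")


def cross_view_check(directory: str,
                     names: Iterable[str] = IOC_NAMES,
                     list_dir: Callable[[str], Iterable[str]] = os.listdir,
                     open_by_name: Callable[[str], bool] = os.path.exists,
                     ) -> Dict[str, str]:
    """Classify each name as 'visible', 'hidden' or 'absent'.

    A hook on directory enumeration (FindFirstFile/FindNextFile, which both
    Explorer and os.listdir go through on Windows) filters the listing, but a
    file addressed directly by its full path usually still answers.  A name
    that the two views disagree on is the sign of a hook.
    """
    if not open_by_name(directory):
        # The folder itself is unreachable by name: nothing to compare.
        return {name: "absent" for name in names}
    try:
        listed = {entry.lower() for entry in list_dir(directory)}
    except OSError:
        listed = set()
    result = {}
    for name in names:
        reachable = open_by_name(os.path.join(directory, name))
        if reachable and name.lower() in listed:
            result[name] = "visible"
        elif reachable:
            result[name] = "hidden"
        else:
            result[name] = "absent"
    return result


def hooked_listing(real_listing: Callable[[str], Iterable[str]] = os.listdir,
                   hide: Iterable[str] = IOC_NAMES) -> Callable[[str], Iterable[str]]:
    """Constructed stand-in for the Explorer hook: a listing function that
    silently drops the given names, as the post describes the trojan doing."""
    hidden = {h.lower() for h in hide}

    def listing(path: str) -> Iterable[str]:
        return [entry for entry in real_listing(path) if entry.lower() not in hidden]

    return listing


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenario: drop three of the post's file names into a
    temporary 'ijn' folder (ps.txt deliberately left out), then compare a
    clean view of the folder with a hooked one."""
    with tempfile.TemporaryDirectory() as root:
        ijn = os.path.join(root, "ijn")
        os.mkdir(ijn)
        for name in ("nm32.exe", "mn32.dll", "kbd.txt"):
            with open(os.path.join(ijn, name), "wb") as handle:
                handle.write(b"sample")          # placeholder content
        clean = cross_view_check(ijn)
        hooked = cross_view_check(ijn, list_dir=hooked_listing())
        return {"clean": clean, "hooked": hooked}


if __name__ == "__main__":
    # On a real machine you would call cross_view_check(ioc_directory()).
    for view, verdict in demo().items():
        print(view, verdict)
```

In the demo the clean view reports the three planted files as visible and ps.txt as absent, while the hooked view reports the same three as hidden. Run against the real machine, an all-absent result is only as trustworthy as the APIs it calls: if the hook also intercepts opens by name, the authoritative check is to inspect the disk from a clean boot.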

Behind the scenes, however, the trojan is busy. As soon as the user visits an Australian banking site it logs all keystrokes to a file in the same directory called “kbd.txt”. The results are then emailed to a server in Russia. The other file the trojan creates, ps.txt, is delivered by FTP (File Transfer Protocol, the standard way of sending a file from one computer to another over the Internet) and appears, Daniel says, to include passwords stored on the victim’s computer, including those for Outlook Express, AOL and possibly Microsoft’s Passport. The FTP site is hosted on a computer belonging to a web hosting company in the U.S.

In other words, this trojan not only captures your banking passwords, it also trawls around for any kind of passwords on your computer that may prove useful.

So who’s behind it? There are a couple of clues: the email appears to be delivered to a Russian address (server@mail.ru). There’s also a snippet in one of the files that seems to indicate that the author, or someone involved in the trojan’s creation, was Russian, or at least Eastern European.

There are a couple of points worth making here:

  • The weekend attack: These attacks happen too quickly for anti-virus companies, particularly when they hit at weekends. Daniel says he spotted the trojan on Friday night, but the website that supported it was not working until midday Saturday, Eastern Australia time (Friday afternoon/evening, U.S. time). Within an hour or two he had heard from one person who was infected after his anti-virus software failed to stop it. Daniel says he forwarded the trojan to the anti-virus companies late Saturday (Australian time), but so far there’s no sign they’ve updated their signatures or posted a warning.
  • Phishers are not just after your bank details: They could also make use of your other passwords, not least to borrow other people’s computers and accounts as infrastructure. Remember, the trojan-loading website was on a broadband-connected computer (probably a home computer) in Canada, which may or may not have been hacked into. The FTP site was on a legitimate web hosting server in the U.S., where an account had been hacked into.
  • Phishing is not just fancy graphics: Phishing is about social engineering, and it can be primitive and still succeed. This was a plain text email, but with enough appeal to get someone to click on the link. (Indeed, with public awareness of the more sophisticated phishing attacks growing, this may be a deliberate move on their part.) Daniel’s convinced the people behind this one are behind others: he points out that they use exactly the same technique to plant the trojan as in previous attacks on Westpac and ANZ customers.
  • Sophistication: This trojan adds some elements to the mix that show how, with every attack, the folk behind them get smarter. There’s no visible sign that this trojan has got onto your computer and is resident there unless you take a really close look.

Bottom line: Phishers use lots of different methods and tricks to get a broad range of information out of you. And if they hit at weekends, anti-virus companies may be asleep at the wheel, so don’t rely on them.

28. March 2004 by jeremy
Categories: Malware

One Comment

  1. OK, apparently I have this virus. On my MSConfig Startup thing it shows nm32.exe under it. Do we know how to get rid of it yet?