
Inside the Password-Stealing Business

Thursday, September 24, 2009 at 1:42pm by Dennis Elser

Today Avert Labs has published a new research paper, “Inside the Password-Stealing Business: the Who and How of Identity Theft.” With so many financial transactions occurring online today, stealing passwords to banks and other accounts is an irresistible attraction for cybercriminals. Thieves around the world use Trojans and other malware to grab user credentials, which they can resell to their crooked clientele while supporting their own illegal businesses.

Our report uncovers technical details on the capabilities, level of sophistication, and inner workings of the most infamous contemporary password-stealing malware families such as Zbot, Sinowal, and Steam Stealer. We also discuss the prevalence of such malware, distribution channels, how criminals keep up with the changes banks make to keep transactions secure, and how they exploit today’s economic climate. Offering illegal “work at home” opportunities to desperate job seekers is one way criminals lure the unsuspecting into furthering their illegal activities.

You’ll find our report here in English and eight more languages.

Want to peek inside another one of these infamous password thieves? Let’s have a look at SilentBanker.

Our story starts with browser helper objects (BHOs), which are plug-ins for Internet Explorer. BHOs give developers the opportunity to extend the browser’s functionality without having access to the browser’s source code. That doesn’t sound too bad, as users aren’t forced to rely on the browser’s developers to implement new features. Even if you’re not a developer, it seems useful to download any desired extension, whether you want to customize the user interface or be able to read PDF documents directly in the browser, isn’t it? Well, yes and no! The answer depends on the trustworthiness of the BHO’s author, the server you download from, and the DNS server that resolved it. Unfortunately, not all BHOs are safe applications: the bad guys are always looking for ways to turn originally useful features into a way to deploy their malware, hunting for usable information such as credentials. Silentbanker is one of those nasty password-stealing malware families that come in the form of a BHO.

This is one “helper” you don’t want on your side: Once installed and automatically loaded by the browser, Silentbanker can intercept communication between your browser and the Internet! The malware is highly configurable and targets online banking users. Silentbanker will not only recognize and monitor online banking activity but may also modify HTML pages to include additional code or to change a transfer’s details. The data thief acts as a “man in the middle” inside the browser, inspecting and modifying data before it is encrypted and sent to a server, and after it is received from the server and decrypted. Still think you’re secure with SSL? Unfortunately that’s not the case with this freeloader sitting on top of the browser: the encryption happens below the point where the BHO reads and rewrites the data.

[Screenshot: Silentbanker BHO, pseudocode of the malicious core]

The screenshot above shows a pseudocode representation of Silentbanker’s malicious core. The code is responsible for detouring relevant operating system functions to its own malicious routines. This malware effectively kills security applications such as host intrusion prevention systems and others. Before its own malicious detours are installed, the malware disables any previously installed detours by reading a Windows library’s original code from the hard disk (“read_whole_file”) and then mapping it back over the copy in the process’s memory (“remove_API_hooks”), thus rendering security products that rely on the same user-mode hooking technology ineffective.
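The same disk-versus-memory comparison the malware abuses is also how a defender verifies API integrity: read the export’s prologue from the clean library on disk, compare it with the bytes in the live process, and classify any detour found. The following is an added, self-contained example (not code from the post or from Silentbanker) with constructed sample bytes; it assumes the caller has already located the export in both the on-disk image and the process, and that no relocations fall inside the compared prologue.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* What an API entry point looks like in the live process. */
typedef enum {
    HOOK_NONE = 0,     /* prologue matches the on-disk copy */
    HOOK_JMP_REL32,    /* E9 rel32: classic inline detour */
    HOOK_JMP_ABS_IND,  /* FF 25 disp32: jmp [addr] trampoline */
    HOOK_PUSH_RET,     /* 68 imm32 C3: push addr; ret */
    HOOK_OTHER         /* bytes differ but no recognised stub */
} hook_kind_t;

/* Compare the first n bytes of an export as mapped in the process (mem)
 * against the same bytes read from the library file on disk (disk).
 * Assumption: n covers the prologue and contains no relocated addresses. */
hook_kind_t classify_hook(const uint8_t *mem, const uint8_t *disk, size_t n)
{
    if (n == 0 || memcmp(mem, disk, n) == 0)
        return HOOK_NONE;
    if (n >= 5 && mem[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (n >= 6 && mem[0] == 0xFF && mem[1] == 0x25)
        return HOOK_JMP_ABS_IND;
    if (n >= 6 && mem[0] == 0x68 && mem[5] == 0xC3)
        return HOOK_PUSH_RET;
    return HOOK_OTHER;
}

/* For an E9 detour, resolve where control is diverted so the owning
 * module (a security product or an unknown BHO) can be reported. */
uintptr_t jmp_rel32_target(const uint8_t *mem, uintptr_t func_addr)
{
    int32_t rel;
    memcpy(&rel, mem + 1, sizeof rel);        /* little-endian rel32 */
    return func_addr + 5 + (uintptr_t)(intptr_t)rel;
}

/* Constructed sample: the hot-patchable prologue used by Windows exports
 * (mov edi,edi / push ebp / mov ebp,esp / sub esp,10h) and the same bytes
 * after a 5-byte inline detour has been written over them. */
static const uint8_t disk_prologue[8] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
static const uint8_t mem_hooked[8]    = {0xE9,0x10,0x00,0x00,0x00,0x83,0xEC,0x10};

int main(void)
{
    static const char *names[] = {"clean","jmp rel32","jmp [abs]","push/ret","modified"};
    hook_kind_t k = classify_hook(mem_hooked, disk_prologue, sizeof mem_hooked);
    printf("prologue: %s\n", names[k]);
    if (k == HOOK_JMP_REL32)   /* 0x77E10000 is a constructed base address */
        printf("detour target: 0x%lx\n", (unsigned long)jmp_rel32_target(mem_hooked, 0x77E10000UL));
    return 0;
}
```

In a real check the on-disk image must be mapped with the same section alignment as the loaded module before comparing anything beyond the prologue; a legitimate hook from an installed security product should be whitelisted by the target module it resolves to rather than by address.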

Be sure to run McAfee VirusScan and Artemis, and McAfee Gateway Anti-Malware within your corporate network to protect your systems from password thieves.


Comments (2)

  • Jason Yeh September 29, 2009 1:38PM

    You mention you have the report in eight more languages. Can you give me the links?