Banknote thieves

A Russian nesting doll for criminals

Thursday, February 23, 2017

Everyone knows that the more urgent a news story is and the scarier its headline looks, the more people are interested in reading it. Viruses and Trojans have become familiar to the point of being boring—who, except specialists, is going to read a news story about a new virus? And, what if it’s a story about Crimeware?

Crimeware is malware that is designed to automate cybercrime involving the theft of money. It combines features of banking Trojans, spyware, and hacking tools.

This sounds ominous. But, as always, the truth is never far away.

Crimeware installed on your computer can:

  • monitor connections to a banking system to intercept sensitive information—logins and passwords;
  • intercept and replace your payment details at the moment they are being entered or when the data is being transmitted to the bank;
  • modify confirmation SMS.

According to Dr.Web classification, such programs can be classified as banking Trojans—they definitely are of a malicious nature, and the user does not have to make any special changes to the anti-virus’s settings to remove them.

Banking Trojans threaten all major operating systems; we could describe them endlessly, so let's consider just one example:

The main purpose of Trojan.Bolik.1 is to steal confidential information. The Trojan can execute this function by several means. For example, it controls data transmitted by Microsoft Internet Explorer, Chrome, Opera, and Mozilla Firefox to steal information entered into input forms. Furthermore, this malicious program can take screenshots and perform keylogger functions.

According to this description, it's a typical Crimeware program. But upon closer examination:

Trojan.Bolik.1 is a polymorphic banking virus. In addition to possessing self-spreading features, it can modify its code each time it runs.

A criminal-initiated command activates the self-spreading function, after which Trojan.Bolik.1 starts checking for open-for-write folders in Windows Network Neighborhood or on the USB devices connected to it, searching for and infecting any executable files stored within them. Each such virus contains Trojan.Bolik.1 in an encrypted form and other information the virus needs.

Maybe, when creating this Trojan, the virus writers were inspired by the Russian nesting doll principle.

Polymorphic malware deserves special mention.

So-called polymorphic malware programs are programs that modify their code each time they run or on the fly. Signatures cannot be used to detect them—they simply do not contain any distinctive section of code that can be selected and added to the virus database.

Only special technologies can detect polymorphic malware. The Dr.Web Anti-virus was created in response to the emergence of the first polymorphic malware programs. An anti-virus of the previous generation developed by Dmitry N. Lozinsky was not able to detect them.

If a user runs the infected program, the virus decrypts Trojan.Bolik.1 and launches it right in the computer’s memory, without saving it to the disk. The virus has a special built-in mechanism that allows it to instantly change its code and the part of its structure responsible for the decryption procedure, which helps the virus remain unnoticed for as long as possible. Moreover, Win32.Bolik.1 tries to hinder the operation of anti-virus programs that can execute malicious applications in a special emulator by implementing specific techniques consisting of different loops and repetitive instructions.

In other words, this Trojan is not even stored on a disk—essentially, it’s bodiless; it doesn’t exist as a file. As a result, a file monitor can’t detect its activity. The Trojan can only be detected by the anti-rootkit—a special Dr.Web anti-virus component that scans running processes.

Furthermore, Trojan.Bolik.1 creates its own virtual file system, which it stores in a special file. Thus, the files stored by the Trojan cannot be viewed or analyzed by anyone!

Trojan.Bolik.1 inherited a mechanism for performing web injections, which cybercriminals use to steal online banking application logins and passwords and other private information from their victims.

Unfortunately, the anti-rootkit is not able to check every change made to a process. Therefore, to immediately detect that a web inject has infiltrated a process, the Dr.Web Anti-virus uses a special module that controls changes occurring to processes on the inside. So, no matter what a malware program is called, it will be detected by the Dr.Web Anti-virus.

#malware #terminology #Trojan #Dr.Web_technologies

The Anti-virus Times recommends

  1. Decades of development go into training an anti-virus to protect a system against complex threats. Technologies that eliminate complex malicious programs are not created perfunctorily. That is why all the major players on the anti-virus market appeared more than 20 years ago. There has subsequently arisen a multitude of "marketing" anti-viruses that lease engines from well-known brands and have never been engaged in the development of technology. But, how can ordinary users know that? That's why they migrate from one anti-virus to another in search of a "miracle", instantly switching from any anti-virus that misses a threat to another one—and they can’t be blamed for doing so.
  2. Forget the days when the number of records in an anti-virus database determined the quality of anti-virus detection: anti-virus technologies (that sometimes don’t even have names) run the show.
