
Trojan.Dionizos targets both Firefox and IE users

According to Mozilla, they recently counted over 270 million Firefox users. The growing popularity of Firefox inspires hackers to extend their territory in the hope of doubling their number of victims. Everybody has heard of Trojan.ChromeInject, a Trojan that poses as a Firefox plugin in order to harvest logins for about one hundred different banks. We can expect, and have to be prepared for, more threats and fuss around Firefox in the future. Remember the TODO list of ZeuS? One of the lines on that list deals with interception of Firefox 3+. Statistics also confirm that Firefox is at least as popular as Internet Explorer:

Browser Statistics Month by Month (2009)

Month     IE7    IE6    IE8    Firefox  Chrome  Safari  Opera
May       21.3%  14.5%  5.2%   47.7%    5.5%    3.0%    2.2%
April     23.2%  15.4%  3.5%   47.1%    4.9%    3.0%    2.2%
March     24.9%  17.0%  1.4%   46.5%    4.2%    3.1%    2.3%
February  25.4%  17.4%  0.8%   46.4%    4.0%    3.0%    2.2%
January   25.7%  18.5%  0.6%   45.5%    3.9%    3.0%    2.3%

Source: http://www.w3schools.com/

Trojan.Dionizos is yet another banking Trojan that would like to profit from Firefox users. It installs two malicious DLLs: one for Internet Explorer, and another one for Firefox if it is present on the system. We focus here on the Firefox DLL; the IE DLL is nothing new (it is installed in the registry as a Browser Helper Object).

If we can believe the timestamp, the binary was created on 02/09/2008 at 14:17:21. However, its detection rate is still very low: 4 out of 40. See the anti-virus scan results:

File name: nsFlash.dll
File size: 45568 bytes
MD5: 0f9c9428abda8836e2d699239640b405

Vendor              Description
a-squared           Trojan-PWS.Dioniz!IK
AntiVir             TR/PSW.Dioniz.45568
McAfee-GW-Edition   Trojan.PSW.Dioniz.45568
Prevx               High Risk Worm

Full scan result here

The Trojan is written entirely in C++ using the Gecko/XPCOM interface, a concept very similar to Microsoft's COM/OLE model, which is also favoured by malware authors to create malicious plugins and BHOs (Browser Helper Objects) for Internet Explorer. On the Firefox side, the Trojan attaches itself to the following interfaces provided by the browser:

@mozilla.org/XPCOMSystems/UrlParser;1
@mozilla.org/XPCOMSystems/StreamConv;1
@mozilla.org/cookiemanager;1
@mozilla.org/io/string-input-stream;1
@mozilla.org/observer-service;1
@mozilla.org/categorymanager;1
@mozilla.org/streamconv;1

The most important one is the observer-service interface. It notifies the Trojan about various events happening in the browser, such as a form submission or a URL that has just been opened.

To ensure its survival and be loaded each time the browser is started, it uses the following trick (which is indeed a legitimate way to register a component). First, the malicious DLL is placed in the directory:

C:\Program Files\Mozilla Firefox\components\nsFlash.dll

After that, the files xpti.dat and compreg.dat are deleted in these two folders:

C:\Program Files\Mozilla Firefox\components\
C:\Documents and Settings\[user name]\Datos de programa\Mozilla\Firefox\Profiles\[random chars].default\

In the second of the two paths, the random characters within the Profiles folder cannot be guessed by the Trojan, so it performs a recursive search instead.

Deleting these .dat files is harmless: Firefox regenerates them automatically on startup. And that is exactly how the Trojan gets registered in Firefox. When the browser is launched, it searches for available components and recreates the database files (xpti.dat and compreg.dat). The newly generated .dat files will include nsFlash.dll as a registered component. See a snippet from compreg.dat:

File: compreg.dat
Generated File. Do not edit.

[HEADER]
Version,0,5

[COMPONENTS]
rel:nsSafebrowsingApplication.js,1212071050000
rel:nsTryToClose.js,1212071050000
rel:nsBrowserGlue.js,1212071050000
rel:aboutRobots.js,1212071050000
...
rel:nsFlash.dll,1242384082000
...
[CLASSIDS]
{bfc310d2-38a0-11d3-8cd3-0060b0fc14a3},,application/x-mozilla-static,,nsLayoutModule
...
{1c8cbc42-c647-4fc7-a282-6e618dce8bfc},,application/x-mozilla-native,,rel:nsFlash.dll
...

An interesting detail is that the author checks for previous infections simply by testing whether a given filename already exists. This tells us which other filenames are already in use; here is the list:

\components\nsHelp.dll
\components\nsHelper.dll
\components\ExtensionManager.dll
\components\nsSidebar.dll
\components\nsDebug.dll
\components\nsFlash.dll
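
Because the registration trick leaves its trace in the regenerated compreg.dat, a defender can re-parse that file and look for the filenames above. The following is an added example, not code from the S21sec post or from the Trojan: it parses the [COMPONENTS] and [CLASSIDS] sections, flags any of the known filenames, and additionally flags a component whose registration timestamp differs from the one shared by the bundled components (that timestamp heuristic is an assumption of this example, not something the post states). The sample compreg.dat is constructed from the snippet above.

```python
"""Added example (not from the S21sec post): re-parse a Firefox
compreg.dat and flag components matching the filenames Dionizos uses,
plus components whose timestamp differs from the bundled set
(timestamp heuristic is an assumption of this example)."""
import re
from collections import Counter

# Filenames the post lists from the Trojan's own "already infected?" check.
KNOWN_BAD_COMPONENTS = {
    "nsHelp.dll",
    "nsHelper.dll",
    "ExtensionManager.dll",
    "nsSidebar.dll",
    "nsDebug.dll",
    "nsFlash.dll",
}

# Constructed sample modelled on the compreg.dat snippet in the post.
SAMPLE_COMPREG = """Generated File. Do not edit.

[HEADER]
Version,0,5

[COMPONENTS]
rel:nsSafebrowsingApplication.js,1212071050000
rel:nsTryToClose.js,1212071050000
rel:nsBrowserGlue.js,1212071050000
rel:aboutRobots.js,1212071050000
rel:nsFlash.dll,1242384082000

[CLASSIDS]
{bfc310d2-38a0-11d3-8cd3-0060b0fc14a3},,application/x-mozilla-static,,nsLayoutModule
{1c8cbc42-c647-4fc7-a282-6e618dce8bfc},,application/x-mozilla-native,,rel:nsFlash.dll
"""

# "rel:<file>,<timestamp>"; rel: means relative to the components directory.
COMPONENT_RE = re.compile(r"^rel:(?P<name>[^,]+),(?P<ts>\d+)$")


def parse_sections(text):
    """Split compreg.dat into {section_name: [non-blank lines]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_components(text):
    """Return {filename: timestamp} from the [COMPONENTS] section."""
    components = {}
    for line in parse_sections(text).get("COMPONENTS", []):
        m = COMPONENT_RE.match(line)
        if m:
            components[m.group("name")] = int(m.group("ts"))
    return components


def parse_classids(text):
    """Return {CLSID: module filename} from [CLASSIDS]; the last field is the
    module location, with the rel: prefix stripped."""
    classids = {}
    for line in parse_sections(text).get("CLASSIDS", []):
        fields = line.split(",")
        if len(fields) < 2 or not fields[0].startswith("{"):
            continue
        location = fields[-1]
        if location.startswith("rel:"):
            location = location[len("rel:"):]
        classids[fields[0]] = location
    return classids


def timestamp_outliers(components):
    """Heuristic (assumption): bundled components share one registration
    timestamp, so a different timestamp means the file was added separately."""
    if not components:
        return []
    common_ts, _ = Counter(components.values()).most_common(1)[0]
    return sorted(n for n, ts in components.items() if ts != common_ts)


def find_suspicious(text):
    """Return human-readable findings for a compreg.dat text."""
    components = parse_components(text)
    classids = parse_classids(text)
    findings = []
    for name in sorted(components):
        if name in KNOWN_BAD_COMPONENTS:
            findings.append(f"known Dionizos component registered: {name}")
    for clsid, module in classids.items():
        if module in KNOWN_BAD_COMPONENTS:
            findings.append(f"CLSID {clsid} bound to {module}")
    for name in timestamp_outliers(components):
        findings.append(f"timestamp differs from bundled components: {name}")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_COMPREG):
        print(finding)
```

Run it against a real compreg.dat by reading the file into a string and passing it to find_suspicious; the name list is only as good as the post's list, so the timestamp check is there to surface a renamed drop.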

The Trojan's working directory is System32\spool\. Dionizos stores its data and configuration files here, among the legitimate printing-related files that the operating system also keeps there. The abused filenames are:

System32\spool\c.ini
System32\spool\desktops.ini
System32\spool\printer.dat
System32\spool\dr.ini

There are four domain names related to this binary, each of them stored base64-encoded in the binary:

C&C Servers of Dionizos

Base64 string (as stored)    Decoded domain
Y29uc3RlbGxhdGlvbnMud3M=     constellations.ws
aS1wbGF0Zm9ybS5jbg==         i-platform.cn
bGl2ZWFydHMuY2M=             livearts.cc
YXN0cm8tcGh5c2ljcy5jYw==     astro-physics.cc

During communication with the C&C server, Dionizos sends a version parameter in its GET/POST messages, like &ver=Dionizos_xml. We have observed a few other versions as well, but very likely this string was the hint for choosing the Trojan's name, Dionizos:

Dionizos versions
Dionizos_xml
Delta-v2s_PG_scrn_XML
v99_3i_pg_XML
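
The base64-stored domains and the &ver= strings are the two network-side indicators the post gives. The following is an added example, not code from the S21sec post: it decodes the four base64 strings, searches a byte blob for their encoded forms (the way the post says they are stored in the binary), and flags proxy-log requests that go to one of those hosts or carry one of the listed version strings. The binary blob and the log entries are constructed sample data; the hostnames, base64 strings and version strings are taken from the post.

```python
"""Added example (not from the S21sec post): decode the base64 C&C domains,
find their encoded forms in a byte blob, and flag proxy-log requests to
those hosts or carrying a known &ver= value.  Blob and log are constructed."""
import base64
from urllib.parse import parse_qs, urlsplit

# Base64 strings exactly as the post says they appear in the binary.
CC_DOMAINS_B64 = [
    "Y29uc3RlbGxhdGlvbnMud3M=",
    "aS1wbGF0Zm9ybS5jbg==",
    "bGl2ZWFydHMuY2M=",
    "YXN0cm8tcGh5c2ljcy5jYw==",
]

# Version strings seen in the &ver= parameter (from the post).
KNOWN_VERSIONS = {"Dionizos_xml", "Delta-v2s_PG_scrn_XML", "v99_3i_pg_XML"}


def decode_cc_domains(encoded):
    """Decode the base64 list back to plain hostnames."""
    return [base64.b64decode(e).decode("ascii") for e in encoded]


KNOWN_CC = set(decode_cc_domains(CC_DOMAINS_B64))


def find_encoded_domains(blob, domains):
    """Search a byte blob for each domain's standalone base64 encoding and
    return sorted (offset, domain) pairs.  Only a domain encoded on its own
    (as the post describes) matches; one embedded inside a longer base64
    run could be aligned differently and would be missed."""
    hits = []
    for domain in domains:
        needle = base64.b64encode(domain.encode("ascii"))
        offset = blob.find(needle)
        if offset != -1:
            hits.append((offset, domain))
    return sorted(hits)


def classify_request(host, path):
    """Return the reasons a request looks like Dionizos beaconing:
    a known C&C host and/or a known &ver= value in the query string."""
    reasons = []
    if host.lower() in KNOWN_CC:
        reasons.append(f"known C&C host {host}")
    ver = parse_qs(urlsplit(path).query).get("ver", [None])[0]
    if ver in KNOWN_VERSIONS:
        reasons.append(f"known version string ver={ver}")
    return reasons


# Constructed sample "binary": two encoded domains between padding bytes.
SAMPLE_BLOB = (
    b"\x00\x00\x00\x00"
    + b"aS1wbGF0Zm9ybS5jbg=="
    + b"\x00"
    + b"Y29uc3RlbGxhdGlvbnMud3M="
    + b"\x00"
)

# Constructed proxy log as (host, path) pairs; example.* hosts are benign.
SAMPLE_LOG = [
    ("www.example.com", "/index.html"),
    ("constellations.ws", "/gate.php?id=1&ver=Dionizos_xml"),
    ("livearts.cc", "/upload.php"),
    ("cdn.example.net", "/lib.js?ver=3.2.1"),
]


def scan_log(entries):
    """Return [(host, path, reasons)] for entries with at least one reason."""
    out = []
    for host, path in entries:
        reasons = classify_request(host, path)
        if reasons:
            out.append((host, path, reasons))
    return out


if __name__ == "__main__":
    print(decode_cc_domains(CC_DOMAINS_B64))
    print(find_encoded_domains(SAMPLE_BLOB, KNOWN_CC))
    for host, path, reasons in scan_log(SAMPLE_LOG):
        print(host, path, "; ".join(reasons))
```

A benign ver=3.2.1 on a CDN request is deliberately in the sample log: matching the exact version strings, rather than the presence of a ver parameter, keeps the check from firing on ordinary cache-busting query strings.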

Dionizos functionalities are:
  • Deactivate Kaspersky anti-virus and Comodo Firewall
  • Alter and grab HTTP/HTTPS traffic
  • Steal certificates, saved passwords, cookies
  • Steal POP3 and Webmail passwords
  • Screen capture facility
  • Download and execute file
  • Kill the OS
  • List of processes
  • List of services
  • List of auto-run applications
Dionizos, we are keeping our eyes on you!

Jozsef Gegeny
S21sec e-crime
