#1
Curious one this. The infected computer works fine, however banking websites, which show the correct URL and whose certificates appear fine, have an additional textbox asking for the full security phrase, instead of just various digits from the security phrase.

I tried Lloyds, Rbsdigital.com and Hsbc personal banking, all showed these symptoms. DNS resolution of the sites appears correct. Has anybody seen this before?

I have the files in a password protected 7z archive. Here's the analysis results for one of the .dlls, called through Run -> rundll32. Doesn't look good for detection rates. ~All Virus Total links removed per Policy.~

Here are the results for twext.exe, which I've come across many times before. Called through Winlogon -> Userinit. ~Snip~

c:\windows\system32\a.exe, doesn't appear to be called from anywhere that I've noticed yet, but obviously suspect filename and file date: ~Snip~

c:\windows\system32\userinit32.exe, called via addition to Winlogon > Userinit, hidden from Windows API and only visible with icesword, but registry modification was re-creating itself after removal. File timestamp on this one is 2004-08-11, same as most stock XP files. ~Snip~ Microsoft Antivirus (whatever that is) misses this one.

c:\windows\usebexuyiruburu.dll - can't remember where this was called from. Think it was HKCU -> Run, whereas others were HKLM -> Run ~Snip~ Again Microsoft Antivirus does well while nearly all the other 38 antivirus programs fail. NOD doesn't find a thing. Is it time to switch to Microsoft Antivirus?

One of the staff at the client has convinced the infected chap that "Spybot would have found that", and that I should have run Spybot. (I take that to be Spybot S&D) I used icesword, gmer, hijackthis and virustotal.com. He'll probably run Spybot S&D, find a couple of tracking cookies and tell me he told me so! I have nothing against Spybot S&D but it's long winded and unlikely to be of much use against rootkits and things that generally put themselves back in place as soon as they/their registry keys are removed.

Last edited by ronjor : April 3rd, 2009 at 01:00 PM. Reason: Remove Virus Total links
#2
I'm unable to edit the above post since it was moderated.

The purpose of the virustotal links was to get across the message that on average nearly 92% of the tested antivirus packages do not detect these files, so instead I'll give the statistics for each file and the virus names that were given, but without naming any antivirus products. All stats are from VT.com:

First .dll file, ijowavate.dll, recognised by 2/40 scanners (5%). Recognised as: "Trojan:Win32/Hiloti.gen!A" and "High Risk Fraudulent Security Program"

twext.exe, not to be confused with twext.dll (legitimate WinXP file), recognised by 4/40 scanners (10%). Recognised as: "Gen:Trojan.Heur.Dropper.B0F7080808" and "VirTool:Win32/Obfuscator.ES" and "Email-Worm.Win32.Waledac.Gen (v)"

a.exe, same file as twext.exe above.

userinit32.exe, recognised by 5/39 scanners (12.82%). Recognised as: "TR/Dropper.Gen" and "Gen:Trojan.Heur.Dropper.41629D9D9D" and "Trojan.Win32.Nodef.fga"

usebexuyiruburu.dll, recognised by 2/40 scanners (5%). Recognised as: "Suspicious File" and "Trojan:Win32/Hiloti.gen!A" (same as first file, but different MD5 hash and only one product recognised it as the same thing).
#3
Is Microsoft Antivirus an infector or a deinfector?
#4
Is it not alarming to people how this is apparently modifying banking pages in-line? It's got me concerned!
#5
|
||||
|
||||
|
Microsoft Antivirus and Win Antivirus were/are malware, no? After discovering the sleight, how did you determine what files were a threat?
#6
Not to throw fuel on the fire, but have you been using Ultrasurf?
#7
|
||||
|
||||
|
@Carl Farrington, Malwarebytes Anti-Malware would eradicate Trojan.Hiloti, Trojan.Waledac and Trojan.Dropper. Because of the severe infection, the MBAM scan probably needs to run in Safe Mode. I don't think too many Wilders members would be alarmed at the sight of these Trojans when most of us have seen far worse.
#8
Kind of figured that it would be Onecare or whatever Microsoft currently offers. I determined they were a threat due to how they were called, e.g. additions to Userinit under Winlogon, HKLM...>RUN>"asedalsedakl" (random characters etc.), and the fact that they were hidden from the Windows API, and the fact that both the symptoms disappeared after their removal, and the re-instigation of the bad registry keys stopped happening after others were removed.
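As an added example that is not part of the thread, here is a small Python triage script that applies the criteria Carl describes in post #1 and post #8 (extra entries in Winlogon\Userinit, DLLs launched via rundll32 from a Run key, Run value names that look random and bear no relation to the binary they start) to a text registry export such as `reg export` produces. The .reg excerpt is constructed to mirror the thread's symptoms and is not a real capture; the rules are my reading of the posts, not a detection signature.

```python
# Added example: triage a .reg export for the persistence points discussed in the thread.
import re

STOCK_USERINIT = r"c:\windows\system32\userinit.exe"   # the only entry expected on XP
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")

# Constructed sample modelled on the thread (file names from the posts, paths assumed).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\userinit32.exe,"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"asedalsedakl"="rundll32.exe C:\\WINDOWS\\ijowavate.dll,Startup"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"twext"="C:\\WINDOWS\\system32\\twext.exe"
"""

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:                       # .reg doubles backslashes; undo that
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def audit(keys):
    """Apply the thread's triage rules; return (rule, key, value_name, data) tuples."""
    findings = []
    userinit = keys.get(WINLOGON, {}).get("Userinit", "")
    for entry in filter(None, (e.strip().lower() for e in userinit.split(","))):
        if entry != STOCK_USERINIT:     # anything besides stock userinit.exe is suspect
            findings.append(("extra Userinit entry", WINLOGON, "Userinit", entry))
    for key in RUN_KEYS:
        for name, cmd in keys.get(key, {}).items():
            low = cmd.lower()
            if "rundll32" in low and ".dll" in low:   # DLL autostart via rundll32
                findings.append(("rundll32 DLL autostart", key, name, cmd))
            bases = re.findall(r'([^\\\s"]+)\.(?:exe|dll)', low)   # launched file names
            if re.fullmatch(r"[a-z]{8,}", name) and bases and not any(name in b for b in bases):
                findings.append(("random-looking value name", key, name, cmd))
    return findings

if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print("%-26s %s\\%s = %s" % f)
```

The script only reads an export, so it can be run against a key dump taken from the suspect machine with the registry APIs the thread says the samples hide from being out of the picture.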
#9
It was a customer's computer, but I'm fairly sure the answer is no.

Last edited by Carl Farrington : April 4th, 2009 at 04:47 AM.