Remove Whisler, Mebroot, Sinowal Bootkit Virus Phishing Trojan

Remove Whisler, Mebroot, Sinowal Bootkit Virus Phishing Trojan

Infected System
Mebroot will install Torpig as payload and Torpig is by far the nastiest thing we have ever seen. Generally, it:
* will steal login and other personal or confidential details from banking websites
* can inject any HTML content into any website (websites can be encrypted with or without EV-SSL.) without detection
* can capture CAPCHA and compromize virtual keyboards
* can use the information in real-time to defeat One-Time-Passwords
* has configuration files for many banking sites so that it knows exactly what to look out for
* is incredibly hard to detect
* works system-wide and therefore any browser is affected. (Yes, you heard right. Firefox and Chrome users are also affected)

So how does it work?
Well, we are still reverse-engineering and analyzing the trojan in detail, however after infecting the Master-Boot-Record, it employs a complicated mechanism to injects itself into the ATAPI Harddrive Driver to then inject core windows components (svchost.exe and services.exe) which then will hook/redirect functions for all processes that are used for internet transmissions. What’s important is that your webbrowser (Internet Explorer, Firefox, Opera, Chrome, …) is infected and they don’t even know it!

So what does Mebroot/MBR/Torpig do?

As said before, it is after your login credentials and personal information and the ability to manipulate this data either in real-time or use at a later date. It will either simply steal your data directly as it is typed or inject HTML code into the banking website to gather additional information.

1) Steal authentication data (including defeating virtual keyboards)

The stolen data is stored locally in a file (c:windowstemprg4sfay in our case) and will then transfer this file to the malicious hosts.

2) Inject HTML Code into the banking website to steal additional data. banking services where additional

information is requested. However as these forms appear after the customer logged in and come from an apparent trusted site, the success rates for the perpetrators of this trojan are much higher and more effective than ever before.

this Trojan injects itsself into various kernel drivers (atapi.sys in this case) . However this injection is only done in memory and no malicious components are ever written to the harddrive. This is why detection from Antivirus Engines is so low.

However as Torpig wants to steal data from your web browser process, it will hook key functions of the webbrowser process by patching the Import Address Table (IAT).

this Trojan injects itsself into various kernel drivers (atapi.sys in this case) . However this injection is only done in memory and no malicious components are ever written to the harddrive. This is why detection from Antivirus Engines is so low.

However as Torpig wants to steal data from your web browser process, it will hook key functions of the webbrowser process by patching the Import Address Table (IAT).

http://ad13.geekstogo.com/MBRCheck.exe

http://www.esagelab.com/

http://www.esagelab.com/resources.php?n=software#bootkit_remover

Full Article by Andreas Baumhof:

http://www.tidos-group.com/blog/?p=125

Leave a Reply