CastleCops, Internet Crime Fighters
Need help? Click here to register for free! Absolutely zero advertisements on this site!

Donation/Premium
spacer
Donations. Become Premium Today! Premium Icon
block bottom
Security Central
spacer
· Home
· PIRT/Fried Phish
· MIRT
· SIRT
· Deutsch
· Wiki
· Newsletter
· O16/ActiveX
· CLSID List
· Contest2007
· Downloads
· Feedback (send)
· Forums
· HijackThis
· Hijacktrend
· LSPs
· My Downloads
· O18
· O20
· O21
· O22
· O23
· O9
· Premium
· Private Messages
· Proxomitron
· Reviews
· Search
· StartupList
· Stories Archive
· Submit News
· WsIRT
· Your Account
· Acceptable Use Policy
block bottom
spacer spacer
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin   Your Favorite ForumsSelect FavForums 

Trojan Silentbanker

 
Post new topic   Reply to topic       All -> FavForums -> Web Malware Links [del.icio.us!] [digg it!] [reddit!]
View previous topic :: View next topic  
Author Message
1shan

Cadet
Cadet


Joined: Apr 04, 2007
Posts: 5
Location: Singapore
PostPosted: Tue Jan 15, 2008 7:04 pm    Post subject: Trojan Silentbanker
Reply with quote

Anyone has samples or more information on this report ?

Symantec Reports

http://www.symantec.com/enterprise/security_response/weblog/2008/01/banking_in_silence.html

The Trojan accesses the following URLs for configuration and incoming and outgoing updates. Customers are advised to block egress access to these domains since any traffic bound for these sites would clearly indicate an infection with 'Trojan.Silentbanker’.
iloveie.info
webcounterstat.info
microcbs.com
reservaza.com
screensaversfor-fun.com
mystabcounter.info
85.255.119.218
The Trojan also installs a copy of Trojan.Flush.J, which changes the user's DNS settings to the following malicious resolvers:
85.255.116.133
85.255.112.87
Back to top
View users profile Send private message
tacktick

MIRT Hunter
Premium Member

Joined: May 19, 2007
Posts: 624
Location: USA
MIRT Premium

PostPosted: Wed Jan 16, 2008 1:16 am    Post subject:
Reply with quote

We've had copies of this for about two weeks.
(that was put on our listserv)
Symantec just got around to finally fully analyzing what it does.

I took a run with it on my virtual machine and have to say that the symantec report is pretty thorough. I dont know what more information you would need.
While this is a nasty one because of the way it hides and steals data, I doubt its very widespread.

I am curious about how or from where it spreads, havent figured that out yet.

dropper
CastleCops Link/postitle211732-0-0-silentbanker.html
dll
CastleCops Link/postitle211740-0-0-silentbanker.html

Detections were decent at that time and now are even better.
Unless there are new variants going around.

Quote:

File auth17.dll received on 01.16.2008 02:01:37 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.16.10 2008.01.15 -
AntiVir 7.6.0.48 2008.01.15 TR/Spy.Agent.98304
Authentium 4.93.8 2008.01.15 -
Avast 4.7.1098.0 2008.01.15 Win32:Agent-PQS
AVG 7.5.0.516 2008.01.15 PSW.Generic5.ADTK
BitDefender 7.2 2008.01.16 Trojan.Agent.AGKS
CAT-QuickHeal 9.00 2008.01.15 TrojanPSW.Agent.vx
ClamAV 0.91.2 2008.01.15 Trojan.Spy-19351
DrWeb 4.44.0.09170 2008.01.15 -
eSafe 7.0.15.0 2008.01.15 Win32.Agent.vx
eTrust-Vet 31.3.5461 2008.01.16 Win32/VMalum.BUAJ
Ewido 4.0 2008.01.15 Trojan.Agent.vx
FileAdvisor 1 2008.01.16 -
Fortinet 3.14.0.0 2008.01.16 W32/Agent.VX!tr.pws
F-Prot 4.4.2.54 2008.01.15 W32/Pws.ZYP
F-Secure 6.70.13030.0 2008.01.15 Trojan-PSW.Win32.Agent.vx
Ikarus T3.1.1.20 2008.01.16 Trojan-PWS.Win32.Agent.vx
Kaspersky 7.0.0.125 2008.01.16 Trojan-PSW.Win32.Agent.vx
McAfee 5208 2008.01.15 -
Microsoft 1.3109 2008.01.15 -
NOD32v2 2794 2008.01.15 Win32/Spy.Goldun.NCK
Norman 5.80.02 2008.01.16 -
Panda 9.0.0.4 2008.01.15 Trj/Goldun.RK
Prevx1 V2 2008.01.16 TROJAN.AGENT.GEN
Rising 20.27.12.00 2008.01.15 Trojan.Win32.Undef.boh
Sophos 4.24.0 2008.01.15 Mal/Generic-A
Sunbelt 2.2.907.0 2008.01.15 Trojan.Spy.Agent.9
Symantec 10 2008.01.15 Trojan.Silentbanker
TheHacker 6.2.9.187 2008.01.13 Trojan/PSW.Agent.vx
VBA32 3.12.2.5 2008.01.15 Trojan-PSW.Win32.Agent.vx
VirusBuster 4.3.26:9 2008.01.15 -
Webwasher-Gateway 6.6.2 2008.01.15 Trojan.Spy.Agent.98304
Additional information
File size: 98304 bytes
MD5: 786356d231b86f354714021a9c792b2a
SHA1: 847a43c03fec517c1dd76b73e833f51488879ca3
PEiD: -


Quote:

File 5400853hp853b.exe received on 01.16.2008 02:02:33 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.16.10 2008.01.15 -
AntiVir 7.6.0.48 2008.01.15 TR/Dldr.JJIL
Authentium 4.93.8 2008.01.15 -
Avast 4.7.1098.0 2008.01.15 Win32:Agent-PQD
AVG 7.5.0.516 2008.01.15 PSW.Agent.RCT
BitDefender 7.2 2008.01.16 Trojan.Downloader.JJIL
CAT-QuickHeal 9.00 2008.01.15 TrojanPSW.Agent.vu
ClamAV 0.91.2 2008.01.15 -
DrWeb 4.44.0.09170 2008.01.15 -
eSafe 7.0.15.0 2008.01.15 suspicious Trojan/Worm
eTrust-Vet 31.3.5461 2008.01.16 Win32/VMalum.BTLC
Ewido 4.0 2008.01.15 Trojan.Agent.vu
FileAdvisor 1 2008.01.16 -
Fortinet 3.14.0.0 2008.01.16 -
F-Prot 4.4.2.54 2008.01.15 W32/Trojan2.LUX
F-Secure 6.70.13030.0 2008.01.15 Trojan-PSW.Win32.Agent.vu
Ikarus T3.1.1.20 2008.01.16 Trojan-PWS.Win32.Agent.vu
Kaspersky 7.0.0.125 2008.01.16 Trojan-PSW.Win32.Agent.vu
McAfee 5208 2008.01.15 Generic PWS.y
Microsoft 1.3109 2008.01.15 -
NOD32v2 2794 2008.01.15 Win32/Spy.Goldun.NCK
Norman 5.80.02 2008.01.16 Suspicious_F.gen
Panda 9.0.0.4 2008.01.15 Trj/Goldun.RL
Prevx1 V2 2008.01.16 -
Rising 20.27.12.00 2008.01.15 Trojan.Win32.Undef.boh
Sophos 4.24.0 2008.01.15 Mal/Packer
Sunbelt 2.2.907.0 2008.01.15 VIPRE.Suspicious
Symantec 10 2008.01.15 Trojan.Silentbanker
TheHacker 6.2.9.187 2008.01.13 -
VBA32 3.12.2.5 2008.01.15 Trojan-PSW.Win32.Agent.vu
VirusBuster 4.3.26:9 2008.01.15 Packed/FSG
Webwasher-Gateway 6.6.2 2008.01.15 Trojan.Dldr.JJIL
Additional information
File size: 54265 bytes
MD5: de26ddabb5deeb775af7426928859aa8
SHA1: a9c981d514c1e2d82ee4f70b8ea972acc3323a76
PEiD: FSG v2.0 -> bart/xt
packers: FSG
packers: FSG
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


_________________
Analyzing, reporting and removing Malware. Fight the Scourge!
Back to top
View users profile Send private message
Display posts from previous:   
Post new topic   Reply to topic       All -> FavForums -> Web Malware Links All times are GMT
Page 1 of 1

 
Quick Reply:
Username: 

Quote the last message
Attach signature (signatures can be changed in profile)
 
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You cannot download files in this forum


Powered by phpBB © 2001 phpBB Group
2002-2008 © Computer Cops LLC dba CastleCops®. All rights reserved.
Acceptable Use Policy. Use signifies your agreement.
132ppm 0.212s (0.036s)
Making cybercriminals unhappy since 2002*
In Memory of Trpm
spacer spacer