
VBKlip Malware


humble3d


VBKlip Malware: No Network Usage, No Registry Entries and No AV Detection

New .NET banking malware (VBKlip): no network usage, no registry entries and no AV detection


We recently blogged about a new strain of malware called VBKlip, aimed at Polish online banking users. In the last few days a new, revised version of this malware has resurfaced. This version is written in .NET and has a few new ideas which seem to be the reason why none of the three samples we were able to obtain were detected by any of the antivirus solutions present on VirusTotal. This is what makes the threat especially dangerous to users. The new malware spreads as “Adobe Flash Player”, with a matching icon.


In October 2013, CERT Polska reported detecting a new strain of malware called VBKlip. Whenever a victim copied text containing a bank account number to the clipboard, the malware replaced that number with one controlled by the attackers, so that the funds of the transfer went to them.

Targets were infected through a targeted phishing campaign with carefully crafted e-mail content designed to entice the recipient to open a tainted PDF attachment, which contained a zip archive with a Windows screen saver (.scr) file.

New versions of the malware have been detected that require no network communication at all, so no network signatures can be written for them and there are no IP addresses or domain names to monitor or take down. The malware also creates no registry entries, and no system activity is detectable apart from the clipboard content replacement.

“This edition of VBKlip is very simple. First, it creates a Form, which has one of the dimensions set to zero. It also sets ShowInTaskbar to false, which leads to the malware not being visible in the system, unless users open the Task Manager,” CERTPolska reports.

Samples submitted to VirusTotal were not detected by any of the more than 45 antivirus engines available there, not even as a false positive.

“This new version is written in .NET and has a few new ideas which seem to result in the fact that none of the three samples we were able to obtain were detected by any of the antivirus solutions present on VirusTotal. This is what makes this threat especially dangerous to the users.”

https://www.virustotal.com/en/file/744bae3c6f64cc4c9fb8095d57b54c7d0c827b6f5dc113aa289067f687182fc7/analysis/1389270408
https://www.virustotal.com/en/file/0c10aeb3fdf4fb0d36250d12578227599f8f2509861b6e09e27413aeb044dfa0/analysis/1389337563
https://www.virustotal.com/en/file/db375c17975d21c6749c0168cd10f9dc9d26e33b9569e1a817da88d776642653/analysis/1389270408

“VBKlip is a new kind of malware, which, due to its simplicity and previously unknown behavior makes it a serious threat. It is more difficult to detect by any network IDS/IPS systems, because it simply does not create any traffic to the C&C,” CERTPolska stated.

“Additionally, no antivirus detectability makes it even harder to fight VBKlip. On the other hand, no persistence means that you can simply restart your computer and get rid of the unwanted behavior.”

So far, all variants that have been found are hardcoded for Polish bank accounts, but that may change in time.

We don’t need no network…

This edition of VBKlip is very simple. First, it creates a Form, which has one of the dimensions set to zero. It also sets ShowInTaskbar to false, which leads to the malware not being visible in the system, unless users open the Task Manager.

Next, it uses the Microsoft.VisualBasic.MyServices.ClipboardProxy class to manipulate the content of the Windows Clipboard. Every second (with the help of the Timer class) it compares the contents of the clipboard against two Visual Basic Like patterns, in which each # stands for a single digit: ########################## or ## #### #### #### #### #### ####. These are the two standard ways a 26-digit Polish bank account number is written. If the content matches either pattern, it is replaced with another bank account number that is simply hardcoded in the application itself. This is the whole functionality of the malware.

Much like in the Pink Floyd song, this malware just wants the security solution vendors to leave it alone. It uses no network communication, so no network signatures can be created for this sample, and there are no IP addresses or domain names to monitor or take down. It does not acquire any persistence and creates no registry entries. There is no system activity apart from the clipboard content replacement.
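The mechanism described above (two digit patterns, a one-second timer, a hardcoded replacement) and the single artefact it leaves behind can be modelled in a few lines. The following Python is an added example written for this page, not code from CERT Polska or from the samples: it reproduces the substitution on an in-memory string rather than the real Windows clipboard, translates the VB Like patterns (where # matches exactly one digit) to regular expressions, and adds a detector that flags account-number swaps in a constructed clipboard history such as a polling clipboard monitor would record. The attacker account number, the sample history and all function names are assumptions; the WinForms hiding trick (zero-size Form, ShowInTaskbar = false) is not reproduced.

```python
import re
from typing import List, Tuple

# The two Visual Basic "Like" patterns quoted in the write-up, translated to
# Python regular expressions. In a VB Like pattern "#" matches exactly one
# decimal digit, so the first form is 26 bare digits (the Polish NRB account
# number) and the second is the same 26 digits written as 2 + 6x4 groups.
ACCOUNT_PATTERNS = [
    re.compile(r"\d{26}"),
    re.compile(r"\d{2}(?: \d{4}){6}"),
]

# Attacker-controlled destination account. The real samples carry a hardcoded
# Polish number; this value is constructed for the example and is not real.
ATTACKER_ACCOUNT = "99 9999 9999 9999 9999 9999 9999"


def digits_only(text: str) -> str:
    """Strip everything but digits so differently formatted copies of the
    same account number compare equal."""
    return re.sub(r"\D", "", text)


def looks_like_polish_account(text: str) -> bool:
    """Whole-string match, as the VB Like operator does: a 'PL' prefix or a
    trailing newline defeats the pattern, exactly as it defeats the malware."""
    return any(p.fullmatch(text) for p in ACCOUNT_PATTERNS)


def vbklip_tick(clipboard: str) -> str:
    """One timer tick of the malware's logic, applied to an in-memory string
    instead of the real clipboard (the original reads and writes the Windows
    Clipboard through Microsoft.VisualBasic.MyServices.ClipboardProxy once
    per second). A matching value is replaced by the hardcoded account."""
    if looks_like_polish_account(clipboard):
        return ATTACKER_ACCOUNT
    return clipboard


def detect_swaps(snapshots: List[Tuple[float, str]]) -> List[Tuple[float, str, str]]:
    """Detection logic for the one artefact the malware leaves: a clipboard
    value shaped like an account number turning into a *different* account
    number between two consecutive samples. `snapshots` is a list of
    (timestamp, clipboard content) pairs; the result lists
    (timestamp, before, after) for every swap found."""
    swaps = []
    for (_, before), (t, after) in zip(snapshots, snapshots[1:]):
        if (looks_like_polish_account(before)
                and looks_like_polish_account(after)
                and digits_only(before) != digits_only(after)):
            swaps.append((t, before, after))
    return swaps


# Constructed clipboard history: the victim copies a payee's account number
# (a made-up value) and on the next poll the malware has already rewritten it.
# The sample at t=4.0 is the attacker's number in the other format; it must
# not be reported as a second swap.
VICTIM_ACCOUNT = "12 3456 7890 1234 5678 9012 3456"
SAMPLE_HISTORY = [
    (0.0, "Faktura 2014/01/17"),
    (1.0, VICTIM_ACCOUNT),
    (2.0, vbklip_tick(VICTIM_ACCOUNT)),
    (3.0, ATTACKER_ACCOUNT),
    (4.0, digits_only(ATTACKER_ACCOUNT)),
    (5.0, "Faktura 2014/01/17"),
]

if __name__ == "__main__":
    for when, before, after in detect_swaps(SAMPLE_HISTORY):
        print(f"t={when}: clipboard account number rewritten: {before} -> {after}")
```

The detector only sees the value change, not who changed it, so a user re-copying the correct number after a swap would be flagged as well; the practical check for the end user remains comparing the account number in the transfer form with the one on the invoice before confirming.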

This has a very interesting consequence. None of the antivirus products available on VirusTotal when the samples were obtained detected this malware, not even as a false positive from any of the more than 45 engines. Links to the reports are provided below.

https://www.virustotal.com/en/file/744bae3c6f64cc4c9fb8095d57b54c7d0c827b6f5dc113aa289067f687182fc7/analysis/1389270408
https://www.virustotal.com/en/file/0c10aeb3fdf4fb0d36250d12578227599f8f2509861b6e09e27413aeb044dfa0/analysis/1389337563
https://www.virustotal.com/en/file/db375c17975d21c6749c0168cd10f9dc9d26e33b9569e1a817da88d776642653/analysis/1389270408

Summary

VBKlip is a new kind of malware whose simplicity and previously unknown behavior make it a serious threat. It is harder to detect with network IDS/IPS systems, because it simply generates no C&C traffic. The threat is directed at Polish users: it contains hardcoded Polish bank account numbers and we were not able to obtain any foreign sample. Additionally, the lack of antivirus detection makes it even harder to fight VBKlip. On the other hand, no persistence means that you can simply restart your computer and get rid of the unwanted behavior.

SHA256 sums of the analyzed samples are provided below.
0c10aeb3fdf4fb0d36250d12578227599f8f2509861b6e09e27413aeb044dfa0
744bae3c6f64cc4c9fb8095d57b54c7d0c827b6f5dc113aa289067f687182fc7
db375c17975d21c6749c0168cd10f9dc9d26e33b9569e1a817da88d776642653


_http://www.tripwire.com/state-of-security/top-security-stories/vbklip-malware-network-usage-registry-entries-av-detection/
_http://www.cert.pl/news/7955/langswitch_lang/en

MORE:

http://www.cert.pl/